New-AdminAuditLogSearch Exchange cmdlet issued (25190) how to monitor with email alert

[bob]

That event 25190 pops up in Event Viewer when someone fires off the New-AdminAuditLogSearch cmdlet in Exchange. It logs the exact moment an admin starts digging through those audit trails. You know, the ones tracking all the admin moves in your setup. Basically, it captures who did it, from what machine, and even the parameters they tossed in. I always keep an eye on these because they scream "hey, someone's poking around sensitive stuff." If you're not careful, it could mean an insider messing about or worse.

And here's the kicker with monitoring it. You fire up Event Viewer on your server. Scroll to the Security or Application log where Exchange dumps these. Right-click the event, pick Attach Task To This Event. That pulls up the wizard. You name it something snappy like AdminSearchAlert. Then, check the box for sending an email when it triggers. Yeah, you gotta plug in your SMTP details there. I like setting it to run only if the user is logged on, keeps it simple. Test it once to make sure the alert zings to your inbox.

Or, if you want it automated without fussing every time, stick around. At the end of this, I've got the full automatic email setup laid out for you.

Speaking of keeping your server humming without surprises, I've been messing with BackupChain Windows Server Backup lately. It's this slick Windows Server backup tool that handles your whole setup, including Hyper-V VMs without breaking a sweat. You get quick restores, no downtime headaches, and it snapshots everything cleanly so you sleep better at night.

Note, the PowerShell email alert code was moved to this post.