Mailbox Auditing Exchange 2007 SP2
I have recently installed Exchange 2007 SP2 and patched it up to RU5. Prior to this, all mailbox logon audits were being recorded in the event viewer application log. I am now trying to set up diagnostic logging via the EMC gui but when
I attempt to configure it I get the error stating "No changes have been made to the diagnostic logging configuration".
Do I need to turn off the current logging in the registry before I can configure these setting using the GUI or EMS?
Also, once it is configured would these logs now be recording in the Exchange Auditing log in the event viewer?
Please let me know how I can leverage the Exchange Auditing log.
Thank you
August 24th, 2011 5:15pm
Hopefully this will answer these questions for you:
http://technet.microsoft.com/en-us/library/ee221156(EXCHG.80).aspx
Understanding Mailbox Access Auditing with Exchange Server 2007 Service Pack 2
Free Windows Admin Tool Kit Click here and download it now
August 24th, 2011 6:39pm
I have reviewed that link and it is helpful but I have a follow up question.
We introduced auditing for Logons (MSExchangeIS\9000 Private\Logons) on a Low event level when we were at E2K7 SP1. This level of logging is recording events in the application log. Now that we are at E2K7 SP2 and the Exchange Auditing log is
introduced, how do I now record these Logon events in the Exchange Auditing log? Do I need to turn off logging and then turn it back on using the EMC gui? Please advise.
Thank you.
August 25th, 2011 8:58am
I have reviewed that link and it is helpful but I have a follow up question.
We introduced auditing for Logons (MSExchangeIS\9000 Private\Logons) on a Low event level when we were at E2K7 SP1. This level of logging is recording events in the application log. Now that we are at E2K7 SP2 and the Exchange Auditing log is
introduced, how do I now record these Logon events in the Exchange Auditing log? Do I need to turn off logging and then turn it back on using the EMC gui? Please advise.
Thank you.
You may have to. It wouldnt hurt to disable and re-enable.
Free Windows Admin Tool Kit Click here and download it now
August 25th, 2011 10:11am
I have also seen that configuration is not complete until the Information Store is restarted. Will the Logon events then start to be recorded in the Exchange Auditing log?
August 25th, 2011 2:37pm
I have also seent that configuration is not complete until the Information Store is restarted. Will the Logon events then start to be recorded in the Exchange Auditing log?
IF everything is configured corerctly, it should.
Free Windows Admin Tool Kit Click here and download it now
August 25th, 2011 2:43pm
Configuration for setting up auditing seems pretty straight forward. I tested modifying the existing setup for MSExchangeIS\9000 Private\Logons from Low to Lowest and it shut off the Logon events in the Application log. I then set up the MSExchangeIS\9000
Private\Logons from Lowest to Low and the Logon events re-appeared in the Application log. Of course I did all this without restarting the information store and we are in the middle of the business day and do not want any interruptions.
The exchanges servers are being patched tonight so if I configure the Exchnage Auditing for MSExchangeIS\9000 Private\Logons from low to lowest and then from lowest to low, once the Information store is restarted (or the server is rebooted) the logon events
should then be recorded in the Exchange Auditing log?
Is that correct? Sorry for the repeat question as I was just trying to be more elobarate.
Thank you
August 25th, 2011 2:54pm
Hi,
Correct.
The steps has been clearly listed in the link:
http://technet.microsoft.com/en-us/library/ee221158(EXCHG.80).aspx
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2011 1:29am
Thanks for the input. I am starting slow with this to see how many logs are generated in my environment. I have set the Folder Access logging to low (so far minimal logs are generated) while turning off and on logging for Logons. Can someone
confirm the following: Are Logon events for the MSExchangeIS Mailbox Store consider Windows auditing logs or Access Auditing logs? What events are logged in the Exchange Auditing log?
August 26th, 2011 9:04am
Hi,
>Are Logon events for the MSExchangeIS Mailbox Store consider Windows auditing logs or Access Auditing logs?
The log will only record mailbox logon info.
>What events are logged in the Exchange Auditing log?
It depends on how you configure auditing log.
When you enable audit logging for a mailbox, you can specify which user actions (for example, accessing, moving, or deleting a message) should be logged for a logon type (administrator, delegate user, or owner). The audit log entries also include important
information such as the client IP address, host name, and process or client used to access the mailbox. For items that are moved, the entry includes the name of the destination folder.
http://technet.microsoft.com/en-us/library/ff459237.aspxPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
September 1st, 2011 3:14am