Log actual email for incoming/outgoing

  • Question

  • I know that Exchange 2010 keeps logs of all outgoing/incoming emails and you can view them with Message Tracking.  Can I set up a way to keep the actual outgoing/incoming email itself?  I realize this will take up a lot of space, but we need to do damage control on some users.  It's important to keep these emails in case they are maliciously deleted before a nightly backup can take place.  Has anybody done this or have a recommendation?

    Thanks,

    Thursday, August 15, 2013 9:07 PM

All replies

  • Check out this post http://www.bursky.net/index.php/2012/03/copy-emails-on-exchange-to-another-mailbox/

    Search, Recover, & Extract Mailboxes, Folders, & Email Items from Offline Exchange Mailbox and Public Folder EDB's and Live Exchange Servers or Import/Migrate direct from Offline EDB to Any Production Exchange Server, even cross version i.e. 2003 --> 2007 --> 2010 --> 2013 with Lucid8's DigiScope

    • Proposed as answer by Sourabh Kumar Jha Friday, August 16, 2013 5:34 AM
    • Marked as answer by sheld0r Friday, August 16, 2013 5:52 PM
    Thursday, August 15, 2013 11:40 PM
  • You can use the suggestion from Troy, which is related to Transport Rules, but there is already one more mechanism: Journaling.

    Please enable per-mailbox database journaling. Per-mailbox database journaling (also known as standard journaling) delivers a copy of all messages sent to and received by mailboxes on the specified mailbox database to the specified journaling mailbox.

    Please refer to the article below for configuration of Journaling:

    http://technet.microsoft.com/en-us/library/bb123817(v=exchg.141).aspx


    Regards, Sourabh Kumar Jha

    Friday, August 16, 2013 2:55 AM
  • Check out this post http://www.bursky.net/index.php/2012/03/copy-emails-on-exchange-to-another-mailbox/

    That's exactly what I was looking for! Thank you so much!!

    I've used DigiScope in the past to recover a corrupt mailbox off Exchange 2003 and migrate it over to 2010.  I think the only catch with DigiScope in recovering data is the retention period for deleted items.  I believe the default is 7 days.  So after that period I don't think you can recover, or is that not accurate?

    Friday, August 16, 2013 5:56 PM
  • Well that depends on how you recover;

    1. If attempting to recover from a production server with DigiScope, it will only be able to recover items that have not passed the retention date.
    2. However, if you use DigiScope to access an offline/backup copy of the database, the deleted item retention is not in effect because there are no nightly maintenance processes running against those offline copies.  Therefore you can restore a backup from 3 months ago and any deleted items that had not aged to retention prior to that backup will be available.


    Friday, August 16, 2013 6:49 PM
  • So let me ask you this, Troy.  To create an offline backup of my Exchange 2010 database, I'll need to dismount the database.  Once the database is dismounted, do I simply run a backup of the database with Backup Exec?  Or is there another way to back up the database safely?

    You bring up an excellent point.  I've never done offline backups before. Maybe I should start.

    I had an issue where the Exchange backups weren't done properly either, so I had to go back and redo them.  I don't have a valid backup of Exchange for the past 3 or 4 months at least.  The previous admin didn't do them right.

    I keep having issues where people are deleting things they shouldn't, so I need to get something in place NSA style if you will :) to be able to recover these items.  Too much on my plate.

    Thanks for taking the time to assist.

    • Edited by sheld0r Friday, August 16, 2013 7:00 PM
    Friday, August 16, 2013 6:58 PM
  • So there are a few things you can do;

    1. Enable Mailbox Auditing, or Single Item Recovery, or put a legal hold on the mailbox and 2010 would then retain items longer for that user.

    2. Regarding backup of the database you can do it multiple ways;

    • Via an Exchange-aware backup agent so that you can back up the Exchange DB while it's operational.  Then when you need them you can restore to disk.
    • Take the DB offline, then make a manual copy of the EDB to an alternate location for future use. Once the copy is done you can remount the production database.
    • We have a utility called EPM Lite that our forensic customers use to make backups of Exchange databases.  Basically it is a small-footprint application that you copy to a folder on your Exchange server to run (no installer process, no registry changes) and you can direct it to back up a production database and logs to a local or remote location.  We use VSS to do this so the DB stays online and we DO NOT truncate the Exchange logs so that we do not step on your existing backup product.  Single User copy that you can use on any Exchange server is 299.00, so a nice tool to have in your toolkit so that you can make on-the-fly backups without having to take the server offline or interrupting your protection system.

    Friday, August 16, 2013 7:10 PM
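
An added example, not code from any poster in this thread: per-mailbox database journaling (from the journaling reply) combined with Single Item Recovery and mailbox auditing (from the last reply), run in the Exchange Management Shell. The database name, addresses and retention value are constructed placeholders, and mailbox audit logging is assumed to be available (Exchange 2010 SP1 or later).

```powershell
# Run in the Exchange Management Shell on Exchange 2010.
# All names and values below are constructed placeholders, not taken from the thread.
$Database       = 'DB01'                  # mailbox database whose mail is journaled
$JournalMailbox = 'journal@example.com'   # dedicated journaling mailbox
$WatchedUsers   = 'user1@example.com', 'user2@example.com'
$RetainFor      = '30.00:00:00'           # deleted item retention, dd.hh:mm:ss

# 1. Standard (per-mailbox database) journaling: every message sent to or
#    received by a mailbox on $Database is copied to the journaling mailbox.
if (-not (Get-Mailbox -Identity $JournalMailbox -ErrorAction SilentlyContinue)) {
    throw "Journaling mailbox $JournalMailbox not found; create it before enabling journaling."
}
Set-MailboxDatabase -Identity $Database -JournalRecipient $JournalMailbox

# 2. Per-user protection against deletion:
#    - Single Item Recovery keeps purged items until the retention period ends.
#    - Audit logging records which delete actions the mailbox owner performed.
foreach ($user in $WatchedUsers) {
    Set-Mailbox -Identity $user `
        -SingleItemRecoveryEnabled $true `
        -RetainDeletedItemsFor $RetainFor
    Set-Mailbox -Identity $user `
        -AuditEnabled $true `
        -AuditOwner HardDelete, SoftDelete, MoveToDeletedItems
}

# 3. Verify that the settings took effect.
Get-MailboxDatabase -Identity $Database |
    Format-List Name, JournalRecipient
$WatchedUsers | ForEach-Object { Get-Mailbox -Identity $_ } |
    Format-Table Name, SingleItemRecoveryEnabled, RetainDeletedItemsFor, AuditEnabled, AuditOwner -AutoSize
```

The journaling mailbox holds a copy of everyone's mail on that database, so restrict who has access to it and plan its storage and backup separately.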