locked
IpAddress missing in logon event(event ID 4624) when client logon using POP3 or IMAP RRS feed

  • Question

  • Hi,

    When client access exchange server, there is logon events(event ID 4624) generated in server's security log. If client is using outlook or owa, the event has client's IP address in event data IpAddress field. But if client is using POP3 or IMAP to access exchange server, in this event, this field is empty. Is there a way to make IP address available in this case too? Or is this a bug?

    Our exchange is 2007.

    Thanks,

    Felix

    Friday, June 3, 2011 6:51 AM

All replies

  • Hi Felix:
       You need to update exchange 2007 to Sp3 RU1 and modify ProtocolLogonAudit.
       You can read this KB http://support.microsoft.com/kb/2251714

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, June 6, 2011 1:59 AM
  • Thanks, Terence. I tried this but it doesn't work. I installed SP3 and RU1. now, my exchange version is 08.03.0106.001. I tried both Set-OrganizationConfig(I verified it with Get-OrganizationConfig) and modifying Microsoft.Exchange.Pop3.exe.config, and I restarted POP3 service after the change. Upon client POP3 login, I don't see event 2104, and in 4624 the IpAddress field is still "-". What can be wrong?

    Thanks,

    Felix

    Wednesday, June 8, 2011 9:00 AM
  • Hi
       I can’t find other article about it. It is security log not exchange log.
       Maybe you can post it server forum.
     
    http://social.technet.microsoft.com/Forums/en-us/winserversecurity/threads
       I don’t know whether they know about it.
      


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, June 8, 2011 9:09 AM
  • I asked on server forum and didn't get any answer.

     

    Can someone help to get more info on this? These logs are generated by exchange server. Can exchange server fill in the valid IpAddress in 4624 for POP/IMAP? Or how can 2104 be generated with SP3 RU1?

     

    Thanks,

    Felix

    Tuesday, June 14, 2011 12:56 AM
  • Any answer or suggestions?
    Tuesday, June 21, 2011 6:54 PM