locked
Mailbox Auditing Exchange 2007 SP2 RRS feed

  • Question

  • I have recently installed Exchange 2007 SP2 and patched it up to RU5.  Prior to this, all mailbox logon audits were being recorded in the event viewer application log.  I am now trying to set  up diagnostic logging via the EMC gui but when I attempt to configure it I get the error stating "No changes have been made to the diagnostic logging configuration". 

    Do I need to turn off the current logging in the registry before I can configure these setting using the GUI or EMS?

    Also, once it is configured would these logs now be recording in the Exchange Auditing log in the event viewer?

    Please let me know how I can leverage the Exchange Auditing log.

    Thank you

    Wednesday, August 24, 2011 9:07 PM

Answers

All replies

  • Hopefully this will answer these questions for you:

    http://technet.microsoft.com/en-us/library/ee221156(EXCHG.80).aspx

    Understanding Mailbox Access Auditing with Exchange Server 2007 Service Pack 2
    • Proposed as answer by Jason LJS Friday, August 26, 2011 5:23 AM
    • Marked as answer by Jason LJS Friday, September 2, 2011 5:27 AM
    Wednesday, August 24, 2011 10:31 PM
  • I have reviewed that link and it is helpful but I have a follow up question.

    We introduced auditing for Logons (MSExchangeIS\9000 Private\Logons) on a Low event level when we were at E2K7 SP1.  This level of logging is recording events in the application log.  Now that we are at E2K7 SP2 and the Exchange Auditing log is introduced, how do I now record these Logon events in the Exchange Auditing log?  Do I need to turn off logging and then turn it back on using the EMC gui?  Please advise.

    Thank you.

     

    Thursday, August 25, 2011 12:51 PM
  • I have reviewed that link and it is helpful but I have a follow up question.

    We introduced auditing for Logons (MSExchangeIS\9000 Private\Logons) on a Low event level when we were at E2K7 SP1.  This level of logging is recording events in the application log.  Now that we are at E2K7 SP2 and the Exchange Auditing log is introduced, how do I now record these Logon events in the Exchange Auditing log?  Do I need to turn off logging and then turn it back on using the EMC gui?  Please advise.

    Thank you.

     


    You may have to. It wouldnt hurt to disable and re-enable.

     

    Thursday, August 25, 2011 2:04 PM
  • I have also seen that configuration is not complete until the Information Store is restarted.  Will the Logon events then start to be recorded in the Exchange Auditing log?

     


    • Edited by jsadmin Thursday, August 25, 2011 6:39 PM
    Thursday, August 25, 2011 6:30 PM
  • I have also seent that configuration is not complete until the Information Store is restarted.  Will the Logon events then start to be recorded in the Exchange Auditing log?

     


    IF everything is configured corerctly, it should.
    Thursday, August 25, 2011 6:37 PM
  • Configuration for setting up auditing seems pretty straight forward.  I tested modifying the existing setup for MSExchangeIS\9000 Private\Logons from Low to Lowest and it shut off the Logon events in the Application log.  I then set up the MSExchangeIS\9000 Private\Logons from Lowest to Low and the Logon events re-appeared in the Application log.  Of course I did all this without restarting the information store and we are in the middle of the business day and do not want any interruptions.

    The exchanges servers are being patched tonight so if I configure the Exchnage Auditing for MSExchangeIS\9000 Private\Logons from low to lowest and then from lowest to low, once the Information store is restarted (or the server is rebooted) the logon events should then be recorded in the Exchange Auditing log?

    Is that correct?  Sorry for the repeat question as I was just trying to be more elobarate.

    Thank you

    Thursday, August 25, 2011 6:47 PM
  • Hi,

    Correct.

    The steps has been clearly listed in the link:

    http://technet.microsoft.com/en-us/library/ee221158(EXCHG.80).aspx


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, August 26, 2011 5:22 AM
  • Thanks for the input.  I am starting slow with this to see how many logs are generated in my environment.  I have set the Folder Access logging to low (so far minimal logs are generated) while turning off and on logging for Logons.  Can someone confirm the following:  Are Logon events for the MSExchangeIS Mailbox Store consider Windows auditing logs or Access Auditing logs?  What events are logged in the Exchange Auditing log?

     

    Friday, August 26, 2011 12:55 PM
  • Hi,

    >Are Logon events for the MSExchangeIS Mailbox Store consider Windows auditing logs or Access Auditing logs? 

    The log will only record mailbox logon info.

    >What events are logged in the Exchange Auditing log?

    It depends on how you configure auditing log.

    When you enable audit logging for a mailbox, you can specify which user actions (for example, accessing, moving, or deleting a message) should be logged for a logon type (administrator, delegate user, or owner). The audit log entries also include important information such as the client IP address, host name, and process or client used to access the mailbox. For items that are moved, the entry includes the name of the destination folder.

    http://technet.microsoft.com/en-us/library/ff459237.aspx


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, September 1, 2011 7:05 AM