Mailbox Access Auditing with Exchange 2007 SP2
Once you have upgraded your Exchange 2007 servers to SP2, your Exchange organization is ready for Mailbox Access Auditing.
Who opened my mailbox??
I am sure people who have worked on Exchange have enabled Diagnostics logging at least once for troubleshooting purposes. For those who haven’t, Diagnostics logging is a feature in Exchange with which we can monitor a particular service by enabling extensive logging, so that each and every action performed is logged as an event in Event Viewer.
To name some: if the System Attendant service is not starting, we could enable logging for DSAccess under MSExchangeSA (mad.exe), which is responsible for topology discovery in AD. Similarly we can enable logging for move-mailbox failures, calendar issues, MS Exchange Transport, etc. For auditing purposes we never had anything handy apart from Logons, which come under MSExchangeIS (store.exe). But logons are not gonna tell me anything solid, because if I try to access my CEO’s Free/Busy information, it’s gonna log an event stating:
Event ID: 1016
Event Source: MSExchangeIS Mailbox Store
Event Type: Success Audit
Event Category: Logons
Description: User Domain\Username logged on to mailbox@domain.com mailbox, and is not the primary Windows 2000 account on this mailbox.
If you want to know more about it:
How to monitor mailbox access by auditing or by viewing Mailbox Resources in Exchange Server: http://support.microsoft.com/kb/867640
Also, this event does not indicate whether it was the Inbox, the Calendar, or the Contacts folder the user tried to access, nor whether the logon was successful or unsuccessful.
But the truth is that with E2K3, as an Exchange admin, you can still prove with evidence that User A opened User B’s mailbox. The process is hectic, but the result is worth it. Open the IIS logs on the back-end server and do a “Find” for the alias of the user you suspect has opened someone’s mailbox. I have pasted an example below in which you can clearly see that the logged entry states that user meera accessed user ratish’s mailbox and read a particular message.
2009-10-12 23:27:49 W3SVC101 121.221.51.111 GET /exchange/ratish@msexchangeguru.com/Sent+Items/RE:+Exchange+2007+KnowHow.EML Cmd=open 80 MSEXCHANGEGURU\meera 121.221.151.10 Exchange-Server-Frontend-Proxy/6.5+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 200 0 0
On 2009-10-12 at 23:27:49, the message “RE: Exchange 2007 KnowHow” in ratish@msexchangeguru.com’s mailbox was accessed by user MSEXCHANGEGURU\meera, and the request succeeded with status “200 0 0”.
But this is again possible only for logons via OWA, since MAPI requests are not logged in the IIS logs. Too much confusion, right??
With E2K7 SP2 in the spotlight, we can now enable diagnostics logging for a specific set of categories and will know who opened what, and when, in the form of a proper event ID.
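As an added example (not from the original post), here is a small Python scanner that does the “Find” described above programmatically: it parses IIS W3C log lines in the field order of the sample entry, keeps requests into /exchange/<mailbox>/..., and reports the successful ones where the authenticated account is not the mailbox owner. It assumes the alias in the OWA URL equals the user’s logon name; the sample log is constructed from the line quoted above.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import unquote

# Field order assumed for these IIS W3C lines (matches the sample in the post):
# date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
MAILBOX_PATH = re.compile(r"^/exchange/([^/]+)/(.*)$", re.IGNORECASE)

class MailboxHit(NamedTuple):
    timestamp: str   # "date time"
    actor: str       # cs-username, DOMAIN\user
    mailbox: str     # owner alias or SMTP address taken from the URL
    item: str        # decoded folder/item path inside that mailbox
    command: str     # cs-uri-query, e.g. Cmd=open
    status: str      # sc-status

def parse_line(line: str) -> Optional[MailboxHit]:
    """Return a MailboxHit for a request under /exchange/<mailbox>/, else None."""
    if not line or line.startswith("#"):   # skip W3C directive lines
        return None
    f = line.split()                        # safe: IIS encodes spaces as '+'
    if len(f) < 14:
        return None
    m = MAILBOX_PATH.match(f[5])
    if not m:
        return None
    item = unquote(m.group(2).replace("+", " "))
    return MailboxHit(f"{f[0]} {f[1]}", f[8], m.group(1), item, f[6], f[11])

def is_non_owner(hit: MailboxHit) -> bool:
    """True when the authenticated account is not the mailbox owner.
    Assumption: the alias in the URL equals the owner's logon name (sAMAccountName)."""
    if hit.actor == "-":                    # anonymous request, nobody to attribute it to
        return False
    actor = hit.actor.rsplit("\\", 1)[-1].lower()
    return actor != hit.mailbox.split("@", 1)[0].lower()

def non_owner_opens(lines) -> list:
    """Successful (2xx) requests where a user opened something in another user's mailbox."""
    hits = (parse_line(ln) for ln in lines)
    return [h for h in hits if h and is_non_owner(h) and h.status.startswith("2")]

# Constructed sample: the line quoted in the post (User-Agent shortened), an owner
# access by ratish, and a W3C directive line.
SAMPLE_LOG = """#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-10-12 23:27:49 W3SVC101 121.221.51.111 GET /exchange/ratish@msexchangeguru.com/Sent+Items/RE:+Exchange+2007+KnowHow.EML Cmd=open 80 MSEXCHANGEGURU\\meera 121.221.151.10 Exchange-Server-Frontend-Proxy/6.5+Mozilla/4.0 200 0 0
2009-10-12 23:28:10 W3SVC101 121.221.51.111 GET /exchange/ratish@msexchangeguru.com/Inbox/ Cmd=contents 80 MSEXCHANGEGURU\\ratish 121.221.151.10 Mozilla/4.0 200 0 0
""".splitlines()
```

Run it against the real ex*.log files on the back-end server with `non_owner_opens(open(path))`; a 401 for a non-owner path is a failed attempt and is deliberately left out of the 2xx filter.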
Sounds good…. How to set it up??
The main focus is on:
1. Folder Access – logs an event for a user activity like opening folders, such as the Inbox, Outbox, or Sent Items folders.
2. Message Access – logs events that correspond to explicitly opening messages.
3. Extended Send As – logs events that correspond to sending a message as a mailbox-enabled user.
4. Extended Send on Behalf Of – logs events that correspond to sending a message on behalf of a mailbox-enabled user.
Before I get into the details of how to configure this, I will explain the difference between the Send As and Send on Behalf permissions.
If User A sends a message from User B’s mailbox, the recipient will see one of the following:
1. “User A on behalf of User B” in the From field –> Send on Behalf permission
2. User B in the From field, although the message was actually sent by User A –> Send As permission.
Enabling mailbox auditing:
1. Open Server Configuration in EMC
2. Select the mailbox server
3. Right-click and select “Manage Diagnostic Logging Properties”
4. Expand MSExchangeIS (The information store)
5. Select 9000 Private
We now have the four options: Folder Access, Message Access, Extended Send As and Extended Send on Behalf Of. Logging is categorized into five levels:
1 – Lowest
2 – Low
3 – Medium
4 – High
5 – Expert
At logging level zero (0), nothing is logged.
At logging level one (1), only actions for which the acting user invoked administrative privileges are logged.
At logging levels two (2) and four (4), only access from one mailbox-enabled user to another user’s mailbox is logged.
At logging levels three (3) and five (5), access from any user to any mailbox is logged, including owners opening their own mailboxes.
Now, set the logging as per your requirement.
Viewing Exchange Auditing logs
Now, in Event Viewer under Applications and Services Logs, we have “Exchange Auditing”.
Folder Access – Event ID: 10100
Message Access – Event ID: 10102
Send As – Event Id: 10106
Send On Behalf Of – Event Id: 10104
Below is an example of what a Folder Access event looks like:
Log name: Exchange Auditing
Source: MSExchangeIS Auditing
Event ID: 10100
Task Category: Mailbox Access Auditing
Level: Information
Keywords: Classic
Description: The folder /Inbox in Mailbox ‘UserA’ was opened by user CONTOSO\UserB
Display Name: Inbox
Accessing User: /o=First Organization/ou=Exchange Administrative Group (Exchange)/cn=Recipients/cn=UserB
Administrative Rights: false
Identifier: 00000000246A00E0
Client Information (if Available)
Machine Name:
Address:
Process Name: OUTLOOK.EXE
Process Id: 0
Application Id: N/A
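As an added example (not part of the original post), the following Python parses Exchange Auditing events in the text layout shown above and reports only non-owner access, which is usually what you want when the chosen level also logs every user opening their own mailbox. The sample events are constructed; the description regex is taken from the 10100 text above and is assumed to fit 10102 as well.

```python
import re
from typing import Dict, List

EVENT_NAMES = {10100: "Folder Access", 10102: "Message Access"}  # IDs from the post
# Matches the description shown for 10100 (straight or curly quotes); assumed for 10102 too.
DESC = re.compile(r"in Mailbox ['‘](?P<mailbox>[^'’]+)['’] was opened by user (?P<actor>\S+)")

# Constructed sample events in the layout shown above: a non-owner access and an owner access.
SAMPLE_EVENTS = [
    "Log name: Exchange Auditing\nEvent ID: 10100\n"
    "Description: The folder /Inbox in Mailbox 'UserA' was opened by user CONTOSO\\UserB\n"
    "Display Name: Inbox\nAccessing User: /o=First Organization/ou=Exchange Administrative Group (Exchange)/cn=Recipients/cn=UserB\n"
    "Administrative Rights: false\nClient Information (if Available)\nProcess Name: OUTLOOK.EXE",
    "Log name: Exchange Auditing\nEvent ID: 10100\n"
    "Description: The folder /Inbox in Mailbox 'UserA' was opened by user CONTOSO\\UserA\n"
    "Display Name: Inbox\nAccessing User: /o=First Organization/ou=Exchange Administrative Group (Exchange)/cn=Recipients/cn=UserA\n"
    "Administrative Rights: false\nClient Information (if Available)\nProcess Name: OUTLOOK.EXE",
]

def parse_event(text: str) -> Dict[str, str]:
    """Split 'Key: value' lines into a dict; header lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def is_non_owner_access(ev: Dict[str, str]) -> bool:
    """True for a Folder/Message Access event whose accessing account is not the mailbox owner.
    Assumption: the mailbox name in the description equals the owner's account name."""
    if int(ev.get("Event ID", "0")) not in EVENT_NAMES:
        return False
    m = DESC.search(ev.get("Description", ""))
    if not m:
        return False
    actor = m.group("actor").rsplit("\\", 1)[-1]   # strip the DOMAIN\ prefix
    return actor.lower() != m.group("mailbox").lower()

def non_owner_report(events: List[str]) -> List[str]:
    """One line per non-owner access: '<type>: <actor> -> <mailbox>/<folder> (admin=<flag>)'."""
    rows = []
    for text in events:
        ev = parse_event(text)
        if is_non_owner_access(ev):
            m = DESC.search(ev["Description"])
            rows.append(f"{EVENT_NAMES[int(ev['Event ID'])]}: {m.group('actor')} -> "
                        f"{m.group('mailbox')}/{ev.get('Display Name', '?')} "
                        f"(admin={ev.get('Administrative Rights', '?')})")
    return rows
```

Feed it the message text of each event exported from the Exchange Auditing log; the Administrative Rights flag is carried through so that access via admin privileges stands out in the report.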
Excluding an account from Mailbox Auditing:
Get-MailboxDatabase -Identity "server\sg\dbname" | Add-ADPermission -User domain\username -ExtendedRights ms-Exch-Store-Bypass-Access-Auditing -InheritanceType All
Note: Restart the Microsoft Exchange Information Store service for these changes to take effect.
Also keep in mind that the Exchange Auditing event log may be a high-traffic event log, depending on the server configuration, the logging level enabled and user actions. Therefore, the recommended action is to locate the Exchange Auditing event log on a dedicated hard disk drive that has sufficient space and that can support fast write operations. This can be changed from Event Viewer –> Exchange Auditing log –> Properties.
Ratish
October 15th, 2009 at 8:50 am
Ritesh,
The information you provided regarding tracking logons using IIS logs was really an eye opener.
Thanks for that.
December 21st, 2009 at 6:31 pm
How does the exchange auditing logs work for outlook anywhere / RPC over HTTPs?
When enabling extended auditing will this work if someone is using cached mode remotely?
I’ve followed your steps above to enable high logging on 9000 -> private -> message access but am getting nothing under exchange auditing within event viewer. Any suggestions?
December 22nd, 2009 at 11:05 am
Hi guys
Have spent hours trying to get this working, have followed the simple instructions above to enable auditing on MSExchangeIS but nothing is appearing under event viewer -> applications & services log -> exchange auditing.
I’ve got event ID 1016s so really need to get to the bottom of this, on paper the auditing from SP2 should be perfect for me but I just can’t get it working…
April 1st, 2010 at 7:59 pm
I’ve gone through Microsoft’s whitepaper on setting this up 3 times, everything looks ok. 566 events are going into the Application Log, not the Security Log. I am getting no 10xxx events at all in the Exchange Auditing log.
April 19th, 2010 at 4:38 pm
I had to restart the Microsoft Exchange Information Store service before I could see the events logged in Exchange auditing
April 24th, 2010 at 6:01 am
You are indeed GURU OF EXCHANGE. Do you want to work for me? Send email and will discuss.
October 25th, 2010 at 9:25 am
where does it save the log files for this and how large do they become?
October 25th, 2010 at 11:15 am
It can be seen in Event Viewer -> Applications & Services Log -> Exchange Auditing, and the log file size can be configured in properties just like any other log.
October 26th, 2010 at 8:46 am
please have a look at this interesting article:
http://blogs.technet.com/b/mikelag/archive/2010/06/23/audit-exchange-2007-sp2-auditing.aspx
seems that for the *Admins* group you will find yourself in a situation where bypass auditing is set (actually I’m experiencing such a situation..)
I found also interesting this other article:
http://technet.microsoft.com/en-us/library/ee331009(EXCHG.80).aspx
it explains that levels 2 and 4 of logging can be set just via command shell..
November 18th, 2010 at 3:41 am
Well, I started logging and I can only see logs in event viewer (windows logs/application) but nothing is logged in Exchange auditing?
why ?
##Update## –> Restart information store service.
January 17th, 2011 at 11:31 am
This was a thorn in my side for 2 days until I found the comments on this site. Checked all the MS sites, checked the bypass on many users and it turns out all I had to do was restart the store to get the logging to show in the event log.
If this is so common why do none of the articles mention this? Crazy….
Thanks Guru! and comment guys 🙂
February 2nd, 2011 at 1:23 pm
The Microsoft pages that explain this feature all state that after making changes to the logging levels, in order for them to go into effect, you need to restart the Information Store service. Not sure why this article skipped this bit of information, but it is certainly documented on the Microsoft website.
February 12th, 2011 at 4:29 am
@kloby/Will – Just added the update to restart the IS service. Thanks for pointing. 🙂
March 22nd, 2011 at 9:39 am
Absolutely great article! Good job and thank you. I have one hiccup. I configured through the EMC GUI, Server Config/Mailbox/click on my only exchange server/Manage Diagnos…../9000 Private/Folder Access and Message Access and both set to HIGH which I assume is equal to 4 on your detail above. Restarted IS and it logs everything (i.e. John accessing John). What I need it to do is when any user accesses any other user’s mailbox ONLY (i.e. John accesses Robert). Unsure what I am doing wrong.
July 21st, 2011 at 8:18 am
Is there any answer to the last reply? Does anyone know anything about accessing a different Outlook mailbox – it should appear in event 1029 but it shows me this in the application log instead of the Exchange Auditing log. Why is that and how can I change it?
October 30th, 2011 at 9:16 pm
Hi,
How can I view a log of who has changed my alias?
Thanks,
Panji Indonesia
December 2nd, 2011 at 6:50 am
How can I find who all logged in to a user’s mailbox in the last 15 days?
Get-MailboxStatistics | Select DisplayName, LastLoggedOnUserAccount ? This is giving me just the last logon; I need to find all logons as well as the type of logon (e.g. OWA / MAPI)
February 19th, 2013 at 4:02 pm
I am successfully able to audit the logs and I can see the events. However, other domain admins cannot see the event log. They get “event viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. Access is denied (5).”
I found one article that mentions they need to be an Exchange Organization Admin. However, I find that hard to believe. Especially if I want to give someone in Legal or Compliance the ability to review the event logs without being a full Exchange admin.
Any suggestions?
April 24th, 2013 at 3:10 pm
Is there any way to audit a single mailbox in Exchange 2007 SP1?
March 3rd, 2014 at 8:33 pm
I have enabled the audit logs, but it’s not capturing the logs if someone deleted the mails or mails are moving to the Deleted Items folder.
Is there any way to find out?