Mailbox Access Auditing

Mailbox Access Auditing using Exchange Server (ES) 2007 SP2

Under Window Server 2008

With the ES 2007 SP2, Microsoft has introduced a new mailbox access auditing feature among others.

It uses store.exe process, an access point for mail in mailbox databases, and enables auditing using a set of Diagnostics logging categories namely: Folder Access, Message access, ‘Extended Send As’ and ‘Extended Send On Behalf Of’. Each of the category can provide different level of logging depending on the scale specified; zero (not enable) to five (maximum logging).

            In window server 2008, ES 2007 SP2 creates a new event log, Exchange Auditing, under ‘Applications and Services Logs\Exchange Auditing’, shown below. All the auditing based on applied filters can be seen here. Window server 2008 has Wevtutil tool as well to retrieve information about event logs and publishers. Viewing of Exchange Auditing is done through ‘wevtutil’ is made through:

                        wevtutil gl “Exchange Auditing” command

Specifically, wevtutil command can be used like this: to audit log file and path, respectively.

Wevtutil sl “Exchange Auditing” /lfn:<path>\ExchangeAuditing\ExAudit.evtx

Where <path> is desired path of log file.

Wevtutil sl “Exchange Auditing” /ms:<size in bytes>

where <size in bytes> is intuitively the log file size.

An example of specifying 25 MB log file size will be: Wevtutil sl “Exchange Auditing” /ms: 25600

The default file system location of this event log is <path to exchange installation>\Exchange Server\Logging\AuditLogs.

How to enable Mailbox Access Auditing:

Under ES 2007 SP2, auditing can be enabled using bothExchange Management Console (EMC) & Exchange Management Shell (EMS). We will go through each. To do so; server expects the following roles from you:                   

• Local Administrator rights
• Exchange Organization Administrations rights

Open EMC to locate the server, TECHNO1 here, and select ‘Manage Diagnostic Logging Properties…’ either by server context menu or selection from right-pane of EMC console.

Resultant dialog box, Manage Diagnostic Logging Properties, will pop-up. Expand TECHNO1 server in list box under ‘Update logging levels for services’ radio-button.

Scroll-down the list-box to expand Microsoft Exchange Information Store entry namely, MSExchangeIS. Then expand ‘9000 Private.’

Upon following above, you will see the categories, talked before, shown below. Select each of four, to specify level of logging using radio-buttons, Lowest Low Medium High Expert, under list-box. Then click configure to move on.

On successful completion, you will see the enabled categories. Click Finish and you are done.

Now that we have done in EMC, let’s quickly see how it is done through EMS. Doing in EMS is setting above four to a logging level under registry.

Open Registry then expand to the path HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\MSExchangeIS\Diagnostics\9000 Private. You will see the same four categories: ‘9074 Folder Access’, ‘9075 Message Access’, ‘9076 Extended Send As’ and‘9077 Extended Send On Behalf Of’ we want to use for filtering.

Start EMS and use ‘Set-Location’ command to set current directory to the path identified in registry above i.e.

            Set-Location “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\MSExchangeIS\Diagnostics\9000 Private”

Resultant shell prompt will look like the one below. Also, available registry entries under that folder can be seen using ‘Get-ItemProperty –Path.’

Now to set a logging level of each category we use ‘Set-ItemProperty’ command like

            Set-ItemProperty -Path. –Name “9074 Folder Access” –Value 3

Here intuitively dot Path represents current directory (or registry path), Name is the registry key name to set and the value for the level of logging, three here to do medium level. Similarly, others can be set using same command with their name.

Once we are done with above, changes can be seen using ‘Get-ItemProperty –Path.’

This is it; we are now at the same stage we were after enabling audit using EMC.

After enabling mailbox access audit, we often want to specify the log file path, their size and other characteristics.

Open Server Manager, ‘TECHNO1’ here, to locate Exchange Auditing under Applications and Services Logs of Diagnostics. Then select Properties in the right-pane of Server Manager Console.

Most of the properties are intuitive to their names. Log path is for the event log file. ‘Maximum log size’ specifies available space for log entries and what to do when maximum log size is reached. You can also clear log when you want using right bottom button of Clear Log. Click OK to finish.

Conclusion: This tutorial explains Mailbox Access Auditing feature of ES 2007 SP2 under Window Server 2008. We worked through both GUI-based and shell-based commands for auditing feature. I also introduced you to the Wevtutil tool available in Window Server 2008 for playing with logs.