Auditing Mailbox Access

By default Exchange 2007 only log logons to the server, not to which mailbox. With the following cmdlet we can enable mailbox access auditing on our mailbox servers.

Set-EventLogLevel “MSExchangeIS\9000 Private\Logons” –level low

Note that there might be times, special with older Outlook clients) when other users will access other mailboxes to see details about for example calendar appointments. So a login event can be a simple check in the calendar. When I booked a meeting between two users, with Outlook 2007, I did not notice a extra security extra.
When we have enable audit of mailbox access we can use a collection rule in Operations Manager to collect them and store them in the data warehouse. I will use event IT 1009 in this example, event ID 1009 is an indication that the specified user account logged into the specified mailbox.

Event ID 1016

Start by creating a new rule, authoring/rules/create a rule/collection rule/NT event log. The collection rule will only collect, not generate any alerts. In my example I used Windows Server 2008 Computer as target. I created the rule disable as default. Then override and enable it for a group including a couple of Exchange mailbox server computer objects.

Event ID 1016 is also interesting. When a user access a mailbox another mailbox, then its primary mailbox, you will see a event with ID 1016.
The next step is to create a report. You can use the generic Custom Event report to create a linked report showing all the events. Run the Custom Event report and select your windows server 2008 computers as objects, filter the report for example in my example Event ID equals 1009. Note that you have to check its checkbox for every report field you want to include. If you check any checkboxes you will get a empty report.

If you don’t like the default event report you can author a new in Visual Studio. You can read my guide about that here and use the following query when building the data set in Visual Studio. In this query I have two parameters, keyword01 and keyword02. That is two parameters that the report operator can input as words to search for in the event description, for example a username and a mailbox name.

SELECT Event.vEvent.DateTime, vEventPublisher.EventPublisherName AS 'EventSource', vEventLoggingComputer.ComputerName AS 'Computer',
Event.vEvent.EventDisplayNumber AS 'EventID', vEventChannel.EventChannelTitle, Event.vEventDetail.RenderedDescription AS 'EventDescription'
FROM Event.vEvent LEFT OUTER JOIN
vEventCategory ON Event.vEvent.EventCategoryRowId = vEventCategory.EventCategoryRowId LEFT OUTER JOIN
vEventPublisher ON Event.vEvent.EventPublisherRowId = vEventPublisher.EventPublisherRowId LEFT OUTER JOIN
vEventLoggingComputer ON Event.vEvent.LoggingComputerRowId = vEventLoggingComputer.EventLoggingComputerRowId LEFT OUTER JOIN
vEventLevel ON Event.vEvent.EventLevelId = vEventLevel.EventLevelId LEFT OUTER JOIN
vEventChannel ON Event.vEvent.EventChannelRowId = vEventChannel.EventChannelRowId LEFT OUTER JOIN
Event.vEventDetail ON Event.vEvent.EventOriginId = Event.vEventDetail.EventOriginId
WHERE (Event.vEvent.EventDisplayNumber = '1009' OR
Event.vEvent.EventDisplayNumber = '1016') AND (Event.vEventDetail.RenderedDescription LIKE '%' + @keyword01 + '%') AND
(Event.vEventDetail.RenderedDescription LIKE '%' + @keyword02 + '%')
ORDER BY Event.vEvent.DateTime DESC

Leave a Reply

Your email address will not be published. Required fields are marked *