Auditing Mailbox Access

Posted 2009-05-17 (last modified 2009-07-12), http://contoso.se/blog/?p=658

By default, Exchange 2007 only logs logons to the server, not which mailbox was accessed. With the following cmdlet we can enable mailbox access auditing on our mailbox servers:

    Set-EventLogLevel "MSExchangeIS\9000 Private\Logons" -Level Low

Note that there are times, especially with older Outlook clients, when users will access other users' mailboxes to see details about, for example, calendar appointments, so a logon event can be nothing more than a quick check in a calendar. When I booked a meeting between two users with Outlook 2007, I did not notice any extra security event.

Once we have enabled auditing of mailbox access, we can use a collection rule in Operations Manager to collect the events and store them in the data warehouse. I will use event ID 1009 in this example; event ID 1009 indicates that the specified user account logged on to the specified mailbox.

[Screenshot: Event ID 1016 (exchangeaudit02.JPG)]

Start by creating a new rule: Authoring / Rules / Create a rule / Collection rule / NT event log. The collection rule will only collect events, not generate any alerts. In my example I used Windows Server 2008 Computer as the target. I created the rule disabled by default, then used an override to enable it for a group containing a couple of Exchange mailbox server computer objects.

[Screenshot: exchangeaudit01.JPG]

Event ID 1016 is also interesting. When a user accesses a mailbox other than their primary mailbox, you will see an event with ID 1016.

The next step is to create a report. You can use the generic Custom Event report to create a linked report showing all the events. Run the Custom Event report, select your Windows Server 2008 computers as objects, and filter the report; in my example, Event ID equals 1009. Note that you have to check the checkbox for every report field you want to include. If you do not check any checkboxes you will get an empty report.

If you don't like the default event report you can author a new one in Visual Studio. You can read my guide about that here (http://contoso.se/blog/?p=398) and use the following query when building the data set in Visual Studio. In this query I have two parameters, keyword01 and keyword02. These are two parameters that the report operator can enter as words to search for in the event description, for example a username and a mailbox name.

    -- Return Exchange mailbox logon events (1009 and 1016) from the
    -- Operations Manager data warehouse whose rendered description
    -- contains both operator-supplied keywords, newest first.
    SELECT Event.vEvent.DateTime,
           vEventPublisher.EventPublisherName AS 'EventSource',
           vEventLoggingComputer.ComputerName AS 'Computer',
           Event.vEvent.EventDisplayNumber AS 'EventID',
           vEventChannel.EventChannelTitle,
           Event.vEventDetail.RenderedDescription AS 'EventDescription'
    FROM Event.vEvent
         LEFT OUTER JOIN vEventCategory
             ON Event.vEvent.EventCategoryRowId = vEventCategory.EventCategoryRowId
         LEFT OUTER JOIN vEventPublisher
             ON Event.vEvent.EventPublisherRowId = vEventPublisher.EventPublisherRowId
         LEFT OUTER JOIN vEventLoggingComputer
             ON Event.vEvent.LoggingComputerRowId = vEventLoggingComputer.EventLoggingComputerRowId
         LEFT OUTER JOIN vEventLevel
             ON Event.vEvent.EventLevelId = vEventLevel.EventLevelId
         LEFT OUTER JOIN vEventChannel
             ON Event.vEvent.EventChannelRowId = vEventChannel.EventChannelRowId
         LEFT OUTER JOIN Event.vEventDetail
             ON Event.vEvent.EventOriginId = Event.vEventDetail.EventOriginId
    WHERE (Event.vEvent.EventDisplayNumber = '1009'
           OR Event.vEvent.EventDisplayNumber = '1016')
      AND (Event.vEventDetail.RenderedDescription LIKE '%' + @keyword01 + '%')
      AND (Event.vEventDetail.RenderedDescription LIKE '%' + @keyword02 + '%')
    ORDER BY Event.vEvent.DateTime DESC