Here is the situation. Someone on our network is accessing another person's email using an email client (Outlook). Obviously they found out their password. How can I get log files to prove that the person's email box is being accessed by the certain computer IP of the culprit?
Exchange logging only seems to track the messages coming in and out of the Exchange server.
I have IIS logging setup for OWA access logging.
So here is what I need to log. Computer IP xx.xx.xx.xx send userID domain\victim time etc...
Now this may be in exchange logging but I may not know how to set it up correctly, please help.
Just to clarify, I'm not looking for help to prevent this from happenning I'm looking for help to gather evidence on this culprit.