neoptoent asked:

Exchange 2010 Security Monitoring

Hi,

We are looking to implement security monitoring over Exchange 2010.
Some events we would like to monitor for are:
1. Mailbox Creation
2. Mailbox Deletion
3. Admins reading other users' emails
4. Change of permissions to mailboxes.

Has anyone implemented this type of monitoring?
Does anyone know the event IDs associated with these events?
Is there a list somewhere of all event IDs for Exchange 2010?

Thanks for the help
ASKER CERTIFIED SOLUTION
davorin
This solution is only available to members.
In the MAPI properties of the mailbox, you will see a property "PR_Creation_Time", which shows its creation date. In case the mailbox was moved recently, the old time will not be reflected; it will now show the time of the last mailbox move. You can check the event logs for created mailboxes.

Enable the auditing of Directory Service Access (KB 232714), which will give us the success/failure attempts by any user to access the AD. On success it generates events 565 and 566, which can tell us the name of the person who deleted the mailbox and the name of the person whose mailbox has been deleted.

ASKER

Hi,

Thanks for the responses. I think I will need to enable auditing and parse out the info I need.

Is there any place that lists all the event IDs associated with audit logging and the parameters?


Thanks
These logs are not stored in Event Viewer. You get access to them using the Exchange Control Panel. They are exported in XML format. You get a list of complete commands issued plus info about who issued them and when.

These don't write to the event log viewer?
We need to use a third-party tool to parse the data... can it store it in a Windows event log or a text file?

Please take a look at this article for export/search options of admin audit logs:
http://technet.microsoft.com/en-us/library/ff459262.aspx

I'm not aware that storing those logs in Event Viewer is possible. Well, XML files are text files with a special format.

Do you know where that XML file sits?

"The procedure in that section sends an XML file as an e-mail attachment to the recipients you specify"
from the previous link.
Sorry, I cannot find where Exchange Server stores the source log files. But anyway, I also never needed that information.
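
An added example, not written by any poster in this thread: one way to turn the exported admin audit log XML discussed above into tab-separated text lines that a log parser can ingest, keeping only cmdlets that map to items 1, 2 and 4 of the question. The XML layout (`SearchResults`/`Event`/`CmdletParameters`), the cmdlet watch list and the sample data are assumptions, not taken from the thread.

```python
import xml.etree.ElementTree as ET

# Assumed watch list: cmdlets that correspond to events listed in the question.
WATCHED = {
    "New-Mailbox": "mailbox-created", "Enable-Mailbox": "mailbox-created",
    "Remove-Mailbox": "mailbox-deleted", "Disable-Mailbox": "mailbox-deleted",
    "Add-MailboxPermission": "permission-changed",
    "Remove-MailboxPermission": "permission-changed",
}

# Constructed sample export; names, dates and the layout itself are assumptions.
SAMPLE = """<SearchResults>
  <Event Caller="corp.example/Users/admin1" Cmdlet="Add-MailboxPermission"
         ObjectModified="corp.example/Users/alice" RunDate="2011-03-01T10:15:00"
         Succeeded="true" Error="None" OriginatingServer="EX01">
    <CmdletParameters>
      <Parameter Name="Identity" Value="alice" />
      <Parameter Name="User" Value="admin1" />
      <Parameter Name="AccessRights" Value="FullAccess" />
    </CmdletParameters>
  </Event>
  <Event Caller="corp.example/Users/admin2" Cmdlet="Set-Mailbox"
         ObjectModified="corp.example/Users/bob" RunDate="2011-03-01T11:00:00"
         Succeeded="true" Error="None" OriginatingServer="EX01" />
  <Event Caller="corp.example/Users/admin2" Cmdlet="Remove-Mailbox"
         ObjectModified="corp.example/Users/carol" RunDate="2011-03-02T08:30:00"
         Succeeded="false" Error="Access denied" OriginatingServer="EX01" />
</SearchResults>"""

def clean(value):
    """Collapse tabs/newlines so a field cannot split or forge a record."""
    return " ".join((value or "").split())

def audit_lines(xml_text):
    """Return one tab-separated line per watched cmdlet in the export."""
    lines = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        kind = WATCHED.get(ev.get("Cmdlet", ""))
        if kind is None:
            continue  # cmdlet is not on the watch list
        params = ";".join(f"{clean(p.get('Name'))}={clean(p.get('Value'))}"
                          for p in ev.iter("Parameter"))
        status = "ok" if ev.get("Succeeded", "").lower() == "true" else "failed"
        fields = [ev.get("RunDate"), kind, ev.get("Cmdlet"), ev.get("Caller"),
                  ev.get("ObjectModified"), status, params]
        lines.append("\t".join(clean(f) for f in fields))
    return lines

if __name__ == "__main__":
    print("\n".join(audit_lines(SAMPLE)))
```

Failed attempts are kept and marked `failed`, since a denied `Remove-Mailbox` is as relevant to monitoring as a successful one.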