Exchange 2010 Authentication Logs by IP Address

Is there a log file on Exchange 2010 that logs attempts and/or successful connections of users made to connect via Outlook client to Exchange? I have an IP address that was given to me, and I need to know if this workstation has had any communication with the Exchange server, and if it would be able to provide a username or other detailed information in order for me to track it down.

Thanks.
fireguy1125 Asked:

piattnd Commented:
Look at the Windows Security event log on the Exchange server. You can filter by date/time range and sometimes by user.
0
piattnd Commented:
To elaborate a bit more:

Every time your Outlook connects to the Exchange server, it passes credentials across to the server. These credentials are either manually typed into your Outlook account configuration, or it uses the current logged-on user credentials (typical for "on domain" Exchange).

Unfortunately for you, the built-in filtering of the event viewer is not too friendly for filtering out authentication events by user.

Logon type you're going to be looking for is logon type 3 (for network based logon).  I'd suggest narrowing down the results to the date range you want, then exporting your items.  You can use a log parser to take it from there.

Microsoft provides a log parser at this URL:

http://www.microsoft.com/en-us/download/details.aspx?id=24659

This guy goes into pretty good depth for queries using the log parsing tool:

http://www.stevebunting.org/udpd4n6/forensics/logparser.htm

Holler if you have any other questions or run into problems.  This should get you all the information it is you wish to know.
0
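The "export, then parse" step from the answer above, as an added example that is not part of the original thread or any poster's code. It assumes the Security log was exported as XML, that the events of interest are IDs 4624 and 4625 carrying the `LogonType`, `IpAddress`, `TargetUserName` and `TargetDomainName` fields, and it runs over constructed sample events; the function and variable names are hypothetical.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OUTCOME = {"4624": "success", "4625": "failure"}  # assumed IDs: logon / failed logon

def _event(event_id, when, user, logon_type, ip):  # one constructed event
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="TargetDomainName">EXAMPLE</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample export: users, times and addresses are made up.
SAMPLE_EXPORT = "".join([
    _event(4624, "2013-03-04T09:15:02Z", "jsmith", 3, "192.0.2.57"),
    _event(4624, "2013-03-04T09:15:10Z", "svc_backup", 3, "192.0.2.12"),
    _event(4625, "2013-03-04T09:14:40Z", "jsmith", 3, "::ffff:192.0.2.57"),
    _event(4624, "2013-03-04T09:20:00Z", "admin1", 10, "192.0.2.57"),  # not type 3
    _event(4624, "2013-03-04T09:25:00Z", "anon", 3, "-"),  # no address recorded
])

def _norm(ip):  # fold IPv4-mapped IPv6 to IPv4; None if the value is not an IP
    try:
        addr = ipaddress.ip_address((ip or "").strip())
    except ValueError:
        return None
    return getattr(addr, "ipv4_mapped", None) or addr

def network_logons_from_ip(export_xml, source_ip):
    """Return sorted (time, outcome, DOMAIN\\user) for type 3 logons from source_ip."""
    target = _norm(source_ip)
    if target is None:
        raise ValueError(f"not an IP address: {source_ip!r}")
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", export_xml)  # drop any XML declaration
    root = ET.fromstring(f"<Export>{body}</Export>")  # accept rootless event lists
    hits = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        event_id = ev.findtext("e:System/e:EventID", namespaces=NS)
        data = {d.get("Name"): d.text for d in ev.iterfind("e:EventData/e:Data", NS)}
        if (event_id not in OUTCOME or data.get("LogonType") != "3"
                or _norm(data.get("IpAddress")) != target):
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        user = f"{data.get('TargetDomainName')}\\{data.get('TargetUserName')}"
        hits.append((when, OUTCOME[event_id], user))
    return sorted(hits)
```

Calling `network_logons_from_ip(SAMPLE_EXPORT, "192.0.2.57")` returns the failed and the successful network logon for `EXAMPLE\jsmith`, in time order.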

piattnd Commented:
One other thing....

Because it's Exchange 2010, you'll need to make sure you're looking at the server that holds the correct role. If you're a smaller environment, you may only have 1 or 2 servers, so that won't be a big deal. I think the role you're trying to focus on here is the "Mailbox" role. If you were more worried about a mobile device, I'd say you'd need to look at the Client Access role (the event logs on the server that hosts that role, that is).
0
fireguy1125 Author Commented:
Thanks, didn't realize this was in Security Event Log, Log Parser really helpful.
0
piattnd Commented:
Hope that all worked out for you.  Thanks for the grade.
0