Solved

exchange Auditing job for a school

Posted on 2014-11-16
5
101 Views
Last Modified: 2014-11-20
We have got a very strange request from one of the school principals in our area.
They suspect the IT team is reading their confidential information and would like us to come in and check logs on the server to see where OWA has been accessed from.
Just briefly testing this inhouse on our own Exchange 2010 environment we have been unable to figure out how to gather these logs. Security tab in event viewer has a million audit logs, so how do we achieve this??

Server in question Exchange 2010
Mode of access used is possibly - Outlook or OWA (but it would only be logical to use OWA)

and yes, IT team knows their passwords but we have explained them that even if they didn't, they could access their EMAILS anyway
0
Comment
Question by:manav08
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 19

Assisted Solution

by:suriyaehnop
suriyaehnop earned 200 total points
ID: 40446687
If you have Exchnage 2010, you're little bit lucky. Exchange 2010 has audit function. However, the user's audit was disable by default.

Administrator audit also has to be enabled.

http://exchangeserverpro.com/exchange-2010-mailbox-audit-logging/

http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/administrator-audit-logging-part1.html
0
 
LVL 12

Expert Comment

by:SreRaj
ID: 40446700
Hi,

If you are having Exchange Server 2010 SP1, then you could use Mailbox Audit Logging feature available. Using this, you could turn on audit logging for a mailbox and check logging events using Powershell. You could track events like an admin/owner/delegate accessing a mailbox and carrying out activities like message read, delete, sendas, delete, etc.

To enable auditing, you need to run the following Powershell cmdlet  from Exchange Management Shell.

Set-Mailbox <Mailbox Name> -AuditEnabled $True

You could search audit logs using the following cmdlet.

Search-MailboxAuditLog <Mailbox Name> -LogonTypes Owner -ShowDetails

Also, audit logs can be accessed from Exchange Control Panel (ECP). After logging into ECP, select 'Manage My Organization' -> Roles & Auditing -> 'Run a Non-Owner Mailbox Access Report'

Please refer following article for more information.

http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/auditing-mailbox-access.html

If you want to find IP Address from which OWA connections are made, then you should be looking in IIS logs in Client Access Servers. Open IIS Manager in CAS Server. Go to Sites-> Default Web Site -> IIS -> Logging. Default path for IIS logs is C:\inetpub\logs\LogFiles\W3SVC1.
0
 
LVL 11

Author Comment

by:manav08
ID: 40446786
So guys, let me get this right - By Default, audit login is not turned on in Exchange 2010, but I turn it on at the mailbox level by typing command "Set-Mailbox <Mailbox Name> -AuditEnabled $True" ??

And we will not see anything in ECP until audt logging is enabled??

@Sreraj -

You say "If you want to find IP Address from which OWA connections are made, then you should be looking in IIS logs in Client Access Servers. Open IIS Manager in CAS Server. Go to Sites-> Default Web Site -> IIS -> Logging. Default path for IIS logs is C:\inetpub\logs\LogFiles\W3SVC1"

Would the logs here tell us just that owa was accessed or even which user account they accessed via OWA??
0
 
LVL 12

Accepted Solution

by:
SreRaj earned 300 total points
ID: 40446805
Yes, Mailbox Audit Logging is not enabled by default. You have to turn it on for a particular mailbox. Once you turn it on, then you can see audit log events in ECP.

Regarding logs, it will give you information like date-time, username, ip address for each user connection. But IIS logs could be cumbersome as it contains ActiveSync access data as well and based on the number of users hitting CAS Server, log file could be huge. You could use tools like Log Parser to interpret the IIS Logs. Please refer 'Read IIS Logs' section in the following article.

http://msexchangeguru.com/2012/02/01/exchange-activesync/
0
 
LVL 11

Author Closing Comment

by:manav08
ID: 40456096
Thank You
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question