manav08
asked on
exchange Auditing job for a school
We have got a very strange request from one of the school principals in our area.
They suspect the IT team is reading their confidential information and would like us to come in and check logs on the server to see where OWA has been accessed from.
Just briefly testing this in-house on our own Exchange 2010 environment, we have been unable to figure out how to gather these logs. The Security tab in Event Viewer has a million audit logs, so how do we achieve this??
Server in question Exchange 2010
Mode of access used is possibly - Outlook or OWA (but it would only be logical to use OWA)
And yes, the IT team knows their passwords, but we have explained to them that even if they didn't, they could access their EMAILS anyway.
ASKER
So guys, let me get this right - By Default, audit login is not turned on in Exchange 2010, but I turn it on at the mailbox level by typing command "Set-Mailbox <Mailbox Name> -AuditEnabled $True" ??
And we will not see anything in ECP until audit logging is enabled??
@Sreraj -
You say "If you want to find IP Address from which OWA connections are made, then you should be looking in IIS logs in Client Access Servers. Open IIS Manager in CAS Server. Go to Sites-> Default Web Site -> IIS -> Logging. Default path for IIS logs is C:\inetpub\logs\LogFiles\W3SVC1"
Would the logs here tell us just that owa was accessed or even which user account they accessed via OWA??
ASKER
Thank You
If you have Exchange Server 2010 SP1, then you could use the Mailbox Audit Logging feature. Using this, you could turn on audit logging for a mailbox and check logging events using PowerShell. You could track events like an admin/owner/delegate accessing a mailbox and carrying out activities like message read, delete, sendas, delete, etc.
To enable auditing, you need to run the following PowerShell cmdlet from the Exchange Management Shell.
Set-Mailbox <Mailbox Name> -AuditEnabled $True
You could search audit logs using the following cmdlet.
Search-MailboxAuditLog <Mailbox Name> -LogonTypes Owner -ShowDetails
Also, audit logs can be accessed from Exchange Control Panel (ECP). After logging into ECP, select 'Manage My Organization' -> Roles & Auditing -> 'Run a Non-Owner Mailbox Access Report'
Please refer to the following article for more information.
http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/auditing-mailbox-access.html
If you want to find IP Address from which OWA connections are made, then you should be looking in IIS logs in Client Access Servers. Open IIS Manager in CAS Server. Go to Sites-> Default Web Site -> IIS -> Logging. Default path for IIS logs is C:\inetpub\logs\LogFiles\W
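The IIS-log check described in the answer above, as an added example that is not part of the original post: a PowerShell function that reads W3C log lines and lists which account reached /owa from which client IP. It assumes the log carries a `#Fields:` header that includes `cs-uri-stem`, `cs-username` and `c-ip`; the function name `Get-OwaAccessSummary` is hypothetical and the sample lines are constructed.

```powershell
# Added example (not from the original post); the helper name is hypothetical.
# Summarises OWA requests per authenticated account and client IP.
function Get-OwaAccessSummary {
    param([string[]]$Lines)
    $fields = @()
    $hits = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Take the column order from the log's own header.
            $fields = ($line -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }  # malformed row
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # Keep OWA requests that carry an authenticated user name.
        if ($row['cs-uri-stem'] -like '/owa*' -and $row['cs-username'] -ne '-') {
            New-Object PSObject -Property @{
                User = $row['cs-username']; ClientIP = $row['c-ip']
                # IIS writes W3C log timestamps in UTC.
                Time = [datetime]"$($row['date']) $($row['time'])"
            }
        }
    }
    $hits | Group-Object User, ClientIP | ForEach-Object {
        $t = @($_.Group | Sort-Object Time)
        New-Object PSObject -Property @{
            User = $t[0].User; ClientIP = $t[0].ClientIP; Requests = $_.Count
            FirstUtc = $t[0].Time; LastUtc = $t[-1].Time
        }
    }
}

# Constructed sample lines; on the CAS, pass Get-Content of the real log file.
$sample = @(
    '#Software: Microsoft Internet Information Services 7.5'
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken'
    '2013-05-02 08:15:01 192.0.2.10 GET /owa/ - 443 SCHOOL\principal 192.0.2.21 Mozilla/5.0 200 0 0 125'
    '2013-05-02 08:15:09 192.0.2.10 POST /owa/ev.owa - 443 SCHOOL\principal 192.0.2.21 Mozilla/5.0 200 0 0 93'
    '2013-05-02 19:42:11 192.0.2.10 GET /owa/auth/logon.aspx - 443 - 192.0.2.77 Mozilla/5.0 200 0 0 15'
    '2013-05-02 19:42:30 192.0.2.10 GET /owa/ - 443 SCHOOL\principal 192.0.2.77 Mozilla/5.0 200 0 0 140'
    '2013-05-02 19:50:02 192.0.2.10 POST /ews/exchange.asmx - 443 SCHOOL\itadmin 192.0.2.30 MSRPC 200 0 0 31'
)
Get-OwaAccessSummary -Lines $sample | Sort-Object User, ClientIP |
    Format-Table User, ClientIP, Requests, FirstUtc, LastUtc -AutoSize
```

`cs-username` is the account that authenticated, so a session opened with the principal's password appears under the principal's name; the client IP and time are what set such a session apart from the principal's own.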