
SEND AS Auditing - Exchange 2007

Set logging level to Expert for SEND AS on my Exchange mailbox servers.

Idea is that we need to be able to log whenever a user does a SEND AS operation from a shared mailbox to which they have access, in case we ever need to trace the email sent.

Anyway, following server reboot, it works but:-

1) It's in the application event log - I would have expected the Exchange Auditing event log?
2) Most of the entries say /cn="username" sent a message as /cn=Microsoft private mdb. What is that and how do I determine which mailbox the email was sent from?
Asked by: paul williams

VB ITS (Specialist Consultant) commented:
You need to enable auditing for Extended Send As and not Send As for what you want to achieve. Also, there is no need to restart the server when you change the auditing level, just restart the Microsoft Exchange Information Store service.

Once you've enabled Extended Send As auditing, you should start seeing entries for Event ID 10106 in the Exchange Auditing log when an email is sent from another user. The fact that you enabled Send As auditing and not Extended Send As auditing may explain why you're experiencing the above.

Here's what a sample Send As audit log entry looks like:

Log name: Exchange Auditing
Source: MSExchangeIS Auditing
Date: <date>
Event ID: 10106
Task Category: Send As
Level: Information
Keywords: Classic
Description: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserB sent a message as /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserA
Message Id: <BA15978123F9C848B820A8C5C1DC29B5038E9D50@Server.Contoso.com>
Mailbox: UserB
Account Name: CONTOSO\UserB
Accessing User: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserB
Mailbox:<NULL>
Administrative Rights: false
Identifier: 00000000317A7130
Client Information (if Available)
Machine Name: <ClientName>
Address: <IP Address>
Process Name: OUTLOOK.EXE
Process Id: 0
Application Id: N/A

Have a look at the Extended Send As Auditing section in this link for more information: http://technet.microsoft.com/en-us/library/ee221156(v=exchg.80).aspx
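
Added example, not from the thread or from Microsoft: a PowerShell function (2.0-compatible syntax) that reduces Event ID 10106 text like the sample entry above to sender, sent-as mailbox, account and message ID, so the mailbox a message was sent from can be traced. The helper name `ConvertFrom-SendAsAudit`, the `Unresolved` flag and the second sample entry are constructed for illustration.

```powershell
# Added example: parse Send As audit text (Event ID 10106) into objects.
function ConvertFrom-SendAsAudit {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Message
    )
    process {
        # "<actor legacyDN> sent a message as <target legacyDN>"
        $line = '(?m)^(?:Description:\s*)?(?<actor>/.+?) sent a message as (?<target>/.+?)\s*$'
        if ($Message -notmatch $line) { return }   # not a Send As entry
        $actorDn  = $Matches['actor']
        $targetDn = $Matches['target']

        $messageId = $null
        if ($Message -match '(?m)^Message Id:\s*(?<id>\S+)') { $messageId = $Matches['id'] }
        $account = $null
        if ($Message -match '(?m)^Account Name:\s*(?<acct>.+?)\s*$') { $account = $Matches['acct'] }

        New-Object PSObject -Property @{
            Sender      = $actorDn  -replace '^.*/cn=', ''   # last cn= component
            SentAs      = $targetDn -replace '^.*/cn=', ''
            AccountName = $account
            MessageId   = $messageId
            # True when the target is the store placeholder quoted in the question,
            # i.e. the entry does not name the shared mailbox.
            Unresolved  = ($targetDn -match '/cn=Microsoft private mdb$')
        }
    }
}

# Sample input: the first entry is taken from the sample above,
# the second is constructed in the shape quoted in the question.
$sample = @(
@'
/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserB sent a message as /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserA
Message Id: <BA15978123F9C848B820A8C5C1DC29B5038E9D50@Server.Contoso.com>
Account Name: CONTOSO\UserB
'@,
'/cn=UserC sent a message as /cn=Microsoft private mdb'
)
$sample | ConvertFrom-SendAsAudit |
    Format-Table Sender, SentAs, AccountName, Unresolved -AutoSize

# Live use on the mailbox server:
# Get-WinEvent -FilterHashtable @{ LogName = 'Exchange Auditing'; Id = 10106 } |
#     ForEach-Object { $_.Message } | ConvertFrom-SendAsAudit
```

The `MessageId` value can be matched against message tracking to find the actual message; rows with `Unresolved` set are the ones that do not identify the mailbox.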

Jian An Lim (Solutions Architect) commented:
In theory, it works OK, but in management, it is very painful because of the logs and information overload.
If you can't survive the painful process, upgrade to the latest Exchange as it has better audit tracking ability.

paul williams (Author) commented:
Thanks. Bit confusing that you need to enable extended send as and not just send as.

So what does send as do then?

Our Exchange servers get rebooted overnight anyway which solves this problem.

paul williams (Author) commented:
But yes, we are eventually upgrading as well.

VB ITS (Specialist Consultant) commented:
> Thanks. Bit confusing that you need to enable extended send as and not just send as.
>
> So what does send as do then?

Can't really tell you to be honest as all of Microsoft's documentation along with other articles from reputable websites state to use Extended Send As auditing.