?
Solved

SEND AS Auditing - Exchange 2007

Posted on 2015-01-09
5
Medium Priority
?
170 Views
Last Modified: 2015-01-12
Set logging level to Expert for SEND AS on my exchange mailbox servers.

Idea is that we need to be able to log whenever a user does a SEND AS operation from a shared mailbox to which they have access, in case we ever need to trace the email sent.

Anyway, following server reboot, it works but:-

1) Its in the application event log - I would have expected the Exchange Audting event log?
2) Most of the entries say /cn="username" sent a message as /cn=Microsoft private mdb. What is that and how do I determine which mailbox the email was sent from?
0
Comment
Question by:paul williams
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 24

Accepted Solution

by:
VB ITS earned 2000 total points
ID: 40541677
You need to enable auditing for Extended Send As and not Send As for what you want to achieve. Also, there is no need to restart the server when you change the auditing level, just restart the Microsoft Exchange Information Store service.

Once you've enabled Extended Send As auditing, you should start seeing entries for Event ID 10106 in the Exchange Auditing log when an email is sent from another user. The fact that you enabled Send As auditing and not Extended Send As auditing may explain why you're experiencing the above.

Here's what a sample Send As audit log entry looks like:

Log name: Exchange Auditing
Source: MSExchangeIS Auditing
Date: <date>
Event ID: 10106
Task Category: Send As
Level: Information
Keywords: Classic
Description: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserB sent a message as /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserA
Message Id: <BA15978123F9C848B820A8C5C1DC29B5038E9D50@Server.Contoso.com>
Mailbox: UserB
Account Name: CONTOSO\UserB
Accessing User: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserB
Mailbox:<NULL>
Administrative Rights: false
Identifier: 00000000317A7130
Client Information (if Available)
Machine Name: <ClientName>
Address: <IP Address>
Process Name: OUTLOOK.EXE
Process Id: 0
Application Id: N/A

Open in new window

Have a look at the Extended Send As Auditing section in this link for more information: http://technet.microsoft.com/en-us/library/ee221156(v=exchg.80).aspx
0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 40543484
In theory, it works ok, but in management, it is very painful because of the logs and information overload.
If you can't survive the painful process, upgrade to the latest exchange as it has better audit tracking ability.
0
 

Author Comment

by:paul williams
ID: 40544050
Thanks. Bit confusing that you need to enable extended send as and not just send as.

So what does send as do then?

Our exchange servers get rebooted overnight anyway which solves this problem.
0
 

Author Comment

by:paul williams
ID: 40544051
But yes we are evenually upgrading as well.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40544100
Thanks. Bit confusing that you need to enable extended send as and not just send as.

So what does send as do then?
Can't really tell you to be honest as all of Microsoft's documentation along with other articles from reputable websites state to use Extended Send As auditing.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Suggested Courses
Course of the Month9 days, 22 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question