SEND AS Auditing - Exchange 2007

Posted on 2015-01-09
Last Modified: 2015-01-12
Set logging level to Expert for SEND AS on my Exchange mailbox servers.

Idea is that we need to be able to log whenever a user does a SEND AS operation from a shared mailbox to which they have access, in case we ever need to trace the email sent.

Anyway, following server reboot, it works but:-

1) It's in the application event log - I would have expected the Exchange Auditing event log?
2) Most of the entries say /cn="username" sent a message as /cn=Microsoft private mdb. What is that and how do I determine which mailbox the email was sent from?
Question by:paul williams
Accepted Solution

by:VB ITS
ID: 40541677
You need to enable auditing for Extended Send As and not Send As for what you want to achieve. Also, there is no need to restart the server when you change the auditing level, just restart the Microsoft Exchange Information Store service.

Once you've enabled Extended Send As auditing, you should start seeing entries for Event ID 10106 in the Exchange Auditing log when an email is sent from another user. The fact that you enabled Send As auditing and not Extended Send As auditing may explain why you're experiencing the above.

Here's what a sample Send As audit log entry looks like:

Log name: Exchange Auditing
Source: MSExchangeIS Auditing
Date: <date>
Event ID: 10106
Task Category: Send As
Level: Information
Keywords: Classic
Description: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserB sent a message as /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserA
Message Id: <BA15978123F9C848B820A8C5C1DC29B5038E9D50@Server.Contoso.com>
Mailbox: UserB
Account Name: CONTOSO\UserB
Accessing User: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserB
Mailbox:<NULL>
Administrative Rights: false
Identifier: 00000000317A7130
Client Information (if Available)
Machine Name: <ClientName>
Address: <IP Address>
Process Name: OUTLOOK.EXE
Process Id: 0
Application Id: N/A

Have a look at the Extended Send As Auditing section in this link for more information: http://technet.microsoft.com/en-us/library/ee221156(v=exchg.80).aspx
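
An added example (not part of the original answer or of Microsoft's documentation): a PowerShell function that extracts who sent as whom, plus the account, message ID and client details, from a 10106 description laid out like the sample above. The helper name ConvertFrom-SendAsAudit and the sample text are constructed for illustration, and the commented last lines assume the classic "Exchange Auditing" log is read on the mailbox server itself.

```powershell
# Added example, not from the original answer. ConvertFrom-SendAsAudit is a
# hypothetical helper name, not an Exchange cmdlet.
function ConvertFrom-SendAsAudit {
    param([Parameter(Mandatory = $true)][string]$Message)

    # Opening line: "<actor DN> sent a message as <target DN>"
    $head = [regex]::Match($Message,
        '(?im)^(?:Description:\s*)?(?<actor>/.+?) sent a message as (?<target>/.+?)\s*$')
    if (-not $head.Success) { return }   # not a Send As description

    # Collect "Label: value" lines; the first occurrence of a label wins,
    # so the populated "Mailbox:" line is kept over the later "Mailbox:<NULL>".
    $field = @{}
    $pairs = [regex]::Matches($Message, '(?m)^[ \t]*(?<k>[A-Za-z ]+?):[ \t]*(?<v>.*?)\s*$')
    foreach ($p in $pairs) {
        $k = $p.Groups['k'].Value
        if (-not $field.ContainsKey($k)) { $field[$k] = $p.Groups['v'].Value }
    }

    $actorDn  = $head.Groups['actor'].Value
    $targetDn = $head.Groups['target'].Value
    New-Object PSObject -Property @{
        Actor     = ($actorDn  -replace '^.*/cn=', '')   # last cn= component
        SentAs    = ($targetDn -replace '^.*/cn=', '')
        SentAsDn  = $targetDn
        Account   = $field['Account Name']
        MessageId = $field['Message Id']
        Machine   = $field['Machine Name']
        Process   = $field['Process Name']
    } | Select-Object Actor, SentAs, Account, MessageId, Machine, Process, SentAsDn
}

# Constructed sample, modelled on the entry shown in the answer
$sample = @'
/o=Example Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserB sent a message as /o=Example Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserA
Message Id: <constructed-id@server.example>
Mailbox: UserB
Account Name: EXAMPLE\UserB
Mailbox:<NULL>
Machine Name: CLIENT01
Process Name: OUTLOOK.EXE
'@
ConvertFrom-SendAsAudit -Message $sample | Format-List

# Against the live log (classic "Exchange Auditing" log, Event ID 10106):
# Get-EventLog -LogName 'Exchange Auditing' | Where-Object { $_.EventID -eq 10106 } |
#     ForEach-Object { ConvertFrom-SendAsAudit -Message $_.Message }
```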

Expert Comment

by:Jian An Lim
ID: 40543484
In theory, it works ok, but in management, it is very painful because of the logs and information overload.
If you can't survive the painful process, upgrade to the latest Exchange as it has better audit tracking ability.

Author Comment

by:paul williams
ID: 40544050
Thanks. Bit confusing that you need to enable extended send as and not just send as.

So what does send as do then?

Our Exchange servers get rebooted overnight anyway which solves this problem.

Author Comment

by:paul williams
ID: 40544051
But yes we are eventually upgrading as well.

Expert Comment

by:VB ITS
ID: 40544100
> Thanks. Bit confusing that you need to enable extended send as and not just send as.
>
> So what does send as do then?

Can't really tell you to be honest as all of Microsoft's documentation along with other articles from reputable websites state to use Extended Send As auditing.