Mailbox Access Auditing and Message Access
Folks, I work for a large organization (>30,000 active mailboxes), and we are looking at implementing mailbox access audit logging on our Exchange 2007 SP2 servers. We've implemented this in our stage environment (before we put it on the production clusters) and I'm seeing some interesting results. While we see the exact folders that are being accessed, the information we are seeing about message access is less than ideal. We see a message that says (roughly), "The message <4833f0b9-4cb9-448f-b876-7fec2e6000b5@serverFQDN> in Mailbox MailboxName was opened by user DOMAIN\userlogonname". I have tried to search for this message ID in message tracking but can not find it. How do I determine what message this is without opening the mailbox and checking each message in the specified folder? Thanks ... Will Martin
November 8th, 2010 1:13pm

Hi Willard Martin, If you do not found the email from the tracking log, the log maybe deleted already. Per my known, there is no other way to check the email message unless you access the special mailbox. So I would suggest that if you usually check it, it is better not backup all the tracking log and use it. Regards! Gavin
Free Windows Admin Tool Kit Click here and download it now
November 9th, 2010 5:08am

The message tracking logs show the message ID on the hub server. The ID I'm seeing in the audit logs is the message ID on the mailbox server, which looks to be very different. As for the message tracking log being missing, we did these tests all in one day and none of the logs were removed at that time. So while you might be right, I seriously doubt it. Thanks, Gavin ...
November 10th, 2010 1:06pm

Hi Willard Martin, It sounds odd, per my known, the meessage id would be the internet message id, they should same. Could you please confirm that the message which is open is the same message which you search in the trackinglog again. Best regards! Gavin
Free Windows Admin Tool Kit Click here and download it now
November 11th, 2010 1:35am

The message I have opened should be in the message tracking logs, yes. But in the message tracking logs, the message ID references the Hub Server, which on the mailbox server, the message IDs reference the mailbox servers (in the system I am checking). So yes, I am copying the message ID from the Message Access Logs into the Message Tracking Search - and I am finding nothing ...
November 15th, 2010 10:47am

Hi Willard Martin, I have do some local test and could not reproduce the issue your referred, in my test lab everything work well. When you search the email trough the message tracking tool according to the message id, you should use this formate as below: 4833f0b9-4cb9-448f-b876-7fec2e6000b5@serverFQDN not just the 4833f0b9-4cb9-448f-b876-7fec2e6000b5 Regards! Gavin
Free Windows Admin Tool Kit Click here and download it now
November 16th, 2010 2:18am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics