Configuring Security

Auditing, Protocol Logging, and Message Tracking

Exchange 2000 Server provides three types of logging: audit logging, protocol logging, and message tracking. Each serves a different purpose, and each has a cost in performance or in exposure of message data that you should weigh before enabling it.

Audit Logging

Use audit logs to audit access to mailboxes and to track how individual users use the messaging system. Auditing occurs through the Information Store. Audit logs are secured, and they are not intended as a source of server performance statistics. Turning on auditing can have a major impact on service and server performance, so audit only the objects and event categories you actually need to review.

To enable auditing, select the types of auditing you want in the Windows 2000 Group Policy Microsoft Management Console (MMC) snap-in. In Group Policy, click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click Audit Policy. You can audit the success or failure of each event category: for example, access to Exchange objects such as mailbox stores, public folder stores, and the Information Store; account management; policy changes on your system; and other categories. For more information, see the Windows 2000 documentation.

Each object in Active Directory carries a set of security information called a security descriptor. The security descriptor defines who can access the object and describes the type of access permitted (for example, Read or Delete). The security descriptor also contains auditing information, so you can audit who accesses an object and how it is accessed, such as Read Permissions or Delete. To start auditing the use of an object, open its Properties, click the Security tab, click Advanced, click the Auditing tab in the Access Control Settings for object_name dialog box, and then set the auditing options. Auditing entries on an object generate events only if the matching audit policy (for directory objects, Audit directory service access) is enabled; without it the entries are silently ignored. The audits are written to the security log, which you can view in the Windows 2000 Event Viewer. The entries that appear in the security log depend on the type of auditing you selected, and show the action performed on the object, the user account that performed it, and the date and time of the action.

Protocol Logging

Use protocol logging for troubleshooting; it is not meant to be a source for statistical reporting. Enabling protocol logging can decrease service and system performance substantially, so enable it on the virtual server you are investigating and turn it off when you are done. You can enable protocol logging for each of these protocols: SMTP, NNTP, and HTTP.

By enabling protocol logging, you can track the commands a virtual server receives from clients. You set the logging properties on the virtual server associated with each messaging transport protocol, including the log file format and, for the W3C Extended format, which fields are recorded. For each command logged, you can see the client's IP address, the client's domain name, the date and time, the number of bytes sent, and the protocol command itself. Correlated with the Windows 2000 event logs, the protocol log lets you detect and trace problems, for example a remote host that repeatedly fails recipient checks or a client whose sessions never complete.
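As an added example (not part of the original documentation), the following Python script parses an SMTP virtual server protocol log written in W3C Extended format and summarises, per client IP, the commands received, the bytes the client sent, and the number of rejected RCPT commands, which is the pattern a directory-harvest attack leaves. The log lines are constructed, and the field selection, host names and addresses in them are assumptions; the parser reads the #Fields: directive so it works with whatever fields you selected on the virtual server.

```python
"""Summarise an Exchange 2000 SMTP virtual server protocol log (W3C Extended).

Added example, not from the original documentation. The log below is constructed
and uses one possible field selection; the parser takes field names from the
'#Fields:' directive instead of assuming positions.
"""

# Constructed sample: one normal delivery from 192.0.2.10, then a client at
# 198.51.100.7 that probes several addresses and is refused (550) on most of them.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-14 09:12:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-query sc-status sc-bytes cs-bytes time-taken cs-version
2001-05-14 09:12:01 192.0.2.10 mail.example.net SMTPSVC1 EXCH01 10.0.0.5 25 EHLO +mail.example.net 250 221 21 0 SMTP
2001-05-14 09:12:01 192.0.2.10 mail.example.net SMTPSVC1 EXCH01 10.0.0.5 25 MAIL +FROM:<carol@example.net> 250 44 33 0 SMTP
2001-05-14 09:12:02 192.0.2.10 mail.example.net SMTPSVC1 EXCH01 10.0.0.5 25 RCPT +TO:<alice@example.com> 250 39 31 0 SMTP
2001-05-14 09:12:02 192.0.2.10 mail.example.net SMTPSVC1 EXCH01 10.0.0.5 25 DATA <0a1b@mail.example.net> 250 120 2048 0 SMTP
2001-05-14 09:12:03 192.0.2.10 mail.example.net SMTPSVC1 EXCH01 10.0.0.5 25 QUIT mail.example.net 221 54 4 0 SMTP
2001-05-14 09:15:10 198.51.100.7 x SMTPSVC1 EXCH01 10.0.0.5 25 EHLO +x 250 221 8 0 SMTP
2001-05-14 09:15:10 198.51.100.7 x SMTPSVC1 EXCH01 10.0.0.5 25 MAIL +FROM:<> 250 44 14 0 SMTP
2001-05-14 09:15:11 198.51.100.7 x SMTPSVC1 EXCH01 10.0.0.5 25 RCPT +TO:<aaron@example.com> 550 51 31 0 SMTP
2001-05-14 09:15:11 198.51.100.7 x SMTPSVC1 EXCH01 10.0.0.5 25 RCPT +TO:<abby@example.com> 550 51 30 0 SMTP
2001-05-14 09:15:12 198.51.100.7 x SMTPSVC1 EXCH01 10.0.0.5 25 RCPT +TO:<abel@example.com> 550 51 30 0 SMTP
2001-05-14 09:15:12 198.51.100.7 x SMTPSVC1 EXCH01 10.0.0.5 25 RCPT +TO:<alice@example.com> 250 39 31 0 SMTP
2001-05-14 09:15:13 198.51.100.7 x SMTPSVC1 EXCH01 10.0.0.5 25 RSET - 250 40 6 0 SMTP
2001-05-14 09:15:13 198.51.100.7 x SMTPSVC1 EXCH01 10.0.0.5 25 QUIT x 221 54 4 0 SMTP
"""


def parse_w3c_log(text):
    """Return one dict per record, keyed by the names in the '#Fields:' directive.

    Lines starting with '#' are directives; data fields are space-separated and
    '-' stands for an empty value. A data line with the wrong field count is a
    parse error rather than something to guess at.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line found before the #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError("expected %d fields, got %d: %r" % (len(fields), len(values), line))
        records.append(dict(zip(fields, values)))
    return records


def summarize_clients(records):
    """Per client IP: the EHLO name it gave, commands issued, bytes sent (cs-bytes)
    and RCPT commands the server rejected with a 5xx reply."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["c-ip"], {"ehlo_name": r["cs-username"],
                                           "commands": 0, "cs_bytes": 0,
                                           "rcpt_rejected": 0})
        s["commands"] += 1
        s["cs_bytes"] += int(r["cs-bytes"])
        if r["cs-method"] == "RCPT" and r["sc-status"].startswith("5"):
            s["rcpt_rejected"] += 1
    return summary


def flag_harvesters(summary, threshold=3):
    """Client IPs whose rejected RCPT count reaches the threshold. Repeated
    rejections from one source are consistent with recipient enumeration."""
    return sorted(ip for ip, s in summary.items() if s["rcpt_rejected"] >= threshold)


if __name__ == "__main__":
    clients = summarize_clients(parse_w3c_log(SAMPLE_LOG))
    for ip, s in sorted(clients.items()):
        print("%-14s ehlo=%-18s cmds=%2d bytes=%5d rejected_rcpt=%d"
              % (ip, s["ehlo_name"], s["commands"], s["cs_bytes"], s["rcpt_rejected"]))
    print("suspect:", flag_harvesters(clients))
```

The threshold is deliberately low for the sample; on a real relay, pick it from what a normal partner host produces over a day, and correlate flagged IPs with the time stamps in the Windows 2000 event logs before blocking anything.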

Message Tracking

Use the Message Tracking Center to track the flow and status of messages in Exchange. Message tracking is a troubleshooting tool, but unlike protocol logging it can also be used for statistical reporting and to locate a message in the system. By default, message tracking and statistical reporting are turned off.

Message tracking logs are stored in the Exchsrvr\servername.log directory, which Exchange shares as servername.log, and contain information about the sender, the time the message was sent or received, the message size and priority, and the message recipients. You can also enable subject logging so that messages can be tracked by subject. However, the message tracking log files and the shares on which they are located can be read by everyone in the domain. Therefore, if you enable subject logging, everyone in the domain can read the subject of any message sent to, from, or through a server for which subject logging is enabled. Note that the sender, recipient, and size information is exposed the same way even when subject logging is off. To prevent this, restrict access on the Security tab (the NTFS permissions) of the shared folder's properties, replacing the entry Everyone with entries for all the Exchange administrators. Do not modify or remove the other existing entries. Exchange does not maintain the new Exchange administrator entries; you must maintain them manually whenever the set of administrators changes.
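As an added example (not code from the original documentation), the following Python script reads a message tracking log, traces one message by its MSGID the way the Message Tracking Center does, totals bytes per sender for statistical reporting, and lists the subjects that subject logging has written to the file. The sample log is constructed: the column subset, event IDs, addresses and subjects in it are assumptions, so the parser takes column names from the header line rather than hard-coding positions.

```python
"""Parse an Exchange 2000 message tracking log and trace a message by its MSGID.

Added example, not from the original documentation. The sample log is
constructed: its column subset, event IDs and values are assumptions for
illustration, which is why the parser reads column names from the header line.
"""

# Assumed column subset for the constructed sample (tab-separated in the file).
COLUMNS = ["Date", "Time", "client-ip", "Client-hostname", "Server-hostname",
           "Recipient-Address", "Event-ID", "MSGID", "Priority", "total-bytes",
           "Number-Recipients", "Message-Subject", "Sender-Address"]


def _rec(*cols):
    """Join one constructed record's columns with tabs."""
    return "\t".join(cols)


# Constructed sample: one local message with three events and one inbound
# message to two recipients. '-' means not applicable. Event IDs are placeholders.
SAMPLE_LOG = "\n".join([
    "# Message Tracking Log File",
    "# Exchange System Attendant Version 6.0.4417.0",
    "# " + "\t".join(COLUMNS),
    _rec("2001-5-14", "9:12:33 GMT", "10.0.0.25", "WKS01", "EXCH01", "alice@example.com",
         "1019", "<a1@exch01.example.com>", "1", "2048", "1", "Q3 payroll figures", "bob@example.com"),
    _rec("2001-5-14", "9:12:33 GMT", "10.0.0.25", "WKS01", "EXCH01", "alice@example.com",
         "1025", "<a1@exch01.example.com>", "1", "2048", "1", "Q3 payroll figures", "bob@example.com"),
    _rec("2001-5-14", "9:12:34 GMT", "10.0.0.25", "WKS01", "EXCH01", "alice@example.com",
         "1028", "<a1@exch01.example.com>", "1", "2048", "1", "Q3 payroll figures", "bob@example.com"),
    _rec("2001-5-14", "9:15:02 GMT", "192.0.2.10", "mail.example.net", "EXCH01", "-",
         "1019", "<b2@mail.example.net>", "0", "5120", "2", "Invoice 4471", "carol@example.net"),
    _rec("2001-5-14", "9:15:03 GMT", "192.0.2.10", "mail.example.net", "EXCH01", "alice@example.com",
         "1028", "<b2@mail.example.net>", "0", "5120", "2", "Invoice 4471", "carol@example.net"),
    _rec("2001-5-14", "9:15:03 GMT", "192.0.2.10", "mail.example.net", "EXCH01", "dave@example.com",
         "1028", "<b2@mail.example.net>", "0", "5120", "2", "Invoice 4471", "carol@example.net"),
]) + "\n"


def parse_tracking_log(text):
    """Return one dict per record.

    Column names are taken from the comment line that contains tabs (the
    header); other '#' comment lines are ignored. A record whose column count
    does not match the header is rejected rather than misaligned.
    """
    columns = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if "\t" in line:
                columns = line.lstrip("#").strip().split("\t")
            continue
        if columns is None:
            raise ValueError("record found before the column header line")
        values = line.split("\t")
        if len(values) != len(columns):
            raise ValueError("expected %d columns, got %d: %r" % (len(columns), len(values), line))
        records.append(dict(zip(columns, values)))
    return records


def trace_message(records, msgid):
    """Events recorded for one message, in log order, as (Event-ID, Recipient-Address).
    This is the per-message history the Message Tracking Center displays."""
    return [(r["Event-ID"], r["Recipient-Address"]) for r in records if r["MSGID"] == msgid]


def logged_subjects(records):
    """Distinct subjects present in the log. A non-empty result means subject
    logging is on, and anyone who can read the share can read these."""
    return sorted({r["Message-Subject"] for r in records
                   if r["Message-Subject"] not in ("", "-")})


def bytes_by_sender(records):
    """Total bytes submitted per sender, counting each MSGID once even though
    one message produces several tracking events."""
    seen = set()
    totals = {}
    for r in records:
        if r["MSGID"] in seen:
            continue
        seen.add(r["MSGID"])
        totals[r["Sender-Address"]] = totals.get(r["Sender-Address"], 0) + int(r["total-bytes"])
    return totals


if __name__ == "__main__":
    recs = parse_tracking_log(SAMPLE_LOG)
    for event, rcpt in trace_message(recs, "<a1@exch01.example.com>"):
        print("event", event, "recipient", rcpt)
    print("bytes by sender:", bytes_by_sender(recs))
    print("subjects readable from the share:", logged_subjects(recs))
```

Run it against a copy of a log taken from the servername.log share while logged on with an ordinary domain account: if the copy succeeds at all, the share is still readable by everyone, and if logged_subjects returns anything, subject logging is on and the permissions described above have not yet been tightened.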

Related Topics

Set Advanced Permissions
Enable Logging for SMTP, NNTP, and HTTP Protocols
Use the Message Tracking Center
Enable Message Tracking
Windows 2000 Security