Defining a Security Audit Policy
Defining a local audit policy in Windows Server is quite simple. Open Local Security Policy in Administrative Tools, expand the Local Policies node, and click Audit Policies.
To change an audit policy, simply double-click on the policy and check the box for when you want the audit to occur (Success, Failure, or both). Events generated by an audit policy appear in the Security event log.
Exchange Event Logging
Exchange Server 2010 generates two separate types of log entries to the event log: diagnostic logging and access auditing. In diagnostic logging, the events appear in the Application event log. In access auditing, the events appear in a new custom event log, which is named Application and Services Logs in the Exchange Auditing folder.
Both types of event logging may be viewed and set either from the Exchange Management Shell (EMS) or from the Exchange Management Console (EMC). In the case of the EMS, you will use the following two cmdlets:
Get-EventLogLevel This cmdlet allows you to access one or many of the levels set on the various logging items from any Exchange server in the organization (Exchange Server 2010).
Set-EventLogLevel This cmdlet allows you to set the value of a logging item on any Exchange server in the organization (Exchange Server 2010).
To view or set the values from the EMC, select a particular server from Microsoft Exchange On-Premises → Server Configuration and then click on Manage Diagnostic Logging Properties in the Actions pane (you can also right-click on the server and make this selection from the context menu).
Both types of event logging support a range of values. However, the meaning of that range differs between the two types of logging and will be discussed next.
Exchange Diagnostics Logging
Exchange Server 2010 enables you to view and modify the values of logging items from the EMC, but it's actually much easier to deal with from the EMS. In Table-7, you can see each item available for modification of its diagnostic logging level as well as its default level for logging.
The level of Lowest provides, as you might assume, the least level of logging available for a particular item. Most items have a default level of Lowest, but a few have a default level of Low. In Table-8, immediately following Table 29.7, we list five items where we recommend you might want to increase the default event level and what those items concern.
Each diagnostic logging item can have one of five documented values. Those values and their meanings are as follows:
Lowest (0) With a value of Lowest, the diagnostic logging item will produce the minimum amount of output possible for that item. Usually, this means that no output will be produced by that item in terms of Informational events, but that allWarning and Error events will still be generated.
Table-7: Exchange Server 2010 Diagnostics Logging Items and Their Default Event Level| Identity | Default Event Level |
|---|---|
| MSExchange ActiveSync\Requests | Lowest |
| MSExchange ActiveSync\Configuration | Lowest |
| MSExchange Antispam\General | Lowest |
| MSExchange Assistants\Assistants | Lowest |
| MSExchange Autodiscover\Core | Lowest |
| MSExchange Autodiscover\Web | Lowest |
| MSExchange Autodiscover\Provider | Lowest |
| MSExchange Availability\Availability Service | Lowest |
| MSExchange Availability\Availability Service General | Lowest |
| MSExchange Availability\Availability Service Authentication | Lowest |
| MSExchange Availability\Availability Service Authorization | Lowest |
| MSExchange Cluster\Move | Lowest |
| MSExchange Cluster\Upgrade | Lowest |
| MSExchange Cluster\Action | Lowest |
| MSExchange Common\General | Lowest |
| MSExchange Common\Configuration | Lowest |
| MSExchange Common\Logging | Lowest |
| MSExchange Configuration Cmdlet - Management Shell\General | Lowest |
| MSExchange Configuration Cmdlet - Management Shell\RBAC | Low |
| MSExchange Configuration Cmdlet - Remote Management\General | Lowest |
| MSExchange Configuration Cmdlet - Remote Management\RBAC | Lowest |
| MSExchange Configuration Cmdlet - Control Panel\General | Lowest |
| MSExchange Configuration Cmdlet - Control Panel\RBAC | Lowest |
| MSExchange Configuration Cmdlet - Management Web Service\General | Lowest |
| MSExchange Configuration Cmdlet - Management Web Service\RBAC | Lowest |
| MSExchange Configuration Cmdlet - Management Console\General | Lowest |
| MSExchange Configuration Cmdlet - Management Console\RBAC | Lowest |
| MSExchange Extensibility\Transport Address Book | Lowest |
| MSExchange Extensibility\MExRuntime | Lowest |
| MSExchange EdgeSync\Synchronization | Lowest |
| MSExchange EdgeSync\Topology | Lowest |
| MSExchange EdgeSync\SyncNow | Lowest |
| MSExchange TransportService\TransportService | Lowest |
| MSExchange Web Services\Core | Lowest |
| MSExchange IMAP4\General | Lowest |
| MSExchange Messaging Policies\Journaling | Lowest |
| MSExchange Messaging Policies\AttachFilter | Lowest |
| MSExchange Messaging Policies\AddressRewrite | Lowest |
| MSExchange Messaging Policies\Rules | Lowest |
| MSExchange Messaging Policies\Prelicensing | Lowest |
| MSExchange Messaging Policies\PolicyApplication | Lowest |
| MSExchange Messaging Policies\JournalReportDecryption | Lowest |
| MSExchange Messaging Policies\RightsManagement | Lowest |
| MSExchange Anti-spam Update\HygieneUpdate | Lowest |
| MSExchange Mailbox Replication\Service | Lowest |
| MSExchange Mailbox Replication\Mailbox Move | Lowest |
| MSExchange Management Application\Shell | Lowest |
| MSExchange Management Application\Console | Lowest |
| MSExchange Management Application\ProvisioningAgent | Lowest |
| MSExchange Management Application\ComponentInfoBasedTask | Lowest |
| MSExchange Management Application\AdminAuditLog | Lowest |
| MSExchange OWA\FormsRegistry | Lowest |
| MSExchange OWA\Core | Lowest |
| MSExchange OWA\Configuration | Lowest |
| MSExchange OWA\Themes | Lowest |
| MSExchange OWA\SmallIcons | Lowest |
| MSExchange OWA\Proxy | Lowest |
| MSExchange OWA\Transcoding | Lowest |
| MSExchange OWA\ADNotifications | Lowest |
| MSExchange OWA\InstantMessage | Lowest |
| MSExchange POP3\General | Lowest |
| MSExchange Process Manager\ProcessManager | Lowest |
| MSExchange Repl\Service | Lowest |
| MSExchange Repl\Exchange VSS Writer | Lowest |
| MSExchange Search Indexer\General | Lowest |
| MSExchange Search Indexer\Configuration | Lowest |
| MSExchange Store Driver\General | Lowest |
| MSExchange Store Driver\MeetingMessageProcessing | Lowest |
| MSExchange Store Driver\OofHistory | Lowest |
| MSExchange Store Driver\Approval | Lowest |
| MSExchange Store Driver\ContentAggregation | Lowest |
| MSExchange Topology\Topology Discovery | Lowest |
| MSExchange Unified Messaging\UMWorkerProcess | Lowest |
| MSExchange Unified Messaging\UMCore | Lowest |
| MSExchange Unified Messaging\UMManagement | Lowest |
| MSExchange Unified Messaging\UMService | Lowest |
| MSExchange Unified Messaging\UMClientAccess | Lowest |
| MSExchange Unified Messaging\UMCallData | Lowest |
| MSExchange Unified Messaging\MWI General | Lowest |
| MSExchange ADAccess\General | Lowest |
| MSExchange ADAccess\Cache | Lowest |
| MSExchange ADAccess\Topology | Low |
| MSExchange ADAccess\Configuration | Lowest |
| MSExchange ADAccess\LDAP | Lowest |
| MSExchange ADAccess\Validation | Low |
| MSExchange ADAccess\Recipient Update Service | Lowest |
| MSExchange ADAccess\Site Update | Lowest |
| MSExchange ADAccess\Exchange Topology | Lowest |
| MSExchange ADAccess\Statistics | Lowest |
| MSExchangeApplicationLogic\TextMessaging | Lowest |
| MSExchangeApplicationLogic\ServerPicker | Lowest |
| MSExchangeAL\Ldap Operations | Lowest |
| MSExchangeAL\Service Control | Lowest |
| MSExchangeAL\Attribute Mapping | Lowest |
| MSExchangeAL\Account Management | Lowest |
| MSExchangeAL\Address List Synchronization | Lowest |
| MSExchangeIS\9000 Private\Transport General | Lowest |
| MSExchangeIS\9000 Private\General | Lowest |
| MSExchangeIS\9000 Private\Transport Sending | Lowest |
| MSExchangeIS\9000 Private\Transport Delivering | Lowest |
| MSExchangeIS\9000 Private\Transfer Into Gateway | Lowest |
| MSExchangeIS\9000 Private\Transfer Out Of Gateway | Lowest |
| MSExchangeIS\9000 Private\MTA Connections | Lowest |
| MSExchangeIS\9000 Private\Logons | Lowest |
| MSExchangeIS\9000 Private\Access Control | Lowest |
| MSExchangeIS\9000 Private\Send On Behalf Of | Lowest |
| MSExchangeIS\9000 Private\Send As | Lowest |
| MSExchangeIS\9000 Private\Rules | Lowest |
| MSExchangeIS\9000 Private\Storage Limits | Lowest |
| MSExchangeIS\9000 Private\Background Cleanup | Lowest |
| MSExchangeIS\9000 Private\DS Synchronization | Lowest |
| MSExchangeIS\9000 Private\Views | Lowest |
| MSExchangeIS\9000 Private\Download | Lowest |
| MSExchangeIS\9000 Private\Local Replication | Lowest |
| MSExchangeIS\9001 Public\Transport General | Lowest |
| MSExchangeIS\9001 Public\General | Lowest |
| MSExchangeIS\9001 Public\Replication DS Updates | Lowest |
| MSExchangeIS\9001 Public\Replication Incoming Messages | Lowest |
| MSExchangeIS\9001 Public\Replication Outgoing Messages | Lowest |
| MSExchangeIS\9001 Public\Replication NDRs | Lowest |
| MSExchangeIS\9001 Public\Transport Sending | Lowest |
| MSExchangeIS\9001 Public\Transport Delivering | Lowest |
| MSExchangeIS\9001 Public\MTA Connections | Lowest |
| MSExchangeIS\9001 Public\Logons | Lowest |
| MSExchangeIS\9001 Public\Access Control | Lowest |
| MSExchangeIS\9001 Public\Send On Behalf Of | Lowest |
| MSExchangeIS\9001 Public\Send As | Lowest |
| MSExchangeIS\9001 Public\Rules | Lowest |
| MSExchangeIS\9001 Public\Storage Limits | Lowest |
| MSExchangeIS\9001 Public\Replication Site Folders | Lowest |
| MSExchangeIS\9001 Public\Replication Expiry | Lowest |
| MSExchangeIS\9001 Public\Replication Conflicts | Lowest |
| MSExchangeIS\9001 Public\Replication Backfill | Lowest |
| MSExchangeIS\9001 Public\Background Cleanup | Lowest |
| MSExchangeIS\9001 Public\Replication Errors | Lowest |
| MSExchangeIS\9001 Public\DS Synchronization | Lowest |
| MSExchangeIS\9001 Public\Views | Lowest |
| MSExchangeIS\9001 Public\Replication General | Lowest |
| MSExchangeIS\9001 Public\Download | Lowest |
| MSExchangeIS\9001 Public\Local Replication | Lowest |
| MSExchangeIS\9002 System\Recovery | Lowest |
| MSExchangeIS\9002 System\General | Lowest |
| MSExchangeIS\9002 System\Connections | Lowest |
| MSExchangeIS\9002 System\Table Cache | Lowest |
| MSExchangeIS\9002 System\Content Engine | Lowest |
| MSExchangeIS\9002 System\Performance Monitor | Lowest |
| MSExchangeIS\9002 System\Move Mailbox | Lowest |
| MSExchangeIS\9002 System\Download | Lowest |
| MSExchangeIS\9002 System\Virus Scanning | Lowest |
| MSExchangeIS\9002 System\Exchange Writer | Lowest |
| MSExchangeIS\9002 System\Backup Restore | Lowest |
| MSExchangeIS\9002 System\Client Monitoring | Lowest |
| MSExchangeIS\9002 System\Event History | Lowest |
| MSExchangeIS\9002 System\Database Storage Engine | Lowest |
| MSExchangeMailboxAssistants\Service | Lowest |
| MSExchangeMailboxAssistants\OOF Assistant | Lowest |
| MSExchangeMailboxAssistants\OOF Library | Lowest |
| MSExchangeMailboxAssistants\Resource Booking Attendant | Lowest |
| MSExchangeMailboxAssistants\Email_Lifecycle_Assistant | Lowest |
| MSExchangeMailboxAssistants\Junk Email Options Assistant | Lowest |
| MSExchangeMailboxAssistants\Conversations Assistant | Lowest |
| MSExchangeMailboxAssistants\Approval Assistant | Lowest |
| MSExchangeMailboxAssistants\FreeBusy Assistant | Lowest |
| MSExchangeMailboxAssistants\ELC Library | Lowest |
| MSExchangeMailSubmission\General | Lowest |
| MSExchangeMU\General | Lowest |
| MSExchangeSA\Clean Mailbox | Lowest |
| MSExchangeSA\OAL Generator | Lowest |
| MSExchangeSA\Proxy Generation | Lowest |
| MSExchangeSA\RPC Calls | Lowest |
| MSExchangeSA\RPC-HTTP Management | Lowest |
| MSExchangeTransport\SmtpReceive | Lowest |
| MSExchangeTransport\SmtpSend | Lowest |
| MSExchangeTransport\DSN | Lowest |
| MSExchangeTransport\Routing | Lowest |
| MSExchangeTransport\Logging | Lowest |
| MSExchangeTransport\Components | Lowest |
| MSExchangeTransport\RemoteDelivery | Lowest |
| MSExchangeTransport\Pickup | Lowest |
| MSExchangeTransport\Categorizer | Lowest |
| MSExchangeTransport\PoisonMessage | Lowest |
| MSExchangeTransport\MessageSecurity | Lowest |
| MSExchangeTransport\TransportService | Lowest |
| MSExchangeTransport\Exch50 | Lowest |
| MSExchangeTransport\Process | Lowest |
| MSExchangeTransport\ResourceManager | Lowest |
| MSExchangeTransport\Configuration | Lowest |
| MSExchangeTransport\Storage | Lowest |
| MSExchangeTransport\Agents | Lowest |
| MSExchangeTransport\Transport Address Book | Lowest |
| MSExchangeTransport\Orar | Lowest |
| MSExchangeTransport\ShadowRedundancy | Lowest |
| MSExchangeTransport\Approval | Lowest |
| MSExchangeTransport\TransportDumpster | Lowest |
| MSExchangeFDS\General | Lowest |
| MSExchangeFDS\FileReplication | Lowest |
| MSExchangeTransportSyncCommon\General | Lowest |
| MSExchangeTransportSyncManager\General | Lowest |
| MSExchangeTransportSyncWorker\General | Lowest |
| MSExchange OutlookProtectionRules\Outlook Protection Rules | Lowest |
| MSExchange Provisioning MailboxAssistant\Provisioning Assistant General | Lowest |
| MSExchangeThrottling\General | Lowest |
| MSExchangeThrottlingClient\General | Lowest |
Table-8: Some Diagnostic Logging Items to Increase from Default
| Item | Description |
|---|---|
| MSExchangeIS\9000 Private\Logons | Audits events relating to mailbox access |
| MSExchangeIS\9000 Private\Send As | Audits events relating to using the Send-As functionality of the Outlook client |
| MSExchangeIS\9000 Private\Send On Behalf Of | Audits events relating to using the Send-On-Behalf-Of functionality of the Outlook client |
| MSExchangeIS\9000 Private\Storage Limits | Audits events related to mailboxes exceeding their storage quotas |
| MSExchangeIS\9002 System\Move Mailbox | Audits events related to moving mailboxes between servers and mailbox databases |
Low (1) A value of Low indicates that additional warnings and errors may be generated by
the diagnostic logging item, plus some Informational details about the processing that occurs for that item.
You should always start your diagnostics with a level of Low and work up from there.
Medium (3) A value of Medium indicates that more detailed information should be reported than that with Low.
High (5) More detailed information is reported than with Medium. Also support information (often requested by Microsoft Customer Support Services) begins to be output at the level of High.
Expert (7) This level of information can be overwhelming with the modules that implement it. The information is rarely of use to anyone other than Microsoft Customer Support Services. Many modules may not implement the Expert level to produce more information over the High level.
Older versions of Microsoft Exchange Server also supported another value, Field Engineering (15), but that always had to be set using a Registry editing tool. It is likely that the level still exists. However, since it isn't documented, it isn't supported.
If you have increased the value of the logging level to assist in diagnosing a problem, you should always restore the value to the default when you are done in order to reduce the overall load on your Exchange server.
In this tutorial:
- Monitoring and Performance for Exchange Server
- Key Performance Monitor Counters
- Memory
- Processor
- Disk
- Disk Performance Counters
- Active Directory for Exchange Server
- Network
- MAPI
- Using System Center Operations Manager
- Modifying Management Pack Objects
- Event Logs
- Defining a Security Audit Policy
- Protocol and Connection Logs
- POP
- Send and Receive Logs