Processing Exchange-Related Logs
Using InTrust, you can collect and report on audit data related to Microsoft Exchange Server.
The following Exchange Server versions are supported:
- 2019
- 2016
- 2013 Service Pack 1
- 2013
Table 1: List of Third-Party Contributions
CA for Exchange log |
InTrust supports auditing and SSRS reporting workflow for this type of log out of the box. |
This log is written by Change Auditor for Exchange. |
Exchange Tracking log |
Minor additional InTrust configuration is required, as described in Collecting Exchange Tracking Log Data, and no SSRS reports are provided for this type of log. |
There are several types of Tracking log:
- MSGTRK
Transport service events.
- lMSGTRKMA
Approvals and rejections used by moderated transport
- MSGTRKMD
Information about messages delivered to mailboxes by the Mailbox Transport Delivery service.
- MSGTRKMS
Information about messages sent from mailboxes by the Mailbox Transport Submission service.
- InTrust can currently gather only MSGTRK logs.
|
Collecting CA for Exchange Log Data
The CA for Exchange log is made available by Change Auditor for Exchange agents on Exchange servers. InTrust provides a preconfigured workflow for collecting this type of log and reporting on the data.
To work with CA for Exchange log data
- In InTrust Manager, locate the predefined Exchange-related tasks:
-
Auditing Exchange Servers: Daily Gathering
-
Auditing Exchange Servers: Ad-Hoc Reporting for the Last 24 Hours
-
Auditing Exchange Servers: Daily Reporting
-
Auditing Exchange Servers: Weekly Reporting
- Make copies of the tasks that best fit your needs. In your new tasks, adjust the settings of the jobs as necessary. For example, you may want to change the set of reports or report delivery method.
- Configure and enable the schedules of the tasks.
- Commit your changes.
Collecting Exchange Tracking Log Data
InTrust does not provide a ready-made set of configuration objects for gathering and reporting on Exchange Tracking log data. However, the core components for creating this workflow are available, and only a few configuration steps are required.
To work with Tracking log data
- In InTrust Manager, create a data source that will represent the Tracking log:
- Right-click Quest InTrust Manager | Configuration | Data Sources and select New Data Source.
- On the Select Data Source Type step of the New Data Source Wizard, select Microsoft Exchange Events.
- Specify the name and optionally a description of the data source and complete the wizard.
- Adjust the predefined site that contains Exchange servers:
- Open the properties of the Quest InTrust Manager | Configuration | Sites | Microsoft Windows Network | Auditing Exchange Servers: Exchange Servers site.
- On the Objectstab, specify your Exchange servers.
- Create a gathering policy that will configure how the Tracking log is handled:
- Right-click Quest InTrust Manager | Configuration | Gathering | Gathering Policies | Microsoft Windows Network and select New Policy.
- On the Data Sources step of the Add Data Source Wizard specify the data source you have created.
- Follow the remaining steps and configure the data source options as necessary.
- Set up a task that will specify what to do with Tracking log data:
- Create the task. For that, right-click Quest InTrust Manager | Workflow| Tasks and select New Task and complete the steps.
- Right-click the newly-created task and select New Job.
- On the Job Type step of the New Job Wizard, select Gathering.
- On the Select Policy step, select the gathering policy you have created.
- On the Select Site step, select Auditing Exchange Servers: Exchange Servers.
- On the Data Stores step, make sure you gather to a repository.
- Complete the steps.
- Enable the schedule for your task if you haven't already done so.
- Commit your changes.
The procedure above implements a minimal workflow required to get the Tracking log data into a data store. You can make further improvements to it as necessary: tweak gathering and filtering settings, enable notifications, configure data consolidation and cleanup, and so on.
To analyze the resulting Tracking log data, use Repository Viewer.
Further Reading
If you need more information about InTrust workflows and configuration, refer to the following topics: