Change Auditor for Exchange 6.9.5 - Event Reference Guide

Introduction

Change Auditor for Exchange simplifies the audit process by tracking the activities taking place in your entire Exchange environment and providing real-time, detailed alerts about vital changes that occur. Continually being in the know helps you prove compliance, drive security, and improve uptime while proactively auditing changes to Exchange Server configurations and performance.

ActiveSync is a feature of Exchange Server that synchronizes data between mobile devices and Exchange mailboxes. Change Auditor for Exchange allows you to audit mobile devices that use the Microsoft ActiveSync for Exchange 2010, 2013, and 2016 interfaces to access email, calendar, contacts, and tasks on their organization’s Microsoft Exchange Server. A new Exchange ActiveSync Monitoring facility has been added to Change Auditor to organize these new events; however, all the new ActiveSync events are included in the existing Exchange subsystem for searching and reporting.

Change Auditor for Exchange also allows you to audit the activities taking place in the Office 365 Exchange Online organization. For details, see the Change Auditor for Office 365 and Azure Active Directory Auditing User Guide and the Change Auditor for Office 365 and Azure Active Directory Auditing Event Reference Guide.

In addition to real-time event auditing, you can also enable event logging to capture Exchange events locally in a Windows event log. These event logs can then be collected using InTrust to satisfy long-term storage requirements.

This guide lists the events captured by Change Auditor for Exchange. Separate event reference guides are available that list the core Change Auditor events (when any Change Auditor license is applied) and the events captured when the different auditing modules are licensed.





Change Auditor for Exchange Events

This section lists the audited events specific to Change Auditor for Exchange. It also lists each event’s corresponding severity setting and the Exchange versions supported. Audited events are listed in alphabetical order by facility:

 

 





Exchange ActiveSync Monitoring

ActiveSync Autodiscover command executed

Occurs when the ActiveSync ‘Autodiscover’ command is executed by a mobile device to get configuration information for a user mailbox. (Disabled by default)

Low

ActiveSync Create Collection command executed

Occurs when a mobile device creates a folder in a mailbox.

Medium

ActiveSync Delete Collection command executed

Occurs when a mobile device deletes a folder in a mailbox.

NOTE: This command is deprecated in ActiveSync 12.0 (and up) but is still supported by Exchange Server. It indicates an early (Exchange 2003) version of ActiveSync is in use by the device.

Medium

ActiveSync Folder Create command executed

Occurs when a mobile device user tries to create a folder in the mailbox.

Medium

ActiveSync Folder Delete command executed

Occurs when a mobile device tries to delete a folder in the mailbox.

Medium

ActiveSync Folder Sync (initial) command executed

Typically occurs shortly after a Provision command when a device is attaching to the Exchange Server, or when synchronization needs to be reset. This event is a variation of the Folder Sync event in which the requested synchronization key is zero, indicating that the entire contents of the specified folder are requested.

Medium

ActiveSync Folder Sync command executed

Occurs when a mobile device requests an update of the mailbox folder hierarchy, typically when a folder has been added, removed, moved or renamed from another mail client.

Medium

ActiveSync Folder Update command executed

Created when a mobile device tries to rename a folder in the mailbox.

Medium

ActiveSync Get Hierarchy command executed

Occurs when a mobile device requests the folder tree for a mailbox.

Medium

ActiveSync Get Item Estimate command executed

Occurs when a mobile device requests the approximate number of items in a mailbox folder that have to be synchronized.

Medium

ActiveSync Item Operations command executed

Occurs when a mobile device attempts to empty a folder, move a conversation, or fetch a message item’s contents.

Medium

ActiveSync Meeting Response command executed

Occurs when a mobile device user responds to a meeting request.

Medium

ActiveSync Move Collection command executed

Occurs when a mobile device moves a folder in a mailbox.

Medium

ActiveSync Move Items command executed

Occurs when a mobile device user moves message items from one folder to another in the mailbox.

NOTE: When the destination is the Deleted items folder, the Sync command will be used instead of the Move Items command.

Medium

ActiveSync Ping command executed

Occurs when the client needs to determine if a Sync or Folder Sync is required in the user mailbox. It is sent frequently and does not indicate anything except that the mobile device is connected and alive. (Disabled by default)

Low

ActiveSync Provision command executed

Typically occurs as the first command executed by a new mobile device attempting to attach to an Exchange Server mailbox, or when an error has occurred in synchronization requiring a reset of the synchronization process.

High

ActiveSync Remote Wipe failed

Occurs when a mobile device acknowledges a Remote Wipe command but is unable or unwilling to comply. Typically, the Exchange administrator will remove the mobile device partnership after the Remote Wipe command completes.

High

ActiveSync Remote Wipe requested

Occurs when an Exchange administrator requests a remote wipe (factory reset, clearing all user data) of a mobile device.

High

ActiveSync Remote Wipe successful

Occurs when a mobile device acknowledges a Remote Wipe command and begins cleaning user data. Typically, the Exchange administrator will remove the mobile device partnership after the Remote Wipe command completes.

High

ActiveSync Resolve Recipients command executed

Occurs when the mobile client requests free/busy information on one or more recipients. It may also be used to request S/MIME certificates so that encrypted S/MIME email can be sent.

Medium

ActiveSync Search command executed

Occurs when the mobile client wants to find entries in an address book or mailbox.

Medium

ActiveSync Send Mail command executed

Occurs when a mobile device user sends an email.

Medium

ActiveSync Settings command executed

Occurs when a mobile device performs one of the following tasks:

Medium

ActiveSync Smart Forward command executed

Occurs when the mobile device forwards a message without retrieving the full contents of the message from the server.

Medium

ActiveSync Smart Reply command executed

Occurs when the mobile device replies to a message without retrieving the full contents of the message from the server.

Medium

ActiveSync Sync (initial) command executed

Typically occurs shortly after a Provision command when a mobile device is attaching to the Exchange Server, or when synchronization needs to be reset. This event is a variation of the Sync event in which the requested synchronization key is zero, indicating that the entire contents of the specified mailbox (other than folders) are requested.

Medium

ActiveSync Sync command executed

Occurs when a mobile device sends or attempts to get mailbox item (other than folder) changes from the Exchange Server.

Medium

ActiveSync Validate Certificate command executed

Occurs when a mobile device attempts to validate a certificate that has been received in an S/MIME email message.

Medium





Exchange Administrative Group

Database Availability Group Added

Created when a Database Availability Group (DAG) is created in Active Directory.

Medium

Database Availability Group Removed

Created when a Database Availability Group (DAG) is removed from Active Directory.

Medium

Database Availability Group Renamed

Created when a Database Availability Group (DAG) is renamed in Active Directory.

Medium

Database Availability Group Witness Directory Changed

Created when the witness directory is changed for a Database Availability Group (DAG).

Medium

Database Availability Group Witness Server Changed

Created when the witness server is changed for a Database Availability Group (DAG).

Medium

Mailbox Store Dismounted

Created when the Mailbox Store is dismounted.

For more information, see Note 1.

For more information, see Note 14.

High

Mailbox Store Mounted

Created when the Mailbox Store is mounted.

For more information, see Note 1.

For more information, see Note 14.

High

Public Store Dismounted

Created when the Public Store is dismounted.

For more information, see Note 1.

For more information, see Note 14.

High

Public Store Mounted

Created when the Public Store is mounted.

For more information, see Note 1.

For more information, see Note 14.

High

