
Change Auditor for Exchange 7.2 - User Guide

Exchange Searches and Reports


Change Auditor delivers both preconfigured and customizable reports displaying events from Exchange servers in one centralized viewer. Change Auditor for Exchange provides two subsystems related to Exchange auditing:

The Exchange subsystem is used for administration, searching and reporting on the Exchange events contained in the following facilities:
The Office 365 subsystem is used for administration, searching and reporting on events contained in the following facilities:

Run the All Exchange Events report

Running this report retrieves the Exchange events captured on all Exchange servers hosting a Change Auditor agent.

In the explorer view (left pane), expand the Shared | Built-in | All Events folder.
Locate and double-click All Exchange Events.
NOTE: To retrieve the Exchange events captured over the last 24 hours, use the All Exchange Events in the last 24 hours report under the Shared | Built-In | Recommended Best Practice | Exchange folder.

Create custom Exchange searches

Selecting the Private folder creates a search that only you can run and view, whereas selecting the Shared folder creates a search which can be run and viewed by all Change Auditor users.
Click New to enable the Search Properties tabs across the bottom of the Searches page.
On the What tab, expand Add and click Subsystem | Exchange to display the Add Exchange Container dialog.
NOTE: You can use Add with Events | Subsystem | Exchange to search for an entity that already has an event associated with it in the database.
All Exchange Objects - select to include all objects. (Default when Add is used.)
This Object - select to include the selected objects only. (Default when Add With Events is used.)
This Object and Child Objects Only - select to include the selected objects and its direct child objects.
This Object and All Child Objects - select to include the selected objects and all subordinate objects (in all levels).
Members of this group - select this option to show changes made to users in a specified group. Nested groups are not supported.
By default, All Actions is selected meaning that all the activity associated with the object generates an audited event. However, you can clear the All Actions option and select individual options. The options available are:
All Actions - select to include when any of the following actions occur (Default)
Add Attribute - select to include when an attribute is added
Delete Attribute - select to include when an attribute is deleted
Modify Attribute - select to include when an attribute is modified
Rename Object - select to include when an object is renamed
Add Object - select to include when an object is added
Delete Object - select to include when an object is deleted
Move Object - select to include when an object is moved
Other - select to include other types of activity against the selected object
By default, All Transports is selected indicating that all Exchange events regardless of the transport protocol used are included in the search. However, you can clear the All Transports option and select individual options. The transport options available are:
All Transports - select to include Exchange events regardless of the transport protocol used (Default)
All Transports - select to include LDAP operations or LDAP queries regardless of the transport protocol used (Default)
SSL/TLS - select to include LDAP operations or LDAP queries that are secured using SSL or TLS technology
Kerberos - select to include LDAP operations or LDAP queries that are signed using Kerberos-based encryption
Simple Bind - select to include LDAP operations or LDAP queries that are secured using simple bind authentication (neither SSL/TLS nor Kerberos used)
Port - select to identify a specific port used for communication
NOTE: When you clear the All Transports check box and select both the SSL/TLS and Kerberos check boxes, only AD queries using both of these transport protocols will be included in the search results.
When a scope other than All Exchange Objects is selected, the directory object picker is enabled to select the objects to include in the search definition.
You can also select Import Objects to import a .csv (comma separated value) file containing a list of directory objects. Using this list, you can specify object names and optional values for the search criteria. You can use the * wildcard character to match any string of zero or more characters when specifying the Name values.

Name (Required)
The name of the directory object to import. Name values must be specified in canonical name format.
Column: Name

Actions (Optional)
Possible values include: Add Attribute, Delete Attribute, Modify Attribute, Rename Object, Add Object, Delete Object, Move Object or Other.
When specifying multiple values, they must be separated by the pipe character '|'.
Columns: Name,Actions

Transports
Possible values include SSL/TLS, Kerberos or Simple Bind.
When specifying multiple values, they must be separated by the pipe character '|'.
Columns: Name,Actions,Transports

Port
The number of the required port.
Columns: Name,Actions,Transports,Port
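An added example, not part of this guide or of Change Auditor itself: a pre-import check for the object list file described above, so that a mistyped action or transport value is caught before the search scope is built from it. It assumes the first row is a header made of the column names shown above, treats a leading CN=/OU=/DC= as a sign that a distinguished name was supplied instead of a canonical name, and assumes ports fall in 1-65535; the object names in the sample are constructed.

```python
import csv
import io
import re

# Allowed values as listed in this guide's import-column descriptions.
ACTIONS = {"Add Attribute", "Delete Attribute", "Modify Attribute", "Rename Object",
           "Add Object", "Delete Object", "Move Object", "Other"}
TRANSPORTS = {"SSL/TLS", "Kerberos", "Simple Bind"}
COLUMNS = ["Name", "Actions", "Transports", "Port"]
DN_PREFIX = re.compile(r"^(CN|OU|DC)=", re.I)  # heuristic (assumption): DN, not canonical name

def validate_import(text):
    """Return a list of (line_number, message) problems found in the CSV text."""
    problems = []
    reader = csv.reader(io.StringIO(text))
    header = [h.strip() for h in next(reader, [])]
    # Assumption: the header row is a prefix of Name,Actions,Transports,Port.
    if not header or header != COLUMNS[:len(header)]:
        return [(1, "header must be a prefix of " + ",".join(COLUMNS))]
    for row in reader:
        line = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        rec = dict(zip(header, (c.strip() for c in row)))
        name = rec.get("Name", "")
        if not name:
            problems.append((line, "Name is required"))
        elif DN_PREFIX.match(name):
            problems.append((line, "Name looks like a distinguished name, not a canonical name"))
        for col, allowed in (("Actions", ACTIONS), ("Transports", TRANSPORTS)):
            # Multiple values are separated by the pipe character.
            for value in filter(None, (v.strip() for v in rec.get(col, "").split("|"))):
                if value not in allowed:
                    problems.append((line, f"unknown {col} value: {value!r}"))
        port = rec.get("Port", "")
        if port and not (port.isdecimal() and 1 <= int(port) <= 65535):
            problems.append((line, f"Port is not a valid port number: {port!r}"))
    return problems

# Constructed sample input (object names are made up for illustration).
SAMPLE = """Name,Actions,Transports,Port
example.com/Microsoft Exchange/*admin*,Modify Attribute|Delete Object,SSL/TLS,636
"CN=Mailbox1,OU=Users,DC=example,DC=com",Add Object,,
example.com/Users/Alice,Modify|Other,Kerberos|LDAPS,70000
"""

if __name__ == "__main__":
    for line, msg in validate_import(SAMPLE):
        print(f"line {line}: {msg}")
```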



NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all Exchange containers except those listed in the ‘what’ list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for an Exchange container every time the search is run.
Selecting the Private folder creates a search that only you can run and view, whereas selecting the Shared folder creates a search which can be run and viewed by all Change Auditor users.
Click New at the top of the Searches page to activate the Search Properties tabs across the bottom of the Searches page.
On the What tab, expand Add and click Subsystem | Exchange.
Use the * wildcard character to match any string of zero or more characters. For example: LIKE *admin* finds Exchange objects that contain ‘admin’ anywhere in their name.
Click Add to add the wildcard expression to the Selected Objects list box at the bottom of the dialog.
After entering the wildcard expression to use, click OK to close the dialog and add the wildcard expression to the ‘What’ list.

