Configuring Exchange server for auditing

Diagnostic Logging should be configured in Exchange Server to gain access to mailbox logon reports for advanced auditing. Upon configuration, the mailbox logon events are recorded in the Application Log in Event Viewer and can then be used to generate mailbox logon-related reports. This topic explains the procedure to set the diagnostic logging levels using the Exchange Management Shell and Exchange Management Console.

• Use Exchange System Manager to set the logging levels

• Use Exchange Management Shell to set the logging levels (or)
• Use Exchange Management Console to set the logging levels (only for 2007 and 2010)

Use Exchange System Manager to configure Exchange Server 2003

1. Open System Manager from Start → All Programs → Microsoft Exchange.
2. In the console tree, expand First Administrative Group → First Administrative Group → Servers.
3. Right-click on the server and select Properties.
4. On the Properties window, go to the Diagnostic logging tab.
5. Under Services, select MSExchangeIS → Mailbox.
6. Under Categories, select Logons and select Maximum in Logging level option.
7. Click on OK.
   
8. On configuring, all the available data from the event logs will be fetched. If there is no data in the event logs, please wait for the desired audit event and event collection to happen.
   

Use Exchange Management Shell to configure Exchange Server 2007 and above

1. Open Exchange Management Shell from Start → Programs → Microsoft Exchange.
2. Run the following command: Set-EventLogLevel "MSExchangeIS\9000 Private\Logons" –Level Expert
3. On configuring, all the available data from the event logs will be fetched. If there is no data in the event logs, please wait for the desired audit event and event collection to happen.

(OR)

Use Exchange Management Console to configure Exchange Server 2007 and 2010

1. Open Exchange Management Console from Start → All Programs → Microsoft Exchange.
2. In the console tree, navigate to Server configuration → Mailbox
3. Right-click on the server and select Manage Diagnostic Logging Properties.
   
4. On the Manage Diagnostic Logging Properties wizard page, expand MSExchangeIS → 9000 Private and select Logons service.
5. Set the logging level as Expert.
6. Click on Configure.
   

Note: In Exchange Server 2007, Exchange Management Console can be used for SP2 or later. For SP1 and earlier versions, use the Exchange Management Shell.

On configuring, all the available data from the event logs will be fetched. If there is no data in the event logs, please wait for the desired audit event and event collection to happen.