[2010][Mailbox Audit] Retrieving Item Information

  • Question

  • Hello fellow Forum dwellers,

    I've recently been tasked with building an automated Mailbox audit report system. It gathers audit reports from Mailboxes and sends a report. That's simple enough, however I have now been requested to add information to the report that is not contained in the Mailbox Audit data. Specifically: Sender, Recipient and Time Received.

    Simple enough, I thought, but apparently I was wrong: I've tried the Message Tracking Log and EWS MA (2.2 against Exchange 2010 SP3), but neither will give me IDs that match the Item ID from the Mailbox Audit. The closest match I got was from EWS Items, the IDs in WebClientReadFormQueryString, but it's still different.

    Using Subject is out, because it's not necessarily unique.

    Any ideas/suggestions on how to do this?

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Monday, October 13, 2014 9:01 AM

All replies

  • Hi FWN,

    Here is info about Mailbox auditing: http://technet.microsoft.com/en-us/library/ff459237(v=exchg.141).aspx

    This is disabled by default and you will have to enable it for each mailbox you wish to audit.

    When it's enabled you can export the results to either a .txt or .csv file with the following command:

    Search-MailboxAuditLog -Identity user1@domain.com -LogonTypes Delegate -StartDate 8/15/2014 -EndDate 9/15/2015 -ShowDetails | Out-File C:\AuditLog.txt

    Hope this helps


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    Monday, October 13, 2014 11:05 AM
  • Hi Guys,

    First of all, Ronny:
    I already have access to MessageTrackingLogs as I mentioned, so I'm afraid this is of no help. The leading log is the Mailbox Audit and the identifiers are not compatible, so I cannot directly associate to specific items in the tracking logs (though that would have been my favorite method).

    @Off2Work:
    As I mentioned, Mailbox Auditing is working flawlessly. It's associating it to a specific item in the tracking logs or Mailbox Store where I'm having some trouble.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Monday, October 13, 2014 11:35 AM
  • Hi,

    Please have a look at the script below.

    Before using the script, enable mailbox auditing for the Exchange mailboxes, otherwise it will give you blank output. Then change the recipient, sender and mail server addresses in the script as per your environment. If you want to adjust the date range you can change that as well.

    Command to enable the mailbox audit:

    Set-Mailbox -Identity "user3" -AuditEnabled $true

    Script for mailbox auditing in Exchange 2010:

    # Inline CSS for the HTML report table
    $a = "<style>"
    $a = $a + "BODY{font-family: Verdana, Arial, Helvetica, sans-serif;font-size:15;color: #000000}"
    $a = $a + "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
    $a = $a + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color: #D2B48C}"
    $a = $a + "TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color: #FFEFD5}"
    $a = $a + "</style>"
    $b = "<H2> Mailbox Audit For <br /> EXCHANGE USERS (user3,user4,user6) </H2>"
    # Audit entries from the last 24 hours, rendered as an HTML table
    $body = Search-MailboxAuditLog -StartDate ((Get-Date).AddHours(-24)) -EndDate (Get-Date) -ShowDetails | Select-Object Operation,MailboxResolvedOwnerName,LogonUserDisplayName,LastAccessed,OperationResult,LogonType,SourceItemSubjectsList | ConvertTo-Html -Head $a -Body $b
    # Mail the report; replace the addresses and SMTP server with your own
    Send-MailMessage -To "user2@abc.com", "user1@abc.com" -From "nithya@abc.com" `
                                  -Subject "Exchange Audit Mailbox Report" -SmtpServer "mail.abc.com" -Body `
                                  ($body | Out-String) -BodyAsHtml


    Mailbox audit script task schedule command:

    -PSConsoleFile "E:\Program Files\Microsoft\Exchange Server\V14\Bin\exshell.psc1" -Command ". 'C:\Script\AuditReport\mailauditreport.ps1'"

    Please feel free to reply if you have any queries.

    Regards

    S.Nithyanandham


    Thanks S.Nithyanandham

    Monday, October 13, 2014 12:29 PM
  • Hi Nithyanandham,

    While your simple script would work for sending a default Mailbox Audit, it does not address my issue. I already know how to do an audit and it works just fine.

    What I am after is combining the audit result with other data of the Item in question. The problem is that the Audit Result does not provide me with a unique identifier by which I can get a Tracking Log or EWS Item which would contain the additional information.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Monday, October 13, 2014 12:41 PM
  • Hi ,

    Really sorry, I have no idea what you are trying to achieve.

    Regards

    S.Nithyanandham


    Thanks S.Nithyanandham

    Monday, October 13, 2014 12:51 PM
  • Hi Nithyanandham,

    I'm trying to add Sender, Recipient and Time Received as properties. Neither is provided by the Mailbox Audit.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Monday, October 13, 2014 12:59 PM
  • Hi ,

    If I am not mistaken, you are speaking about adding parameters in the mailbox audit.

    Please have a look at the pages below, which tell you the parameters that can be included in Search-MailboxAuditLog and New-MailboxAuditLogSearch.

    http://technet.microsoft.com/en-us/library/ff522360(v=exchg.150).aspx -> Search-MailboxAuditLog

    http://technet.microsoft.com/en-in/library/ff522362(v=exchg.150).aspx -> New-MailboxAuditLogSearch

    As additional info, please have a look at the following blog, which tells you the output you get when using the -ShowDetails parameter with Search-MailboxAuditLog. It also includes the fix for SourceItemSubjectsList and SourceItemFolderPathNamesList being blank.

    http://exchangeserverpro.com/tracking-mailbox-owner-deletes-using-mailbox-audit-logging/

    Regards

    S.Nithyanandham

    Thanks S.Nithyanandham


    Monday, October 13, 2014 1:27 PM
  • Hi Nithyanandham,

    no, I'm not talking about adding parameters. I've retrieved all the information Search-MailboxAuditLog will give me. I want to add information not given by that command.

    I know how to retrieve items using EWS, I know how to get the Message Tracking Log. Where I am struggling is combining the data in a reliable way. Subject is not reliable, item ID would be ... if they were using the same ID, which they are not.

    Thanks for your efforts, I really appreciate it, but I'm afraid this is a bit more complex an issue than that.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Monday, October 13, 2014 2:05 PM
    The ItemId format used in EMS is generally the OWAId, so you should be able to use ConvertId to convert from an OWAId to the EWSId (the only problem I've had in the past is you need to make sure you urlencode it). You should be able to test this using the EWSEditor.

    Cheers
    Glen

    Tuesday, October 14, 2014 3:36 AM
  • Hi Glen,

    thanks a lot for pointing me towards ConvertId. Works like a charm when the item in question has been moved. However, whenever I try to convert the OWA item ID from an Audit result where the item was MovedToDeletedItems, PowerShell throws an ErrorCorruptData ServiceResponseException. Urlencoding it will work in that the errors stop, but I still don't get the correct Item ID.

    Using EWS Editor, I can inspect the item and convert between its Ews ID and its Owa ID as presented in the WebClientReadFormQueryString property.

    Irritatingly enough, I noticed that the item ID (not merely the ChangeKey) changes when the item is MovedToDeletedItems. This precludes using the message Tracking Logs.

    Did I miss anything? Any ideas on how to proceed? Cause I sure am stumped :(

    Cheers and thanks,
    Fred


    There's no place like 127.0.0.1

    Tuesday, October 14, 2014 10:30 AM
    The ItemId in Exchange changes when items are moved between folders, and there is no history maintained on the items, so unless the audit log gives you the new Id you won't be able to track it using that Id.

    So you'll need to try some sort of correlation; here are a few ideas.

    You should have the Subject and DateTime of the operation from the Audit logs, so just search for the Item in the Retained Items with that Subject and LastModificationTime.

    One way of tracking it through the Tracking logs: if you look at the Tracking Logs on the Mailbox Role Server you should have a Submit event for when the Message arrived, which will give you the HexEntryId of the Item (when it was delivered to the Inbox), e.g.

    2014-04-25T01:13:52.771Z,fe80::c472:adcf:90b1:20e%22,GSEX2010DEV,,GSEX2010DEV,"MDB:06c16f00-a337-4306-b2a9-cd10dbb4d529, Mailbox:67f480e0-9841-400b-8389-780a59a01395, Event:6468, MessageClass:IPM.Note, CreationTime:2014-04-25T01:13:43.193Z, ClientType:OWA",,STOREDRIVER,SUBMIT,,<EA35E783C53E4A47B5701DCEA363080E0C1D0D5A@gsex2010dev.exdev2010.local>,,,,,,,test,gscales@exdev2010.local,,2014-04-25T01:13:43.193Z;LSRV=gsex2010dev.exdev2010.local:TOTAL=9|MSSN=1,,,,,S:ItemEntryId=00-00-00-00-13-66-3A-0A-DF-9D-34-43-9A-EB-A4-2E-42-6D-FB-58-07-00-EA-35-E7-83-C5-3E-4A-47-B5-70-1D-CE-A3-63-08-0E-00-00-00-E6-D7-85-00-00-EA-35-E7-83-C5-3E-4A-47-B5-70-1D-CE-A3-63-08-0E-00-00-0C-1D-0D-5D-00-0

    If you get rid of the dashes you have the HexEntryId (PR_EntryId) of the item, so you can either convert the ItemId you have to a HexEntryId or convert this to an EWSEntryId to try to find a match. Then if you need any more information you should be able to search the RetainedItems based on the InternetMessageId from the Tracking Logs. (This won't work if the Message has been moved to a folder other than the Inbox.)

    Cheers
    Glen

    • Marked as answer by FWN Wednesday, October 15, 2014 5:05 AM
    Wednesday, October 15, 2014 3:40 AM
  • Hi Glen,

    thanks a lot! I'll probably do these things:

    • Use Subject and LastModificationTime to search
    • Get the ItemEntryId as you described
    • Get valid subject-matches from the tracking log and present them all if the first two methods fail
    • Get valid subject-matches from the items in the destination folder if the first two methods fail

    Cheers and thanks again for the aid,
    Fred


    There's no place like 127.0.0.1

    Wednesday, October 15, 2014 5:14 AM
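Glen's two correlation ideas and Fred's fallback plan above, put into code as an added example that is not from the thread: it parses message tracking log rows, indexes SUBMIT events by the dash-stripped S:ItemEntryId (the HexEntryId), joins them to DELIVER events on message-id to recover sender, recipient and time received, and otherwise falls back to a subject plus time-window match that returns every candidate rather than picking one. The column positions, function names and sample rows are my assumptions (the rows are constructed to resemble the SUBMIT line Glen quoted), and the audit item's HexEntryId is assumed to have been obtained beforehand with ConvertId.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Column positions in a tracking log row (assumed Exchange 2010 order; check the '#Fields:' header of your logs).
DATE_TIME, EVENT_ID, MESSAGE_ID, RECIPIENT, SUBJECT, SENDER, CUSTOM_DATA = 0, 8, 10, 11, 17, 18, 25

def normalize_entry_id(value):
    """Dashed S:ItemEntryId from the log, or a PR_ENTRYID, -> plain upper-case hex (HexEntryId)."""
    return value.replace("-", "").strip().upper()

def _utc(stamp):
    """Parse a log/audit timestamp such as 2014-04-25T01:13:52.771Z (fraction optional)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)

def parse_tracking_log(text):
    """Index SUBMIT rows by HexEntryId and DELIVER rows by message-id; '#' header lines are skipped."""
    submits, delivers = {}, defaultdict(list)
    for row in csv.reader(line for line in text.splitlines() if line and not line.startswith("#")):
        if len(row) <= CUSTOM_DATA:
            continue  # row lacks the custom-data column, so there is no ItemEntryId to join on
        custom = dict(p.split("=", 1) for p in row[CUSTOM_DATA].split(";") if "=" in p)
        if row[EVENT_ID] == "SUBMIT" and "S:ItemEntryId" in custom:
            submits[normalize_entry_id(custom["S:ItemEntryId"])] = row
        elif row[EVENT_ID] == "DELIVER":
            delivers[row[MESSAGE_ID]].append(row)
    return submits, delivers

def correlate(hex_entry_id, subject, last_modified, submits, delivers, window=timedelta(hours=1)):
    """Sender/recipient/time-received hits for one audit record: exact join on HexEntryId first
    (SUBMIT -> DELIVER rows via message-id), else every same-subject SUBMIT within `window`,
    flagged exact=False so the report can show all candidates instead of guessing."""
    def hits(row, exact):
        return [{"exact": exact, "sender": row[SENDER], "message_id": row[MESSAGE_ID],
                 "recipient": d[RECIPIENT] if d else None, "received": d[DATE_TIME] if d else None}
                for d in (delivers.get(row[MESSAGE_ID]) or [None])]
    row = submits.get(normalize_entry_id(hex_entry_id))
    if row:
        return hits(row, True)
    return [h for row in submits.values()
            if row[SUBJECT] == subject and abs(_utc(last_modified) - _utc(row[DATE_TIME])) <= window
            for h in hits(row, False)]

# Constructed sample rows (not real data): the thread's SUBMIT line shortened, plus an invented DELIVER row.
SAMPLE_LOG = "\n".join([
    '2014-04-25T01:13:52.771Z,fe80::1,GSEX2010DEV,,GSEX2010DEV,"MDB:06c16f00, ClientType:OWA",,STOREDRIVER,SUBMIT,,<MSG1@gsex2010dev.exdev2010.local>,,,,,,,test,gscales@exdev2010.local,,2014-04-25T01:13:43.193Z,,,,,S:ItemEntryId=00-00-00-00-13-66-3A-0A-EA-35-E7-83',
    '2014-04-25T01:13:53.105Z,fe80::1,GSEX2010DEV,,GSEX2010DEV,MDB:06c16f00,,STOREDRIVER,DELIVER,,<MSG1@gsex2010dev.exdev2010.local>,fred@exdev2010.local,,1234,1,,,test,gscales@exdev2010.local,,,,,,,',
])
```

Pass the HexEntryId returned by ConvertId as the first argument and the audit record's LastAccessed timestamp formatted as ISO 8601 UTC; a hit with exact=False should be reported as a candidate, not as a confirmed match.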