0

Is it possible, using Logparser or similar, to report on Exchange 2003/2010 mailbox access from users who are not the mailbox owner?

The access might come from an Outlook client or OWA so I presume this would need a query for the IIS logs and also a query for the machine event logs?

Thanks

Danny

1 Answer

0

According to this article:

  • It appears the IIS logs will contain user information in the cs-username column. You can find failed attempts by looking for reason=2 in the cs-uri-query.

  • In the Security event log Event ID 4625 contains information about failed login attempts.

Given that it appears to be stored in both locations, the easiest solution may be to just use the Event Viewer and filter down to that specific Event ID.

Otherwise "select top 10 * from u_ex*.log where cs-uri-query like '%reason=2%'" would be your starting point for the logparser query against the IIS logs.

James Skemp
  • Thanks for the follow up. Part of the issue is that there may not be a failed login attempt. We're trying to identify instances of admin-type users abusing their positions unfortunately. – Danny Aug 21 '12 at 19:24
  • Ah, that sucks. If you post some anonymized IIS logs we might be able to see if there's a successful login stored. I haven't worked with Exchange Server logs, but if it stores the authenticated user, you might be able to parse out large amounts of activity. Or they might be crafty ... Yuck. – James Skemp Aug 22 '12 at 23:21
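Added example, not part of the original answer or comments: a Python sketch for the case raised in the comments, where the login succeeds and there is no reason=2 or Event ID 4625 to search for. It reads IIS W3C logs via their #Fields header and counts successful requests where cs-username differs from the mailbox named in cs-uri-stem. Assumptions: Exchange 2003 OWA paths look like /exchange/<mailbox>/..., Exchange 2010 paths for opening another mailbox look like /owa/<smtp-address>/..., the mailbox alias equals the account name, the function names are hypothetical, and the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed URL layouts (not taken from the original post):
EX2003_RE = re.compile(r"^/exchange/([^/]+)", re.I)       # /exchange/<mailbox>/...
EX2010_RE = re.compile(r"^/owa/([^/@]+@[^/]+)", re.I)     # /owa/<smtp-address>/...

def local_part(name):
    """Reduce DOMAIN\\user, user@domain or user to a lowercase account name."""
    name = name.lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]

def parse_w3c(lines):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def non_owner_access(lines):
    """Count (user, mailbox) pairs where an authenticated user hit another mailbox."""
    hits = Counter()
    for row in parse_w3c(lines):
        user = row.get("cs-username", "-")
        stem = unquote(row.get("cs-uri-stem", ""))
        m = EX2003_RE.match(stem) or EX2010_RE.match(stem)
        if user == "-" or not m or row.get("sc-status", "")[:1] not in ("2", "3"):
            continue                         # anonymous, non-mailbox URL, or failed request
        if local_part(user) != local_part(m.group(1)):
            hits[(local_part(user), local_part(m.group(1)))] += 1
    return hits

# Constructed sample log, not real data.
SAMPLE = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2012-08-21 09:00:01 GET /exchange/danny/Inbox/ - CORP\danny 10.0.0.5 200
2012-08-21 09:02:10 GET /exchange/ceo/Inbox/ - CORP\adm-bob 10.0.0.9 200
2012-08-21 09:02:15 PROPFIND /exchange/ceo/Inbox/ - CORP\adm-bob 10.0.0.9 207
2012-08-21 09:03:00 GET /owa/auth/logon.aspx reason=2 - 10.0.0.7 200
2012-08-21 09:04:00 GET /owa/ceo@example.com/ - CORP\adm-bob 10.0.0.9 200
2012-08-21 09:05:00 GET /owa/ - CORP\danny 10.0.0.5 200
""".splitlines()

if __name__ == "__main__":
    for (user, mailbox), n in non_owner_access(SAMPLE).most_common():
        print(f"{user} -> {mailbox}: {n} requests")
```

Legitimate delegates and shared mailboxes will also appear in the output, so the pairs need to be compared against known delegations. Access that does not put the mailbox name in the URL is not covered.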