Hi, I am using Enterprise Vault Version 9 and have turned on Auditing features. I now need to access the audit logs so i can view any admin access. i.e. If User1 changes the access to User2's vault archive, i need to be able to view that change in a log. This is so the security manager can track anything the admins are changing in terms of account access. I have set up the Reports config to link into SQL server and it seems to being back some results but they are not searchable results. I am using the AuditViewer.exe to view the results as there does not seem to be any way of search via the SQL reports. Could someone please assist in pointing me in the right direction? Thanks

thats what i also found, it only seems to audit mailbox interaction but not archive interaction would suggest creating a new idea, other than that, you may want to look in to Roles Based Administration limiting users that you may not trust or may not want to be granting those kind of permissions

You have a couple options: To use Audit Viewer to run a report on audit data 1 In Windows Explorer, browse to the Enterprise Vault program folder (normally C:\Program Files\Enterprise Vault). 2 Double-click AuditViewer.exe. 3 In the Audit Viewer window, type or select the search criteria for the records that you want to view. The following table provides information on each search term. User Name Specify the required user in the form domain\username. You can use the Enterprise Vault Administration Console to determine the ID of the archive. Right-click the required archive, and then click Properties. The Advanced tab in the properties sheet shows the archive ID. Archive Select a category of audit entries to search from the list. Audit Viewer lists only those categories that exist in the captured data. Category After you have selected a category, select a subcategory from the list. ■ Item returns the summary information for a category. ■ If you select Detailed as a category, the additional information is held in Information records. ■ All returns both the summary and detailed records for selected categories. Subcategory Date (From), Date Define a date range and time range to search the audit records. (To) Information Type a keyword for which to search in the audit records. contains Status Select a status fromthe list for the records that youwant to view. Server Select the EnterpriseVault server that is the target of this search. Type a range of numbers to indicate the audit records that you want to view. Audit ID Select the attribute by which to order the results and whether you want Audit Viewer to list the results in ascending order or descending order. Order By Audit Viewer Using Audit Viewer to run a report on audit data 26 Select whether to view all the results that the search finds or a portion of those results. Maximum Results 4 Click Search to generate the report. Copying the search results from Audit Viewer Audit Viewer displays the records that match your search criteria in the Search Results window. Click a column heading to sort the records according to the entries in that column. You can copy the contents of this window to another application, such as a spreadsheet application. To copy the search results from Audit Viewer 1 In the Search Results window, highlight the records that you want to copy. 2 Right-click the records, and then click Copy. You can also press Ctrl+A and Ctrl+C to copy all the search results to the Clipboard. 3 Paste the records into the destination document. OR: You can also view the audit log by following the instructions below. To view the audit log 1 On the Windows Start menu, click All Programs > Microsoft SQL Server > Query Analyzer. 2 At the top of the SQL Query Analyzer window, select the EnterpriseVaultAudit database. 3 Type the following command in the Query window: SELECT * FROM EVAuditView ORDER BY AuditDate DESC 4 Press F5 to run the command.

Thanks Andrew. I'd followed all of the above before posting because the only output this gives is something in the form of: 2283315 SUCCESS 2011-10-03 12:11:19.393 DOMAIN\serv_user Admin Activity ExchangeMailboxEntry 11869A60F9B452C4B85FFFC0CED01n10000SERVER1 UPDATE ExchangeMailboxEntry SET ExchangeMailboxEntryId=N'11869A60F9B452C4B8BE3AFFC0CED01n10000SERVER1',LegacyMbxDN=N'/o=DOMAIN/ou=Exchange Administrative Group (FDYBIFHO42HTSTL)/cn=Recipients/cn=User1',MbxDisplayName=N’User1',MbxAlias=N'User1',MbxNTUser=N'User1',MbxNTDomain=N'DOMAIN',MbxArchivingState=1,MbxSize=5381,MbxItemCount=365,DefaultVaultId=N'170787C9B95E8D941AA73592F24308F201110000SERVER1',LastModified='20111003 11:11:19:000',MbxStoreIdentity=5,MbxSuspended=0 WHERE ExchangeMailboxEntryId = '11869A452C4B8BE3AC5FFFC0CED01n10000SERVER1 SERVER1 I need to view something in the form of "User1 GRANTED ACCESS to User2's mailbox at 12:45pm on Tuesday". It is to provide info to non technical users that can be used for reporting

I don't think you can audit that.. since the operation is being done at the mailbox level, by Outlook, connected to Exchange. You could check out Exchange 2010's auditing, I believe that is better in this regard. Alternatively I've got a script (on the download section, I think) which can be run (periodically) to see which folders of which mailboxes have non-standard permissions... but it doesn't show when they were granted, I guess if you ran it daily you'd know to that level of granularity.

HI Rob, Your script does sound like something we can use. We can monitor any changes made in Exchange but it is specifically access to the vault archive that needs to be monitored, granted via the admin console (via Directory>Site>Archives>Exchange Mailbox>User properties>Permissions Tab). I do not think this is reflected in Exchange(?). Thanks

i think the confusion came from that "User1 granted access to User2's mailbox" which sounded like an end-user giving someone access via Delegates in Outlook. I dont think though that permission changes are audited from the VAC either

Audit Admin Access

13 Replies

PAC_11
Level 3
13 years ago
We can look into Role Based Admin but unsure if that will fit the bill. My team has full access to EV but another manager needs the same access to perform email investigations. However, his manager wants his actions to be audited to ensure he is only looking at the vault accounts he needs to. He also should not have to come to the system admins to get approval. Hence where my job in looking into auditing admin access comes in.

No worries though. Thanks for the info. If it can't be done, it can't be done.
JesusWept3
Level 6
13 years ago
what is the scope of the email investigations?
you could look at Discovery Accelerator, but this is a big piece that is really meant for legal users to search all vaults, export items, put users and items on legal holds and such.

You could always just give him PST Export access through RBA and he can export said user to a PST file and search through there.

Plus if there are items that are suspicious and such and you want to preserve that data, you can't put on a legal hold without using Discovery Accelerator or adding the hold via the API (using VBS or something such as that)
PAC_11
Level 3
13 years ago
The scope is the person needing access is the company Security Manager and when he is conducting email investigations into company staff he usually grants himself access to the users mailbox which is audited but now that we have EV, he cannot access any items that have been vaulted as he gets access denied. He wants to be able to grant himself access to this but we cannot give him access to the EV console unless any changes he makes can be attributed to him. If this can't be audited then he will have to ask for approval.

I think the Discovery Accelerator would be a step too far to make something work for just one person. I will have a look at this though just to make sure.

Can the the PST Export access be audited?

Forum Discussion

Audit Admin Access

13 Replies

Related Content

admin account lost ssh access to appliance

S3 bucket deleting Access 3350

Unable to access EVBA admin

How to access AWS Master Server Admin Console?

Re: Checking logs

Recent Discussions

EV Client Reset for MAC book

Attachments in Mails - EnterprsieVault

Enterprise Vault MPIP encrypted email decryption is not working

Defender 365 detecting malware in a CAB/DVSSP file

Broken link