
Audit Admin Access

PAC_11
Level 3

Hi,

 

I am using Enterprise Vault Version 9 and have turned on Auditing features. I now need to access the audit logs so I can view any admin access, i.e. if User1 changes the access to User2's vault archive, I need to be able to view that change in a log. This is so the security manager can track anything the admins are changing in terms of account access.

 

I have set up the Reports config to link into SQL server and it seems to bring back some results, but they are not searchable results. I am using the AuditViewer.exe to view the results as there does not seem to be any way of searching via the SQL reports.

 

Could someone please assist in pointing me in the right direction?

 

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

JesusWept3
Level 6
Partner Accredited Certified

That's what I also found, it only seems to audit mailbox interaction but not archive interaction.

Would suggest creating a new idea. Other than that, you may want to look into Roles Based Administration, limiting users that you may not trust or may not want to be granting those kind of permissions.

https://www.linkedin.com/in/alex-allen-turl-07370146


13 REPLIES 13

AndrewB
Moderator
Moderator
Partner    VIP    Accredited

You have a couple options:

To use Audit Viewer to run a report on audit data

1 In Windows Explorer, browse to the Enterprise Vault program folder (normally C:\Program Files\Enterprise Vault).

2 Double-click AuditViewer.exe.

3 In the Audit Viewer window, type or select the search criteria for the records that you want to view.

The following table provides information on each search term.

User Name: Specify the required user in the form domain\username.

Archive: You can use the Enterprise Vault Administration Console to determine the ID of the archive. Right-click the required archive, and then click Properties. The Advanced tab in the properties sheet shows the archive ID.

Category: Select a category of audit entries to search from the list. Audit Viewer lists only those categories that exist in the captured data.

Subcategory: After you have selected a category, select a subcategory from the list. Item returns the summary information for a category. If you select Detailed as a category, the additional information is held in Information records. All returns both the summary and detailed records for selected categories.

Date (From), Date (To): Define a date range and time range to search the audit records.

Information contains: Type a keyword for which to search in the audit records.

Status: Select a status from the list for the records that you want to view.

Server: Select the Enterprise Vault server that is the target of this search.

Audit ID: Type a range of numbers to indicate the audit records that you want to view.

Order By: Select the attribute by which to order the results and whether you want Audit Viewer to list the results in ascending order or descending order.

Maximum Results: Select whether to view all the results that the search finds or a portion of those results.

4 Click Search to generate the report.

Copying the search results from Audit Viewer

Audit Viewer displays the records that match your search criteria in the Search Results window.

Click a column heading to sort the records according to the entries in that column.

You can copy the contents of this window to another application, such as a spreadsheet application.

To copy the search results from Audit Viewer

1 In the Search Results window, highlight the records that you want to copy.

2 Right-click the records, and then click Copy.

You can also press Ctrl+A and Ctrl+C to copy all the search results to the Clipboard.

3 Paste the records into the destination document.

 

 

 

OR:

You can also view the audit log by following the instructions below.

To view the audit log

1 On the Windows Start menu, click All Programs > Microsoft SQL Server > Query Analyzer.

2 At the top of the SQL Query Analyzer window, select the EnterpriseVaultAudit database.

3 Type the following command in the Query window:

SELECT * FROM EVAuditView ORDER BY AuditDate DESC

4 Press F5 to run the command.

PAC_11
Level 3

Thanks Andrew. I'd followed all of the above before posting because the only output this gives is something in the form of:

 

2283315                SUCCESS              2011-10-03 12:11:19.393                DOMAIN\serv_user       Admin Activity                ExchangeMailboxEntry  11869A60F9B452C4B85FFFC0CED01n10000SERVER1                         UPDATE ExchangeMailboxEntry SET ExchangeMailboxEntryId=N'11869A60F9B452C4B8BE3AFFC0CED01n10000SERVER1',LegacyMbxDN=N'/o=DOMAIN/ou=Exchange Administrative Group (FDYBIFHO42HTSTL)/cn=Recipients/cn=User1',MbxDisplayName=N’User1',MbxAlias=N'User1',MbxNTUser=N'User1',MbxNTDomain=N'DOMAIN',MbxArchivingState=1,MbxSize=5381,MbxItemCount=365,DefaultVaultId=N'170787C9B95E8D941AA73592F24308F201110000SERVER1',LastModified='20111003 11:11:19:000',MbxStoreIdentity=5,MbxSuspended=0 WHERE ExchangeMailboxEntryId = '11869A452C4B8BE3AC5FFFC0CED01n10000SERVER1       SERVER1

 

I need to view something in the form of "User1 GRANTED ACCESS to User2's mailbox at 12:45pm on Tuesday".

 

It is to provide info to non-technical users that can be used for reporting.
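An added example, not part of the original posts and not Enterprise Vault code: one way to turn a raw audit row like the one quoted above into a one-line summary for non-technical readers. The field order of the row and the choice of "interesting" columns are assumptions read off the quoted output, the sample row is constructed, and the script can only report what the audit log actually records.

```python
import re
from datetime import datetime

# Constructed sample row, modelled on the output quoted in the post above.
# Assumed field order: audit ID, status, date, user, category, subcategory,
# object ID, information, server. The object ID is a placeholder.
SAMPLE_ROW = (
    2283315, "SUCCESS", "2011-10-03 12:11:19.393", r"DOMAIN\serv_user",
    "Admin Activity", "ExchangeMailboxEntry", "EXAMPLE-OBJECT-ID",
    "UPDATE ExchangeMailboxEntry SET MbxDisplayName=N'User1',"
    "LegacyMbxDN=N'/o=DOMAIN/ou=Example Group/cn=Recipients/cn=User1',"
    "MbxArchivingState=1,MbxSuspended=0 "
    "WHERE ExchangeMailboxEntryId = 'EXAMPLE-OBJECT-ID'",
    "SERVER1",
)

# column=value pairs; quoted values may contain '=' or ',', so match them whole.
PAIR = re.compile(r"(\w+)\s*=\s*(N?'(?:[^']|'')*'|[^,\s]+)")
STATEMENT = re.compile(r"^UPDATE\s+(\w+)\s+SET\s+(.*?)(?:\s+WHERE\s+.*)?$",
                       re.I | re.S)

def parse_update(information):
    """Return (table, {column: value}) for an UPDATE statement, else (None, {})."""
    m = STATEMENT.match(information.strip())
    if not m:
        return None, {}
    fields = {}
    for name, raw in PAIR.findall(m.group(2)):
        if raw.startswith(("N'", "'")):  # strip SQL quoting, unescape ''
            raw = raw[raw.index("'") + 1:-1].replace("''", "'")
        fields[name] = raw
    return m.group(1), fields

def summarize(row, interesting=("MbxArchivingState", "MbxSuspended")):
    """Render one audit row as a sentence; non-UPDATE rows get a short form."""
    _id, status, when, user, category, _sub, _obj, info, server = row
    ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S.%f")
    table, fields = parse_update(info)
    if table is None:
        return f"{user}: {category} on {server} at {ts:%H:%M on %A %d %b %Y} ({status})"
    target = fields.get("MbxDisplayName", "unknown mailbox")
    changes = ", ".join(f"{k}={fields[k]}" for k in interesting if k in fields)
    return (f"{user} updated {table} for {target} on {server} "
            f"at {ts:%H:%M on %A %d %b %Y} ({status}): {changes}")

if __name__ == "__main__":
    print(summarize(SAMPLE_ROW))
```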

Rob_Wilcox1
Level 6
Partner

I don't think you can audit that.. since the operation is being done at the mailbox level, by Outlook, connected to Exchange.

You could check out Exchange 2010's auditing, I believe that is better in this regard.

 

Alternatively I've got a script (on the download section, I think) which can be run (periodically) to see which folders of which mailboxes have non-standard permissions... but it doesn't show when they were granted, I guess if you ran it daily you'd know to that level of granularity.

Working for cloudficient.com

PAC_11
Level 3

Hi Rob,

Your script does sound like something we can use.

We can monitor any changes made in Exchange but it is specifically access to the vault archive that needs to be monitored, granted via the admin console (via Directory>Site>Archives>Exchange Mailbox>User properties>Permissions Tab).

I do not think this is reflected in Exchange(?).

Thanks

JesusWept3
Level 6
Partner Accredited Certified

I think the confusion came from that "User1 granted access to User2's mailbox" which sounded like an end-user giving someone access via Delegates in Outlook.

I don't think though that permission changes are audited from the VAC either.

https://www.linkedin.com/in/alex-allen-turl-07370146

Rob_Wilcox1
Level 6
Partner

Ah okay, I understand (now) the requirement.

 

To summarise :-

 

You want to audit an admin giving permissions on an archive via the VAC to A.N.Other user (other than the owner) ?

 

Is that correct ?

 

I've not worked with Auditing in a long time, so I'm not sure if it can do that -- I will see if I can check today, and post the results back here (one way or the other).

Working for cloudficient.com

AndrewB
Moderator
Moderator
Partner    VIP    Accredited

Rob, that's the way I interpreted his request too.

PAC_11
Level 3

Sorry. My fault for not being specific.

Yes Rob, that's exactly what I need. I need to be able to audit any changes to users' vault accounts by an Enterprise Vault system admin.

I basically need to be able to Police the Police!

Rob_Wilcox1
Level 6
Partner

As far as I can tell that's not audited.  I can see enabling a mailbox is audited, but not permission changes.

Working for cloudficient.com

JesusWept3
Level 6
Partner Accredited Certified

That's what I also found, it only seems to audit mailbox interaction but not archive interaction.

Would suggest creating a new idea. Other than that, you may want to look into Roles Based Administration, limiting users that you may not trust or may not want to be granting those kind of permissions.

https://www.linkedin.com/in/alex-allen-turl-07370146

PAC_11
Level 3

We can look into Role Based Admin but unsure if that will fit the bill. My team has full access to EV but another manager needs the same access to perform email investigations. However, his manager wants his actions to be audited to ensure he is only looking at the vault accounts he needs to. He also should not have to come to the system admins to get approval. Hence where my job in looking into auditing admin access comes in.

No worries though. Thanks for the info. If it can't be done, it can't be done.

JesusWept3
Level 6
Partner Accredited Certified

What is the scope of the email investigations?
You could look at Discovery Accelerator, but this is a big piece that is really meant for legal users to search all vaults, export items, put users and items on legal holds and such.

You could always just give him PST Export access through RBA and he can export said user to a PST file and search through there.

Plus if there are items that are suspicious and such and you want to preserve that data, you can't put on a legal hold without using Discovery Accelerator or adding the hold via the API (using VBS or something such as that)

https://www.linkedin.com/in/alex-allen-turl-07370146

PAC_11
Level 3

The scope is the person needing access is the company Security Manager, and when he is conducting email investigations into company staff he usually grants himself access to the user's mailbox, which is audited, but now that we have EV, he cannot access any items that have been vaulted as he gets access denied. He wants to be able to grant himself access to this but we cannot give him access to the EV console unless any changes he makes can be attributed to him. If this can't be audited then he will have to ask for approval.

I think the Discovery Accelerator would be a step too far to make something work for just one person. I will have a look at this though just to make sure.

Can the PST Export access be audited?