10-11-2011 04:06 AM
Ok, this is a tricky one, since I haven't been working too much with auditing.
The scenario is like this:
When we audit a given mailbox, I am able to see that user X did a search or opened a mail in an archived mailbox (and had the "right" to do so from an EV Permissions perspektive. But in a bigger environment, we would like to perform a search to capture if there has been any searches in the archive that has been against the company's policies. An example could be that EV Administrator X has the access to the VSA and hence access to his boss' (Mr Y)archive. However, if X opens Y's archive for curiosity, (s)he is braking the company's policies, and it is of interrest to find out this through a search.
I don't know if I made the situation clear, but ask if I failed :)
If you are still with me: Can this be done via auditing, or are we talking Compliance? And can Compliance search really help us with "illegal" searches in an archive?
/bjorn
Solved! Go to Solution.
10-11-2011 01:50 PM
Did you mean to say audit the category :
Advanced Search
?
If so .. that will log an entry when anyone does an integrated search from Outlook (ie searcho2k.asp)... as well as a regular search (ie search.asp) and an advanced search (ie search.asp?advanced=3).
What it won't tell you is whether someone did a search of a different users archive or their own.
You *could* write some SQL to take a look at the user who is logged as the audit, find their default archive, and compare it with the archive in the audit entry .. if different then that person did a search of someone else's archive. You'd then need to review those manually to figure out if they were allowed searches.
10-11-2011 06:38 AM
I beleive you can get the infromation using auditing
you may try the following
Go the properties on the EV server in Vault admin console and check "Audit entries based on the following categories"
Rua test serach and check Audit Viewer and try to findthe search that you performed
10-11-2011 01:50 PM
Did you mean to say audit the category :
Advanced Search
?
If so .. that will log an entry when anyone does an integrated search from Outlook (ie searcho2k.asp)... as well as a regular search (ie search.asp) and an advanced search (ie search.asp?advanced=3).
What it won't tell you is whether someone did a search of a different users archive or their own.
You *could* write some SQL to take a look at the user who is logged as the audit, find their default archive, and compare it with the archive in the audit entry .. if different then that person did a search of someone else's archive. You'd then need to review those manually to figure out if they were allowed searches.
10-11-2011 01:52 PM
And you could do this via the IIS logs, if you haven't got auditing enabled.