cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Veritas.com
Support

Is it possible in auditing to see "Who searched the mailbox"?

Go to solution
bjorn_b
Level 6
Partner Accredited Certified

‎10-11-2011 04:06 AM

Ok, this is a tricky one, since I haven't been working too much with auditing.

The scenario is like this:

When we audit a given mailbox, I am able to see that user X did a search or opened a mail in an archived mailbox (and had the "right" to do so from an EV Permissions perspektive. But in a bigger environment, we would like to perform a search to capture if there has been any searches in the archive that has been against the company's policies. An example could be that EV Administrator X has the access to the VSA and hence access to his boss' (Mr Y)archive. However, if X opens Y's archive for curiosity, (s)he is braking the company's policies, and it is of interrest to find out this through a search.

I don't know if I made the situation clear, but ask if I failed :)

If you are still with me: Can this be done via auditing, or are we talking Compliance? And can Compliance search really help us with "illegal" searches in an archive?

/bjorn

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Rob_Wilcox1
Level 6
Partner

‎10-11-2011 01:50 PM

Did you mean to say audit the category :

 

Advanced Search

?

 

If so .. that will log an entry when anyone does an integrated search from Outlook (ie searcho2k.asp)... as well as a regular search (ie search.asp) and an advanced search (ie search.asp?advanced=3).

 

What it won't tell you is whether someone did a search of a different users archive or their own.

 

You *could* write some SQL to take a look at the user who is logged as the audit, find their default archive, and compare it with the archive in the audit entry .. if different then that person did a search of someone else's archive.  You'd then need to review those manually to figure out if they were allowed searches.

Working for cloudficient.com

View solution in original post

0 Kudos
3 REPLIES 3

Go to solution
RahulG
Level 6
Employee

‎10-11-2011 06:38 AM

I beleive you can get the infromation using auditing

you may try the following

Go the properties on the EV server in Vault admin console and check  "Audit entries based on the following categories"

Rua test serach and check  Audit Viewer and try to findthe search that you performed

0 Kudos

Go to solution
Rob_Wilcox1
Level 6
Partner

‎10-11-2011 01:50 PM

Did you mean to say audit the category :

 

Advanced Search

?

 

If so .. that will log an entry when anyone does an integrated search from Outlook (ie searcho2k.asp)... as well as a regular search (ie search.asp) and an advanced search (ie search.asp?advanced=3).

 

What it won't tell you is whether someone did a search of a different users archive or their own.

 

You *could* write some SQL to take a look at the user who is logged as the audit, find their default archive, and compare it with the archive in the audit entry .. if different then that person did a search of someone else's archive.  You'd then need to review those manually to figure out if they were allowed searches.

Working for cloudficient.com
0 Kudos

Go to solution
Rob_Wilcox1
Level 6
Partner

‎10-11-2011 01:52 PM

And you could do this via the IIS logs, if you haven't got auditing enabled.

Working for cloudficient.com
0 Kudos