Inside Out Security Blog   /  

Exchange Journaling and Diagnostics: How to

Exchange Journaling and Diagnostics: How to

Journaling and Diagnostics Logging are services to monitor and audit activity on Microsoft Exchange servers. They provide basic auditing functionality for email activity (e.g. who sent which message to whom) and, if collected and analyzed, may help organizations answer basic questions about email, as well as comply with  policies and regulations. (Note: Varonis DatAdvantage for Exchange does not require journaling or diagnostics to monitor Exchange activity.)

Journaling records email communication traffic and processes messages on the Hub Transport servers. The information collected by the journaling agent can be viewed through journaling reports, which include the original message with all the attachments.

Is your Office 365 and Teams data as secure as it could be? Find out with our Free Video Course.

"I was kind of shocked how open the sharing with Teams can be, one mis-click and your data is accessible to anyone on the Internet."

Diagnostics writes additional activities to the event log (visible in Windows Event Viewer), such as “message sent as” and “message sent on behalf of” actions. Diagnostics can be configured through the Manage Diagnostics Logging Properties window in the Exchange Management Console.

Journaling and Diagnostics Logging collect significant amounts of events and generate a large amount of raw log data, so it is critical to plan which mailboxes and messages will be monitored and allocate additional storage before enabling.

Here are the steps to enable Journaling and Diagnostics in your Exchange Server.

Setting up Journaling in Exchange

There are two types of Journaling: standard and premium. Standard provides journaling of all the messages sent and received from mailboxes on a specified mailbox database, while premium provides the ability journal individual recipients by using journaling rules.
Setting up Journaling in Exchange
Here are the high-level steps to setup journaling on your Exchange server:

  1. First, create a journaling mailbox. This mailbox will be configured to collect all the journaling reports, and should ideally be setup with no storage limits to avoid missing any. The process to create the mailbox is:
    1. Select a different OU than the default
    2. Assign a display name
    3. Assign user logon name (user will use to login to this mailbox)
    4. Setup a password—take into account that journaling mailboxes may contain sensitive information, as a copy of the message is stored with the report.
  2. To enable standard Journaling it is necessary to modify the properties of the mailbox database. Under the Organization Configuration/Mailbox/Database Management/Maintenance tab, you will need to specify the journaling mailbox where you want the journaling reports sent.
  3. Premium Journaling requires an Exchange Enterprise Client license. To setup premium journaling, it is necessary to create journal rules, which are used to setup journaling for specific recipients. Using the EMC (Exchange Management Console) the journal rules can be created under the Hub Transport section of the Organization Configuration; on the Journal Rules tab. The fields to configure a journal rule are the following:
    1. Name
    2. Send reports to email
    3. Scope
      • Global – all messages through the Hub transport
      • Internal – messages sent and received by users in the organization
      • External – messages sent to or from recipients outside the organization
    4. Journal messages for recipient – journal messages sent to or from a specific recipient
    5. Enable rule – checkbox

Make sure the status on the completion page is “Completed” to verify that the rule was created successfully.

Setting up Diagnostics in Exchange

Diagnostics logging is configured separately for each service on each server. The steps toSetting up Diagnostics in Exchange configure diagnostics logging are:

  1. In the Exchange Management Console (EMC), click on Server Configuration.
  2. Right-click on an Exchange server  to enable Diagnostics Logging on it.
  3. Click on Manage Diagnostics Logging Properties.
  4. On the Manage Diagnostics Logging window, select the services you want to enable diagnostics for.
  5. Choose the level of diagnostics you would like on that service.
    • Lowest – log only critical events
    • Low – log only events with logging level 1 or lower
    • Medium – log events with logging level 3 or lower
    • High – log events with logging level 5 or lower
    • Expert – log events with logging level 7 or lower
  6. Click on configure. The system will provide a confirmation screen.

In a future post, we will go over the Mailbox Audit Logging in MS Exchange 2010.