Exchange 2007 Powerful Logging capabilities

Exchange Server 2007 Log rules

New Log Wizard

What is included in the journal report

Have you ever had to record e-mail messages between you and a particular user, and the result is that you want to find these specific e-mail messages along with the messages residing in the other 300 mailboxes that reside in that mailbox store? Microsoft Exchange Server 2007 addresses this issue, providing you with the precise control you need.

The Enterprise Client Access License (CAL) provides a per-recipient logging feature that allows you to point the target to the person you want to record. By using log rules, you can now target only the recipients and senders you want to record. You can narrow the focus down to a single mailbox, or you can expand to include all the people in the sales department (for example). Also, their mailboxes do not have to be on the same server, on the same Active Directory® site, or even in the same Exchange organization. With Active Directory replication, your changes are automatically applied to all computers running the Hub Transport server role in your organization.

Log principle

In Exchange Server 2003, log functionality is implemented for each mailbox store on each physical server. If you want to record all the mailboxes in your organization, you need to configure the logging feature for each mailbox store. If you want to record a single recipient's message, you must record each person in that user's mailbox store or create a new mailbox store for that user specifically.

The logging features in Exchange Server 2007 take advantage of the new role-based topology features that are added to exchange. As shown in Figure 1, when all messages are sent to/from mailboxes and unified messaging servers, other Exchange systems, third party applications, and the Internet, they are processed by the Hub Transport server. All Hub Transport servers contain a transport agent called the log Agent, which is responsible for applying log rules to messages. Because the log agent is located on a Hub Transport server, it encounters and evaluates each message before it reaches its recipients. The log agent does mail operations after categorization-this ensures that all recipient and sender properties of the message are accessed, and allows the agent to decide whether the message was sent directly to the recipient or received through a distribution group extension. It also indicates whether the recipient exists on the To, Cc, or Bcc lines from messages that originate within an Exchange Server 2007 organization.

Figure 1 Hub Transport server mail flow

When a message passes through a Hub Transport server, the log agent applies an administrator-configured log rule to it. These rules are used to determine whether the agent wants to capture information about a message, and then forward that information to the log mailbox along with the original message. The data is sent in the form of a message called a log report.

For earlier versions of Exchange, you must apply the configuration to multiple servers. When you create a log rule in Exchange Server 2007, the change is applied through Active Directory to all Hub Transport servers in your organization. All Hub Transport servers, in which all log agents will read the same configuration from Active Directory. Therefore, all of this ensures that all log agents apply the same log configuration.

Keep in mind the Active Directory replication time when you create or modify a log rule, because configuration changes need to be replicated throughout your organization and read by the Hub Transport server. This can take a few hours. To help you determine the update time for the log configuration, Exchange records an event in the security event log for each server.

Exchange Server 2007 ensures that log reports are never lost due to the fact that the log mailbox is not available, full, misconfigured, or offline (this is especially useful to help you comply with a variety of legal and regulatory requirements because a lost message can cause a default). If the journal report cannot be routed to a log mailbox, the report remains in the queue of the Hub Transport server until the log mailbox is available. Because this can cause queues to swell rapidly, you should monitor the availability of the log mailboxes to ensure that they are running correctly. If the log mailbox is still unavailable for a long period of time, you can configure an alternate mailbox to receive reports from the queue.