Enabling protocol logging for Exchange Server


Brien Posey
11.29.2006


Email servers are under constant attack from a variety of sources, so it's important to be proactive about email security. One way of doing so is to enable protocol logging for Exchange Server.

Protocol logging lets you see the commands that clients are sending to your Exchange server. If you detect suspicious SMTP, NNTP or HTTP traffic patterns, you can take action before they become a problem. Protocol logs are also an excellent forensic tool for analyzing attacks that occur without warning or detection.

Protocol logging caveats

Enabling SMTP and NNTP protocol logging

By default, your log files will be saved to the C:\WINDOWS\System32\LogFiles folder on the server that's being monitored.

Other logging options

The W3C Extended Log File Format is not the only format available to you. You also have the option of using the Microsoft IIS Log File Format, the NCSA Common Log File Format and ODBC Logging.

The Microsoft IIS Log File Format and the NCSA Common Log File Format are both ASCII log file formats similar to the W3C Extended Log File Format. Given a choice among them, you are usually best off using the W3C Extended Log File Format (unless you have a compelling reason to use one of the other formats). It offers the highest level of logging detail.
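As an added example (not part of the original tip), the following Python sketch reads an SMTP protocol log in W3C Extended Log File Format and reports clients with repeated rejected RCPT commands, one of the suspicious traffic patterns such logs can reveal. The sample lines are constructed, and it is an assumption that the c-ip, cs-method and sc-status fields are enabled in the logging properties.

```python
from collections import Counter

# Constructed sample log; which fields appear depends on the properties you enable.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-11-29 10:00:00
#Fields: date time c-ip cs-method cs-uri-query sc-status
2006-11-29 10:00:01 192.0.2.10 HELO +mail.example.org 250
2006-11-29 10:00:02 192.0.2.10 MAIL +FROM:<a@example.org> 250
2006-11-29 10:00:03 192.0.2.10 RCPT +TO:<bob@example.com> 250
2006-11-29 10:01:00 198.51.100.7 HELO +x 250
2006-11-29 10:01:01 198.51.100.7 RCPT +TO:<aaa@example.com> 550
2006-11-29 10:01:02 198.51.100.7 RCPT +TO:<aab@example.com> 550
#Date: 2006-11-29 10:05:00
#Fields: date time c-ip cs-username cs-method sc-status
2006-11-29 10:05:00 198.51.100.7 x RCPT 550
2006-11-29 10:05:01 198.51.100.7 x RC
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the active #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A new header block (for example after a service restart)
            # may change the column layout partway through the file.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry; skip it
        yield dict(zip(fields, values))

def rejected_rcpt_by_client(entries, threshold=3):
    """Return {client IP: count} for clients with many 5xx replies to RCPT."""
    rejected = Counter()
    for entry in entries:
        is_rcpt = entry.get("cs-method", "").upper() == "RCPT"
        if is_rcpt and entry.get("sc-status", "").startswith("5"):
            rejected[entry.get("c-ip", "-")] += 1
    return {ip: n for ip, n in rejected.items() if n >= threshold}

if __name__ == "__main__":
    print(rejected_rcpt_by_client(parse_w3c(SAMPLE_LOG)))
```

The threshold of 3 is only for the sample; tune it to the rejection volume normal for your server.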

The ODBC Logging File Format is completely different from the other three log file formats. It allows you to insert log data into a SQL Server or Microsoft Access database. This allows you to perform complex queries against the database and more easily find specific information within the logs.



Enabling HTTP logging for the Exchange virtual server

The log file format and the corresponding options are identical to the ones that I showed you earlier for logging the SMTP and NNTP protocols.

All protocol logs are created as text files with the .LOG extension and placed in the %SYSTEMROOT%\System32\LogFiles folder.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
