Email servers are under constant attack from a variety of sources, so it's important to be proactive about email security. One way of doing so is to enable protocol logging for Exchange Server.
Protocol logging lets you see the commands that clients are sending to your Exchange server. If you detect suspicious SMTP, NNTP or HTTP traffic patterns, you can take action before they become a problem. Protocol logs are also an excellent forensic tool for analyzing attacks that occur without warning or detection.
Protocol logging caveats
- Exchange Server 2003 can use several different protocols, but it doesn't necessarily employ all of them. For example, an Outlook Web Access front-end server uses the HTTP protocol, but a back-end Exchange server typically does not.
- Protocol logging is not a catch-all operation. Methods for enabling protocol logging differ depending on what protocols you need to log. Figure out which protocols are important to each of your servers before you implement logging.
- Most importantly, protocol logging may not be a viable option for all Exchange Server organizations. I leave SMTP logging enabled on my own Exchange server and have never had any problems. However, protocol logging does consume system resources, such as CPU cycles, memory, disk space and disk I/O cycles. If your Exchange server is strapped for resources, protocol logging for anything but diagnostic purposes is probably not a good idea.
- Open Exchange System Manager and navigate to Administrative Groups -> your administrative group -> Servers -> your server -> Protocols -> SMTP (or NNTP if you want to log the use of the NNTP protocol).
In Exchange Server 2003, both the SMTP and NNTP protocols make use of virtual servers. Therefore, if you have multiple virtual servers, you will have to enable logging for each one separately.
- Right click on the virtual server for which you want to implement protocol logging and select Properties
- Select the Enable Logging checkbox found on the General tab, choose the preferred logging format (usually W3C Extended Log File Format), and click the Properties button to view Logging Properties.
- If you selected the W3C Extended Log File Format, you now need to set the new log schedule. Depending on how frequently the virtual server is used, logs can get quite large. So it's a good idea to periodically create new log files; old log files can then be deleted to free up disk space. By default, new logs are created daily, but you can adjust the frequency to meet your own needs.
- If you are using the W3C Extended Log File Format, you also need to go to the Advanced tab and select exactly what you want to log. For example, you can log date, time, Client IP address, method, URI Stem, and many other variables related to the protocol.
By default, your log files will be saved to the C:\WINDOWS\System32\LogFiles folder on the server that's being monitored.
Other logging options
The W3C Extended Log File Format is not the only format available to you. You also have the option of using the Microsoft IIS Log File Format, the NCSA Common Log File Format and ODBC Logging.
The Microsoft IIS Log File Format and the NCSA Common Log File Format are both ASCII log file formats similar to the W3C Extended Log File Format. Given a choice among them, you are usually best off using the W3C Extended Log File Format (unless you have a compelling reason to use one of the other formats). It offers the highest level of logging detail.
The ODBC Logging File Format is completely different from the other three log file formats. It allows you to insert log data into a SQL Server or Microsoft Access database. This allows you to perform complex queries against the database and more easily find specific information within the logs.
Enabling HTTP logging for the Exchange virtual server
- Open the IIS Manager console and navigate to your server -> Web Sites
-> Default Web Site.
- Right click on the Default Web Site container and select Properties
- Go to the Web Site tab and select the Enable Logging checkbox.
The log file format and the corresponding options are identical to the ones that I showed you earlier for logging the SMTP and NNTP protocols.
All protocol logs are created as text files with the .LOG extension and placed in the %SYSTEMROOT%\System32\LogFiles folder.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
Do you have comments on this tip? Let us know.
Related information from SearchExchange.com:
Please let others know how useful this tip was via the rating scale below. Do you have a useful Exchange Server or Microsoft Outlook tip, timesaver or workaround to share? Submit it to SearchExchange.com. If we publish it, we'll send you a nifty thank-you gift.
This was first published in November 2006