Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Wanet Telecoms Ltd on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
OWA logging/monitoring ?? 1
- Thread starter pctekkk
- Start date
-
1
- #2
ShackDaddy
MIS
You will see logon success and failure events in the security log on your domain controller, since the OWA server refers authentication queries to the DC. Usually the events give the username that was attempted and the system on which the authentication was attempted.
Look for a 529 failure event. It will be generated by the system account on the server and will include the source IP address that was attempting to log on to the OWA server.
For successes, look for event 552.
ShackDaddy
Look for a 529 failure event. It will be generated by the system account on the server and will include the source IP address that was attempting to log on to the OWA server.
For successes, look for event 552.
ShackDaddy
- Thread starter
- #3
ShackDaddy
MIS
If you your Exchange server is also a DC (like on SBS), the same thing applies.
Have you tried logging on to OWA or putting a bad password in on an OWA logon and then checking the security log for the events that I mentioned?
The events I mentioned don't require special logging options to be turned on; they are recorded by default.
If you do want to get more logging for OWA, you could probably monitor logons by changing the logging settings for MSExchangeIS->Mailbox->Logons to Maximum. You find that setting in the Exchange System Manager when you get properties on the server name and choose the Diagnostic Logging tab. Any change you make here will cause changes in what gets logged to the Application log. Personally, I think that if you just filter the Security log for the event numbers I mentioned earlier, you should get a pretty good idea of who logged on, and when.
ShackDaddy
Have you tried logging on to OWA or putting a bad password in on an OWA logon and then checking the security log for the events that I mentioned?
The events I mentioned don't require special logging options to be turned on; they are recorded by default.
If you do want to get more logging for OWA, you could probably monitor logons by changing the logging settings for MSExchangeIS->Mailbox->Logons to Maximum. You find that setting in the Exchange System Manager when you get properties on the server name and choose the Diagnostic Logging tab. Any change you make here will cause changes in what gets logged to the Application log. Personally, I think that if you just filter the Security log for the event numbers I mentioned earlier, you should get a pretty good idea of who logged on, and when.
ShackDaddy
- Thread starter
- #5
- Thread starter
- #6
quick one,
MS technote 246248
talks about ones to turn on,but
i dont see any of those,
is that only for exch 5.5 ??
its option 4 talks about turning on MSExchangeDS
set security, ExDS Interface and Mapi interface, Directory access, LDAP interface and Name resolution
thanks for any info
MS technote 246248
talks about ones to turn on,but
i dont see any of those,
is that only for exch 5.5 ??
its option 4 talks about turning on MSExchangeDS
set security, ExDS Interface and Mapi interface, Directory access, LDAP interface and Name resolution
thanks for any info
ShackDaddy
MIS
That article is for 5.5. In 2003, the one you want to log connections is the one that I mentioned above: MSExchangeIS->Mailbox->Logons.
That's the same as option 6 in the article you read, and that's the option that actually logged who used OWA in the events listed below that. The last event in that article shows someone logging on to OWA.
That's the same as option 6 in the article you read, and that's the option that actually logged who used OWA in the events listed below that. The last event in that article shows someone logging on to OWA.
- Status
Similar threads
- Locked
- Question
- Locked
- Question