SUMMARY

This article describes the actions which are entered in the users audit log. The audit log is a log file detailing various events related to a mailbox. It is designed for users to quickly see recent activity on their mailbox. The audit log is accessible for users under the webmail client, and this can be enabled or disabled by the administrator.

Enabling the audit log is done through the administration program. Expand the Servers branch, right click the localhost icon and select Properties from the popup menu. Click the Auditing tab and you can enable the event auditing.

There are different levels of auditing, so you are able to vary the detail that gets logged. There are four levels of details that can get logged, these being lowest, low, normal and high. High level details are also added to the system messages. To change the level getting logged from the default the software offers, you change this Windows registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable\Auditing]
"Level"=dword:00000005

By default the level is 5. Change to 1 to log all events, 3 to log from low to high, 5 to log from normal to high and 10 for just logging high. Some events can happen often, such as authentication, since some clients and protocols will continuously authenticate. The level of each item is indicated in the list of events below.

DETAIL

As well as viewing the audit log in webmail you can access the log files directly on the server. They are located in the path:

Mail Enable\Config\Audit\[postoffice]\[mailbox]\AUDIT-YYMMDD.log

The following actions are recorded (grouped under the relevant service):

General
When a mailbox is added (5 - if audit changes for mailboxes is enabled)
When a mailbox is removed (5 - if audit changes for mailboxes is enabled)
When a mailbox is edited (5 - if audit changes for mailboxes is enabled)

ActiveSync
When a message is sent (5)

IMAP
When a login succeeds (1)
When a login is made, but access to the service is denied (5 - only logged if abuse detection is on)
When a login failed (5 - only logged if abuse detection is on)
When a folder is deleted (5)
When messages marked for deletion in a folder are "expunged" (5)
When a folder is renamed (5)

Webmail
When a message is sent (5)
When a login succeeds (1)
When a login is denied due to region (5)
When messages are deleted (5)
When messages are archived (5)
When calendar items are deleted (5)
When contact items are deleted (5)
When tasks are deleted (5)

POP Retrieval
When the login to a remote POP service fails (5)
When messages are retrieved from a remote POP service (5)

Management service
When old messages in Deleted Items folder are purged (5)
When old messages in Inbox folder are purged (5)
When old messages in Sent Items folder are purged (5)
When old messages in Junk E-mail folder are purged (5)

Postoffice connector
When a message being delivered puts user over quota (5)
When a message being delivered is detected as spam (5)
When a message being delivered was deleted due to mailbox rules (5)
When a message being delivered was deleted due delivery event (5)
When a message being delivered was deleted due mailbox spam rules (5)
When a message was delivered to a mailbox folder (5)

SMTP
When a message is sent by authorised user (5)
When a message is rejected because the sender has been blacklisted (5)
When a user has sent too many message per hour (10)

CHANGING LOG RETENTION 

By default there will be 5 days of audit logs kept for each mailbox. It is possible to extend this time by editing the following registry key. The registry key is in minutes.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable\Auditing]
"Retention Minutes"=dword:00001c20

You will need to restart the mail services after changing this value. Webmail will still only allow 5 days of logs to be viewed by users.