This article describes the actions which are entered in the users audit log.
The audit log is a log file detailing various events related to a mailbox. It is
designed for users to quickly see recent activity on their mailbox. The audit
log is accessible for users under the webmail client, and this can be enabled or
disabled by the administrator.
Enabling the audit log is done through the
administration program. Expand the Servers branch, right click the localhost
icon and select Properties from the popup menu. Click the Auditing tab and you
can enable the event auditing.
There are different levels of auditing, so you are able to vary the detail that gets logged. There are four levels of details that can get logged, these being lowest, low, normal and high. High level details are also added to the system messages. To change the level getting logged from the default the software offers, you change this Windows registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail
Enable\Auditing]
"Level"=dword:00000005
By default the level is 5. Change to 1 to log all events, 3 to log from low to high, 5 to log from normal to high and 10 for just logging high. Some events can happen often, such as authentication, since some clients and protocols will continuously authenticate. The level of each item is indicated in the list of events below.
As well as viewing the audit log in webmail you can access the log files directly on the server. They are located in the path:
Mail Enable\Config\Audit\[postoffice]\[mailbox]\AUDIT-YYMMDD.log
The following actions are recorded (grouped under the relevant
service):
General
When a mailbox is added (5 - if
audit changes for mailboxes is enabled)
When a mailbox is removed (5 - if
audit changes for mailboxes is enabled)
When a mailbox is edited (5 - if
audit changes for mailboxes is
enabled)
ActiveSync
When a message is sent
(5)
IMAP
When a login succeeds (1)
When a login is
made, but access to the service is denied (5 - only logged if abuse detection is
on)
When a login failed (5 - only logged if abuse detection is on)
When a
folder is deleted (5)
When messages marked for deletion in a folder are
"expunged" (5)
When a folder is renamed
(5)
Webmail
When a message is sent (5)
When a
login succeeds (1)
When a login is denied due to region (5)
When
messages are deleted (5)
When messages are archived (5)
When calendar
items are deleted (5)
When contact items are deleted (5)
When tasks are
deleted (5)
POP Retrieval
When the login to a
remote POP service fails (5)
When messages are retrieved from a remote POP
service (5)
Management service
When old messages in
Deleted Items folder are purged (5)
When old messages in Inbox folder are
purged (5)
When old messages in Sent Items folder are purged (5)
When old
messages in Junk E-mail folder are purged (5)
Postoffice
connector
When a message being delivered puts user over quota
(5)
When a message being delivered is detected as spam (5)
When a message
being delivered was deleted due to mailbox rules (5)
When a message being
delivered was deleted due delivery event (5)
When a message being delivered
was deleted due mailbox spam rules (5)
When a message was delivered to a
mailbox folder (5)
SMTP
When a message is sent by
authorised user (5)
When a message is rejected because the sender has
been blacklisted (5)
When a user has sent too many message per hour
(10)
By default there will be 5 days of audit logs kept for each mailbox. It is possible to extend this time by editing the following registry key. The registry key is in minutes.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail
Enable\Auditing]
"Retention Minutes"=dword:00001c20
You will need to
restart the mail services after changing this value. Webmail will still only
allow 5 days of logs to be viewed by users.
Product: | MailEnable (All Versions) |
Category: | Configuration |
Article: | ME020602 |
Module: | General |
Keywords: | Android,IMAP,POP,SMTP,mobile,device |
Class: | INF: Product Information |
Revised: | Tuesday, November 24, 2020 |
Author: | MailEnable |
Publisher: | MailEnable |