Using and configuring auditing for Enterprise Vault for Microsoft Exchange.

Article:TECH49054  |  Created: 2006-01-19  |  Updated: 2011-03-06  |  Article URL http://www.symantec.com/docs/TECH49054
Article Type
Technical Solution

Issue



Using and configuring auditing for Enterprise Vault for Microsoft Exchange.


Solution



Enterprise Vault includes flexible auditing that can be enabled for individual Enterprise Vault servers. The auditing events are written to a SQL Server database. A single auditing database for all Enterprise Vault Servers can be configured for a vault site. Custom queries can be generated by a SQL programmer for reporting purposes.  

Audit events recorded:
 
  • The time an event occurred.
  • The account that initiated the event.
  • The archive in which an item was archived.
  • The category of the event, such as "View", "Archive", or "Delete".

Auditing can be enabled for a number of events such as:
 
  • Actions taken using the Administration Console.
  • Searches.
  • Viewing an item.
  • Deletions.

For most types of events, details and summaries can be generated:
 
  • The "Summary" returns information about the event, such as the date and time, account used, and vault used.
  • The "Details" will list more information such as excerpts from the content of a message. For example: Subject, Mailbox Owner, and Folder.

Note: There will be a slight reduction in performance on the Enterprise Vault server when auditing is enabled.

Auditing is disabled by default. Auditing can be enabled and controlled from the Enterprise Vault Administration Console.


How to configure Auditing:

Enterprise Vault auditing records activity in a number of different categories. Auditing can be enabled and specific categories can be audited.

The auditing database can be, but does not need to be, on a computer that is running Enterprise Vault services. The auditing database must be hosted by the same SQL Server as the Enterprise Vault Directory Database.

The process of configuring auditing is:

 
1. Create the audit database.
 

 
2. Configure auditing on each Enterprise Vault server.
 

Currently Enterprise Vault does not provide any reporting tools for auditing. The auditing data is available in the auditing database and it can be accessed using SQL Queries.
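The following is an added example of the kind of custom report query described above; it is not part of the original article and does not use the real Enterprise Vault auditing schema. The table `audit_events` and its columns are assumptions modelled on the four recorded fields (time, account, archive, category), the rows are constructed, and an in-memory SQLite database stands in for SQL Server so the query runs offline.

```python
import sqlite3

# Constructed sample rows: (event time, account, archive, category).
# Table and column names are assumed for this example only.
SAMPLE_EVENTS = [
    ("2011-03-01 09:02:11", "CORP\\alice", "Alice Mailbox", "View"),
    ("2011-03-01 09:03:40", "CORP\\alice", "Alice Mailbox", "Archive"),
    ("2011-03-01 09:10:05", "CORP\\alice", "Alice Mailbox", "Delete"),
    ("2011-03-01 10:00:00", "CORP\\bob", "Bob Mailbox", "Delete"),
    ("2011-03-01 10:05:00", "CORP\\bob", "Bob Mailbox", "Delete"),
    ("2011-03-02 08:00:00", "CORP\\bob", "Bob Mailbox", "Delete"),
    ("2011-03-01 22:14:03", "CORP\\svc_backup", "Alice Mailbox", "Delete"),
    ("2011-03-01 22:14:40", "CORP\\svc_backup", "Bob Mailbox", "Delete"),
    ("2011-03-01 22:15:02", "CORP\\svc_backup", "Finance Journal", "Delete"),
    ("2011-03-01 22:15:30", "CORP\\svc_backup", "Finance Journal", "Delete"),
]

# Per-account deletion report for a time window: how many items were
# deleted, from how many archives, and when the activity started and ended.
REPORT_SQL = """
SELECT account,
       COUNT(*)                AS deletions,
       COUNT(DISTINCT archive) AS archives_touched,
       MIN(event_time)         AS first_seen,
       MAX(event_time)         AS last_seen
FROM audit_events
WHERE category = 'Delete'
  AND event_time >= ? AND event_time < ?
GROUP BY account
HAVING COUNT(*) >= ?
ORDER BY deletions DESC, account
"""

def load_events(rows):
    """Create the assumed audit table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit_events (event_time TEXT NOT NULL, "
        "account TEXT NOT NULL, archive TEXT NOT NULL, category TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO audit_events VALUES (?, ?, ?, ?)", rows)
    return conn

def deletion_report(conn, start, end, threshold):
    """Return accounts with at least `threshold` deletions in [start, end)."""
    return conn.execute(REPORT_SQL, (start, end, threshold)).fetchall()

if __name__ == "__main__":
    for row in deletion_report(load_events(SAMPLE_EVENTS), "2011-03-01", "2011-03-02", 3):
        print(row)
```

Against a real auditing database, the table and column names must be replaced with those found in that database.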

1. Creating the auditing database:

This section describes how to use the Enterprise Vault Administration Console to create the auditing database. To roll the database over to a new database, see the support article "How to rollover an auditing database".

To create the auditing database:

 
1. In the left pane of the Administration Console, right click on the Enterprise Vault "Directory on" then click "Enable Auditing" as displayed in Figure 1.
 

 
Figure 1:
 
 
 

 
2. Under Audit Database location, click "Browse" to display the available locations for the auditing database.
 
Note: The Enterprise Vault system account must have local administrative rights on the SQL server to complete steps 2-8.
 

 
3. A new folder for the auditing database can be created by clicking on "New Folder".
 

 
4. Click the location for the auditing database and then click "OK".
 

 
5. Click "Browse" under transaction log location to display the available locations for the auditing database transaction log.
 

 
6. A new folder for the transaction logs can be created by clicking on "New Folder".
 

 
7. Click the location to use for the auditing database and then click "OK".
 

 
8. Click "OK".
 

 
There is a short pause while Enterprise Vault creates the new database. A confirmation message will appear.
 

 
9. Click "OK" on the confirmation message.
 

The database needs to be configured to audit specific Enterprise Vault operations after the database has been created. Each Enterprise Vault server will need to be configured.


2. Configuring auditing:

Enterprise Vault auditing will record data in a number of different categories. Each category can have auditing either enabled or disabled. Each category has a "Summary" level and some categories have a "Detailed" level.

To configure auditing:

 
1. Launch the Enterprise Vault Administration Console under the security context of the Enterprise Vault service account, then expand the tree in the left pane until the "Enterprise Vault Server" container is visible.
 

 
2. Click the "Enterprise Vault Server" container.
 

 
3. Right click the computer on which auditing should be enabled, then click "Properties".
 

 
4. Click the "Auditing" tab.
 

 
5. Place a check mark in the "Audit entries based on the following categories" box.
 

 
6. Select the check boxes for the categories to be audited as displayed in Figure 2.
 

Figure 2:
 


Enabling or disabling all auditing:

To disable all auditing on an individual computer:

 
1. Launch the Enterprise Vault Administration Console, then expand the tree in the left pane until the "Enterprise Vault Server" container is visible.
 

 
2. Click on the "Enterprise Vault Servers" container.
 

 
3. Right click the computer on which auditing should be disabled, then click "Properties".
 

 
4. Click on the "Auditing" tab.
 

 
5. Clear the "Audit entries based on the following categories" box. The individual category selections can remain checked.
 

 
6. Click "OK".
 

 
7. Restart all Enterprise Vault services on the vault server that was configured for auditing.
 

 

 
To enable auditing on an individual computer:

 
1. Repeat steps 1-4 of the procedure above for disabling auditing.
 

 
2. Select the "Audit entries based on the following categories" box.
 

 
3. Select the categories and the detailed level to be audited.
 

 
4. Click "OK".
 

 
5. Restart all Enterprise Vault services on the vault server(s) that have been configured for auditing.
 

 
This information is available in Admin_Console_Help.chm Guide which is located at:

 
1. Enterprise Vault Installation Directory location "<INSTALL_PATH>\Program Files\Enterprise Vault" as displayed in Figure 3.
 

 
Figure 3:
 
 
 

 
Or
 

 
2. From the Enterprise Vault console.
 

 
a.  Click on "Help" on the top toolbar and select "Help of Enterprise Vault" as displayed in Figure 4.
 

 
Figure 4.
 
 
 

 
b. Click on the "Search" tab and enter "Audit" in the search box and click "List Topics" as displayed in Figure 5.
 

 
Figure 5:
 
 
 

Enterprise Vault includes a tool, Audit Viewer, that enables you to view audit log data. You can specify the data you want to view. When the tool displays the data from the log, you can sort by column and copy data to the Windows clipboard. Please reference the Admin_Console_Help.chm Guide for more details.
 



Legacy ID



285115

