Archiving and eDiscovery Community Blog

Filtering messages for journal archiving and Enterprise Vault

Created: 24 May 2014 • Updated: 29 May 2014
Rob.Wilcox

We all know about the Enterprise Vault Custom Filtering options available within the product.  There is often a reported performance drop in archiving when these are used, and, of course, the way to build and test these particular filters is not very intuitive or user friendly.

So what other options are there?

Well, in Exchange 2007 and higher you can use Journal Rules to enable journaling for particular users or groups, or based on whether the mail is internal or external. No filtering is needed in Enterprise Vault. Let's see how:

Journal Rules - Overview

The idea of journal rules is that they allow you to configure how Exchange determines whether a journal report should be sent to a journal mailbox.

Specific Rule - Example

Let's say we want to journal just one user. This example is with Exchange 2010. Exchange 2007 and Exchange 2010 allow rules to be created in the same way, whereas Exchange 2013 is a little bit different. I've included a link at the end of this article about how to do this in Exchange 2013.

So first of all, let's do it in the Exchange Management Console (EMC).

Open the EMC, and navigate to Organization Configuration, then Hub Transport.

Click on the Transport Rules tab. This is where you'll see existing rules, and create new ones.

Click on 'New Journal Rule' on the right hand side of the EMC.

Give the rule a name (e.g. Journal Rob Wilcox).

Pick the journal mailbox where a copy of the journal report will be sent.

For the scope, in this example, we'll pick the option for 'Journal message for recipient', and we'll leave the scope at 'Global' since we want ALL of the messages to/from Rob Wilcox to be journaled.

And that's it.

This can also be done in the Exchange Management Shell; that's shown in a reference at the end.
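The same rule created from the Exchange Management Shell, as an added example (not taken from the original article or the linked references). The rule name matches the one used above; the two contoso.com addresses are placeholders for your journal mailbox and the journaled user.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2007/2010).
# The addresses below are placeholders, not values from the article's environment.
$ruleName       = 'Journal Rob Wilcox'
$journalMailbox = 'journal@contoso.com'      # assumed journal mailbox address
$journaledUser  = 'rob.wilcox@contoso.com'   # assumed address of the user to journal

# Fail early if either end of the rule does not resolve to a real object.
$target = Get-Mailbox   -Identity $journalMailbox -ErrorAction Stop
$user   = Get-Recipient -Identity $journaledUser  -ErrorAction Stop

# Avoid creating a duplicate if a rule with this name already exists.
$existing = Get-JournalRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Write-Warning "Journal rule '$ruleName' already exists; leaving it unchanged."
}
else {
    # -Scope Global journals all messages to/from the recipient,
    # matching the 'Global' choice made in the EMC wizard.
    New-JournalRule -Name $ruleName `
        -JournalEmailAddress $target.PrimarySmtpAddress.ToString() `
        -Recipient $user.PrimarySmtpAddress.ToString() `
        -Scope Global `
        -Enabled $true
}

# Review every journal rule: who it covers, its scope, where reports go, and its state.
Get-JournalRule |
    Format-Table Name, Recipient, Scope, JournalEmailAddress, Enabled -AutoSize
```

The final listing is worth checking whenever rules change, since it shows every mailbox that receives journal reports and any rule left disabled.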

Testing the rule

The easiest way to test the rule is to first of all make sure that Enterprise Vault isn't picking up messages from the particular journal mailbox (otherwise you won't be able to see easily what's going on).

Then you need to open Outlook and create a profile to the mailbox where the journal reports have been directed.

Now from a client machine send a mail from a user to a different random user, and you should not see this arrive in the journal mailbox.

From the same client machine send a mail to the user we picked in the journal rule. You should see that arrive in the journal mailbox. The journal report will look no different than the normal journal reports for your version of Exchange.

Finally, connect to the mailbox we configured the rule for, and send a mail to someone else inside the organization. That should also arrive in the journal mailbox.

Summary
Have you had the need to filter what goes into the journal archive? How have you approached it? Let me know in the comments below.

(reference)
http://technet.microsoft.com/en-us/library/bb124723(v=exchg.80).aspx (Exchange 2007)
http://technet.microsoft.com/en-gb/library/aa995915(v=exchg.141).aspx (Exchange 2010)
http://technet.microsoft.com/en-us/library/jj651670(v=exchg.150).aspx (Exchange 2013)
https://www-secure.symantec.com/connect/forums/jou...