Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Best Practice for Monitoring MS Exchange 2007

FormerMember

Hi Guys

Would like to have some baseline settings to set on LEM for Monitoring MS Exchange 2007.

I have set the two connectors but would also like to know of examples of setting up the filters for meaninful results.

Thanks

Airwolfr

Find more posts tagged with

Accepted answers

All comments

FormerMember

A few things that come to mind that I have monitored for in the past:

Someone opening another user's mailbox (can also track public folders)
Someone using "send as" or delegated rights to reply to an email
Any virus activity that was detected that plugs into Exchange's APIs for that kind of stuff
Failed logons in general
Failed attempts to open another user's mailbox
Unexpected activity on the Exchange server, including:
- Any of the Exchange services stopping (ESPECIALLY the Message Store) or causing errors
- Someone logging on directly to the Exchange server, successful or failed
- Shutdown/reboots of the server
- Disk space problems or other disk errors
- If you're using performance counters, thresholds for very low available memory can be useful

I'd start with a filter that just shows Exchange server activity (i.e. "Any Alert.InsertionIP = *exchange server name*") to give you the high level overview of what's going on. Some of the events will come from the regular Windows event logs, some will come from the Exchange-specific stuff. If you want to look for only one or the other, you can use ToolAlias as a shortcut to narrow to just that tool (i.e. "AnyAlert.ToolAlias = "*exchange*" or whatever it's called). You might have to start filtering OUT things you don't want to see - toggle the outer filter group to an AND and start adding stuff like "AnyAlert.ProviderSID /= (not equal) "Security 560" (to filter out Security 560 events from showing in the filter and clogging it up).

If it would help to give specific alerts and examples, I can do a little more digging. I saw most of this stuff pretty regularly through the course of the day, but if it's bogged down by noise in your Console it might be easier to start with a little more info.