1 Reply Latest reply on Jul 25, 2012 4:43 PM by nicole pauls

    Best Practice for Monitoring MS Exchange 2007

    Airwolfr

      Hi Guys

       

      Would like to have some baseline settings to set on LEM for Monitoring MS Exchange 2007.

       

      I have set the two connectors but would also like to know of examples of setting up the filters for meaningful results.


      Thanks

       

      Airwolfr

        • Re: Best Practice for Monitoring MS Exchange 2007
          nicole pauls

          A few things that come to mind that I have monitored for in the past:

          • Someone opening another user's mailbox (can also track public folders)
          • Someone using "send as" or delegated rights to reply to an email
          • Any virus activity that was detected that plugs into Exchange's APIs for that kind of stuff
          • Failed logons in general
          • Failed attempts to open another user's mailbox
          • Unexpected activity on the Exchange server, including:
            • Any of the Exchange services stopping (ESPECIALLY the Message Store) or causing errors
            • Someone logging on directly to the Exchange server, successful or failed
            • Shutdown/reboots of the server
            • Disk space problems or other disk errors
            • If you're using performance counters, thresholds for very low available memory can be useful

           

          I'd start with a filter that just shows Exchange server activity (i.e. "AnyAlert.InsertionIP = *exchange server name*") to give you the high level overview of what's going on. Some of the events will come from the regular Windows event logs, some will come from the Exchange-specific stuff. If you want to look for only one or the other, you can use ToolAlias as a shortcut to narrow to just that tool (i.e. "AnyAlert.ToolAlias = *exchange*" or whatever it's called). You might have to start filtering OUT things you don't want to see - toggle the outer filter group to an AND and start adding stuff like "AnyAlert.ProviderSID /= (not equal) Security 560" (to filter out Security 560 events from showing in the filter and clogging it up).

           

          If it would help to give specific alerts and examples, I can do a little more digging. I saw most of this stuff pretty regularly through the course of the day, but if it's bogged down by noise in your Console it might be easier to start with a little more info.
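The following is an added example, not code from this thread or from SolarWinds: a small Python model of the filter logic described in the reply (an outer AND/OR group of field/operator/wildcard conditions over normalized alerts, with "=" and "/=" operators) plus a classifier that tags alerts against the watch list above. The field names InsertionIP, ToolAlias and ProviderSID are the ones the reply uses; the host name EXCH01, the extra fields (SourceAccount, DestinationAccount, LogonType, EventInfo), the "Exchange MailboxAccess" provider string and the alert records themselves are constructed for illustration. Windows IDs 4624, 4625, 7036 and 1074 are the standard Security/System event IDs for logon, failed logon, service state change and shutdown.

```python
"""Toy LEM-style filter evaluation over constructed Exchange-server alerts.

Added example for illustration only; not the thread's or SolarWinds' code.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

EXCHANGE_HOST = "EXCH01"  # assumed Exchange server name

# Constructed sample alerts in a flattened, LEM-like shape (not real log data).
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"InsertionIP": "EXCH01", "ToolAlias": "Exchange Auditing",
     "ProviderSID": "Exchange MailboxAccess",  # assumed provider string
     "SourceAccount": "jsmith", "DestinationAccount": "ceo", "LogonType": "",
     "EventInfo": "Mailbox folder opened"},
    {"InsertionIP": "EXCH01", "ToolAlias": "Windows Security", "ProviderSID": "Security 4625",
     "SourceAccount": "admin", "DestinationAccount": "", "LogonType": "3",
     "EventInfo": "An account failed to log on"},
    {"InsertionIP": "EXCH01", "ToolAlias": "Windows Security", "ProviderSID": "Security 4624",
     "SourceAccount": "admin", "DestinationAccount": "", "LogonType": "10",
     "EventInfo": "An account was successfully logged on"},
    {"InsertionIP": "EXCH01", "ToolAlias": "Windows System", "ProviderSID": "System 7036",
     "SourceAccount": "", "DestinationAccount": "", "LogonType": "",
     "EventInfo": "The Microsoft Exchange Information Store service entered the stopped state."},
    {"InsertionIP": "EXCH01", "ToolAlias": "Windows Security", "ProviderSID": "Security 560",
     "SourceAccount": "SYSTEM", "DestinationAccount": "", "LogonType": "",
     "EventInfo": "Object Open"},
    {"InsertionIP": "FILE01", "ToolAlias": "Windows Security", "ProviderSID": "Security 4625",
     "SourceAccount": "bob", "DestinationAccount": "", "LogonType": "3",
     "EventInfo": "An account failed to log on"},
]

Condition = Tuple[str, str, str]          # (field, operator, wildcard pattern)
Group = Tuple[str, List[Condition]]       # ("AND" | "OR", conditions)


def condition_matches(alert: Dict[str, str], cond: Condition) -> bool:
    """Case-insensitive wildcard compare; "/=" is the not-equal operator from the reply."""
    field, op, pattern = cond
    hit = fnmatchcase(str(alert.get(field, "")).lower(), pattern.lower())
    if op == "=":
        return hit
    if op == "/=":
        return not hit
    raise ValueError(f"unsupported operator {op!r}")


def group_matches(alert: Dict[str, str], group: Group) -> bool:
    """Outer group semantics: AND requires every condition, OR requires any."""
    op, conds = group
    results = [condition_matches(alert, c) for c in conds]
    return all(results) if op == "AND" else any(results)


def run_filter(alerts: List[Dict[str, str]], group: Group) -> List[Dict[str, str]]:
    return [a for a in alerts if group_matches(a, group)]


# The three filters sketched in the reply, expressed as groups.
OVERVIEW: Group = ("OR", [("InsertionIP", "=", f"*{EXCHANGE_HOST}*")])
EXCHANGE_TOOL_ONLY: Group = ("AND", [("ToolAlias", "=", "*exchange*")])
OVERVIEW_MINUS_560: Group = ("AND", [("InsertionIP", "=", f"*{EXCHANGE_HOST}*"),
                                     ("ProviderSID", "/=", "Security 560")])


def classify(alert: Dict[str, str]) -> Optional[str]:
    """Tag an alert against the watch list from the reply; None means 'not interesting'."""
    sid = alert.get("ProviderSID", "")
    info = alert.get("EventInfo", "")
    on_exchange = fnmatchcase(alert.get("InsertionIP", ""), f"*{EXCHANGE_HOST}*")
    if "exchange" in alert.get("ToolAlias", "").lower() and alert.get("DestinationAccount"):
        if alert["SourceAccount"].lower() != alert["DestinationAccount"].lower():
            return "non-owner mailbox access"
    if sid == "Security 4625":
        return "failed logon"
    # Interactive (2) or RDP (10) logon on the Exchange box itself, not a client network logon.
    if sid == "Security 4624" and on_exchange and alert.get("LogonType") in ("2", "10"):
        return "direct logon to Exchange server"
    if sid == "System 7036" and "Exchange" in info and "stopped state" in info:
        return "Exchange service stopped"
    if sid == "System 1074" and on_exchange:
        return "Exchange server shutdown/reboot"
    return None


def summarize(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count tagged alerts per category (untagged alerts are dropped)."""
    counts: Dict[str, int] = {}
    for a in alerts:
        tag = classify(a)
        if tag:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for name, grp in (("overview", OVERVIEW), ("exchange tool", EXCHANGE_TOOL_ONLY),
                      ("overview minus 560", OVERVIEW_MINUS_560)):
        print(f"{name}: {len(run_filter(SAMPLE_ALERTS, grp))} alerts")
    print(summarize(run_filter(SAMPLE_ALERTS, OVERVIEW_MINUS_560)))
```

The point of modelling it this way is the order of operations the reply describes: start wide (everything inserted from the Exchange host), then narrow by tool or by excluding a chatty ProviderSID, and only then apply the per-item watch list. The 4624 rule deliberately keys on LogonType, because every Outlook RPC or OWA session also lands a network logon on the mailbox server and would otherwise drown the "someone logged on directly" signal.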