Exchange Journaling and Diagnostics: How to

Rob Sobers
2 min read
Published May 3, 2012
Last updated June 9, 2023

Journaling and Diagnostics Logging are services to monitor and audit activity on Microsoft Exchange servers. They provide basic auditing functionality for email activity (e.g. who sent which message to whom) and, if collected and analyzed, may help organizations answer basic questions about email, as well as comply with policies and regulations. (Note: Varonis DatAdvantage for Exchange does not require journaling or diagnostics to monitor Exchange activity.)

Journaling records email communication traffic and processes messages on the Hub Transport servers. The information collected by the journaling agent can be viewed through journaling reports, which include the original message with all the attachments.

Diagnostics writes additional activities to the event log (visible in Windows Event Viewer), such as “message sent as” and “message sent on behalf of” actions. Diagnostics can be configured through the Manage Diagnostics Logging Properties window in the Exchange Management Console.

Journaling and Diagnostics Logging collect significant amounts of events and generate a large amount of raw log data, so it is critical to plan which mailboxes and messages will be monitored and allocate additional storage before enabling.

Here are the steps to enable Journaling and Diagnostics in your Exchange Server.

Setting up Journaling in Exchange

There are two types of Journaling: standard and premium. Standard provides journaling of all the messages sent and received from mailboxes on a specified mailbox database, while premium provides the ability to journal individual recipients by using journaling rules.

Here are the high-level steps to set up journaling on your Exchange server:

  1. First, create a journaling mailbox. This mailbox will be configured to collect all the journaling reports, and should ideally be set up with no storage limits to avoid missing any. The process to create the mailbox is:
    • Select a different OU than the default
    • Assign a display name
    • Assign a user logon name (used to log in to this mailbox)
    • Set up a password. Take into account that journaling mailboxes may contain sensitive information, as a copy of the message is stored with the report.
  2. To enable standard Journaling, modify the properties of the mailbox database. Under the Organization Configuration/Mailbox/Database Management/Maintenance tab, specify the journaling mailbox where you want the journaling reports sent.
  3. Premium Journaling requires an Exchange Enterprise Client license. To set up premium journaling, create journal rules, which configure journaling for specific recipients. In the Exchange Management Console (EMC), journal rules are created under the Hub Transport section of Organization Configuration, on the Journal Rules tab. The fields to configure a journal rule are the following:
    • Name
    • Send reports to email
    • Scope
      • Global – all messages through the Hub transport
      • Internal – messages sent and received by users in the organization
      • External – messages sent to or from recipients outside the organization
    • Journal messages for recipient – journal messages sent to or from a specific recipient
    • Enable rule – checkbox

Make sure the status on the completion page is “Completed” to verify that the rule was created successfully.
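
The same three steps can be scripted in the Exchange Management Shell, which also makes the result easy to verify and audit. This is an added example, not part of the original post; the OU, database name, and example.com addresses are hypothetical placeholders.

```powershell
# Added example: run in the Exchange Management Shell.
# All names below (OU, database, addresses) are hypothetical placeholders.
$journalUpn = 'journal@example.com'
$database   = 'Mailbox Database 01'
$ou         = 'example.com/Service Accounts'   # a non-default OU, per step 1

# Step 1: create the journaling mailbox. The password is prompted for, never hard-coded.
$password = Read-Host -Prompt 'Password for journaling mailbox' -AsSecureString
New-Mailbox -Name 'Journal Mailbox' -DisplayName 'Journal Mailbox' `
    -UserPrincipalName $journalUpn -Password $password `
    -OrganizationalUnit $ou -Database $database

# Remove storage limits so journal reports are not rejected when a quota is hit.
Set-Mailbox -Identity $journalUpn -UseDatabaseQuotaDefaults $false `
    -IssueWarningQuota Unlimited -ProhibitSendQuota Unlimited `
    -ProhibitSendReceiveQuota Unlimited

# Step 2 (standard journaling): journal every mailbox on one database.
Set-MailboxDatabase -Identity $database -JournalRecipient $journalUpn

# Step 3 (premium journaling): journal one recipient's external mail only.
# Both variants are shown for illustration; use the one your plan calls for.
New-JournalRule -Name 'Journal external mail - jdoe' `
    -JournalEmailAddress $journalUpn -Recipient 'jdoe@example.com' `
    -Scope External -Enabled $true

# Verify: the database points at the journaling mailbox and the rule is enabled.
Get-MailboxDatabase -Identity $database | Format-List Name, JournalRecipient
Get-JournalRule |
    Format-Table Name, Recipient, JournalEmailAddress, Scope, Enabled -AutoSize

# The journaling mailbox holds full message copies: list who else can open it.
Get-MailboxPermission -Identity $journalUpn |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Format-Table User, AccessRights -AutoSize
```

Any explicit (non-inherited) permission the last command lists is an account that can read every journaled message, so review that output whenever the mailbox or its rules change.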

Setting up diagnostics in Exchange

Diagnostics logging is configured separately for each service on each server. The steps to configure diagnostics logging are:

  1. In the Exchange Management Console (EMC), click on Server Configuration.
  2. Right-click on an Exchange server to enable Diagnostics Logging on it.
  3. Click on Manage Diagnostics Logging Properties.
  4. On the Manage Diagnostics Logging window, select the services you want to enable diagnostics for.
  5. Choose the level of diagnostics you would like on that service.
    • Lowest – log only critical events
    • Low – log only events with logging level 1 or lower
    • Medium – log events with logging level 3 or lower
    • High – log events with logging level 5 or lower
    • Expert – log events with logging level 7 or lower
  6. Click on Configure. The system will provide a confirmation screen.
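
The Exchange Management Shell equivalent uses Get-EventLogLevel and Set-EventLogLevel. This is an added example, not part of the original post: it raises logging only for the categories that cover the "sent as" and "sent on behalf of" events mentioned earlier and saves the previous levels for rollback. The server name is a hypothetical placeholder, and the category name patterns are an assumption to confirm against your own Get-EventLogLevel output.

```powershell
# Added example: run in the Exchange Management Shell.
$server = 'EXCH01'    # hypothetical server name
$level  = 'Medium'    # one of: Lowest, Low, Medium, High, Expert

# Find the diagnostic categories for "send as" / "send on behalf of" events.
# Matched by pattern because category names can differ between Exchange
# versions (assumption: confirm against the full Get-EventLogLevel listing).
$categories = Get-EventLogLevel -Server $server | Where-Object {
    "$($_.Identity)" -like '*Send As*' -or
    "$($_.Identity)" -like '*Send On Behalf*'
}

if (-not $categories) {
    Write-Warning "No matching categories on $server; review Get-EventLogLevel output."
    return
}

# Record the current levels first so the change can be rolled back.
$categories | Select-Object Identity, EventLevel |
    Export-Csv -Path ".\eventloglevel-before-$server.csv" -NoTypeInformation

# Raise only the selected categories; everything else keeps its current level,
# which limits the extra event log volume the post warns about.
$categories | Set-EventLogLevel -Level $level

# Verify: list every category on the server that is no longer at Lowest.
Get-EventLogLevel -Server $server |
    Where-Object { $_.EventLevel -ne 'Lowest' } |
    Format-Table Identity, EventLevel -AutoSize
```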

In a future post, we will go over the Mailbox Audit Logging in MS Exchange 2010.
