The Transport Rule feature of Exchange 2007 and 2010 Hub and Edge Transport servers is very useful. One of the questions I was asked recently is whether or not there is a log file that can be checked to see how many “hits” a transport rule has.
This won’t suit all transport rules. For example, if you’re using them to apply disclaimers, that is probably not something you want to be constantly logging.
But for scenarios such as data leak prevention, logging may be more appropriate.
Exchange 2007/2010 Edge Transport servers can have transport rules that log events, simply by adding “log an event with message” as an Action in the configuration of the rule.
Configure the message to say something relevant to the transport rule.
Every time the rule conditions are met and the server takes the configured action, an event log entry will also be logged.
Those event log entries can then be reported on by running a script or scraped with your network monitoring system.
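One way to do that reporting, as an added example (not a script from the original article): it counts logged hits per rule per day from the Application log on the Edge Transport server. It assumes each rule's "log an event with message" text begins with a marker you chose yourself; the `TR-HIT:` prefix, the rule labels and the sample events are hypothetical and constructed.

```powershell
# Run on the Edge Transport server. -UseSample runs against constructed events.
param(
    [string]$Marker = 'TR-HIT:',   # hypothetical prefix typed into each rule's log message
    [int]$Days = 30,
    [switch]$UseSample
)

function Get-TransportRuleHitSummary {
    param($Events, [string]$Marker)
    # The rule label is whatever follows the marker on the same line of the event text.
    $pattern = [regex]::Escape($Marker) + '\s*(?<rule>[^\r\n]+)'
    $Events | ForEach-Object {
        if ($_.Message -match $pattern) {
            New-Object PSObject -Property @{
                Day  = $_.TimeCreated.ToString('yyyy-MM-dd')
                Rule = $Matches['rule'].Trim()
            }
        }
    } | Group-Object Day, Rule | ForEach-Object {
        New-Object PSObject -Property @{
            Day  = $_.Group[0].Day
            Rule = $_.Group[0].Rule
            Hits = $_.Count
        }
    } | Sort-Object Day, Rule | Select-Object Day, Rule, Hits
}

if ($UseSample) {
    # Constructed sample events, not real log output.
    $events = @(
        (New-Object PSObject -Property @{ TimeCreated = [datetime]'2012-03-01 09:15'; Message = 'TR-HIT: Card number outbound' }),
        (New-Object PSObject -Property @{ TimeCreated = [datetime]'2012-03-01 14:40'; Message = 'TR-HIT: Card number outbound' }),
        (New-Object PSObject -Property @{ TimeCreated = [datetime]'2012-03-02 08:05'; Message = 'TR-HIT: Project codename in subject' }),
        (New-Object PSObject -Property @{ TimeCreated = [datetime]'2012-03-02 08:06'; Message = 'Unrelated application event' })
    )
} else {
    # Reads the whole Application log for the window; add ProviderName to the
    # filter once you have checked the source of a logged rule event.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
}

Get-TransportRuleHitSummary -Events $events -Marker $Marker | Format-Table -AutoSize
```

The window can only reach back as far as the Application log retains events, so size the log or schedule the report accordingly.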
How would I find whether the configured action was taken from a Hub Transport server if no Edge Transport is in use?
Hi Paul, my org’s 2010 Exchange config does not have the edge role installed. When I attempt to create a transport rule with logging I’m not seeing an option to “log an event with message”. I’m attempting to block a message by subject. Can you confirm that this logging feature is only available when the edge role is installed? Is there another way to track how often a transport rule is triggered/used?
Thanks
The transport rule action LogEvent isn’t available on Exchange 2010 SP1 Hub Transport servers. It’s only available on Edge Transport servers.
Microsoft TechNet: Exchange Server 2010 Transport Rule Actions
http://technet.microsoft.com/en-us/library/aa998315.aspx
Good catch, updating the article to make that clear.
Hi Paul,
The article doesn’t look like it’s been updated, unless I’ve misread it.
Is there a way to achieve this post Exchange 2010 SP1, and do you know why they would have removed it?
Cheers,
Ian
I have the same problem. Since 2010 does not know the “AGENTINFO” Event-ID Type like 2013 and we do not have an edge server, I am stuck with my transport rules that reject messages based on X-SPAM-Scores.
I would like to monthly monitor all messages rejected by this transport rule but I cannot find any way to achieve that.