The Transport Rule feature of Exchange 2007 and 2010 Hub and Edge Transport servers is very useful. One of the questions I was asked recently is whether or not there is a log file that can be checked to see how many “hits” a transport rule has.
This won’t suit all transport rules. For example, if you’re using them to apply disclaimers, that is probably not something you want to be constantly logging.
But for scenarios such as data leak prevention, logging may be more appropriate.
Exchange 2007/2010 Edge Transport servers can have transport rules that log events, simply by adding “log an event with message” as an Action in the configuration of the rule.
Configure the message to say something relevant to the transport rule.
Every time the rule conditions are met and the server takes the configured action, an event log entry will also be logged.
Those event log entries can then be reported on by running a script or scraped with your network monitoring system.
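As an added example (not part of the original post), here is one way such a reporting script could count rule hits per day. It assumes each rule's logged message contains a tag such as `[TR:DLP-CardNumbers]`, which is a hypothetical naming convention, and that the events are read from the Application log with `Get-WinEvent`; the function name and sample events are constructed for illustration.

```powershell
# Added example: summarise transport rule "hits" from event log entries.
# Assumption: the text configured in each rule's "log an event with message"
# action contains a tag like "[TR:DLP-CardNumbers]" (hypothetical convention).
function Get-TransportRuleHitSummary {
    param(
        [Parameter(ValueFromPipeline = $true)] $InputObject,
        [string] $TagPattern = '\[TR:(?<rule>[^\]]+)\]'
    )
    begin { $hits = @{} }
    process {
        # Only count events whose message carries a rule tag.
        if ($InputObject.Message -match $TagPattern) {
            # Day first: it has a fixed format, so the split below is unambiguous.
            $key = '{0:yyyy-MM-dd}|{1}' -f $InputObject.TimeCreated, $Matches['rule']
            $hits[$key] = 1 + [int]$hits[$key]
        }
    }
    end {
        foreach ($key in ($hits.Keys | Sort-Object)) {
            $day, $rule = $key -split '\|', 2
            New-Object PSObject -Property @{ Day = $day; Rule = $rule; Hits = $hits[$key] } |
                Select-Object Day, Rule, Hits
        }
    }
}

# Constructed sample events so the function can be tried offline.
$sample = @(
    New-Object PSObject -Property @{ TimeCreated = [datetime]'2012-03-05 09:14'
        Message = '[TR:DLP-CardNumbers] Outbound message blocked' }
    New-Object PSObject -Property @{ TimeCreated = [datetime]'2012-03-05 16:40'
        Message = '[TR:DLP-CardNumbers] Outbound message blocked' }
    New-Object PSObject -Property @{ TimeCreated = [datetime]'2012-03-06 08:02'
        Message = '[TR:Block-Executables] Attachment removed' }
    New-Object PSObject -Property @{ TimeCreated = [datetime]'2012-03-06 08:30'
        Message = 'Unrelated application event' }
)
$sample | Get-TransportRuleHitSummary | Format-Table -AutoSize

# On the Edge Transport server, feed it real events instead, for example:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'
#     StartTime = (Get-Date).AddDays(-7) } | Get-TransportRuleHitSummary
```

A sudden rise in hits for a data leak prevention rule is the kind of change worth alerting on, so the same output can be exported on a schedule and compared against previous days.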