The Transport Rule feature of Exchange 2007 and 2010 Hub and Edge Transport servers is very useful. One of the questions I was asked recently is whether or not there is a log file that can be checked to see how many “hits” a transport rule has.

This won’t suit all transport rules. For example, if you’re using them to apply disclaimers, that is probably not something you want to be constantly logging.

But for scenarios such as data leak prevention, logging may be more appropriate.

Exchange 2007/2010 Edge Transport servers can have transport rules that log events, simply by adding “log an event with message” as an Action in the configuration of the rule.

Exchange 2007/2010 Transport Rule Logging

Configure the message to say something relevant to the transport rule.


Every time the rule conditions are met and the server takes the configured action, an event log entry will also be logged.


Those event log entries can then be reported on by running a script or scraped with your network monitoring system.
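One way to do the reporting described above is a script that counts hits per rule per day. This is an added example, not a script from the original article. It assumes the rule events land in the Application log of the Edge Transport server and that each rule's "log an event with message" text contains a unique marker string; the markers shown are constructed samples.

```powershell
# Added example: count transport rule "log an event" hits per day.
# Assumptions: events are written to the Application log, and every rule's
# configured message contains a unique marker. Requires PowerShell 2.0 or later.
param(
    # Constructed sample markers; replace with the text configured in your rules.
    [string[]]$Markers = @('TR-DLP-CardNumber', 'TR-DLP-ProjectCodename'),
    [int]$Days = 30,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{ LogName = 'Application'; StartTime = (Get-Date).AddDays(-$Days) }

# Get-WinEvent raises an error when no events match the filter.
# SilentlyContinue turns that into an empty result (it also hides access
# errors, so run once without it if the report is unexpectedly empty).
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
    -ErrorAction SilentlyContinue)

$report = foreach ($marker in $Markers) {
    $hits = @($events | Where-Object { $_.Message -and $_.Message.Contains($marker) })

    if ($hits.Count -eq 0) {
        # Emit an explicit zero row so a silent rule is visible in the report.
        New-Object PSObject -Property @{ Marker = $marker; Day = '-'; Hits = 0 }
        continue
    }

    # One row per rule per calendar day.
    $hits | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } | ForEach-Object {
        New-Object PSObject -Property @{
            Marker = $marker
            Day    = $_.Name
            Hits   = $_.Count
        }
    }
}

$report | Sort-Object Marker, Day | Format-Table Marker, Day, Hits -AutoSize
```

Once you have confirmed the event source and ID from an actual logged entry, adding them to the filter hashtable narrows the query and speeds it up on busy servers.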

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. HH

    How would I find that the configured action was taken from a Hub Transport server if no Edge Transport is in use?

  2. ITFreely

    Hi Paul, my org’s 2010 Exchange config does not have the edge role installed. When I attempt to create a transport rule with logging I’m not seeing an option to “log an event with message”. I’m attempting to block a message by subject. Can you confirm that this logging feature is only available when the edge role is installed? Is there another way to track how often a transport rule is triggered/used?

    Thanks

      1. Ian

        Hi Paul,
        The article doesn’t look like it’s been updated, unless I’ve misread it.

        Is there a way to achieve this post Exchange 2010 SP1, and do you know why they would have removed it?

        Cheers,
        Ian

        1. Joachim

          I have the same problem. Since 2010 does not know the “AGENTINFO” Event-ID Type like 2013 and we do not have an edge server, I am stuck with my transport rules, that reject messages based on X-SPAM-Scores.

          I would like to monthly monitor all messages rejected by this transport rule but I cannot find any way to achieve that.
