Exchange Mailbox Audit Log Event ID 25002

SourceExchange (LOGbinder EX)
LogMailbox Audit
Windows Security Log
Category
 • Subcategory
Object Access
 • Application Generated
Type Success
Failure
Discussions on Event ID 25002
Ask a question about this event

25002: Operation Create - Create item in Exchange mailbox

This is an event from Exchange audit event from LOGbinder EX generated by Log  Mailbox Audit.

On this page

Exchange Create action.

An item is created for example by sending or receiving a message. Creating folders is not audited.

Free Security Log Resources by Randy

Description Fields in 25002

Field Description
Occurred Date and time when Exchange registered the cmdlet.
Operation Operation performed on the mailbox.
Result Result of the operation:
  • Failed
  • PartiallySucceeded
  • Succeeded
Originating server The host name of the server.
Mailbox GUID Destination of move or copy (if applicable) - Mailbox's Globally Unique Identifier.
Mailbox owner Mailbox user resolved name in the format DOMAIN\SamAccountName.
Mailbox owner UPN Destination of move or copy (if applicable) - Mailbox owner's User Principal Name.
Mailbox owner SID Destination of move or copy (if applicable) - Mailbox owner's SID (Security Identifier).
Folder ID ID of affected folder (if applicable).
Folder name Name of affected folder (if applicable).
Performed user name Display name of the user who performed the operation.
Performed user SID SID of the user who performed the operation.
Performed logon type Logon type of the user who performed the operation. Logon types include:
  • Owner
  • Delegate
  • Admin
Client info Details that identify which client or Exchange component performed the operation.
Client IP address IP address of the client (e.g. Outlook).
Client process name Process name of the client application as reported by the client
Client version Version of the client application as reported by the client.
Item ID ID of affected item (if applicable).
Item subject Subject of affected item (if applicable).
Additional information Additional information, if any (otherwise "n/a").

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Where Does This Event Come From?

This Event Is Produced By

Which Integrates with Your SIEM

Examples of 25002

Create item in Exchange mailbox
Occurred: 1/16/2013 10:57:25 AM
Operation: Create
Result: Succeeded
Originating server: SP2010-EX1 (14.02.0328.009)
Mailbox
  GUID: d74d840c-4dff-4d73-bd8c-5b7a6ce254fd
  Owner: n/a
  Owner UPN: Jack.Striker@sp2010.com
  Owner SID: S-1-5-21-2141518605-3280587107-2299868870-1113
Folder
  ID: LgAAAADhmB/WGtj9QJHQYGoruww9AQB73FvAgkdWRYw1hL/iqQFMAAAAJaFPAAAB
  Folder: \Drafts
Performed By
  User name: Administrator
  User SID: S-1-5-21-2141518605-3280587107-2299868870-500
  Logon type: Owner
Client
  Info: Client=OWA
  IP address: fe80::c005:56c7:e881:f29eAdministrator
  Process name: n/a
  Version: n/a
Item
  ID: RgAAAADhmB/WGtj9QJHQYGoruww9BwB73FvAgkdWRYw1hL/iqQFMAAAAJaFPAAB73FvAgkdWRYw1hL/iqQFMAAAjcMZ6AAAJ
  Subject: Send as Jack
Additional information: Owner= [Jack Striker]; LastAccessed= [2013-01-16T10:57:25.9308033-05:00]; LogonType= [Delegate]

For more information, see http://logbinder.com/support

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources