You can configure the following logging options for Forefront Protection 2010 for Exchange Server (FPE):

Enabling or disabling incidents logging

You can enable or disable incidents logging for each scan job type (transport, realtime, scheduled, on-demand). Enabling incidents logging allows you to track the performance of FPE more efficiently. However, disabling incidents logging can save you disk space if your resources are limited, provided that you also disable quarantining for that scan job. (If you disable incidents logging for a scan job but quarantining remains enabled, the incident is still written to the database so that FPE can quarantine the item. However, the item is not displayed in the Incidents pane.)

To enable or disable incident logging options
  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Advanced Options.

  2. In the Global Settings - Advanced Options pane, under the Logging Options section, using the check boxes, enable or disable the following incident logging options:

    • Enable transport incident logging—Specifies whether FPE should enable incident logging for the transport scan job. By default, transport incident logging is enabled. To disable the logging of incidents detected during transport scanning, clear the check box.

    • Enable realtime incident logging—Specifies whether FPE should enable incident logging for the realtime scan job. By default, realtime incident logging is enabled. To disable the logging of incidents detected during realtime scanning, clear the check box.

    • Enable scheduled incident logging—Specifies whether FPE should enable incident logging for the scheduled scan job. By default, scheduled incident logging is enabled. To disable the logging of incidents detected during scheduled scanning, clear the check box.

    • Enable on-demand incident logging—Specifies whether FPE should enable incident logging for the on-demand scan job. By default, on-demand incident logging is enabled. To disable the logging of incidents detected during on-demand scanning, clear the check box.

  3. Click Save.

Note:
For more information about incidents, see Viewing and managing incidents.

Configuring the archiving of mail during transport scanning

You can configure if and how FPE should save a copy of inbound and outbound Edge Transport or Hub Transport e-mail. The Archive transport mail parameter indicates whether inbound and outbound messages are stored in "In" and "Out" folders located in the FPE data folder. (For the default location of the data folder, see Default folders.) When stored, each message is given a file name that consists of the year, day, month, time, and a three-digit number (for example: 20090604102005020.eml). This feature is provided to help administrators and FPE support engineers diagnose and isolate problems. You can archive mail before or after a scan; these options are provided so that you can compare the original mail with the mail after being scanned. For example, an e-mail on which a delete action was performed is different after being scanned.

To configure the archiving of transport mail
  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Advanced Options.

  2. In the Global Settings - Advanced Options pane, under the Logging Options section, using the Archive transport mail drop-down list, select one of the following options:

    • None—No mail is archived. This is the default value.

    • Before scan—The original messages are archived prior to being scanned for malware.

    • After scan—The resultant messages are archived after being scanned for malware.

    • Before and after scan—Messages are archived before and after being scanned for malware.

  3. Click Save.

Enabling or disabling writing to the event log

You can enable or disable the writing of events to the event log. You can separately enable or disable event logging for incidents, engines, and operational events. By default, logging is enabled for all events.

Note:
For more information about viewing the event log by accessing Windows Event Viewer, see Using Windows Event Viewer.
To enable or disable writing to the event log
  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Advanced Options.

  2. In the Global Settings - Advanced Options pane, under the Logging Options section, you can select or clear the Enable event logging check box. When checked (the default), you can use the associated check boxes to individually enable or disable the following options (which are enabled by default):

    • Incidents—Enables or disables event logging for incidents.

    • Engines—Enables or disables event logging for engines.

    • Operational—Enables or disables logging for all other events, such as system information and health events.

    When the Enable event logging check box is cleared, incidents logging is suspended for incidents, engines, and operational events.

  3. Click Save.

Note:
You must restart the relevant Microsoft Exchange and Microsoft Forefront Server Protection services in order for any changes to these settings to take effect. Typically, this includes the Microsoft Exchange Transport, Microsoft Exchange Information Store, and Microsoft Forefront Server Protection Controller services.

Enabling or disabling spam agent logging

You can configure whether FPE should enable or disable the text logs that are used by the spam agents, which include the Content Filter and the Connection Filter (that is, the Forefront DNS block list) agents.

To enable or disable spam agent logging
  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Advanced Options.

  2. In the Global Settings - Advanced Options pane, under the Logging Options section, select (to enable) or clear (to disable) the Enable spam agent logging check box, and then click Save. By default, spam agent logging is enabled.

Note:
For more information about antispam configuration, see Using antispam filtering.

Enabling or disabling content filter incident logging

You can configure whether FPE should enable or disable content filter incident logging in the standard FPE incidents database.

Warning:
When you enable content filter incident logging, FPE writes a record to the incidents database for every spam item that is rejected or deleted by the content filter. This can consume a large amount of space in the incidents database, and may impact server performance.
To enable or disable content filter incident logging
  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Advanced Options.

  2. In the Global Settings - Advanced Options pane, under the Logging Options section, select (to enable) or clear (to disable) the Enable content filter incident logging check box, and then click Save. By default, content filter incident logging is disabled, meaning that content filter incident logging does not take place. However, other spam logging is available via the Enable spam agent logging setting.

Enabling or disabling performance counter logging

You can enable or disable the logging of performance counters that can be viewed in Windows Performance Monitor.

To enable or disable performance counter logging
  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Advanced Options.

  2. In the Global Settings - Advanced Options pane, under the Logging Options section, select (to enable) or clear (to disable) the Enable performance counters check box, and then click Save. By default, performance counters logging is enabled.

Note:
For more information about using Windows Performance Monitor with FPE, see Using Windows Performance Monitor.