Re: Can Splunk help me find out who has read a spe...

aleem · ‎07-15-2016

We send a company newsletter out to thousands of employees. We would like to know who has read the newsletter. It is simply embedded in an email. Newsletter read means the email status goes from 'unread' to 'read'.

I would hope to present the email ID for the newsletter email to the exchange server and it would give me a list of who has read it or at least a count of who has read it.

Wondering if the App for Microsoft Exchange would do the job or if there is another way.

Thanks
Aleem

Be the best version of you

sheamus69 · ‎07-15-2016

Hi Aleem,

I think that outlook/exchange effectively treat read receipts as an email, so you might be able to search for those messages specifically in the mail logs?

This would assume (yeah, i know ass-u-me!) That end users hadn't turned off reply to read receipts in outlook...

Gareth

aleem · ‎07-15-2016

Hi Garth,
We are avoiding read receipts 😉

I guess that the marking of an email from being 'unread' to 'read' is an event with Exchange. I have no idea where this would be 'recorded'. Splunk seems ideal for this depending what it has access to.

Thanks
Aleem

Be the best version of you

sheamus69 · ‎07-15-2016

I haven't supported Exchange since the 5.5 days (the dark ages) - but this seems to suggest its doable if the correct level of auditing is turned on.

woodcock · ‎07-15-2016

post a sample of an "email read" log/event.

aleem · ‎07-15-2016

Hi Greg,
I don't have a log at this point. I am not even sure what log files might exist as I have no knowledge around Exchange. I am trying to figure out if Splunk would be able to help me by interrogating Exchange.

Thanks
Aleem

Be the best version of you

Can Splunk help me find out who has read a specific email (Exchange)

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases