Of note, this release includes full support for Microsoft Exchange 2010 Tracking logs (previously supported with the Exchange 2007 loader, but missing a few fields), as well as JunOS (Juniper) Traffic Logs, IronPort Traffic Monitor Logs and Squid Syslog.

We’ve also included an experimental feature to allow multiple instances of WebSpy Vantage to run on the same operating system. The goal here is to run multiple reports at the same time using multiple instances of the application. To do this, we have also included a second experimental feature to disable storage locking. This allows multiple instances of Vantage to read from the same storage at once. These features can only be enabled by including a config file next to the Vantage’s executable. More on this feature here.

Here’s the full list of changes:

Application Changes

• New: Added suffix option to Import Windows Users wizard in Aliases.
• New: Date modifiers now supports h for hour and n for minute, e.g. %[-2h,yyyyMM - HH].
• New: Added tracing to storage publish task.
• Experimental: Multiple instances of Vantage can now be run simultaneously, by adding the multipleInstance key to the application config file.
• Experimental: Storage locking can be turned off to allow multiple instances of Vantage to run reports on a single storage simultaneously. This is done by adding the storageLocking key to the application config file.
• Fix: Import Organization merge options now appends attributes if keep existing user details is selected, and replaces attributes if update user details from the directory is selected.
• Fix: Import Organization merge no longer replaces user’s passwords.
• Fix: Fixed issue where no results were returned when filtering on time less than one day – such as past n hours.
• Fix: Storages are no longer duplicated in the Import new hits task dialog.
• Fix: Fixed issues where the Site Domain summary included sub-domains for European domains (.fr, .be etc).
• Fix: SQL server inputs now commit correctly if the user edits the input and only changes the port number.

Loader Changes

• New: IronPort Traffic Monitor Logs.
• New: Juniper JunOS Traffic Logs (SRX).
• New: Microsoft Exchange 2010.
• New: Squid Syslog.
• Improved: Astaro Security Gateway: Added support for an additional different syslog header.
• Improved: SonicWall: Split syslog format into Web and Firewall schemas, added support for User field, string-type Category field and split Protocol field.
• Fix: Microsoft FTMG: Changed type of Object Source field in from Int32 to String. Users will need to clear/field select/reload their storages before this change will apply.
• Fix: Astaro Mail Gateway: Improved format detection, fixed negative size issue, and Index out of bounds errors.
• Fix: IronPort WSA: Improved format detection.

How to update

To update your software, simply click Tools | Check for updates. Vantage Ultimate users will also need to update the Web Module in order to use the new loader formats that have been added. To update the Vantage Web Module, right-click the WebSpy system tray icon and select ‘Check for updates’. If you have issues with the Web Module update process, please see: http://www.webspy.com.au/forums/viewtopic.php?f=4&t=29

Let me know if you have any questions or issues!

What’s New?

Clearswift SECURE Web Gateway W3C

Clearswift have just released the latest version of their SECURE Web Gateway, which includes a transaction log export function. This enables you to send transaction logs in W3C format to an off-box FTP server for analysis. If you are updating to the latest Clearswift SECURE Web Gateway, make sure you update your Vantage software to 2.2.0.55 in order to import your W3C Transaction logs. More information on using WebSpy Vantage with Clearswift SECURE Web Gateway.

Cisco Firewall Bandwidth loader

We have also introduced a new Loader for Cisco ASA, PIX and IOS Firewall devices. This new loader imports TCP, UDP, ICMP and GRE ’session close’ events into one schema, allowing you to aggregate size values across these events. This loader is called Cisco Firewall (Bandwidth) and is now available on the Loader Selection page of the Import Wizard. Previously, these events were imported into separate schemas so there was no great way to determine total bandwidth from your Cisco syslog files (without using Netflow and WebSpy FlowMonitor).

Palo Alto Networks and WatchGuard XTM

We’re also very happy to welcome Palo Alto Networks to the WebSpy supported log file list. Vantage now supports both the CSV and syslog file formats from your PA Firewall.

Another new addition is support for the latest WatchGuard XTM devices running firmware version 11.

Full List of Changes

Here’s the full list of changes included in this update:

• New: Clearswift SECURE Web Gateway W3C.
• New: Palo Alto Networks Firewall (CSV/Syslog)
• New: Cisco Firewall (Bandwidth): This new Cisco loader imports TCP, UDP, ICMP and GRE events from ASA, PIX and IOS syslogs into one schema to aggregate size values across these events.
• New: Added WatchGuard XTM: Currently http-proxy, https-proxy, smtp-proxy and firewall lines are supported.
• Fixed: ISA Server: Fixed format detection issues, and issues importing hits with very large size values.
• Fixed: IronPort WSA: Fixed format detection issues, as well as the import issue “Invalid value for DVS Scan Code”
• Fixed: Sophos WSA: Fixed format detection issues and invalid line issues.

How to update

To update your software, simply click Tools | Check for updates. To update the Vantage Web Module, right-click the WebSpy system tray icon and select ‘Check for updates’. If you have issues with the Web Module update process, please see: http://www.webspy.com.au/forums/viewtopic.php?f=4&t=29

Let me know if you have any questions or issues!

This release will be welcomed with open arms by many customers for the following reasons:

• General usability improvements in the Web Module
  Multi-select / delete options, Ajax progress indicators to avoid page refreshes, export from Dynamics Report tab and more (see below)
• Fixes to the Microsoft Forefront TMG loader
  See my other post: Microsoft Forefront TMG logs size fields the wrong way around. Also fixed ‘value cannot be null’ error when importing SQL logs.
• Fixes to storage corruption issues
  This build should prevent ‘Normalization Index’ storage corruption issues from occurring. This often occurred after importing data, editing some log inputs and reimporting.
• New loaders and more fixes
  See below for the full list

To update your Vantage application, simply choose Tools | Check for updates. To update the Web Module, right-click the WebSpy icon in your system tray and select ‘Check for updates’. If you have any issues updating the Web Module, please see my previous post Web Module Update Errors and Workarounds.

Web Module Changes:

• New: Task progress is now updated without refreshing the page
• New: Added multi-select / delete functionality to Reports, Analyses and Storages tables.
• New: Added export functionality to Dynamic Reports view.
• New: Added Performance section on the Options tab to enabling multi-processing (improves Analysis speed)
• Fix: Dynamic Reports view now supports Trend reports.
• Fix: Organization selector on Dynamic Reports view now always reflects updated data under IE6/7/8.Fix: Fixed javascript errors in IE when expanding the organization filter.
• Fix: Report template names are no longer truncated on the Dynamic Reports view.
• Fix: Fixed errors that may occur when collating reports on the Dynamic Reports page.
• Fix: Authentication errors are now logged with stack trace.

Vantage Changes

• Fixed: ‘Normalization index’ storage corruption problems.
• Fix: Report collation: Added support for collation of Min/Max aggregates on DateTime columns (time of first hit etc). Also added support for arrayed fields (for example, category fields with a comma separated list of categories)
• Fix: Import windows wizard now remembers settings for Import all or selected users
• Fix: Organization: Filtered LDIFs may now be imported when references to some users are missing (for example, if a user’s manager does not exist in the LDIF)
• Fix: Improved connection and error handling between Vantage and the Web Module.

Loader Changes

• New: BlueReef Sonar Total Management Module
• New: Microsoft Sharepoint 2007
• New: SmoothWall Guardian 7.0 format
• New: Sun One Proxy (Supported under Sun One Webserver)
• Fixed: Astaro: Improved format detection
• Fixed: Cisco: Strings in the IP fields of 113019 lines are now imported
• Fixed: IronPort WSA: Improved log format detection
• Fixed: Microsoft Exchange 2007: No longer raises issues regarding total-bytes or internal-message-id fields
• Fixed: Micorosft FTMG (Web) SQL: No longer encounters value could not be null errors
• Fixed: Microsoft FTMG: Added option to reverse bytes received/sent fields. See Microsoft Forefront TMG logs size fields the wrong way around
• Fixed: Microsoft IIS W3C: Now imports cs-method and connection ID
• Fixed: Sophos Web Appliance: Switched the outgoing and ingoing sizes so that they are now the correct way around
• Fixed: Fixed import new hits issue associated with W3C formats. You must reload your logs before this change will take affect. Formats affected include: BlueCoat, Clearswift, Microsoft Exchange 2007, Microsoft FTMG, Microsoft Windows Media Services, WebSpy Live Tracking Log

Enjoy!

This is a great update for Vantage Ultimate users as we’ve introduced a new feature/tab into the Web Module called ‘Dynamic Reports’.

If you’re publishing the same report to the Web Module each day, you can use the Dynamic Reports tab to select a date range and a department (or whatever organizational groups you have defined) and the Web Module will collate all the daily reports that match that filter into one report. This allows you to report on entire week, month or year by simply ‘reporting on reports’, rather than reporting months of raw storage data.

Here’s the full list of changes since the last auto update (2.2.0.32 on the 14th April 2010).

Application Changes

• Added Dynamic Reports feature to the Web Module.
• Rewrote the Web Module transfer protocol. New protocol adds version checking, connection checking, and integrity checking for high latency environments.
• Purge data from storage task no longer prevents importing new hits when all data is removed from an input within a storage.
• IPv6 addresses now show IPv4-mapped addresses as plain IPv4 addresses in summaries.
• IPv6 and IPv4 addresses are now freely interchangable in filter expressions.
• Fixed IPv6 drilldowns on the Summaries screen
• SQL inputs can now be resumed from the previous position. Previously any input that was partially imported would be skipped when importing new hits.
• Template-based analysis has been fixed, no longer results in blank/non-existent analysis.
• Added new string manipulation functions to expression language; Contains, StartsWith, EndsWith, IndexOf.

Loader Changes

• Astaro: Now checks that the ID field is present in a line before attempting to read it.
• Barracuda Web Filter: Added this format to replace Spy Filter.
• BlueCoat Proxy SG W3C: Added support for gmttime, timestamp, x-bluecoat-surfcontrol-is-denied and x-bluecoat-transaction-id.
• ClearSwift: Added a new loader group for ClearSwift that includes the MimeSweeper loaders
• ClearSwift SECURE Web Gatway: Now supported with the Web Appliance loader
• Clearswift Web Appliance: User summary displays Source IP if Username is blank.
• IronPort WSA: Fixed memory usage issues.
• Microsoft FTMG: Added category name lookup to SQL loader.
• Microsoft FTMG: No longer fails to import lines where the rule field contains square brackets.
• Microsoft FTMG: URL Category field is now a string instead of an integer. Added URL Categorization Reason field.
• Microsoft FTMG: Fixed memory usage issues.
• Microsoft IIS W3C: No longer hangs or crashes when loading a file that isn’t IIS W3C.
• NetAsq: Added support for srcname field. The Username summary is populated with user first, and then srcname if user is blank. The User summary is also now populated with Source IPs if the Username summary is blank.

To update WebSpy Vantage, simple select Tools | Check for updates.

To update the Web Module, login to the Web Module server, right-click the WebSpy system tray icon, and select Check for updates.

As always, please contact us if you have any issues or questions.

When imported into WebSpy Vantage, the result is shown in a new summary called ‘Group’ which you can add to your reports.

We also added support for the custom fields Bytes Sent and Bytes Received. Due to the absence of a header in the IronPort access log, Bytes Received and Bytes Sent fields must both be present to be detected, and the Received field must precede the Sent field.

We also added support for the custom fields Request Body Size and Response Body Size. These fields can be included in your access log by adding %q (Request body size) and %b (Response body size) in the ‘Custom Fields’ edit box. Due to the absence of a header in the IronPort access log, Request Body Size and Response Body Size fields must both be present to be detected, and the Request field must precede the Response field.

We’ve also noticed that the values in the Bytes Sent and Bytes Received fields do not necessarily add up to the value logged for ‘Size’. We’re discussing this issue with our friends at IronPort and we will hopefully post a solution or explanation soon..
The information we first received about these fields indicated they represented Bytes Sent and Bytes Received. This is the way they are represented in the builds below (2.2.0.29). We will release a new build soon, with the field names changed to Request body size and Response body size. Body size is different to bytes sent/received as it does not include bytes from packet headers etc.

We’re yet to issue an automatic update for the Vantage applications, so in the mean time you can download the latest builds here:

Vantage Ultimate:
ftp://ftp.webspy.com/webspy/Builds/VantageUltimate2.2.0.29.zip

Vantage Web Module:
ftp://ftp.webspy.com/webspy/Builds/VantageWebModule2.2.0.8.exe

Vantage Giga:
ftp://ftp.webspy.com/webspy/Builds/VantageGiga2.2.0.29.zip

Vantage Premium:
ftp://ftp.webspy.com/webspy/Builds/VantagePremium2.2.0.29.zip

To apply the Vantage update, close Vantage and extract the downloaded file into Vantage’s installation folder (Usually c:\Program Files\WebSpy\Vantage <flavour> 2.2). Overwrite the existing files.

To apply the Web Module update, uninstall the Vantage Web Module from Add/Remove Programs (Programs and Features in Windows 7/Server 2008), then run the downloaded exe file, making sure you specify the same server, virtual directory and data location that your Web Module was previously using.

We will be releasing this as a public auto-update soon. Let us know if you have any issues.

If you’re considering upgrading your ISA Server to TMG, this means that you can start your deployment using the Release Candidate, and simply switch it to a licensed version with no additional configuration changes once the full release is available. At least, that is what Vladimir Holostov (Lead Program Manager, Release Manager for Forefront TMG 2010) states on the Forefront TMG (ISA Server) Product Team Blog:

“The final product will be released later this year and you can expect it to behave exactly like the Release Candidate. You can install Forefront TMG 2010 RC today and upgrade to a licensed version once available without changing the configuration of your deployment.”

To offer some peace of mind for organizations considering the deployment, Vladimir also mentions that “Forefront TMG 2010 RC is deployed at three major Microsoft sites located around the world in Haifa, Bellevue and Redmond. More than 20,000 employees are already protected by TMG and these deployments have already accumulated more than 5,000 hours of runtime, performing extremely well under heavy load”.

No major features have been added to the Release Candidate since Beta 3, however there have been improvements geared around tightening up security, reliability and performance and telemetry. For more information about the release candidate, please visit the
Forefront TMG (ISA Server) Product Team Blog.

You can also download the release candidate here

I mentioned in my last blog posting that WebSpy has introduced support for reporting on Microsoft Forefront TMG log formats in the Vantage product range. To try it out, please make sure you have installed Vantage 2.2 (any flavour – Premium, Giga or Ultimate), and then select Tools | Check for updates to download build 2.2.0.10 or above. You can then import your TMG log files by selecting the Microsoft FTMG loader in the import wizard.

Importing Microsoft Forefront Threat Management Gateway Log Files

We’re very interested to hear your thoughts on the reporting functionality, so please go ahead and give it a go!

You should be prompted to update your software on startup, but if you’ve turned off that feature, simply go to Tools | Check for Updates.

New Features

This new build sports the following new features:

• Support for Microsoft Forefront Threat Management Gateway (Beta)
  Microsoft Forefront Threat Management Gateway (FTMG) is still currently in Beta, and is due to be released around November 2009. For those that do not know, FTMG is the next version of Microsoft’s popular ISA Server. Information and downloads for FTMG can be found here http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/tmg-beta.aspx. We have added support for FTMG beta 2 and 3 for both the W3C text logs (recommended) and the internal SQL Server Express Database logs. If you are currently trialling FTMG, we are very interested to hear your feedback. Let us know how you go!
  

  Now Supported - Microsoft Forefront Threat Management Gateway

• Data purge
  You can now purge data from a storage, and schedule this purge to occur on a regular basis using Tasks. Purge options include data between a date range, data before a date, data after a date, data older than a date relative to now, and all data. This feature will let you easily maintain a single storage that only includes data for the last month or day.
  

  Options for Purging data from your storage

• Import Organization from CSV can now be scheduled using Tasks
  If you are importing your organizational structure from CSV, you can now schedule this action using Tasks. This enables you to update your organizational structure before any reports are run.
  

  Import Organization from CSV via Tasks

• Added Support for ExoServer Web
  If you’re running ExoServer Web, you can now analyze it’s logs using WebSpy Vantage.

Fixes

We also fixed some things that may have been bugging you:

• Improved the start time for the application by improving the logic to check for Storage damage.
• Fixed the IronPort loader (Fixed out of range issues on excessive size fields).
• “Having” filters no longer override the sort order of a Report Template node.
• Fixed an issue that may result in duplicated storages after migrating settings from earlier versions.
• Fixed the inability to remove invalid entities from web module permissions list (users that no longer exist).
• Fixed a timeout issue when publishing storages to the web module.

Why are you still reading? Go update now!

Have fun!

Of particular note is a fix to the Vantage range:

• Fix: Improved partition matching when filtering by a date range

This will benefit you if you’re running reports with a date range filter such as last week or yesterday (which is pretty much everyone), and are using the default storage partitioning scheme of “Date” (again… pretty much everyone).

There was an issue in Vantage’s partition filtering technology which meant that if you specified a date range filter, Vantage would still analyse an entire storage, instead of just the date partitions you selected in the filter.

So do a Tools | Check for updates to grab build 2.1.2.12 and you should see a significant speed improvement in report generation. Woo hoo!

Here’s more details on the changes:

VANTAGE

Application Changes

• New: Added support for importing event logs from non-domain machines.
• New: Added the ability for the Troubleshoot Alias/Profiles to export results to a file.
• New: Added hash salt and substring functions to the expression language.
• New: Added support for computing a date-modified file mask at import time and storing it back into the storage.
• New: Added a file mask override to the Import new hits to existing storage task action.
• New (Vantage Ulitmate & Giga): Added support for attributes on Organization groups.
• New (Vantage Ultimate): Added custom expression-based split in Web Module publishing (Beta).
• New (Vantage Ultimate): Changed the publish report wizard to allow selection of multiple storages.
• Fix: Improved partition matching when filtering by a date range.
• Fix: Fixed an issue with registrations and trial extensions.
• Fix: Fixed zero-width rectangle exceptions in chart renderer.
• Fix: Fixed overflow exceptions on footer generation in report tables.
• Fix: Fixed XmlException error during settings load.
• Fix: Storage now clears previous data when it is overwritten when using the ‘Import logs into new storage’ task.
• Fix (Vantage Ultimate & Giga): Fixed issues with date range selection when collating reports.
• Fix (Vantage Ultimate): Web Module dock no longer checks for updates to a web module server when ‘Check for updates on startup’ is disabled.

Loader Changes

• New: Added Phion Firewall
• New: Added Watchguard Firebox X Core
• New: Added NetScreen 208
• New: Added IPCop
• New: Added Astaro Mail Gateway
• New: Added iPrism Monitor v4.2
• New: Added Cisco VPN Concentrator
• New: Added Snare for Lotus Notes
• Improved: Added string host name to Kerio Mail Server
• Improved: Improved support for NetIntact PacketLogic
• Fix: Made changes to the IronPort detection method to fix the issue when importing via FTP.
• Fixed: Fixed date format issue in event log import. You can now import event logs in any regional configuration.
• Fix: Postfix loader no longer drops session state after the first recipient line
• Fix: Updated the detection method in CheckPoint Firewall-1 Syslog format.
• Fix: Fixed an issue in iSheriff where a drilldown on the Category field would display no results.
• Fix: Various fixes to Netscreen 10
• Fix: Various fixes to Arkoon PxLog
• Fix: Vaious fixes to Sendmail MTA

VANTAGE WEB MODULE

• FIX: When sorting by key column the chart will now use the “hits” aggregate for value (prevents the chart from going wacky)

ANALYZER

Application Changes

• NEW: Added support for manual configuration of ISA block list settings (Tools | Options | Block Lists)
• Fix: Fixed an issue with registrations and trial extensions
• Fix: Fixed report wizard configuration to restore the sort column from the report template

Loader Changes

• New: Added Webroot
• New: Added Qmail Desknow Mail Server
• New: Added UserGate Proxy Server 2.7
• New: Added Netgear FVX538
• Improved: Added support for importing allowed/blocked status in Sophos Web format
• Fixed: Changed CC Proxy field count check
• Fixed: Changed ISA SQL loaders to use size delta fields instead of cumulative fields
• Fixed: Modified Exchange 2000/2003 loader to discard message cache after import

LIVE

Application changes

• Fix: Fixed an issue with registrations and trial extensions

Loader changes:

• New: Added Webroot
• New: Added Qmail Desknow Mail Server
• New: Added UserGate Proxy Server 2.7
• New: Added Netgear FVX538
• Improved: Added support for importing allowed/blocked status in Sophos Web format
• Fixed: Changed CC Proxy field count check
• Fixed: Modified Exchange 2000/2003 loader to discard message cache after import

The fix can be applied to WebSpy Analyzer Giga 2.3, Analyzer Premium 4.3 or Analyzer Standard 4.3. If you’re not running the latest version, download it now!

You can download the new loader build that we created today at either of these locations:
USA West Coast (FTP)
USA East Coast (FTP)

Then extract the zip file into Analyzer’s installation folder (usually C:\Program Files\WebSpy\Analyzer flavour 4.3\) and overwrite the existing file.

Then go to the storages screen and select your Sophos storage(s) and click ‘Reload all hits’. This will re-import your log files using the modified loader and will populated the ‘Blocked’ summary appropriately. To check it out, go to the Summaries screen and run a Full Analysis. Then go to the ‘Blocked’ summary and you should see two items – ‘Blocked’ and ‘Not Blocked’. Drilldown into whichever one you care about to analyze the sites, users, files, browsing times, size downloaded etc. Go nuts!

You can also filter out blocked hits (or Not Blocked hits) from your reports. On the Reports Screen, click Generate a new report and go through the report wizard with this filter (this example shows filtering out blocked hits).

Analyzer Report Wizard - Select Custom Filters

Analyzer Report Wizard - Selecting the 'Blocked' Summary as a Filter

Analyzer Report Wizard - Adding the items that you want to filter

Analyzer Report Wizard - final filter to exclude 'Blocked' hits

Then proceed through the report wizard to generate your report. This filter can be applied to any report as well as analyses on the Summaries screen (using the same options in the Analysis Wizard).

Happy analyzing!

Unfortunately, Exchange 2007 tracking logs are not used to simple questions, and are likely to return a complicated and / or misleading answer.

But the confusion it seems, all comes down to definitions. Once you understand these definintions, things start to make a bit more sense.

What is an Email?

If you send an email to one person, you’ve sent one email. But if you’ve sent that same email to 500 people, have you sent one email, or 500? I will take a guess, and say that a large majority of you will want to see 500 in your reports.

Microsoft Exchange 2007 tracking logs contain an excellent field called ‘Message ID’. If you send an email to someone, that message is uniquely identified by a Message ID that persists though Exchange’s various functions for the lifetime of the message.

At first glance, it seems that counting Message IDs will give us what we want. But if you send the same email to 500 recipients, all those emails get the same unique message ID. So counting message IDs will show us that only one email has been sent. No good.

Then next obvious step is to count the number of recipients that received the email.

What is a Recipient?

The definition of recipient can also get clouded when you start talking about distribution lists. If you send an email to one real person, then that is one recipient. If you send the same email to five real people then that is five recipients. If you send an email to an internal distribution list, the number of recipients is the number of people that are members of that distribution list.

If you send an email to an external distribution list (such as SalesDL@othercompany.com) this will only be recorded as only one recipient, as your Exchange box has no way of knowing how many real people are members of that DL at the other company.

How do I count Recipients?

Again, Exchange Tracking logs contain another excellent field called ‘Recipient Count’. But don’t get carried away as this too can be misleading.

Without going into specifics, Exchange has a bunch of internal functions to deal with an entire message transmission. The tracking logs files contain another excellent field called Internal Message ID that identifies each of these processes per-message.

Unfortunately, each Internal Message ID contains its own value for ‘Recipient Count’. So when you sum the Recipient Count field for a single message, the final result may be much larger than the actual number of real recipients.

To illustrate, WebSpy Vantage imports Recipient Count into a Summary of the same name. Here is a screenshot of the Recipient Count Summary for one message

The Recipient Count Summary for a Single Message

As you can see, there are multiple rows of individual Recipient Counts. The first row, is actually correct. This email was actually sent to 961 people. But there are additional entries where Exchange performed an internal operation with a subset of those messages. Therefore, summing the Recipient Count field for a message is also no good.

Counting recipients “properly”

The best way to count recipients is to use WebSpy Vantage to import your logs, then drilldown into a message to the Recipients summary and look at the total number of recipients at the bottom. Alternatively, add a Count Distinct aggregate for the Recipients summary to any report template.

Here’s a screenshot of the Recipients summary:

The Recipients Summary showing Total 'Real' Recipients

And here’s a screenshot showing how to add the aggregate to a report template:

Adding the Number of Recipients to a report template

Counting Total Number of Emails

The above screenshot will give you a count of all the recipients you have ever sent email to. However, what you really want is a count of recipients per message. You can do this by concatenating the Recipient with the Message ID, and counting the total number of rows. To do this, edit the Number of recipients aggregate column above and enter [Recipient] + [MessageID] in the ‘Custom’ edit box.

Customizing an aggregate column to concatenate Recipient and MessageID

Exchange 2007 Report Templates

You can download a WebSpy Vantage Templates file here that includes three reports (Email Overview, User Email Activity, and Email Trends) that uses columns such as Number of Emails, Number of Unique Messages and Number of Recipients.

Tip: You can convert any email template that has the schema ‘All Mail Schemas’ into an Exchange 2007 template in order to report and filter using all the fields available in Exchange 2007.

To do this:

1. Right click an ‘All Mail Schema’ email template and select Duplicate.
2. Select Microsoft Exchange 2007 from the schema drop down and click OK.
3. When you edit the nodes in your new template, you will have access to all the fields that Exchange 2007 records.

Cheers!