RSA Event Source Configuration Guide. Microsoft Exchange Server



Copyright © 2012 EMC Corporation. All Rights Reserved.

Microsoft Exchange Server

Last Modified: Tuesday, March 11, 2014

Event Source (Device) Product Information

Vendor: Microsoft
Event Source (Device): Exchange Server
Supported Versions: 2003, 2007 (Windows Server 2003 and 2008), 2010, and 2013

Note: To support Exchange Auditing logs in Microsoft Exchange 2007 SP2 or later, you need to install the EBF: ENV-36943. For details, contact RSA enVision Customer Support.

Additional Downloads: sftpagent.conf.msexchange, sftpagent.conf.msexchange2k7, sftpagent.conf.msexchange2010, sftpagent.conf.msexchange2013, sftpagent.conf.MSExchangeSMTP, LOGbinder EX (for Exchange Server 2010 and 2013)

RSA Product Information

Supported Version: RSA enVision 4.0 and 4.1
Event Source (Device) Type: msexchange, 64
Collection Method: File reader and Windows event logs
Event Source (Device) Class.Subclass: Host.Mail Servers
Content 2.0 Table: Messaging

This document contains the following information for the Microsoft Exchange Server event source:

- Configuration Instructions
- Release Notes 20140311-145050
- Release Notes 20140213-121344
- Release Notes 20131211-220046
- Release Notes 20130731-180221
- Release Notes 20130625-110128
- Release Notes 20130501-153011
- Release Notes 20130326-113451
- Release Notes 20130228-133928
- Release Notes 20121227-120737
- Release Notes 20121024-162733
- Release Notes 20120927-104626


Important: If you use agentless Windows collection, you must first configure and discover Microsoft Exchange Server with the NIC File Reader Service and mark it as multi-device. If you have already discovered agentless Windows collection, you must set agentless Windows collection to multi-device, manually add the Microsoft Exchange Server event source, and restart the NIC Collector Service.

RSA enVision collects two sets of messages from Microsoft Exchange Server: one from the message tracking log file and one from the Windows application event log file. Therefore, you must set up two NIC services and select options in Microsoft Exchange Server.

Note: The Intelligent Message Filter feature in the message tracking log file is not supported.

Depending on your version of Microsoft Exchange Server, do one of the following:

- Configure Collection from Microsoft Exchange Server 2003
- (Optional) Set Up Agentless Collection in Microsoft Exchange Server 2003
- Configure Collection from Microsoft Exchange Server 2007
- Configure SMTP Protocol logging on Microsoft Exchange Server 2007, 2010 and 2013
- Configure File Reader for Microsoft Exchange Server 2007 Service Pack 2 and Later
- Configure Windows Collection from Microsoft Exchange Server 2007 Service Pack 2 and Later
- Configure Microsoft Exchange Server 2010 and 2013 for Administrator Audit and Mailbox Audit
- Set Up Agentless Collection on Exchange server 2007 SP2 and later on Windows Server 2008


Configure Collection from Microsoft Exchange Server 2003

To configure Microsoft Exchange Server 2003:

1. To set up the NIC File Reader Service in enVision, follow these steps:

a. Add Microsoft Exchange Server to the NIC File Reader Service, and restart the service. For detailed instructions see the enVision Help topic "Set Up File Reader Service."

b. Install the NIC SFTP Agent on the host that is sending logs to enVision.

For instructions on installing the NIC SFTP Agent, see RSA enVision NIC SFTP Agent Configuration, which is available on SecurCare Online.

c. From the Windows Services dialog box, start the NIC SFTP Agent Service.

Note: The SFTP sample file is available on RSA SecurCare Online (SCOL) and on the RSA enVision appliance. For details, see RSA enVision NIC SFTP Agent Configuration.

2. In enVision, set up the NIC Windows Service. For detailed instructions, see the enVision Help topic "Set Up Windows Service."

3. To set up Windows Application event logging and collect Windows Application event log messages in Microsoft Exchange Server 2003, follow these steps:

a. Open the Exchange System Manager.

b. Click Administrative Group or Organization > Servers.

c. Right-click the name of the server, and select Properties.

d. On the Diagnostics Logging tab, enable logging at the levels shown in the following table.

Note: Hardware platforms and server loads influence how much degradation your system will experience if you enable logging.

Service                        Category              Logging Level
IMAPSvc4                       Connections           Maximum
IMAPSvc4                       Authentication        Maximum
IMAPSvc4                       General               Maximum
POPSvc4                        Connections           Maximum
POPSvc4                        Authentication        Maximum
POPSvc4                        General               Maximum
MSExchangeDSAccess             General               Maximum
MSExchangeIS - System          Connections           Maximum
MSExchangeIS - System          General               Maximum
MSExchange - Public Folders    Logons                Maximum
MSExchange - Public Folders    General               Maximum
MSExchange - Public Folders    Access Control        Maximum
MSExchangeIS - Mailbox         Logons                Maximum
MSExchangeIS - Mailbox         General               Maximum
MSExchangeIS - Mailbox         Access Control        Maximum
MSExchangeSA                   Mailbox Management    Maximum

e. Click OK.

4. To collect message tracking log messages, follow these steps:

a. Open the Exchange System Manager.

b. Click Administrative Group or Organization > Servers.

c. In the Servers window, right-click the name of the server, and select Properties.

d. Click the General tab.

e. Select Enable subject logging and display and Enable message tracking.

f. Click OK.


Set Up Agentless Collection on Microsoft Windows Server 2003

Use the legacy Windows Agentless collector to collect the audit logs for Microsoft Exchange Server running on Windows Server 2003.

To add the legacy Agentless Windows Collector service:

1. Log onto enVision and navigate to Services > Device Services > Windows Services > Manage Windows Services.

2. Under Filtered Windows Services, click Add.

3. Set the following parameters:

- For the IP Address of Service, enter the IP address of the Windows server for your Exchange Server.
- Unselect Security and System, leaving only Application selected.

4. Click Apply.

5. Enter the log on credentials for the Exchange Server system.


Configure Collection from Microsoft Exchange Server 2007

To configure Microsoft Exchange Server 2007:

1. To set up the NIC File Reader Service in enVision, follow these steps:

a. Add Microsoft Exchange Server to the NIC File Reader Service, and restart the service. For detailed instructions see the enVision Help topic "Set Up File Reader Service."

b. Install the NIC SFTP Agent on the host that is sending logs to enVision.

For instructions on installing the NIC SFTP Agent, see RSA enVision NIC SFTP Agent Configuration, which is available on SecurCare Online.

c. From the Windows Services dialog box, start the NIC SFTP Agent Service.

Note: The SFTP sample file is available on RSA SecurCare Online (SCOL) and on the RSA enVision appliance. For details, see RSA enVision NIC SFTP Agent Configuration.

2. In enVision, set up the NIC Windows Service. For detailed instructions, see the enVision Help.

3. To collect Windows event log messages, using the Exchange Management Shell, configure the logging services at the levels shown in the following table.

Service                      Category          Logging Level
MSExchange ADAccess\         General           Expert
MSExchangeIS\9002 System\    Connections       Expert
MSExchangeIS\9002 System\    General           Expert
MSExchangeIS\9001 Public\    Logons            Expert
MSExchangeIS\9001 Public\    General           Expert
MSExchangeIS\9001 Public\    Access Control    Expert
MSExchangeIS\9000 Private\   Logons            Expert
MSExchangeIS\9000 Private\   General           Expert
MSExchangeIS\9000 Private\   Access Control    Expert

For more information, see the following articles on Microsoft TechNet:

- Diagnostic Logging of Exchange Processes
- Processes with Configurable Event Logging Levels
- Change Logging Levels for Exchange Processes

4. To confirm that message tracking logging is enabled, follow these steps:

a. Open the Exchange Management Console.

b. From the Server Configuration section, right-click the name of the server, and select Properties.

c. Click the Log Settings tab.

d. Ensure that Enable message tracking logging is selected.

e. Click OK.


Configure SMTP Protocol logging on Microsoft Exchange Server 2007, 2010 and 2013

To configure SMTP Protocol Logging on Microsoft Exchange Server 2007 and 2010:

1. To enable protocol logging on a Receive Connector from the Exchange Management Console (EMC):

a. Expand the Server Configuration | Hub Transport node.

b. Select the Hub Transport server you want to configure, then select the Receive Connector > Properties tab.

c. On the General tab, change the Protocol Logging Level to Verbose.

2. To enable protocol logging on a Send Connector from the Exchange Management Console (EMC):

a. Expand the Organization Configuration | Hub Transport node.

b. On the Send Connectors tab, select the Send Connector > Properties tab.

c. On the General tab, change the Protocol Logging Level to Verbose.

Note: The default locations of the SMTP protocol logs are as follows.

Receive Connector logs are located in:

Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive
Exchange 2007: \Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive

Send Connector logs are located in:

Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend
Exchange 2007: \Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend

This location is used during configuration of File Reader collection for Exchange Server 2007 and 2010. Please refer to the additional download 'sftpagent.conf.MSExchangeSMTP'.

To configure SMTP Protocol Logging on Microsoft Exchange Server 2013:

1. To enable protocol logging on a Receive Connector or Send Connector in the Transport service on a Mailbox server, or on a Receive Connector in the Front End Transport service on a Client Access server, from the Exchange Administration Console (EAC):

a. In the EAC, navigate to Mail flow > Send connectors or Mail flow > Receive connectors.

b. Select the connector you want to configure, and then click Edit.

c. On the General tab, in the Protocol logging level section, select Verbose. Protocol logging is now enabled on the connector.

d. Click Save.

2. To configure the protocol log paths for the Send connectors and Receive connectors in the Transport service on a Mailbox server from the Exchange Administration Console (EAC):

a. In the EAC, navigate to Servers > Servers.

b. Select the Mailbox server you want to configure, and then click Edit.

c. On the server properties page, click Transport logs.

d. In the Protocol log section, change any of the following settings:

- Send protocol log path: the value you specify must be on the local Exchange server. If the folder doesn't exist, it will be created for you when you click Save.
- Receive protocol log path: the value you specify must be on the local Exchange server. If the folder doesn't exist, it will be created for you when you click Save.

e. Click Save.

Note: The locations set in "Send protocol log path" and "Receive protocol log path" are the ones to use during configuration of File Reader collection for Exchange Server 2013. Please refer to the additional download 'sftpagent.conf.MSExchangeSMTP'.

Configure File Reader for Microsoft Exchange Server 2007 Service Pack 2 and Later

Set up the NIC File Reader Service for the event source. For complete instructions, see the enVision Help topic "Set Up File Reader Service."

To set up the NIC File Reader Service:

1. In enVision, add the event source to the NIC File Reader Service.

2. Start the NIC File Reader Service. For instructions, see the enVision Help.

3. In enVision, set up the FTP server (in multiple appliance sites, the FTP server is on an LC or RC). For instructions, see the enVision Help.

4. Install and set up the NIC SFTP Agent on the Microsoft Exchange host that sends logs to enVision. Choose the appropriate configuration file depending upon your version:

- For Microsoft Exchange Server 2007 SP2, sftpagent.conf.msexchange2k7
- For Microsoft Exchange Server 2010, sftpagent.conf.msexchange2010
- For Microsoft Exchange Server 2013, sftpagent.conf.msexchange2013
- For SMTP protocol logs from Microsoft Exchange Server 2007, 2010, and 2013, sftpagent.conf.MSExchangeSMTP

Note: The SFTP sample file is available on RSA SecurCare Online (SCOL) and on the RSA enVision appliance. For details, see RSA enVision NIC SFTP Agent Configuration. For instructions on installing the NIC SFTP Agent, see RSA enVision NIC SFTP Agent Configuration, which is available on SecurCare Online.

5. From the Windows Services window, start the NIC SFTP Agent Service.

Configure Windows Collection from Microsoft Exchange Server 2007 Service Pack 2 and Later

To configure Microsoft Exchange Server 2007 SP2 and later:

1. In enVision, set up the NIC Windows Service. For detailed instructions, see the enVision Help.

2. To set up Windows Application event logging and collect Windows Application event log messages, follow these steps:

a. Open the Exchange Management Console.

b. From the navigation menu, click Microsoft Exchange On-Premises > Server Configuration.

c. In the Actions pane, click Manage Diagnostic Logging Properties.

d. Select Update logging levels for services.

e. From the Configure Server Diagnostic Logging Properties list, enable logging of services at the levels shown in the following table.

Service                      Category          Logging Level
MSExchange ADAccess\         General           Expert
MSExchangeIS\9002 System\    Connections       Expert
MSExchangeIS\9002 System\    General           Expert
MSExchangeIS\9001 Public\    Logons            Expert
MSExchangeIS\9001 Public\    General           Expert
MSExchangeIS\9001 Public\    Access Control    Expert
MSExchangeIS\9000 Private\   Logons            Expert
MSExchangeIS\9000 Private\   General           Expert
MSExchangeIS\9000 Private\   Access Control    Expert

f. Click Configure.

g. In the Completion window, check the status of the configuration. If the configuration fails, use the Back button to make the necessary changes.

h. Click Finish.
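The Expert-level categories in this table, which are the same ones listed under step 3 of "Configure Collection from Microsoft Exchange Server 2007", can also be applied and read back from the Exchange Management Shell rather than the console. The following is an added example and is not part of the RSA guide; it uses the standard Set-EventLogLevel and Get-EventLogLevel cmdlets and assumes it runs in the Exchange Management Shell on the Exchange server being configured.

```powershell
# Added example (not from the RSA guide): set the diagnostic logging categories
# from the guide's table to Expert and verify the result, so a misspelled
# category or a role not installed on this server is reported instead of
# silently leaving a gap in the Application log that enVision collects.
# Assumes the Exchange Management Shell on the target Exchange server.

$required = @(
    'MSExchange ADAccess\General',
    'MSExchangeIS\9002 System\Connections',
    'MSExchangeIS\9002 System\General',
    'MSExchangeIS\9001 Public\Logons',
    'MSExchangeIS\9001 Public\General',
    'MSExchangeIS\9001 Public\Access Control',
    'MSExchangeIS\9000 Private\Logons',
    'MSExchangeIS\9000 Private\General',
    'MSExchangeIS\9000 Private\Access Control'
)

$failures = @()

# Apply the level to every category in the table.
foreach ($category in $required) {
    try {
        Set-EventLogLevel -Identity $category -Level Expert -ErrorAction Stop
    } catch {
        # Typos in the category name or a missing server role end up here.
        $failures += "$category : $($_.Exception.Message)"
    }
}

# Read every level back; anything that is not Expert is a collection gap.
foreach ($category in $required) {
    $current = Get-EventLogLevel -Identity $category -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        $failures += "$category : category not found on this server"
    } elseif ($current.EventLevel -ne 'Expert') {
        $failures += "$category : level is $($current.EventLevel), expected Expert"
    }
}

if ($failures.Count -eq 0) {
    Write-Output 'All required diagnostic logging categories are set to Expert.'
} else {
    Write-Warning 'Some categories could not be set or verified:'
    $failures | ForEach-Object { Write-Warning "  $_" }
}
```

Expert logging on the Logons and Access Control categories is high volume; the guide's note on server load applies, so review Application log size and retention after enabling it.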

3. In Microsoft Exchange Server 2007, to confirm that message tracking logging is enabled, follow these steps:

a. Open the Exchange Management Console.

b. From the Server Configuration section, right-click your server, and select Properties.

c. On the Log Settings tab, ensure that Enable message tracking logging is selected.

d. Click OK.

In Microsoft Exchange Server 2010, to confirm that message tracking logging is enabled, follow these steps:

a. Open the Exchange Management Console.

b. From the navigation menu, click Microsoft Exchange On-Premises > Server Configuration.

c. From the Server Configuration section, right-click your server, and select Properties.

d. On the Log Settings tab, ensure that Enable message tracking log is selected.

e. Click OK.

4. To enable Microsoft Exchange Server 2007 Exchange Auditing, follow these steps:

Note: After you complete this step, you must complete the next section, "Set Up Agentless Collection on Exchange server 2007 SP2 and later on Windows Server 2008." Exchange auditing is not yet available in Microsoft Exchange 2010 service packs.

a. Open the Exchange Management Console.

b. Click Server Configuration > Mailbox.

c. In the Create Filter section, right-click the name of your server, and select Manage Diagnostic Logging Properties.

d. Click ServerName > MSExchangeIS > 9000 Private.

e. Select Folder Access, Message Access, Extended Send As, and Extended Send On Behalf Of, and set their logging levels to Expert.

f. Click Configure, then click Finish.

Configure Microsoft Exchange Server 2010 and 2013 for Administrator Audit and Mailbox Audit

To configure Microsoft Exchange Server 2010 and 2013 for Administrator Audit and Mailbox Audit:

1. To configure auditing on the Exchange server, follow these steps:

a. Log on to the Microsoft Exchange Server 2010 or 2013 using Domain Privileges.

b. Configure Exchange Mailbox Auditing using the link:

http://www.ultimatewindowssecurity.com/exchange/mailboxaudit/configure.aspx

Please refer to the example command in the link:

Set-Mailbox -Identity "John Smith" -AuditDelegate SendAs,SendOnBehalf,MessageBind,FolderBind -AuditEnabled $true

Configure Mailbox Auditing for each of the users, with their respective parameters, as per company requirements. Run this command using the Exchange Management Shell with administrator privileges.

c. Configure Exchange Administrator Auditing using the link:

http://www.ultimatewindowssecurity.com/exchange/adminaudit/configure.aspx

Please refer to the sample command in the link:

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters * -AdminAuditLogExcludedCmdlets *Mailbox*, *TransportRule*

Configure Administrator Auditing for each of the users, with their respective parameters, as per company requirements. Run this command using the Exchange Management Shell with administrator privileges.

d. Configure the Exchange audit search poll interval:

The value that controls the search poll interval timing is stored in an XML configuration file under the %ExchangeInstallPath% folder. The file is in the Bin folder and is called Microsoft.Exchange.Servicehost.exe.config. Look for the following line inside the <appSettings> tag:

<add key="AuditLogSearchPollIntervalInMilliseconds" value="…" />

This value determines (in milliseconds) the search poll interval. Set the value to an appropriate number for the task.
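The following is an added example, not from the RSA guide or the linked pages, that applies the mailbox audit settings from step b to every user mailbox rather than a single named one, applies the administrator audit settings from step c, and then reads both back so that unaudited mailboxes are reported. It assumes it runs in the Exchange Management Shell with an account permitted to run Set-Mailbox and Set-AdminAuditLogConfig.

```powershell
# Added example (not from the RSA guide): enable mailbox auditing on all user
# mailboxes with the delegate actions the guide audits, enable administrator
# audit logging as in the guide's sample command, then verify both.
# Assumes the Exchange Management Shell on Exchange 2010 or 2013.

# Delegate actions named in the guide: SendAs, SendOnBehalf, MessageBind, FolderBind.
$delegateActions = 'SendAs', 'SendOnBehalf', 'MessageBind', 'FolderBind'

# 1. Mailbox auditing. The guide shows the per-user form (-Identity "John Smith");
#    here the same settings are applied to every user mailbox in the organisation.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditDelegate $delegateActions
}

# 2. Administrator audit logging, as in the guide's sample command: log every cmdlet
#    and parameter except the *Mailbox* and *TransportRule* cmdlets it excludes.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * `
    -AdminAuditLogParameters * `
    -AdminAuditLogExcludedCmdlets *Mailbox*, *TransportRule*

# 3. Verification: any user mailbox still not audited is a gap in what LOGbinder EX
#    and enVision will see, so list them explicitly.
$notAudited = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled }
if ($notAudited) {
    $names = ($notAudited | ForEach-Object { $_.Alias }) -join ', '
    Write-Warning "Mailbox auditing is still disabled on: $names"
} else {
    Write-Output 'Mailbox auditing is enabled on all user mailboxes.'
}

# Confirm the organisation-wide administrator audit state and the exclusion list.
$admin = Get-AdminAuditLogConfig
Write-Output ("Admin audit logging enabled: {0}; excluded cmdlets: {1}" -f $admin.AdminAuditLogEnabled, ($admin.AdminAuditLogExcludedCmdlets -join ', '))
```

Because the guide's exclusion list contains *Mailbox*, changes made with Set-Mailbox, including the audit settings applied above, are themselves left out of the administrator audit log; confirm that this matches your requirements before keeping the exclusion.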

2. To configure LOGbinder EX to send Administrator Audit and Mailbox Audit to enVision:

Note: To collect auditing events from Microsoft Exchange Server into the Windows Event Viewer, you must download the third-party application LOGbinder EX from http://www.logbinder.com. When configuring Exchange Server 2010 and 2013, you must download LOGbinder EX 2.0.

a. For Microsoft Exchange Server 2010 and 2013, download LOGbinder EX 2.0 from http://www.logbinder.com.

b. To configure the input settings, follow these steps:

i. In the LOGbinder EX interface, click New Input.

ii. Refer to the LOGbinder EX documentation to enter the fields "Powershell URL", "Exchange URL", and "Recipient" correctly.

iii. Click OK.

c. To configure the output settings, follow these steps:

i. Click Output.

ii. Using LOGbinder EX 2.0, double-click LOGbinder EX Event Log and ensure that Send output to LOGbinder EX Event Log is selected.

iii. Deselect Include noise events and Include XML data.

iv. Click OK.

d. To start the service, follow these steps:

i. Click Service.

ii. Click Start.

Set Up Agentless Collection on Exchange server 2007 SP2 and later on Windows Server 2008

Beginning with the August 2010 Event Source Update, enVision provides a new agentless collector, the Windows Eventing Collection Service. For details, see the Microsoft Windows Eventing 6.0 Web Services API topic in the enVision Help.

Note: The Windows Eventing Collector Service can collect logs only from Microsoft Exchange Server 2010.

Prerequisites

You must install the Windows Eventing Collector Service. For more information, see the enVision Help topic "Setting Up the Windows Eventing Collector Service."

Disable the Legacy Collector

If you are using the Windows Eventing Collector Service, RSA recommends that you disable the legacy Windows agentless collector. Otherwise, event collection is duplicated, and enVision stores duplicate message data.

To disable the legacy agentless Windows collector:

1. In enVision, click Overview > System Configuration > Services > Device Services > Windows Service > Manage Windows Service.

2. Select the Windows Agentless Collector Service for each Microsoft Exchange Server for which you will be using the Windows Eventing Collector Service.

3. Click Delete.

Enable Event Collection on Microsoft Exchange Server 2010 and 2013

To collect from the extended log channels for Microsoft Exchange:

1. Add or update the alias for the event source.

Each event source has its own alias, which specifies the URL for the event source, as well as other details.

2. Open a new command shell, and change directories to the E:\nic\<enVision version>\<node_name>\collection-services\winevent directory.

3. Do one of the following:

- To edit an existing alias, type: wineventconfig.exe -e
- To add a new alias, type: wineventconfig.exe -a

4. Respond to the prompts with your information. For details, see the enVision Help.

5. Using a comma as the delimiter between channel names, enter any of the following event channels to which you want to subscribe:

- Application
- Exchange Auditing

  Note: Exchange auditing is only available for Microsoft Exchange Server 2007 Service Pack 2, and requires additional configuration. For details, see Configure the Exchange Auditing Channel.

- Microsoft-Exchange-MailboxDatabaseFailureItems/Operational
- Microsoft-Exchange-HighAvailability/Operational
- Microsoft-Exchange-HighAvailability/Debug
- LOGbndEX
- MSExchange Management

Note: The LOGbndEX channel is for Admin Audit and Mailbox Audit for Microsoft Exchange Server 2010 and 2013. You must enter the names as they appear in the preceding list. If you misspell any channel name, events from that channel will not be collected.

6. To test your configuration, run the following command:

wineventconfig.exe -t

Configure the Exchange Auditing Channel

To configure the Exchange Auditing channel, you must enable Windows Remote Management. This is described in the "Microsoft Windows Eventing 6.0 Web Services API" document, available from the RSA SecurCare Online (SCOL) web site.

Follow all directions in that document to enable Windows Remote Management, except that you must replace Security with Exchange Auditing when setting access to your channel.

That document describes the command to set read access to the Security Channel:

wevtutil gl Security

To configure the Exchange Auditing channel, replace Security with "Exchange Auditing" as shown here:

wevtutil gl "Exchange Auditing"

Microsoft Exchange Server Release Notes (20140311-145050)

What's New in This Release

RSA has updated configuration instructions for Microsoft Exchange to display Collection type information more clearly. RSA has also added support for SMTP protocol logs for Exchange 2007, 2010 and 2013.

New and Updated Messages in Microsoft Exchange Server

For complete details on new and changed messages, see the Event Source Update Help.

Microsoft Exchange Server Release Notes (20140213-121344)

What's New in This Release

RSA has added support for Microsoft Exchange Server 2010 and 2013 Mailbox and Admin Audit using LOGbinder EX. RSA has also added support for the channel MS Exchange Management using Windows Event Collection.

New and Updated Messages in Microsoft Exchange Server

For complete details on new and changed messages, see the Event Source Update Help.

Microsoft Exchange Server Release Notes (20131211-220046)

What's New in This Release

RSA has added support for Microsoft Exchange Server 2013.

Microsoft Exchange Server Release Notes (20130731-180221)


New and Updated Messages in Microsoft Exchange Server

For complete details on new and changed messages, see the Event Source Update Help.

Microsoft Exchange Server Release Notes (20130625-110128)

New and Updated Messages in Microsoft Exchange Server

For complete details on new and changed messages, see the Event Source Update Help.

Microsoft Exchange Server Release Notes (20130501-153011)

New and Updated Messages in Microsoft Exchange Server

For complete details on new and changed messages, see the Event Source Update Help.

Microsoft Exchange Server Release Notes (20130326-113451)

New and Updated Messages in Microsoft Exchange Server

For complete details on new and changed messages, see the Event Source Update Help.

Microsoft Exchange Server Release Notes (20130228-133928)

New and Updated Messages in Microsoft Exchange Server

For complete details on new and changed messages, see the Event Source Update Help.

Microsoft Exchange Server Release Notes (20121227-120737)

New and Updated Messages in Microsoft Exchange Server

For complete details on new and changed messages, see the Event Source Update Help.

Microsoft Exchange Server Release Notes (20121024-162733)

What's New in This Release

RSA has added a clarification regarding the use of Exchange Auditing for Microsoft Exchange Server 2010. Exchange Auditing is not yet available to Exchange Server 2010 customers.

New and Updated Messages in Microsoft Exchange Server

For complete details on new and changed messages, see the Event Source Update Help.

Microsoft Exchange Server Release Notes (20120927-104626)


New and Updated Messages in Microsoft Exchange Server

For complete details on new and changed messages, see the Event Source Update Help.
