Copyright © 2012 EMC Corporation. All Rights Reserved.
Microsoft Exchange Server
Last Modified: Tuesday, March 11, 2014
Event Source (Device) Product Information
Vendor: Microsoft
Event Source (Device): Exchange Server
Supported Versions: 2003, 2007 (Windows Server 2003 and 2008), 2010, and 2013
Note: To support Exchange Auditing logs in Microsoft Exchange 2007 SP2 or later, you need to install the EBF: ENV-36943. For details, contact RSA enVision Customer Support.
Additional Downloads: sftpagent.conf.msexchange, sftpagent.conf.msexchange2k7, sftpagent.conf.msexchange2010, sftpagent.conf.msexchange2013, sftpagent.conf.MSExchangeSMTP, LOGbinder EX (for Exchange Server 2010 and 2013)
RSA Product Information
Supported Version: RSA enVision 4.0 and 4.1
Event Source (Device) Type: msexchange, 64
Collection Method: File reader and Windows event logs
Event Source (Device) Class.Subclass: Host.Mail Servers
Content 2.0 Table: Messaging
This document contains the following information for the Microsoft Exchange Server event source:
• Configuration Instructions
• Release Notes 20140311-145050
• Release Notes 20140213-121344
• Release Notes 20131211-220046
• Release Notes 20130731-180221
• Release Notes 20130625-110128
• Release Notes 20130501-153011
• Release Notes 20130326-113451
• Release Notes 20130228-133928
• Release Notes 20121227-120737
• Release Notes 20121024-162733
• Release Notes 20120927-104626
Important: If you use agentless Windows collection, you must first configure and discover Microsoft Exchange Server with the NIC File Reader Service and mark it as multi-device. If you have already discovered agentless Windows collection, you must set agentless Windows collection to multi-device, manually add the Microsoft Exchange Server event source, and restart the NIC Collector Service.
RSA enVision collects two sets of messages from Microsoft Exchange Server: one from the message tracking log file and one from the Windows application event log file. Therefore, you must set up two NIC services and select options in Microsoft Exchange Server.
Note: The Intelligent Message Filter feature in the message tracking log file is not supported.
Depending on your version of Microsoft Exchange Server, do one of the following:
• Configure Collection from Microsoft Exchange Server 2003
• (Optional) Set Up Agentless Collection in Microsoft Exchange Server 2003
• Configure Collection from Microsoft Exchange Server 2007
• Configure SMTP Protocol logging on Microsoft Exchange Server 2007, 2010 and 2013
• Configure File Reader for Microsoft Exchange Server 2007 Service Pack 2 and Later
• Configure Windows Collection from Microsoft Exchange Server 2007 Service Pack 2 and Later
• Configure Microsoft Exchange Server 2010 and 2013 for Administrator Audit and Mailbox Audit
• Set Up Agentless Collection on Exchange server 2007 SP2 and later on Windows Server 2008
Configure Collection from Microsoft Exchange Server 2003
To configure Microsoft Exchange Server 2003:
1. To set up the NIC File Reader Service in enVision, follow these steps:
   a. Add Microsoft Exchange Server to the NIC File Reader Service, and restart the service. For detailed instructions, see the enVision Help topic "Set Up File Reader Service."
   b. Install the NIC SFTP Agent on the host that is sending logs to enVision. For instructions on installing the NIC SFTP Agent, see RSA enVision NIC SFTP Agent Configuration, which is available on SecurCare Online.
   c. From the Windows Services dialog box, start the NIC SFTP Agent Service.
   Note: The SFTP sample file is available on RSA SecurCare Online (SCOL) and on the RSA enVision appliance. For details, see RSA enVision NIC SFTP Agent Configuration.
2. In enVision, set up the NIC Windows Service. For detailed instructions, see the enVision Help topic "Set Up Windows Service."
3. To set up Windows Application event logging and collect Windows Application event log messages in Microsoft Exchange Server 2003, follow these steps:
   a. Open the Exchange System Manager.
   b. Click Administrative Group or Organization > Servers.
   c. Right-click the name of the server, and select Properties.
   d. On the Diagnostics Logging tab, enable logging at the levels shown in the following table.
   Note: Hardware platforms and server loads influence how much degradation your system will experience if you enable logging.

   Service                        Category            Logging Level
   IMAPSvc4                       Connections         Maximum
   IMAPSvc4                       Authentication      Maximum
   IMAPSvc4                       General             Maximum
   POPSvc4                        Connections         Maximum
   POPSvc4                        Authentication      Maximum
   POPSvc4                        General             Maximum
   MSExchangeDSAccess             General             Maximum
   MSExchangeIS - System          Connections         Maximum
   MSExchangeIS - System          General             Maximum
   MSExchange - Public Folders    Logons              Maximum
   MSExchange - Public Folders    General             Maximum
   MSExchange - Public Folders    Access Control      Maximum
   MSExchangeIS - Mailbox         Logons              Maximum
   MSExchangeIS - Mailbox         General             Maximum
   MSExchangeIS - Mailbox         Access Control      Maximum
   MSExchangeSA                   Mailbox Management  Maximum

   e. Click OK.
4. To collect message tracking log messages, follow these steps:
   a. Open the Exchange System Manager.
   b. Click Administrative Group or Organization > Servers.
   c. In the Servers window, right-click the name of the server, and select Properties.
   d. Click the General tab.
   e. Select Enable subject logging and display and Enable message tracking.
   f. Click OK.
Set Up Agentless Collection on Microsoft Windows Server 2003
Use the legacy Windows Agentless collector to collect the audit logs for Microsoft Exchange Server running on Windows Server 2003.
To add the legacy Agentless Windows Collector service:
1. Log on to enVision and navigate to Services > Device Services > Windows Services > Manage Windows Services.
2. Under Filtered Windows Services, click Add.
3. Set the following parameters:
   • For the IP Address of Service, enter the IP address of the Windows server for your Exchange Server.
   • Unselect Security and System, leaving only Application selected.
4. Click Apply.
5. Enter the log-on credentials for the Exchange Server system.
Configure Collection from Microsoft Exchange Server 2007
To configure Microsoft Exchange Server 2007:
1. To set up the NIC File Reader Service in enVision, follow these steps:
   a. Add Microsoft Exchange Server to the NIC File Reader Service, and restart the service. For detailed instructions, see the enVision Help topic "Set Up File Reader Service."
   b. Install the NIC SFTP Agent on the host that is sending logs to enVision. For instructions on installing the NIC SFTP Agent, see RSA enVision NIC SFTP Agent Configuration, which is available on SecurCare Online.
   c. From the Windows Services dialog box, start the NIC SFTP Agent Service.
   Note: The SFTP sample file is available on RSA SecurCare Online (SCOL) and on the RSA enVision appliance. For details, see RSA enVision NIC SFTP Agent Configuration.
2. In enVision, set up the NIC Windows Service. For detailed instructions, see the enVision Help.
3. To collect Windows event log messages, use the Exchange Management Shell to configure the logging services at the levels shown in the following table.

   Service                     Category        Logging Level
   MSExchange ADAccess\        General         Expert
   MSExchangeIS\9002 System\   Connections     Expert
   MSExchangeIS\9002 System\   General         Expert
   MSExchangeIS\9001 Public\   Logons          Expert
   MSExchangeIS\9001 Public\   General         Expert
   MSExchangeIS\9001 Public\   Access Control  Expert
   MSExchangeIS\9000 Private\  Logons          Expert
   MSExchangeIS\9000 Private\  General         Expert
   MSExchangeIS\9000 Private\  Access Control  Expert

   For more information, see the following articles on Microsoft TechNet:
   • Diagnostic Logging of Exchange Processes
   • Processes with Configurable Event Logging Levels
   • Change Logging Levels for Exchange Processes
4. To confirm that message tracking logging is enabled, follow these steps:
   a. Open the Exchange Management Console.
   b. From the Server Configuration section, right-click the name of the server, and select Properties.
   c. Click the Log Settings tab.
   d. Ensure that Enable message tracking logging is selected.
   e. Click OK.
Configure SMTP Protocol logging on Microsoft Exchange Server 2007, 2010 and 2013
To configure SMTP Protocol Logging on Microsoft Exchange Server 2007 and 2010:
1. To enable protocol logging on a Receive Connector from the Exchange Management Console (EMC):
   a. Expand the Server Configuration | Hub Transport node.
   b. Select the Hub Transport server you want to configure, then select the Receive Connector > Properties tab.
   c. On the General tab, change the Protocol Logging Level to Verbose.
2. To enable protocol logging on a Send Connector from the Exchange Management Console (EMC):
   a. Expand the Organization Configuration | Hub Transport node.
   b. On the Send Connectors tab, select the Send Connector > Properties tab.
   c. On the General tab, change the Protocol Logging Level to Verbose.
Note: The default locations of the SMTP protocol logs are as follows.
Receive Connector logs:
   Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive
   Exchange 2007: \Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive
Send Connector logs:
   Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend
   Exchange 2007: \Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend
This location is used during configuration of File Reader collection for Exchange Server 2007 and 2010. Refer to the additional download 'sftpagent.conf.MSExchangeSMTP'.
To configure SMTP Protocol Logging on Microsoft Exchange Server 2013:
1. To enable protocol logging on a Receive connector or Send connector in the Transport service on a Mailbox server, or on a Receive connector in the Front End Transport service on a Client Access server, from the Exchange Administration Console (EAC):
   a. In the EAC, navigate to Mail flow > Send connectors or Mail flow > Receive connectors.
   b. Select the connector you want to configure, and then click Edit.
   c. On the General tab, in the Protocol logging level section, select Verbose. Protocol logging is then enabled on the connector.
   d. Click Save.
2. To configure the protocol log paths for the Send connectors and Receive connectors in the Transport service on a Mailbox server from the Exchange Administration Console (EAC):
   a. In the EAC, navigate to Servers > Servers.
   b. Select the Mailbox server you want to configure, and then click Edit.
   c. On the server properties page, click Transport logs.
   d. In the Protocol log section, change any of the following settings:
      • Send protocol log path: the value you specify must be on the local Exchange server. If the folder doesn't exist, it will be created for you when you click Save.
      • Receive protocol log path: the value you specify must be on the local Exchange server. If the folder doesn't exist, it will be created for you when you click Save.
   e. Click Save.
Note: The locations set in "Send protocol log path" and "Receive protocol log path" are the ones to use during configuration of File Reader collection for Exchange Server 2013. Refer to the additional download 'sftpagent.conf.MSExchangeSMTP'.
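The same connector and log-path settings can be applied and checked from the Exchange Management Shell. The following is an added example, not part of the RSA guide; the server name and log root are placeholders, and the Exchange 2013 cmdlets are shown as an alternative because the log paths live on a different object there.

```powershell
# Added example, not part of the RSA guide. Turns on verbose SMTP protocol logging for every
# Receive connector on one Hub Transport server and every Send connector in the organisation,
# then sets the log folders that sftpagent.conf.MSExchangeSMTP will read from.
# Run in the Exchange Management Shell. Server name and paths are placeholders.
$Server  = "EXCH01"                        # placeholder
$LogRoot = "D:\ExchangeLogs\ProtocolLog"   # placeholder; must be a local path on the server

# Step 1: Receive connectors on this server (same as General > Protocol Logging Level = Verbose)
Get-ReceiveConnector -Server $Server | Set-ReceiveConnector -ProtocolLoggingLevel Verbose

# Step 2: Send connectors are organisation-wide objects, so there is no -Server filter
Get-SendConnector | Set-SendConnector -ProtocolLoggingLevel Verbose

# Exchange 2007/2010: the log folders are properties of the Hub Transport server object.
Set-TransportServer -Identity $Server `
    -ReceiveProtocolLogPath (Join-Path $LogRoot "SmtpReceive") `
    -SendProtocolLogPath    (Join-Path $LogRoot "SmtpSend")

# Exchange 2013: the Transport service on the Mailbox server uses Set-TransportService, and
# the Front End Transport service on the Client Access server keeps its own Receive log path
# (Set-FrontendTransportService). Run these instead of Set-TransportServer on 2013:
# Set-TransportService -Identity $Server -ReceiveProtocolLogPath <path> -SendProtocolLogPath <path>
# Set-FrontendTransportService -Identity $Server -ReceiveProtocolLogPath <path>

# Verify: every connector should now show Verbose, and the paths should match what you put in
# the NIC SFTP Agent configuration. Verbose logs grow quickly, so also review the
# *ProtocolLogMaxAge and *ProtocolLogMaxDirectorySize values shown here to make sure logs are
# not rotated away before the agent has shipped them.
Get-ReceiveConnector -Server $Server | Format-Table Name, ProtocolLoggingLevel -AutoSize
Get-SendConnector | Format-Table Name, ProtocolLoggingLevel -AutoSize
Get-TransportServer -Identity $Server | Format-List *ProtocolLog*
```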
Configure File Reader for Microsoft Exchange Server 2007 Service Pack 2 and Later
Set up the NIC File Reader Service for the event source. For complete instructions, see the enVision Help topic "Set Up File Reader Service."
To set up the NIC File Reader Service:
1. In enVision, add the event source to the NIC File Reader Service.
2. Start the NIC File Reader Service. For instructions, see the enVision Help.
3. In enVision, set up the FTP server (in multiple-appliance sites, the FTP server is on an LC or RC). For instructions, see the enVision Help.
4. Install and set up the NIC SFTP Agent on the Microsoft Exchange host that sends logs to enVision. Choose the appropriate configuration file depending on your version:
   • For Microsoft Exchange Server 2007 SP2, sftpagent.conf.msexchange2k7
   • For Microsoft Exchange Server 2010, sftpagent.conf.msexchange2010
   • For Microsoft Exchange Server 2013, sftpagent.conf.msexchange2013
   • For SMTP protocol logs from Microsoft Exchange Server 2007, 2010, and 2013, sftpagent.conf.MSExchangeSMTP
   Note: The SFTP sample file is available on RSA SecurCare Online (SCOL) and on the RSA enVision appliance. For details, see RSA enVision NIC SFTP Agent Configuration. For instructions on installing the NIC SFTP Agent, see RSA enVision NIC SFTP Agent Configuration, which is available on SecurCare Online.
5. From the Windows Services window, start the NIC SFTP Agent Service.
Configure Windows Collection from Microsoft Exchange Server 2007 Service Pack 2 and Later
To configure Microsoft Exchange Server 2007 SP2 and later:
1. In enVision, set up the NIC Windows Service. For detailed instructions, see the enVision Help.
2. To set up Windows Application event logging and collect Windows Application event log messages, follow these steps:
   a. Open the Exchange Management Console.
   b. From the navigation menu, click Microsoft Exchange On-Premises > Server Configuration.
   c. In the Actions pane, click Manage Diagnostic Logging Properties.
   d. Select Update logging levels for services.
   e. From the Configure Server Diagnostic Logging Properties list, enable logging of services at the levels shown in the following table.

   Service                     Category        Logging Level
   MSExchange ADAccess\        General         Expert
   MSExchangeIS\9002 System\   Connections     Expert
   MSExchangeIS\9002 System\   General         Expert
   MSExchangeIS\9001 Public\   Logons          Expert
   MSExchangeIS\9001 Public\   General         Expert
   MSExchangeIS\9001 Public\   Access Control  Expert
   MSExchangeIS\9000 Private\  Logons          Expert
   MSExchangeIS\9000 Private\  General         Expert
   MSExchangeIS\9000 Private\  Access Control  Expert

   f. Click Configure.
   g. In the Completion window, check the status of the configuration. If the configuration fails, use the Back button to make the necessary changes.
   h. Click Finish.
3. In Microsoft Exchange Server 2007, to confirm that message tracking logging is enabled, follow these steps:
   a. Open the Exchange Management Console.
   b. From the Server Configuration section, right-click your server, and select Properties.
   c. On the Log Settings tab, ensure that Enable message tracking logging is selected.
   d. Click OK.
   In Microsoft Exchange Server 2010, to confirm that message tracking logging is enabled, follow these steps:
   a. Open the Exchange Management Console.
   b. From the navigation menu, click Microsoft Exchange On-Premises > Server Configuration.
   c. From the Server Configuration section, right-click your server, and select Properties.
   d. On the Log Settings tab, ensure that Enable message tracking log is selected.
   e. Click OK.
4. To enable Microsoft Exchange Server 2007 Exchange Auditing, follow these steps:
   Note: After you complete this step, you must complete the next section, "Set Up Agentless Collection on Exchange server 2007 SP2 and later on Windows Server 2008." Exchange auditing is not yet available in Microsoft Exchange 2010 service packs.
   a. Open the Exchange Management Console.
   b. Click Server Configuration > Mailbox.
   c. In the Create Filter section, right-click the name of your server, and select Manage Diagnostic Logging Properties.
   d. Click ServerName > MSExchangeIS > 9000 Private.
   e. Select Folder Access, Message Access, Extended Send As, and Extended Send On Behalf Of, and set their logging levels to Expert.
   f. Click Configure, then click Finish.
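The logging levels in the table above (the same table appears in "Configure Collection from Microsoft Exchange Server 2007") and the Exchange Auditing categories in step 4 can be set and read back from the Exchange Management Shell instead of the console. This is an added example, not part of the RSA guide; the server name is a placeholder.

```powershell
# Added example, not part of the RSA guide. Sets every Service\Category in the diagnostic
# logging table to Expert, adds the Exchange Auditing categories from step 4, and then reads
# the levels back so you can confirm what the Windows collector will actually receive.
# Run in the Exchange Management Shell on (or against) the Mailbox server.
$Server = "EXCH01"   # placeholder: name of your Mailbox server

# Service\Category identities from the table; the RSA guide wants all of them at Expert.
$TableIdentities = @(
    "MSExchange ADAccess\General",
    "MSExchangeIS\9002 System\Connections",
    "MSExchangeIS\9002 System\General",
    "MSExchangeIS\9001 Public\Logons",
    "MSExchangeIS\9001 Public\General",
    "MSExchangeIS\9001 Public\Access Control",
    "MSExchangeIS\9000 Private\Logons",
    "MSExchangeIS\9000 Private\General",
    "MSExchangeIS\9000 Private\Access Control"
)

# Exchange Auditing categories from step 4. They exist only on Exchange 2007 SP2 and later
# 2007 service packs; on Exchange 2010 they are absent and Set-EventLogLevel reports an error,
# which the loop below turns into a warning rather than aborting the remaining categories.
$AuditingIdentities = @(
    "MSExchangeIS\9000 Private\Folder Access",
    "MSExchangeIS\9000 Private\Message Access",
    "MSExchangeIS\9000 Private\Extended Send As",
    "MSExchangeIS\9000 Private\Extended Send On Behalf Of"
)

foreach ($Identity in ($TableIdentities + $AuditingIdentities)) {
    try {
        Set-EventLogLevel -Identity "$Server\$Identity" -Level Expert -ErrorAction Stop
    } catch {
        Write-Warning "Could not set $Identity on ${Server}: $($_.Exception.Message)"
    }
}

# Read back the categories of the three MSExchangeIS stores and ADAccess. Anything still
# below Expert shows up here. Expert logging is verbose, so watch the Application log size
# and the collector's throughput after the change.
Get-EventLogLevel -Server $Server |
    Where-Object { $_.Identity -like "*MSExchangeIS\900? *" -or $_.Identity -like "*MSExchange ADAccess\*" } |
    Sort-Object Identity |
    Format-Table Identity, EventLevel -AutoSize
```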
Configure Microsoft Exchange Server 2010 and 2013 for Administrator Audit and Mailbox Audit
To configure Microsoft Exchange Server 2010 and 2013 for Administrator Audit and Mailbox Audit:
1. To configure Microsoft Exchange Server 2010 and 2013 for Administrator Audit and Mailbox Audit:
   a. Log on to the Microsoft Exchange Server 2010 or 2013 using domain privileges.
   b. Configure Exchange Mailbox Auditing using the link: http://www.ultimatewindowssecurity.com/exchange/mailboxaudit/configure.aspx
      Refer to the example command in the link:
      Set-Mailbox -Identity "John Smith" -AuditDelegate SendAs,SendOnBehalf,MessageBind,FolderBind -AuditEnabled $true
      Run this command for each user, with the parameters that your company requires for that user, using the Exchange Management Shell with administrator privileges.
   c. Configure Exchange Administrator Auditing using the link: http://www.ultimatewindowssecurity.com/exchange/adminaudit/configure.aspx
      Refer to the sample command in the link:
      Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters * -AdminAuditLogExcludedCmdlets *Mailbox*, *TransportRule*
      Adapt the command's parameters to your company's requirements, and run it using the Exchange Management Shell with administrator privileges.
   d. Configure the Exchange audit search poll interval:
      The value that controls the search poll interval is stored in an XML configuration file under the %ExchangeInstallPath% folder. The file is in the Bin folder and is called Microsoft.Exchange.Servicehost.exe.config. Look for the following line inside the <appSettings> tag:
      <add key="AuditLogSearchPollIntervalInMilliseconds" value="…" />
      This value sets the search poll interval in milliseconds. Set it to a number appropriate for the task.
2. To configure LOGbinder EX to send Administrator Audit and Mailbox Audit to enVision:
   Note: To collect auditing events from Microsoft Exchange Server into the Windows Event Viewer, you must download the third-party application LOGbinder EX from http://www.logbinder.com. When configuring Exchange Server 2010 and 2013, you must download LOGbinder EX 2.0.
   a. For Microsoft Exchange Server 2010 and 2013, download LOGbinder EX 2.0 from http://www.logbinder.com.
   b. To configure the input settings, follow these steps:
      i. In the LOGbinder EX interface, click New Input.
      ii. Refer to the LOGbinder EX documentation to enter the fields "Powershell URL", "Exchange URL", and "Recipient" correctly.
      iii. Click OK.
   c. To configure the output settings, follow these steps:
      i. Click Output.
      ii. Using LOGbinder EX 2.0, double-click LOGbinder EX Event Log and ensure that Send output to LOGbinder EX Event Log is selected.
      iii. Deselect Include noise events and Include XML data.
      iv. Click OK.
   d. To start the service, follow these steps:
      i. Click Service.
      ii. Click Start.
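Step 1 above gives one mailbox and one admin-audit command. The following added example (not part of the RSA guide) applies the same settings across the organisation and reads them back before LOGbinder EX starts polling; the mailbox name in the final search is a placeholder, and the poll-interval file is only read, not changed.

```powershell
# Added example, not part of the RSA guide. Enables mailbox auditing on every user mailbox
# with the delegate actions from the step 1b sample, enables admin audit logging as in the
# step 1c sample, shows the step 1d poll interval, and verifies each setting.
# Run in the Exchange Management Shell as a member of Organization Management.

# Step 1b, generalised from the single "John Smith" example to all user mailboxes.
# -AuditAdmin additionally records actions by administrators who open the mailbox.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true `
                -AuditDelegate SendAs,SendOnBehalf,MessageBind,FolderBind `
                -AuditAdmin    SendAs,SendOnBehalf,MessageBind,FolderBind,Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,Copy `
                -AuditLogAgeLimit 90.00:00:00

# Step 1c, the sample command. Caveat: the exclusion pattern *Mailbox* also matches cmdlets
# such as Set-Mailbox, so changes to the audit settings made above would not be logged.
# Review the exclusion list against your own requirements before keeping it.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * `
    -AdminAuditLogParameters * `
    -AdminAuditLogExcludedCmdlets *Mailbox*,*TransportRule*

# Step 1d: display the current search poll interval without hand-editing the file.
$ConfigFile = Join-Path $env:ExchangeInstallPath "Bin\Microsoft.Exchange.Servicehost.exe.config"
[xml]$Config = Get-Content -Path $ConfigFile
$Poll = $Config.configuration.appSettings.add |
    Where-Object { $_.key -eq "AuditLogSearchPollIntervalInMilliseconds" }
"AuditLogSearchPollIntervalInMilliseconds = $($Poll.value)"

# Verify: any user mailbox still unaudited, the admin audit configuration, and the last
# day of delegate activity for one mailbox (Search-MailboxAuditLog needs 2010 SP1 or later).
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Format-Table Name, AuditEnabled -AutoSize
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters, AdminAuditLogExcludedCmdlets
Search-MailboxAuditLog -Identity "John Smith" -LogonTypes Delegate `
    -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ShowDetails |
    Format-Table LastAccessed, LogonUserDisplayName, Operation, FolderPathName -AutoSize
```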
Set Up Agentless Collection on Exchange server 2007 SP2 and later on Windows Server 2008
Beginning with the August 2010 Event Source Update, enVision provides a new agentless collector, the Windows Eventing Collection Service. For details, see the Microsoft Windows Eventing 6.0 Web Services API topic in the enVision Help.
Note: The Windows Eventing Collector Service can collect logs only from Microsoft Exchange Server 2010.
Prerequisites
You must install the Windows Eventing Collector Service. For more information, see the enVision Help topic "Setting Up the Windows Eventing Collector Service."
Disable the Legacy Collector
If you are using the Windows Eventing Collector Service, RSA recommends that you disable the legacy Windows agentless collector. Otherwise, event collection is duplicated, and enVision stores duplicate message data.
To disable the legacy agentless Windows collector:
1. In enVision, click Overview > System Configuration > Services > Device Services > Windows Service > Manage Windows Service.
2. Select the Windows Agentless Collector Service for each Microsoft Exchange Server for which you will be using the Windows Eventing Collector Service.
3. Click Delete.
Enable Event Collection on Microsoft Exchange Server 2010 and 2013
To collect from the extended log channels for Microsoft Exchange:
1. Add or update the alias for the event source. Each event source has its own alias, which specifies the URL for the event source, as well as other details.
2. Open a new command shell, and change directories to the E:\nic\enVision version\node_name\collection-services\winevent directory.
3. Do one of the following:
   • To edit an existing alias, type: wineventconfig.exe -e
   • To add a new alias, type: wineventconfig.exe -a
4. Respond to the prompts with your information. For details, see the enVision Help.
5. Using a comma as the delimiter between channel names, enter any of the following event channels to which you want to subscribe:
   • Application
   • Exchange Auditing
     Note: Exchange auditing is only available for Microsoft Exchange Server 2007 Service Pack 2, and requires additional configuration. For details, see Configure the Exchange Auditing Channel.
   • Microsoft-Exchange-MailboxDatabaseFailureItems/Operational
   • Microsoft-Exchange-HighAvailability/Operational
   • Microsoft-Exchange-HighAvailability/Debug
   • LOGbndEX
   • MSExchange Management
   Note: The LOGbndEX channel is for Admin Audit and Mailbox Audit for Microsoft Exchange Server 2010 and 2013. You must enter the names as they appear in the preceding list. If you misspell any channel name, events from that channel will not be collected.
6. To test your configuration, run the following command: wineventconfig.exe -t
Configure the Exchange Auditing Channel
To configure the Exchange Auditing channel, you must enable Windows Remote Management. This is described in the "Microsoft Windows Eventing 6.0 Web Services API" document, available from the RSA SecurCare Online (SCOL) web site.
Follow all directions in that document to enable Windows Remote Management, except that you must replace Security with Exchange Auditing when setting access to your channel.
That document describes the command to set read access to the Security Channel:
wevtutil gl Security
To configure the Exchange Auditing channel, replace Security with "Exchange Auditing" as shown here:
wevtutil gl "Exchange Auditing"
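The channelAccess line that wevtutil gl prints is the security descriptor that decides whether the collector account can read the channel. As an added example (not part of the RSA guide or the Windows Eventing document), the following script reads that descriptor for the Exchange Auditing channel, checks for an allow entry for the collector's SID, and appends a read-only entry with wevtutil sl when none exists; the SID is a placeholder.

```powershell
# Added example, not part of the RSA guide. Checks whether the account used by the Windows
# Eventing Collector Service can read the "Exchange Auditing" channel and, if it cannot,
# appends a read-only ACE for it. "wevtutil gl" prints the channel's security descriptor on
# the "channelAccess:" line; "wevtutil sl <channel> /ca:<SDDL>" writes it back.
# Run from an elevated PowerShell prompt on the Exchange server.
# The collector SID is a placeholder; obtain the real one with "whoami /user" as that account.
$Channel      = "Exchange Auditing"
$CollectorSid = "S-1-5-21-0000000000-0000000000-0000000000-1105"   # placeholder

# Read the current descriptor, as the RSA document's "wevtutil gl" step does
$AccessLine = wevtutil gl $Channel | Where-Object { $_ -like "channelAccess:*" }
if (-not $AccessLine) { throw "Channel '$Channel' was not found on this server." }
$Sddl = ($AccessLine -replace '^channelAccess:\s*', '').Trim()
"Current descriptor: $Sddl"

# An ACE of the form (A;;0x1;;;<SID>) grants read (0x1) to that SID. The regex below looks
# for any allow ACE naming the collector SID, whatever its access mask.
$ReadAce  = "(A;;0x1;;;$CollectorSid)"
$AllowAce = "\(A;;[^;]*;;;" + [regex]::Escape($CollectorSid) + "\)"
if ($Sddl -match $AllowAce) {
    "'$Channel' already grants access to $CollectorSid; nothing to change."
} else {
    # Append the new ACE to the existing DACL rather than replacing the whole descriptor,
    # so the entries for SYSTEM, Administrators and Event Log Readers are kept.
    wevtutil sl $Channel /ca:"$Sddl$ReadAce"
    "Appended $ReadAce to '$Channel'."
    # Confirm the write took effect
    wevtutil gl $Channel | Where-Object { $_ -like "channelAccess:*" }
}
```

Granting only 0x1 (read) keeps the collector account from clearing or reconfiguring the channel; a broader mask is not needed for collection.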
Microsoft Exchange Server Release Notes (20140311-145050)
What's New in This Release
RSA has updated configuration instructions for Microsoft Exchange to display Collection type information more clearly. RSA has also added support for SMTP protocol logs for Exchange 2007, 2010 and 2013.
New and Updated Messages in Microsoft Exchange Server
For complete details on new and changed messages, see the Event Source Update Help.
Microsoft Exchange Server Release Notes (20140213-121344)
What's New in This Release
RSA has added support for Microsoft Exchange Server 2010 and 2013 Mailbox and Admin Audit using LOGbinder EX. RSA has also added support for the channel MS Exchange Management using Windows Event Collection.
New and Updated Messages in Microsoft Exchange Server
For complete details on new and changed messages, see the Event Source Update Help.
Microsoft Exchange Server Release Notes (20131211-220046)
What's New in This Release
RSA has added support for Microsoft Exchange Server 2013.
Microsoft Exchange Server Release Notes (20130731-180221)
New and Updated Messages in Microsoft Exchange Server
For complete details on new and changed messages, see the Event Source Update Help.
Microsoft Exchange Server Release Notes (20130625-110128)
New and Updated Messages in Microsoft Exchange Server
For complete details on new and changed messages, see the Event Source Update Help.
Microsoft Exchange Server Release Notes (20130501-153011)
New and Updated Messages in Microsoft Exchange Server
For complete details on new and changed messages, see the Event Source Update Help.
Microsoft Exchange Server Release Notes (20130326-113451)
New and Updated Messages in Microsoft Exchange Server
For complete details on new and changed messages, see the Event Source Update Help.
Microsoft Exchange Server Release Notes (20130228-133928)
New and Updated Messages in Microsoft Exchange Server
For complete details on new and changed messages, see the Event Source Update Help.
Microsoft Exchange Server Release Notes (20121227-120737)
New and Updated Messages in Microsoft Exchange Server
For complete details on new and changed messages, see the Event Source Update Help.
Microsoft Exchange Server Release Notes (20121024-162733)
What's New in This Release
RSA has added a clarification regarding the use of Exchange Auditing for Microsoft Exchange Server 2010. Exchange Auditing is not yet available to Exchange Server 2010 customers.
New and Updated Messages in Microsoft Exchange Server
For complete details on new and changed messages, see the Event Source Update Help.
Microsoft Exchange Server Release Notes (20120927-104626)
New and Updated Messages in Microsoft Exchange Server
For complete details on new and changed messages, see the Event Source Update Help.