www.logbinder.com
Getting Started Guide
Document version 1
Contents
Installing LOGbinder for Exchange ... 3
Step 1 – Check Software Requirements ... 3
Software Requirements ... 3
Exchange Auditing Requirements ... 3
Step 2 – Check User Accounts and Authority ... 4
If outputting to Windows Security log ... 4
Step 3 – Run the Installer ... 5
Transferring settings to a new server ... 5
Configuring LOGbinder for Exchange ... 6
Configure Input ... 6
Configure Output ... 7
Configure Service ... 8
Configure Options ... 8
Status Bar ... 9
License ... 10
24-hour Delay in Mailbox Audit Logs ... 11
Mailbox Audit Policy management ... 12
Using LOGbinder Control Panel to set mailbox audit policy ... 12
Enforcing Mailbox audit policy... 14
Monitoring LOGbinder for Exchange ... 15
During Installation and Configuration ... 15
While LOGbinder for Exchange is Running ... 16
Appendix A: Assigning Permissions ... 17
Exchange Administrator Roles ... 17
Local Security Policy Changes... 17
Log On as a Service ... 17
Generate Security Audits (SeAuditPrivilege) ... 18
Audit Policy ... 18
Appendix B: LOGbinder Event List ... 20
LOGbinder for Exchange Events ... 20
Diagnostic Events ... 20
Appendix C: Diagnostic Events ... 21
551 – LOGbinder agent successful ... 21
552 – LOGbinder warning ... 21
553 – LOGbinder settings changed ... 21
554 – LOGbinder agent produced unexpected results ... 22
555 – LOGbinder error ... 22
556 – LOGbinder insufficient authority ... 23
557 – License for LOGbinder invalid ... 25
Appendix D: Troubleshooting ... 26
Initial checks ... 26
Verifying Mailbox Access ... 26
Verifying PowerShell Connectivity and Exchange Authority ... 26
Installing LOGbinder for Exchange
LOGbinder for Exchange runs as a Windows service on a server belonging to the same domain as your Exchange environment. It translates audit log entries in Exchange, and outputs them to the LOGbinder EX event log, the Windows Security Log, Syslog, or Syslog in CEF.
For more information, please visit our web site
https://www.logbinder.com/products/logbinderex/.
There you will find a rich set of resources to guide you in setting audit policy, setting up audit log reporting and archiving, and so forth.
To open a case with our support staff, please email support@logbinder.com.
Installing LOGbinder for Exchange involves 3 simple steps:*
Step 1 – Check Software Requirements
Step 2 – Check User Accounts and Authority
Step 3 – Run the Installer
Subsequent sections cover:
Configuring LOGbinder for Exchange
24-hour Delay in Mailbox Audit Logs
Mailbox Audit Policy management
Monitoring LOGbinder for Exchange
Step 1 – Check Software Requirements
Software Requirements
Microsoft Windows server 2003 or later
Microsoft .NET Framework 3.5 SP1
Microsoft Exchange 2010 SP1 or later
Exchange Auditing Requirements
Exchange has two types of audit logs: Administrator Audit Log, and Mailbox Audit Log. For LOGbinder for Exchange to be able to process audit events from these audit logs, they need to be enabled.†
Please visit https://www.ultimatewindowssecurity.com/exchange/ for more information on these audit logs, as well as on how to enable, configure, manage, and use them.
* If LOGbinder has been used on another server in the same environment where it is now installed, refer to the Transferring settings to a new server section below, in order to preserve a complete audit trail.
Step 2 – Check User Accounts and Authority
Two user accounts are involved with LOGbinder for Exchange.

User Account: Your account
Description: The account you are logged on as when you install and configure LOGbinder for Exchange.
Authority Required:
  Member of the local Administrators group
  o Windows UAC sometimes interferes with this setting. It is recommended that you use the “Run as Administrator” option when running LOGbinder. You may also need to grant your account, as well as the service account, modify permissions to the C:\ProgramData folder as described in the third bullet point below.

User Account: Service account
Description: The account that the LOGbinder for Exchange service will run as. This domain account must be created before installing LOGbinder for Exchange. This account does not need to be a local or domain administrator; the LOGbinder for Exchange service can run in a least-privilege environment.
See Appendix A: Assigning Permissions for details on granting these permissions.
Authority Required:
  Exchange administrator roles:
  o View-Only Audit Logs
  o View-Only Configuration
  o View-Only Recipients
  o Audit Logs (only needed if using LOGbinder’s Mailbox Audit Policy management wizard)
  Privilege “Log on as a service”
  Permission to create, read, and modify files in {Common Application Data}\LOGbinder EX (i.e. C:\Documents and Settings\All Users\Application Data\LOGbinder EX or C:\ProgramData\LOGbinder EX)
  o Please note that the ProgramData folder is a hidden folder, and it is not the same as the Program Files folder.
  o This LOGbinder EX folder will be created after LOGbinder is installed and the LOGbinder control panel is first started.
If outputting to Windows Security log
  Privilege “Generate Security Audit” (SeAuditPrivilege)
  Setting audit policy:
  o Windows 2003: Enable “Audit object access”
  o Windows 2008 or later: Enable the “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” security option, and enable the “Audit Application Generated” audit subcategory
Step 3 – Run the Installer
Run the installer. On the page "Specify User Account," enter the user account name, including both domain name and user name (i.e. domain\username) of the service account (the user account that will run the LOGbinder for Exchange service). The rights outlined above must be granted to the account before running the installer, or else LOGbinder for Exchange will not install properly.
On the page "Select Installation Folder," it is recommended that you use the default setting, C:\Program Files\LOGbndEX.
If a dialog box "Set Service Login" appears, then the user account information entered previously was not valid. Confirm the account name and password, and re-enter the information.
Transferring settings to a new server
If LOGbinder was running in your environment before, but it now has to be installed on a different server, follow the steps below to transfer the settings to the new server.* This not only saves setup time and reduces setup problems, but also ensures that audit log collection continues where LOGbinder left off, preserving a complete audit trail:
1. Make sure that on both the source (where LOGbinder was run before) and target (the new LOGbinder server) servers, the LOGbinder service is not running and the LOGbinder control panel is not open.
2. Go to the {Common Application Data}\LOGbinder EX folder on the source server, i.e. C:\Documents and Settings\All Users\Application Data\LOGbinder EX or C:\ProgramData\LOGbinder EX.
   o Please note that the ProgramData folder is a hidden folder, and it is not the same as the Program Files folder.
3. Copy all *.stg and *.xml files to the same folder on the target server.
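As an added example (not LOGbinder's own tooling), the three steps above as a PowerShell script that refuses to copy while either server's LOGbinder service is still running, and verifies the size of each copied file. The server names are parameters; locating the service by the display-name pattern "LOGbinder*" is an assumption to confirm against services.msc.

```powershell
# Added example, not part of the LOGbinder product. Run from an account that is a
# local administrator on both servers (the C$ administrative share is used).
param(
    [Parameter(Mandatory)] [string] $SourceServer,
    [Parameter(Mandatory)] [string] $TargetServer,
    [string] $DataFolder = 'ProgramData\LOGbinder EX'   # path below C:\ on both servers
)

function Assert-LogbinderStopped([string] $Server) {
    # Assumption: the service's display name starts with "LOGbinder".
    $svc = Get-Service -ComputerName $Server -DisplayName 'LOGbinder*' -ErrorAction SilentlyContinue
    if (-not $svc) { throw "No LOGbinder service found on $Server; check the display name." }
    foreach ($s in @($svc)) {
        if ($s.Status -ne 'Stopped') {
            throw "Service '$($s.DisplayName)' on $Server is $($s.Status); stop it first."
        }
    }
}

# Step 1: both services must be stopped, otherwise the settings files may be in use
# and the Last Processed position could be overwritten after the copy.
Assert-LogbinderStopped $SourceServer
Assert-LogbinderStopped $TargetServer

# Step 2: the settings folder on the source, reached through the admin share.
$src = "\\$SourceServer\C$\$DataFolder"
$dst = "\\$TargetServer\C$\$DataFolder"
if (-not (Test-Path $src)) { throw "Settings folder not found: $src" }
New-Item -ItemType Directory -Path $dst -Force | Out-Null

# Step 3: copy only *.stg and *.xml, then confirm each file arrived with the same size.
$files = @(Get-ChildItem -Path $src -File | Where-Object { $_.Extension -in '.stg', '.xml' })
if ($files.Count -eq 0) { throw "No *.stg or *.xml files in $src" }
foreach ($f in $files) {
    Copy-Item -Path $f.FullName -Destination $dst -Force
    $copied = Get-Item (Join-Path $dst $f.Name)
    if ($copied.Length -ne $f.Length) { throw "Size mismatch after copying $($f.Name)" }
    "{0,-40} {1,10} bytes" -f $f.Name, $f.Length
}
```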
Configuring LOGbinder for Exchange
Open the "LOGbinder EX" link in the Windows start menu, which appears by default in the “LOGbinder” folder.
To use LOGbinder for Exchange, adjust the settings in the three views: Input, Output, and Service. Settings can be changed while the service is running, but changes will be applied only when the service is restarted. If the LOGbinder for Exchange control panel is closed before restarting the service, the changes will be discarded. On the other hand, if the service is already stopped, the changes are saved automatically.
Configure Input
LOGbinder for Exchange uses these methods to connect to the Exchange server: (a) Exchange Management Shell (PowerShell), and (b) Exchange Web Services Managed API 1.2.
To get started, select the menu File\New Input, where you will need to enter three pieces of information: Powershell URL, Exchange URL, and Recipient.
Figure 1: An example Input
Powershell URL: The URL to access Exchange Management Shell cmdlets (via PowerShell). The default value is “http://” + FQDN of server + “/Powershell”. This should be a server with both PowerShell and client access roles functioning. The Autofill button will use the current server to fill in this value. You might need to change this if you are not installing LOGbinder for Exchange on an Exchange server.
Exchange URL: The URL to access the Exchange web service. The default value is “https://” + FQDN of server + “/EWS/Exchange.asmx”. If the Powershell URL is correct, the Autofill button will try to identify the correct Exchange URL.
Recipient: The mail address used for processing audit logs. This will be the mailbox associated with the user (or administrator) in whose context the Exchange Management Shell runs, preferably the mailbox of the LOGbinder for Exchange service account.
The "Last Processed" box shows the date and time audit events were last retrieved from Exchange. After installing it the first time, LOGbinder starts processing admin audit logs from the time of the installation onward, and mailbox audit logs with a 24-hour delay, that is, from 24 hours before the time of the installation.* For further information on this 24-hour buffer period for mailbox audit events, please see the section 24-hour Delay in Mailbox Audit Logs below.
If some of the backlog events are also to be processed, the start date can be set in the Last Processed boxes. It is recommended that once LOGbinder is in operation, this date not be changed manually, as it could result in skipping some audit events in Exchange, or double-handling, resulting in events appearing twice in the event log. If the date needs to be adjusted, check the box next to the date, and then the date can be adjusted.
After the LOGbinder for Exchange service has been running, the Transactions list will show the audit log searches sent to the Exchange server, the start and end of the period for which logs have been requested, and the time LOGbinder finished processing the audit logs. This information is read-only. After the Exchange server sends back the result of the audit log search, LOGbinder for Exchange processes the events and forwards them to the output(s) specified. (See next subheading.) Once the results are received and forwarded to the output(s), the File Name and Completed columns are populated with the appropriate values.
Configure Output
LOGbinder supports multiple output formats. LOGbinder for Exchange allows output to go to
LOGbinder EX Event Log: a custom event log under Applications and Services Logs.
Security Log: the Windows Security log. (Please remember to set the additional privileges as described in section Step 2 – Check User Accounts and Authority when using this feature.)
Syslog-CEF: a Syslog server using ArcSight’s Common Event Format.
Syslog-LEEF: a Syslog server using IBM Security QRadar’s Log Event Extended Format.
Syslog-Generic: a Syslog server using the generic Syslog format.
Syslog-CEF (File): a Syslog file using ArcSight’s Common Event Format.
Syslog-LEEF (File): a Syslog file using IBM Security QRadar’s Log Event Extended Format.
Syslog-Generic (File): a Syslog file using the generic Syslog format.
At least one of these must be enabled in order for the LOGbinder service to start.
* If this is not the first installation of LOGbinder on the same server, it will continue audit log processing from the date and time it finished its last run with the previous installation. If LOGbinder was installed on another server in the same environment before, you might want to refer to the section above about Transferring settings to a new server.
Audit Log Search Poll Interval:
It might take a considerable time for the Exchange server to send back the search results. By default, Exchange checks if there are any audit log searches every 30 minutes to 24 hours, depending on the Exchange version. However, this frequency can be adjusted in an Exchange configuration file. Please refer to our blog titled Changing the Exchange audit search poll interval on how to adjust this setting.
To enable an output and adjust the settings, select it and use the menu Action\Properties, or double-click on the item. To enable it, check the box "Send output to [name of output format]."
Select "Include noise events" if you want to include these in the event log. A “noise event” is a log entry generated from the input (Exchange) that contains only misleading information. This option is included in case it is essential to preserve a complete audit trail; by default this option is not selected.
For some output formats, LOGbinder for Exchange can preserve the original data extracted from Exchange, along with details as to how the entry was translated by LOGbinder. Check the option “Include XML data” in order to include these details in the event log. Including this data will make the size of the log grow more quickly. If the option does not appear, then it is not supported for that output format.
For the output format "LOGbinder EX Event Log," the entries are placed in a custom log named “LOGbinder EX.” When the log is created by LOGbinder, by default the maximum log size is set to 16MB, and it will overwrite events as needed. If changing these settings, balance the log size settings with the needs of your log management software as well as the setting for “Include XML data.” In this way you will ensure that your audit trail is complete.
Configure Service
To start, stop, and restart the LOGbinder for Exchange service, use the buttons on this panel. You may also use the items in the Action menu, or the toolbar.
Although you can use the Services window in the Windows Control Panel to start and stop the service, it is recommended that you use LOGbinder's user interface to control the service. Before starting the service, LOGbinder will confirm that (a) at least one Exchange server has been selected for monitoring and (b) at least one output (i.e. LOGbinder EX Event Log, Windows Security Log) has been selected.
While attempting to start the LOGbinder for Exchange service, a problem may be encountered—perhaps that the service account does not have sufficient authority. The details of the problem are written to the Application Event Log. These events can also be viewed inside of the LOGbinder control panel, by selecting the “LOGbinder Diagnostic Events” view.
See the section “Monitoring LOGbinder for Exchange” for more information on how to handle issues that may arise when starting the LOGbinder for Exchange service.
Configure Options
Use buttons on the panel, or the menu File\Options, to change LOGbinder's options.
The Enable 24-hour delay in searching for mailbox audit events option is enabled by default. For further information on this 24-hour buffer period for mailbox audit events, please see the section 24-hour Delay in Mailbox Audit Logs below.
The Service Account lists the user account that runs the LOGbinder for Exchange service. This is the account you specified when installing LOGbinder for Exchange. If it is necessary to change the account, use the Services management tool (in Windows Administrative Tools).
Figure 2: Output properties window
Figure 3: Message indicating outputs not configured
If the box “Do not write informational messages to the Application log” is checked, then event “551 – LOGbinder agent successful” (see Appendix C: Diagnostic Events) will not be written to the Application log.
The Logging options can be utilized for diagnostic purposes if experiencing problems with LOGbinder. By default, the “Logging Level” is set to None. If necessary, the Logging Level can be set to Level 1 or Level 2. Level 1 generates a standard level of logging detail. Level 2 will generate more detailed logging. Level 2 should be selected only if specifically requested by LOGbinder support; otherwise performance will be adversely affected. Both Level 1 and Level 2 logging options will generate log files named Control Panel.log, Service.log, Service Controller.log and Service Processor.log in the Log location folder.
The “Alternate Output Data Folder” specifies the data folder used for the output data. This is the folder where LOGbinder stores output that is written to files, such as the Syslog-Generic (File) output, as well as the above-mentioned diagnostic files. The folder path can be set using a drive letter or, if it is a network location, a UNC path. The default folder is {Common Application Data}\LOGbinder EX (i.e. C:\ProgramData\LOGbinder EX). Please note that the Alternate Output Data Folder needs the same permissions as the Common Application Data folder as specified above in section Step 2 – Check User Accounts and Authority.
Status Bar
The status bar will show information about the operation of LOGbinder.
Displays the status of the service. The image shown indicates the service is stopped; the service may also be running, or in an 'unknown' state.
Shows the status of the license for LOGbinder. If LOGbinder is not fully licensed, a message will appear in the status bar.
Indicates that settings have been changed. In order to apply the changes, the LOGbinder for Exchange service must be restarted. If the LOGbinder for Exchange service is running and the LOGbinder for Exchange control panel is closed, the changes will be discarded.
License
Use the menu File\License to view information about your license for LOGbinder.* If you have purchased LOGbinder for Exchange and need to obtain a license, follow these steps:
For Unit/Server Count, enter the number of active mailboxes in your Exchange system. (The minimum number of mailboxes requiring licensing will be filled out automatically by LOGbinder.)
Press the Copy button, and paste the contents into an email addressed to licensing@logbinder.com.
When the license key is received, copy it to the clipboard and press the Paste button.
If you are properly licensed, the license window will redisplay and show that you are properly licensed. If there is a problem, respond immediately to licensing@logbinder.com.
24-hour Delay in Mailbox Audit Logs
According to a recent discovery, the PowerShell cmdlets used for retrieving mailbox audit logs have a flaw that produces inconsistent audit results if used to retrieve audit logs in less than 24 hours.
We informed Microsoft of our findings and they confirmed the bug after their own investigation. They also told us they had no timeline to fix the bug and suggested that users simply request audit logs some twenty-four hours after the event took place. We will continue to work with Microsoft on this issue and hope they do resolve it.
In the meantime, the only way we can guarantee audit trail integrity is if we follow Microsoft’s
recommendation and don’t ask for mailbox audit logs for the past 24-hour period. Therefore LOGbinder will not process events until 24 hours after the Last Processed value for mailbox auditing in the input settings (see Configure Input).
If you do not want to have this 24-hour delay, you can turn it off in the options (see Configure Options), but we strongly advise against it.
To see how we feel about this issue, what we are doing to mitigate the impact of this bug and what you can do, please follow our latest communications on this at
Mailbox Audit Policy management
An administrator can specify a mailbox audit policy, select groups and/or organization units, and then the LOGbinder service will set mailbox audit policy for the mailboxes in those groups and organizational units. The LOGbinder service will regularly enforce this policy, in case new mailboxes were added to the groups and organizational units—or if the policy had been changed for a mailbox.
Using LOGbinder Control Panel to set mailbox audit policy
To set mailbox audit policy, open the Input properties window, and click on the link “Mailbox Audit Policy.” (The same link is available in the Options window.)
NOTE: If the link in Options is disabled, it is because you have not yet created an Input pointing to an Exchange installation. After creating an Input you can set mailbox audit policy.
The first window (see Figure 6) gives an overview of the existing mailbox audit policy that has been set in LOGbinder. This will be empty if this is your first time setting audit policy. In the next windows, you can (1) select Exchange groups that the policy should apply to, (2) select organizational units that the policy should apply to, and (3) specify the audit policy.
Figure 6: Overview - Mailbox Audit Policy
Pressing Next will present the Add/Remove Groups window. (See Figure 7.) You must first filter groups. Enter at least the first three characters of the groups’ names—then press the Filter button. The list of groups that match will show in the list. Select one or more groups and press the Add to Selected button. The Selected Groups list will contain the groups to which the policy will be applied. You may repeat the filtering as many times as needed.
If you press the Filter button with no text in the Filter Groups box, then all groups will be listed. This is not recommended if you have a large number of groups.
Figure 7: Add/Remove Groups - Mailbox Audit Policy
Press Next to specify organizational units. (See Figure 8.) All organizational units will be shown in the list. If you wish to apply the policy to organizational units, select one or more items and press the Add to Selected button.
Figure 8: Add/Remove Organizational Units - Mailbox Audit Policy
Press Next to set the audit policy. (See Figure 9.) Select the actions under the appropriate columns: Administrator, Delegate, and Owner. If you select None, all the other boxes will be unchecked and that type of mailbox access will not be audited.
Click the link “Set default audit policy” to use Microsoft’s default mailbox audit policy. You can continue to adjust the policy to suit the needs of your organization.
A recommendation from LOGbinder: Do not audit Owner access, leave it set to None. Auditing what a user does in his own mailbox will create a huge number of audit events, events that have very little value, and will choke your Exchange installation—as well as the LOGbinder service.
Figure 9: Set Policy - Mailbox Audit Policy
Press Next to see a confirmation window of your mailbox audit policy settings. You may use the Back button to review and adjust your selections. When you press Finish, LOGbinder will save the adjustments to your mailbox audit policy.
Enforcing Mailbox audit policy
Every night, the LOGbinder service will enforce your mailbox audit policy. It will find the mailboxes that are contained in the groups and/or organizational units. If the mailbox’s audit policy does not match, LOGbinder will change its policy. LOGbinder will report on the number of mailboxes that have been adjusted. Please note that you must set the “Audit Log” management role to use this feature – See Check User Accounts and Authority table on page 4.
NOTE: For performance considerations, it is recommended that you use as few groups and/or organizational units as possible. The greater the number of groups and organizational units, the longer it will take to inspect audit policy.
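The nightly enforcement described above, as an added PowerShell example written against the Exchange Management Shell (not LOGbinder's own code): it resolves the groups and organizational units to mailboxes, compares each mailbox's audit policy with the desired one, adjusts only the mismatches, and reports the count, leaving Owner auditing off as recommended. The group names, OU path and the desired action lists are assumptions for illustration.

```powershell
# Added example, not part of the LOGbinder product. Requires the Exchange Management
# Shell and the "Audit Logs" role (needed to run Set-Mailbox with the Audit* parameters).
param(
    [string[]] $GroupNames = @('Finance', 'Executives'),          # assumed group names
    [string[]] $OrgUnits   = @('contoso.com/Users/Contractors'),  # assumed OU path
    [switch]   $WhatIf                                            # report only, change nothing
)

# Desired mailbox audit policy (an assumption for this example). Owner auditing is
# deliberately empty, following the LOGbinder recommendation above.
$Desired = @{
    AuditAdmin    = @('Update', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete',
                      'FolderBind', 'SendAs', 'SendOnBehalf', 'Create')
    AuditDelegate = @('Update', 'SoftDelete', 'HardDelete', 'SendAs', 'Create')
    AuditOwner    = @()
}

function Get-TargetMailboxes {
    # Resolve groups and OUs to a de-duplicated set of mailbox objects.
    $seen = @{}
    foreach ($g in $GroupNames) {
        Get-DistributionGroupMember -Identity $g -ResultSize Unlimited |
            Where-Object { $_.RecipientType -like '*Mailbox*' } |
            ForEach-Object { $seen[$_.Identity.ToString()] = $true }
    }
    foreach ($ou in $OrgUnits) {
        Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
            ForEach-Object { $seen[$_.Identity.ToString()] = $true }
    }
    foreach ($id in $seen.Keys) { Get-Mailbox -Identity $id }
}

function Test-SameSet([string[]] $a, [string[]] $b) {
    # Order-insensitive comparison of two action lists; empty/null entries are ignored.
    $x = @($a | Where-Object { $_ } | Sort-Object -Unique)
    $y = @($b | Where-Object { $_ } | Sort-Object -Unique)
    if ($x.Count -ne $y.Count) { return $false }
    for ($i = 0; $i -lt $x.Count; $i++) { if ($x[$i] -ne $y[$i]) { return $false } }
    return $true
}

$adjusted = 0
foreach ($mbx in Get-TargetMailboxes) {
    # Current values are multi-valued enum properties; flatten them to strings.
    $curAdmin    = @($mbx.AuditAdmin    | ForEach-Object { $_.ToString() })
    $curDelegate = @($mbx.AuditDelegate | ForEach-Object { $_.ToString() })
    $curOwner    = @($mbx.AuditOwner    | ForEach-Object { $_.ToString() })

    $compliant = $mbx.AuditEnabled -and
                 (Test-SameSet $curAdmin    $Desired.AuditAdmin) -and
                 (Test-SameSet $curDelegate $Desired.AuditDelegate) -and
                 (Test-SameSet $curOwner    $Desired.AuditOwner)
    if ($compliant) { continue }

    # An empty action list is cleared by passing $null.
    $owner = if ($Desired.AuditOwner.Count -gt 0) { $Desired.AuditOwner } else { $null }
    Write-Host "Adjusting audit policy on $($mbx.PrimarySmtpAddress)"
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
        -AuditAdmin $Desired.AuditAdmin -AuditDelegate $Desired.AuditDelegate `
        -AuditOwner $owner -WhatIf:$WhatIf
    $adjusted++
}
Write-Host "Mailboxes adjusted: $adjusted"
```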
Monitoring LOGbinder for Exchange
When installing, configuring, and running LOGbinder for Exchange, the software writes diagnostic events to the Windows Application Event Log. Most of these will be from the source "LOGbndSE" and the category "LOGbinder." You may use the Windows Event Viewer to examine these events. The LOGbinder control panel also includes a set of views that list these events: choose “LOGbinder Diagnostic Events,” or drill down to one of the nested views.
Figure 10: LOGbinder Diagnostic Events view
During Installation and Configuration
During installation and configuration, you will find these entries:
After installation, there may be an entry from the source MsiInstaller: "Product: LOGbinder EX -- Installation completed successfully."
When the configuration of LOGbinder for Exchange changes, you will see one or more entries entitled "LOGbinder settings changed." See Appendix C: Diagnostic Events: “553 – LOGbinder settings changed” for information about these events.
When the service starts, there may be an entry from the source LOGbinder EX: "Service started successfully." (Entries are also written when the service is stopped.)
You can monitor these events to ensure that LOGbinder for Exchange continues to be configured properly, and that unauthorized changes do not occur.
After configuring LOGbinder for Exchange and starting the service, it automatically performs a check to ensure that LOGbinder's settings are valid and that the account running the Windows service has sufficient authority. If there is a problem, the LOGbinder for Exchange service will not start and a message will be presented to the user. In most cases, the details of the problem are written to the Application log. Common problems include:
Input/output not configured properly. See the previous section “Configuring LOGbinder for Exchange” for more information.
Insufficient authority. If the service account does not have adequate authority, then the service will not run. An entry is written to the Application log. See Appendix C: Diagnostic Events “556 – LOGbinder insufficient authority” for more details. Some of the common missing permissions include:
o Account does not have authority to log on as a Windows service
o Account does not have necessary permissions in Exchange
o The account does not have authority to write to the Security event log. (If this output destination has not been selected, then it is not necessary to grant this permission.)
License invalid. If the license is not valid or has expired, then the LOGbinder for Exchange service will not run. An entry may be written to the Application log. See Appendix C: Diagnostic Events: “557 – License for LOGbinder invalid” for details.
Other errors will be found in entries entitled "LOGbinder error." See Appendix C: Diagnostic Events: “555 – LOGbinder error” for more information.
If any of these errors are encountered, the LOGbinder for Exchange service will not run.
While LOGbinder for Exchange is Running
While LOGbinder for Exchange is running, you will see information entries in the Application log as follows:
Entries 'exported' from Exchange. For each Exchange server being monitored, this message indicates the number of audit entries that LOGbinder for Exchange has processed.
Entries 'imported' into the Windows event log. This indicates that the audit entries have been placed in the enabled output formats. There will be one message event if multiple output formats have been selected (i.e. you have selected both Windows Security Log and Windows Event Log as output formats). The 'export'/'import' entries are complementary: there should be a corresponding 'import' entry for each 'export.'
These log entries are informational in nature. Generally no action is required. If more entries are being processed than what appear in the event logs or in your log management solution, it could be that the log size is too small and entries are being overwritten. See Appendix C: Diagnostic Events “551 – LOGbinder agent successful” for more information on these events.
If LOGbinder for Exchange has an error, an entry will be created in the Application log. If permissions are removed, or if the license expires, you may receive a "556 – LOGbinder insufficient authority" or "557 – License for LOGbinder invalid" error, which are explained above. Other errors will be entitled "555 – LOGbinder error." If you cannot resolve the problem, please submit the issue to the LOGbinder support
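As an added example (not LOGbinder's code), a PowerShell function that applies the checks described in this section to Application log events: it surfaces 555/556/557 errors and reconciles the 551 'exported' count against the 'imported' count for each output. The message formats follow the samples in Appendix C and the provider name "LOGbndSE" comes from the paragraph above; the sample events at the bottom are constructed.

```powershell
# Added example, not part of the LOGbinder product.
$ErrorIds = @{
    555 = 'LOGbinder error'
    556 = 'LOGbinder insufficient authority'
    557 = 'License for LOGbinder invalid'
}

function Get-LogbinderHealth {
    # $Events: objects exposing Id and Message (from Get-WinEvent, or constructed as below).
    param([Parameter(Mandatory)] [object[]] $Events)

    $problems = @(); $exported = 0; $imported = @{}
    foreach ($e in $Events) {
        if ($ErrorIds.ContainsKey([int]$e.Id)) {
            $problems += "{0} ({1}): {2}" -f $e.Id, $ErrorIds[[int]$e.Id], $e.Message
            continue
        }
        if ([int]$e.Id -ne 551) { continue }
        # Message formats as shown in Appendix C, Examples A to C.
        switch -Regex ($e.Message) {
            'exported (\d+) entries from'     { $exported += [int]$Matches[1] }
            'imported (\d+) entries to (.+)$' {
                $dest = $Matches[2].Trim()
                $imported[$dest] = $imported[$dest] + [int]$Matches[1]
            }
        }
    }
    # Every enabled output should have received exactly what was exported. A shortfall
    # points at lost events (for example an undersized log overwriting entries); an
    # output that never appears never completed its import.
    $mismatches = @($imported.Keys | Where-Object { $imported[$_] -ne $exported })
    [pscustomobject]@{
        Exported   = $exported
        Imported   = $imported
        Mismatches = $mismatches
        Problems   = $problems
        Healthy    = ($problems.Count -eq 0 -and $mismatches.Count -eq 0 -and $imported.Count -gt 0)
    }
}

# Constructed sample events: the Security log received fewer entries than were exported,
# so the report flags "Security event log" as a mismatch.
$sample = @(
    [pscustomobject]@{ Id = 551; Message = 'LOGbinder EX exported 3 entries from Exchange site http://MySite' },
    [pscustomobject]@{ Id = 551; Message = 'LOGbinder EX imported 3 entries to LOGbinder EX event log' },
    [pscustomobject]@{ Id = 551; Message = 'LOGbinder EX imported 2 entries to Security event log' },
    [pscustomobject]@{ Id = 553; Message = 'LOGbinder settings changed' }
)
Get-LogbinderHealth -Events $sample | Format-List

# Against a live server (Get-WinEvent needs Windows Server 2008 or later):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'LOGbndSE';
#                                          StartTime = (Get-Date).AddHours(-24) }
# Get-LogbinderHealth -Events $live
```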
Appendix A: Assigning Permissions
Exchange Administrator Roles
1. Add a new administrator role group, containing the following roles:
   o View-Only Audit Logs
   o View-Only Configuration
   o View-Only Recipients
   o Audit Logs (only needed if using the LOGbinder Mailbox Audit Policy Management wizard – see page 10)
2. Make the LOGbinder service account a member of this role group.
The above two steps can be achieved, for example, through the Exchange Admin Center (https://<hostname>/ecp) interface, or using an Exchange Management Shell cmdlet, such as
New-RoleGroup "LOGbinderEX" -Roles "View-Only Audit Logs", "View-Only Configuration", "View-Only Recipients", "Audit Logs" -Members "lbex_svc"
where lbex_svc is to be replaced by the name of the LOGbinder for Exchange service account.
Local Security Policy Changes
The following chart summarizes the changes to be made in the Local Security Policy. Detailed explanations are found after the chart.
Local Security Policy (secpol.msc) settings summary

Setting                                                          | Windows Server 2003 | Windows Server 2008/2012 | Note
Security Settings\Local Policies\User Rights Assignment          |                     |                          |
  Log on as a service                                            | add service account | add service account      | This always needs to be set
  Generate security audits                                       | add service account | add service account      | Needed if outputting to Windows Security log
Security Settings\Local Policies\Audit Policy                    |                     |                          |
  Audit object access                                            | set Success         | N/A                      | Needed if outputting to Windows Security log
Security Settings\Local Policies\Security Options                |                     |                          |
  Audit: Force audit policy subcategory settings (Windows Vista  |                     |                          |
  or later) to override audit policy category settings           | N/A                 | set Enabled              | Needed if outputting to Windows Security log
Advanced Audit Policy Configuration\Object Access                |                     |                          |
  Audit Application Generated                                    | N/A                 | set Success              | Needed if outputting to Windows Security log
Log On as a Service
Select Security Settings\Local Policies\User Rights Assignment
Open "Log on as a service" and add user
NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.
Generate Security Audits (SeAuditPrivilege)
Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
Select Security Settings\Local Policies\User Rights Assignment
Open "Generate security audits" and add user
NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.
Audit Policy
Windows Server 2003
Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
Select Security Settings\Local Policies\Audit Policy
Edit "Audit object access," ensuring that "Success" is enabled. (LOGbinder for Exchange does not require that the "Failure" option be enabled.)
NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.
Windows Server 2008/2012
Audit policy can be configured with the original top-level categories as described above for Windows 2003, but most environments have migrated to the new, more granular audit subcategories available in Windows 2008 (aka Advanced Audit Policy).
Using Advanced Audit Policy Configuration allows for more granular control of the number and types of events that are audited on the server. (NOTE: The steps described here are for Windows Server 2008 R2; see TechNet for information on earlier releases.)
First, ensure that ‘basic’ and ‘advanced’ audit policy settings are not used at the same time:
o Microsoft gives this warning: “Using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.” (http://technet.microsoft.com/en-us/library/dd692792(WS.10).aspx)
o Select Security Settings\Local Policies\Security Options
o Open and enable “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”
To enable LOGbinder events to be sent to the security log:
o Edit “Audit Application Generated,” ensuring that “Success” is enabled. (LOGbinder for Exchange does not require that the “Failure” option be enabled.)
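An added example (not from the LOGbinder guide) that checks the two settings above from an elevated PowerShell window on Windows Server 2008 R2 or later. The function name Test-AuditApplicationGenerated and its -Fix switch are this example's own, and it assumes the English subcategory name printed by auditpol.exe.

```powershell
# Added example, not part of the LOGbinder guide. Verifies the two prerequisites above:
# the "Force audit policy subcategory settings" option and Success auditing on the
# "Application Generated" subcategory. Assumes auditpol.exe (Windows 2008 and later), an
# elevated session, and the English subcategory name; the function name and the -Fix
# switch are this example's own.
function Test-AuditApplicationGenerated {
    param([switch]$Fix)   # with -Fix, enable whatever is missing (local policy only)

    # The Security Option "Audit: Force audit policy subcategory settings (Windows Vista or
    # later) to override audit policy category settings" is stored as the
    # SCENoApplyLegacyAuditPolicy DWORD under the Lsa key; 1 means enabled.
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa     = Get-ItemProperty -Path $lsaPath
    $forceSubcategories = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)

    # auditpol prints "  Application Generated   <setting>" under Object Access; capture the
    # setting column ("Success", "Failure", "Success and Failure" or "No Auditing").
    $setting = $null
    foreach ($line in (auditpol /get /subcategory:"Application Generated")) {
        if ($line -match '^\s*Application Generated\s+(.+?)\s*$') { $setting = $Matches[1]; break }
    }
    $successEnabled = [bool]($setting -and $setting -match 'Success')

    if ($Fix) {
        if (-not $forceSubcategories) {
            Set-ItemProperty -Path $lsaPath -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
            $forceSubcategories = $true
        }
        if (-not $successEnabled) {
            # Failure auditing is not needed by LOGbinder, so only Success is enabled here.
            auditpol /set /subcategory:"Application Generated" /success:enable | Out-Null
            $successEnabled = ($LASTEXITCODE -eq 0)
        }
    }

    # If either setting is delivered by Group Policy, a local change is overwritten at the
    # next policy refresh; in that case make the change in the GPO instead (see the NOTE above).
    New-Object PSObject -Property @{
        ForceSubcategorySettings    = $forceSubcategories
        ApplicationGeneratedSetting = $setting
        SuccessAuditingEnabled      = $successEnabled
    }
}

Test-AuditApplicationGenerated | Format-List
```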
Appendix B: LOGbinder Event List
LOGbinder for Exchange Events
https://www.logbinder.com/products/logbinderex/resources/eventlist.aspx
Diagnostic Events
551 – LOGbinder agent successful
552 – LOGbinder warning
553 – LOGbinder settings changed
554 – LOGbinder agent produced unexpected results
555 – LOGbinder error
556 – LOGbinder insufficient authority
557 – License for LOGbinder invalid
Appendix C: Diagnostic Events
551 – LOGbinder agent successful
This event occurs when LOGbinder for Exchange successfully translates log entries. It usually appears in pairs: one event indicates that log entries have been 'exported' from their source (for example, Exchange), and the other that entries have been 'imported' to their destination (for example, the Windows event log). This event is informational in nature.
This event is written to the Windows Application log.
Example A
LOGbinder EX exported 3 entries from Exchange site http://MySite
Example B
LOGbinder EX imported 3 entries to Security event log
Example C
LOGbinder EX imported 3 entries to LOGbinder EX event log
552 – LOGbinder warning
This event occurs when LOGbinder for Exchange does not find information as expected. In most cases it does not indicate a serious problem, but it is provided so as to complete the audit trail. This event is written to the Windows Application log.
For example, as LOGbinder for Exchange translates entries, it performs various lookups to provide complete information. If the related item was deleted, a "LOGbinder warning" is generated.
Example A
LOGbinder warning
Lookup failed. Could not find Scope Item with ID of 89de71fe-1442-48ff-9a6e-052bddda3440.
Example B
LOGbinder warning
Lookup failed. Could not find User with ID of 19.
553 – LOGbinder settings changed
This event occurs when the LOGbinder settings are changed. This event is written to Windows Application log.
For LOGbinder for Exchange, this includes which Exchange servers are monitored, which audit event types are handled, and the date and time LOGbinder last translated log entries. In addition, the settings for output formats are included.
Example A
LOGbinder settings changed
Output to Security log enabled. Noise events included.
Example B
LOGbinder settings changed
Input has been enabled.
554 – LOGbinder agent produced unexpected results
This event occurs when LOGbinder for Exchange encounters something unexpected when translating a log entry. At times this is caused by a custom log entry.
This event is written to the Windows Application log.
You can help us improve LOGbinder by reporting these events to the LOGbinder support team so that the LOGbinder product may be improved. Private data will not be shared.
Example
In this example, the developer used an existing event type, "Workflow," but included non-standard event data.
LOGbinder agent produced unexpected results
As the LOGbinder agent translated this entry, it encountered data is could not handle properly. It could have been caused by a custom or undocumented feature. So that LOGbinder can handle these entries in the future, it is suggested that you submit the entry to the
LOGbinder support team.
<LogEntry siteName="http://shpnt" itemType="List Item" userName="Robert Solomon" locationType="Url" occurred="2009-06-29T21:49:11" eventType="Workflow">
<RawData siteId="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemId="c04f5388-bf24-4007-b463-1dd1b3c19a02" itemType="ListItem" userId="1" documentLocation="Cache Profiles/1_.000" locationType="Url" occurred="633819089510000000" event="Workflow" eventSource="ObjectModel">
<EventData>http://shpnt/docLib/CopiedFile.ext</EventData>
</RawData>
<Details />
</LogEntry>
555 – LOGbinder error
This event occurs when the LOGbinder service encounters a problem that needs attention. This event is written to Windows Application log. In most cases this gives enough information for you to address the problem successfully. Otherwise, please contact LOGbinder support for assistance.
Example A
In this example, the error indicates that the LOGbinder for Exchange service cannot run because the Exchange web service has not been configured properly.
LOGbinder error
Example B
In this example, a program assembly used by LOGbinder for Exchange does not exist, indicating that the LOGbinder software is no longer installed properly.
LOGbinder error
Exporter assembly does not exist: C:\Program Files\LOGbndEX\MTG.LOGbinder.Exchange.dll
Example C
In this example, a certificate error is indicated. The Exchange URL set for the inputs should open in Internet Explorer without any certificate error. Certificate errors often occur when using a self-signed certificate.
Could not retrieve mail messages from Exchange mailbox. Details: The request failed. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.; The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.; The remote certificate is invalid according to the validation procedure.
Action: Add the self-signed certificate to the trusted root store.
556 – LOGbinder insufficient authority
This event occurs when the LOGbinder for Exchange service cannot run because of invalid or inadequate permissions. The event will include the module lacking the permission, the name or description of the permission, as well as relevant details. Each example below also includes the action needed in order to correct it.
Example A: No permission to write to security log
LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: Security Log
Privilege: SeAuditPrivilege
Details: The LOGbinder agent does not have the necessary rights to configure the security log
Action: The service account needs the "Generate security audits" privilege (https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Generate-security-audits), or do not enable LOGbinder to output to the Windows Security log.
Example B: Attempt to write to security log from invalid location
One measure to protect the security log is to write security events only from authorized locations. When LOGbinder is configured, it registers its program location with the security log. If this error occurs, then LOGbinder had been reinstalled to a different location, and the previous location was not removed properly.
LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: Security Log
Privilege: Invalid Location
Details: Cannot write to because the program location does not match what has been previously configured
Action: Recommended to delete the registry key manually. First ensure that LOGbinder is not open. Then delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LOGbndES. Be careful not to delete other parts of the registry, as it can cause the server to be unstable. When you reopen the LOGbinder control panel, it will reconfigure its ability to write to the security log.
Example C: Internal error
LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: Security Log
Privilege: Internal Error
Details: The security account database contains an internal inconsistency
Action: One factor that can cause an internal error is if the LOGbinder program path is too long. By
default, LOGbinder is installed to C:\Program Files\LOGbndEX. It is recommended that the default be used. If the software has been installed to a different location with a longer program path, to correct this error it will be necessary to reinstall LOGbinder.
Example D: Log on as service
LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: LOGbinder service
Privilege: Log on as service
Details: Account running LOGbinder agent does not have user right "Logon as a service"
Action: The service account needs to be assigned the "Logon as a service" user right.
(https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Log-on-as-a-service)
Example E: Cannot start LOGbinder control panel
LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: LOGbinder Manager
Privilege: File Permissions
Details: Account running LOGbinder Control Panel needs to be a member of the local Administrators group
Action: Ensure that the user account used to run the LOGbinder for Exchange control panel has local
557 – License for LOGbinder invalid
Occurs when the license for LOGbinder is not valid and an attempt is made to start the service. This event is written to the Application log.
If the license is not valid, the LOGbinder for Exchange control panel continues to operate as normal. However, the LOGbinder service will not start if the license is invalid. Follow the instructions in the control panel, in the menu File\License, in order to obtain a license to the software.
Example
License for LOGbinder invalid
The license for LOGbinder has expired or is invalid. Details: Trial period has expired.
Appendix D: Troubleshooting
Initial checks
Check the Inputs in LOGbinder for Exchange control panel:
1. If there are entries under Transaction, then the PowerShell URL is set correctly.
2. If the Completed column is filled, then the Exchange URL and Recipient are set correctly.
Verifying Mailbox Access
(In the following steps, some examples are shown. Please replace the bold parts with the appropriate details of your environment.)
1. Open Internet Explorer and log on as the LOGbinder service account to the mailbox via Outlook Web Access, using the server name specified in the LOGbinder for Exchange control panel, such as https://ex1.acme.com/owa
You should see emails in the Inbox or in Deleted Items from Microsoft Exchange with subjects such as “Administrator Audit Log Search …” and “Mailbox Audit Log Search …”
2. In Internet Explorer, go to the Exchange URL of your Input setting, such as https://ex1.acme.com/ews/exchange.asmx
You should get the WSDL xml for Exchange, something like this:
…
If it doesn’t work, you could try to identify the correct URL by executing the following PowerShell command from the Exchange Management Shell on the Exchange server:
Get-WebServicesVirtualDirectory | fl *url
Verifying PowerShell Connectivity and Exchange Authority
(In the following steps, some examples are shown. Please replace the bold parts with the appropriate details of your environment.)
1. Double-check what account the LOGbinder for Exchange service is configured to log on as.
2. Log on to the desktop using that account.
Verifying PowerShell Connectivity
3. Open PowerShell – not the Exchange Management Shell.
4. Run:
a. whoami
b. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ex1.acme.com/PowerShell/
Verifying Exchange Authority
5. After the previous steps, run the following commands (insert a valid email address in c and d):
a. $startdate = Get-Date (Get-Date).AddMinutes(-10) -Format "MM/dd/yyyy hh:mm"
b. $enddate = Get-Date -Format "MM/dd/yyyy hh:mm"
c. New-AdminAuditLogSearch -StartDate $startdate -EndDate $enddate -Name LOGbinder-test -StatusMailRecipients administrator@acme.com
d. New-MailboxAuditLogSearch -StartDate $startdate -EndDate $enddate -Name LOGbinder-test -StatusMailRecipients administrator@acme.com
6. After sufficient time has elapsed, you should see emails in the Inbox or in Deleted Items from Microsoft Exchange with subjects such as “Administrator Audit Log Search …” and “Mailbox Audit Log Search …”
Note: Exchange server might take up to 15 minutes (or more) to generate the audit report.
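The checks in steps 3 to 6 (plus the EWS URL check from Verifying Mailbox Access), scripted as an added example that is not part of the LOGbinder guide. It runs in a plain PowerShell window while logged on as the service account; ex1.acme.com and administrator@acme.com are the guide's placeholders, and the EWS fetch is an extra check that surfaces the certificate error described under event 555, Example C.

```powershell
# Added example, not part of the LOGbinder guide: scripts the Appendix D connectivity and
# authority checks. Run in a plain PowerShell window (not the Exchange Management Shell)
# while logged on as the LOGbinder service account. ex1.acme.com and administrator@acme.com
# are the guide's placeholder values; replace them with your own.
param(
    [string]$ExchangeFqdn = 'ex1.acme.com',
    [string]$Recipient    = 'administrator@acme.com'
)
$ErrorActionPreference = 'Stop'

# Step 4a: confirm which account the checks run as (must match the service's "Log On As").
Write-Host "Running as: $(whoami)"

# Extra check: fetch the EWS URL used by the Input setting with the current credentials.
# A "Could not establish trust relationship for the SSL/TLS secure channel" exception here
# is the same certificate problem described under event 555, Example C.
$web = New-Object System.Net.WebClient
$web.UseDefaultCredentials = $true
try {
    $wsdl = $web.DownloadString("https://$ExchangeFqdn/ews/exchange.asmx")
    Write-Host "EWS reachable; response is $($wsdl.Length) characters"
} catch {
    Write-Warning "EWS check failed: $($_.Exception.Message)"
}

# Step 4b: remote PowerShell session to the Exchange PowerShell virtual directory (TCP 80).
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://$ExchangeFqdn/PowerShell/"
try {
    # Pull the Exchange cmdlets into this session. A failure here usually means the
    # account lacks the Exchange administrator roles listed in Appendix A.
    Import-PSSession $session -DisableNameChecking | Out-Null

    # Step 5: pass DateTime objects rather than formatted strings, so the 10-minute window
    # is unambiguous whatever the local date format or time of day.
    $endDate   = Get-Date
    $startDate = $endDate.AddMinutes(-10)
    New-AdminAuditLogSearch   -StartDate $startDate -EndDate $endDate -Name 'LOGbinder-test' -StatusMailRecipients $Recipient
    New-MailboxAuditLogSearch -StartDate $startDate -EndDate $endDate -Name 'LOGbinder-test' -StatusMailRecipients $Recipient

    # Step 6: the reports arrive by e-mail in the recipient's mailbox; allow 15 minutes or more.
    Write-Host "Audit log searches queued; check the mailbox of $Recipient for the reports."
} finally {
    Remove-PSSession $session
}
```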
Additional notes
On the server where LOGbinder for Exchange is installed, what version of Windows are you running? Windows Server 2003, 2008, 2008 R2, etc.?
Windows Management Framework 2.0 is integrated with Windows Server 2008 R2.
If you have Windows Server 2003 or Windows Server 2008 (but not R2), have you installed the Windows Management Framework 2.0?
http://technet.microsoft.com/en-us/library/dd335083.aspx
Note the requirements for Exchange 2010:
o Windows Management Framework installed. (Windows Management Framework includes Windows PowerShell V2 and Windows Remote Management (WinRM) 2.0.)
o The fully qualified domain name (FQDN) of an Exchange 2010 server in your organization.
o The domain this server is joined to must be trusted by the domain where the Exchange server resides.
o TCP port 80 must be open between your computer and the remote Exchange 2010 server, and the port must be allowed through Windows Firewall on the Exchange 2010 server.