
www.logbinder.com

Getting Started Guide

Document version 1

Contents

Installing LOGbinder for Exchange ... 3

Step 1 – Check Software Requirements ... 3

Software Requirements ... 3

Exchange Auditing Requirements ... 3

Step 2 – Check User Accounts and Authority ... 4

If outputting to Windows Security log ... 4

Step 3 – Run the Installer ... 5

Transferring settings to a new server ... 5

Configuring LOGbinder for Exchange ... 6

Configure Input ... 6

Configure Output ... 7

Configure Service ... 8

Configure Options ... 8

Status Bar ... 9

License ... 10

24-hour Delay in Mailbox Audit Logs ... 11

Mailbox Audit Policy management ... 12

Using LOGbinder Control Panel to set mailbox audit policy ... 12

Enforcing Mailbox audit policy... 14

Monitoring LOGbinder for Exchange ... 15

During Installation and Configuration ... 15

While LOGbinder for Exchange is Running ... 16

Appendix A: Assigning Permissions ... 17

Exchange Administrator Roles ... 17

Local Security Policy Changes... 17

Log On as a Service ... 17

Generate Security Audits (SeAuditPrivilege) ... 18

Audit Policy ... 18


Appendix B: LOGbinder Event List ... 20

LOGbinder for Exchange Events ... 20

Diagnostic Events ... 20

Appendix C: Diagnostic Events ... 21

551 – LOGbinder agent successful ... 21

552 – LOGbinder warning ... 21

553 – LOGbinder settings changed ... 21

554 – LOGbinder agent produced unexpected results ... 22

555 – LOGbinder error ... 22

556 – LOGbinder insufficient authority ... 23

557 – License for LOGbinder invalid ... 25

Appendix D: Troubleshooting ... 26

Initial checks ... 26

Verifying Mailbox Access ... 26

Verifying PowerShell Connectivity and Exchange Authority ... 26


Installing LOGbinder for Exchange

LOGbinder for Exchange runs as a Windows service on a server belonging to the same domain as your Exchange environment. It translates audit log entries in Exchange, and outputs them to the LOGbinder EX event log, the Windows Security Log, Syslog, or Syslog in CEF.

For more information, please visit our web site https://www.logbinder.com/products/logbinderex/.

There you will find a rich set of resources to guide you in setting audit policy, setting up audit log reporting and archiving, and so forth.

To open a case with our support staff, please email support@logbinder.com.

Installing LOGbinder for Exchange involves 3 simple steps:*

• Step 1 – Check Software Requirements

• Step 2 – Check User Accounts and Authority

• Step 3 – Run the Installer

Subsequent sections cover:

• Configuring LOGbinder for Exchange

• 24-hour Delay in Mailbox Audit Logs

• Mailbox Audit Policy management

• Monitoring LOGbinder for Exchange

Step 1 – Check Software Requirements

Software Requirements

• Microsoft Windows Server 2003 or later

• Microsoft .NET Framework 3.5 SP1

• Microsoft Exchange 2010 SP1 or later

Exchange Auditing Requirements

Exchange has two types of audit logs: Administrator Audit Log, and Mailbox Audit Log. For LOGbinder for Exchange to be able to process audit events from these audit logs, they need to be enabled.†

Please visit https://www.ultimatewindowssecurity.com/exchange/ for more information on these audit logs, as well as on how to enable, configure, manage, and use them.

* If LOGbinder has been used on another server in the same environment where it is now installed, refer to the Transferring settings to a new server section below, in order to preserve a complete audit trail.


Step 2 – Check User Accounts and Authority

Two user accounts are involved with LOGbinder for Exchange.

Your account
Description: The account you are logged on as when you install and configure LOGbinder for Exchange.
Authority required:

• Member of the local Administrators group

  o Windows UAC sometimes interferes with this setting. It is recommended that you use the “Run as Administrator” option when running LOGbinder. You may also need to grant your account, as well as the service account, modify permissions to the C:\ProgramData folder as described in the third bullet point below.

Service account
Description: The account that the LOGbinder for Exchange service will run as. This domain account must be created before installing LOGbinder for Exchange. This account does not need to be a local or domain administrator; the LOGbinder for Exchange service can run in a least-privilege environment.
Authority required (see Appendix A: Assigning Permissions for details on granting these permissions):

• Exchange administrator roles:

  o View-Only Audit Logs

  o View-Only Configuration

  o View-Only Recipients

  o Audit Logs (only needed if using LOGbinder’s Mailbox Audit Policy management wizard)

• Privilege “Log on as a service”

• Permission to create, read, and modify files in {Common Application Data}\LOGbinder EX (i.e. C:\Documents and Settings\All Users\Application Data\LOGbinder EX or C:\ProgramData\LOGbinder EX)

  o Please note that the ProgramData folder is a hidden folder, and it is not the same as the Program Files folder.

  o This LOGbinder EX folder will be created after LOGbinder is installed and the LOGbinder control panel is first started.

If outputting to Windows Security log

• Privilege "Generate Security Audit" (SeAuditPrivilege)

• Setting audit policy:

  o Windows 2003: enable “Audit object access”

  o Windows 2008 or later: enable the “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” security option, and enable the “Audit Application Generated” audit subcategory


Step 3 – Run the Installer

Run the installer. On the page "Specify User Account," enter the user account name, including both domain name and user name (i.e. domain\username) of the service account (the user account that will run the LOGbinder for Exchange service). The rights outlined above must be granted to the account before running the installer, or else LOGbinder for Exchange will not install properly.

On the page "Select Installation Folder," it is recommended that you use the default setting, C:\Program Files\LOGbndEX.

If a dialog box "Set Service Login" appears, then the user account information entered previously was not valid. Confirm the account name and password, and re-enter the information.

Transferring settings to a new server

If LOGbinder was running in your environment before, but it now has to be installed on a different server, the following steps can be followed to transfer the settings to the new server.* This not only saves setup time and reduces setup problems, but also ensures that audit log collection continues where LOGbinder left off, so as to preserve a complete audit trail:

1. Make sure that on both the source (where LOGbinder was run before) and target (the new LOGbinder server) servers, the LOGbinder service is not running and the LOGbinder control panel is not open.

2. Go to the {Common Application Data}\LOGbinder EX folder on the source server, i.e. C:\Documents and Settings\All Users\Application Data\LOGbinder EX or C:\ProgramData\LOGbinder EX.

   o Please note that the ProgramData folder is a hidden folder, and it is not the same as the Program Files folder.

3. Copy all *.stg and *.xml files to the same folder on the target server.


Configuring LOGbinder for Exchange

Open the "LOGbinder EX" link in the Windows start menu, which appears by default in the “LOGbinder” folder.

To use LOGbinder for Exchange, adjust the settings in the three views: Input, Output, and Service. Settings can be changed while the service is running, but changes will be applied only when the service is restarted. If the LOGbinder for Exchange control panel is closed before restarting the service, the changes will be discarded. On the other hand, if the service is already stopped, the changes are saved automatically.

Configure Input

LOGbinder for Exchange uses these methods to connect to the Exchange server: (a) Exchange Management Shell (PowerShell), and (b) Exchange Web Services Managed API 1.2.

To get started, select the menu File\New Input, where you will need to enter three pieces of information: Powershell URL, Exchange URL, and Recipient.

Figure 1: An example Input

Powershell URL: The URL to access Exchange Management Shell cmdlets (via PowerShell). The default value is “http://” + FQDN of server + “/Powershell”. This should be a server with both PowerShell and client access roles functioning. The Autofill button will use the current server to fill in this value. You might need to change this if you are not installing LOGbinder for Exchange on an Exchange server.

Exchange URL: The URL to access the Exchange web service. The default value is “https://” + FQDN of server + “/EWS/Exchange.asmx”. If the Powershell URL is correct, the Autofill button will try to identify the correct Exchange URL.

Recipient: The mail address used for processing audit logs. This will be the mailbox associated with the user (or administrator) in whose context the Exchange Management Shell runs, preferably the mailbox of the LOGbinder for Exchange service account.


The "Last Processed" box shows the date and time audit events were last retrieved from Exchange. After installing it the first time, LOGbinder starts processing admin audit logs from the time of the installation onward, and mailbox audit logs with a 24-hour delay, that is, starting 24 hours before the time of the installation.* For further information on this 24-hour buffer period for mailbox audit events, please see the section 24-hour Delay in Mailbox Audit Logs below.

If some of the backlog events are also to be processed, the start date can be set in the Last Processed boxes. It is recommended that once LOGbinder is in operation, this date not be changed manually, as it could result in skipping some audit events in Exchange, or double-handling, resulting in events appearing twice in the event log. If the date needs to be adjusted, check the box next to the date, and then the date can be adjusted.

After the LOGbinder for Exchange service has been running, the Transactions list will show a list of audit log searches sent to the Exchange server, the start and end period for which logs have been requested, and the time LOGbinder finished processing the audit logs. This information is read-only. After the Exchange server sends back the result of the audit log search, LOGbinder for Exchange processes the event logs and forwards them to the output(s) specified. (See next subheading.) Once the results are received and forwarded to the output(s), the File Name and Completed columns are populated with the appropriate values.

Configure Output

LOGbinder supports multiple output formats. LOGbinder for Exchange allows output to go to:

• LOGbinder EX Event Log: a custom event log under Applications and Services Logs.

• Security Log: the Windows Security log. (Please remember to set the additional privileges as described in section Step 2 – Check User Accounts and Authority when using this feature.)

• Syslog-CEF: a Syslog server using ArcSight’s Common Event Format.

• Syslog-LEEF: a Syslog server using IBM Security QRadar’s Log Event Extended Format.

• Syslog-Generic: a Syslog server using the generic Syslog format.

• Syslog-CEF (File): a Syslog file using ArcSight’s Common Event Format.

• Syslog-LEEF (File): a Syslog file using IBM Security QRadar’s Log Event Extended Format.

• Syslog-Generic (File): a Syslog file using the generic Syslog format.

At least one of these must be enabled in order for the LOGbinder service to start.

* If this is not the first installation of LOGbinder on the same server, it will continue audit log processing from the date and time it finished its last run with the previous installation. If LOGbinder was installed on another server in the same environment before, you might want to refer to the section above about Transferring settings to a new server.

Audit Log Search Poll Interval:

It might take a considerable time for the Exchange server to send back the search results. By default, Exchange checks if there are any audit log searches every 30 minutes to 24 hours, depending on the Exchange version. However, this frequency can be adjusted in an Exchange configuration file. Please refer to our blog titled Changing the Exchange audit search poll interval on how to adjust this setting.


To enable an output and adjust the settings, select it and use the menu Action\Properties, or double-click on the item. To enable it, check the box "Send output to [name of output format]."

Select the "Include noise events" option if you want to include these in the event log. A “noise event” is a log entry generated from the input (Exchange) that contains only misleading information. This option is included in case it is essential to preserve a complete audit trail; by default this option is not selected.

For some output formats, LOGbinder for Exchange can preserve the original data extracted from Exchange, along with details as to how the entry was translated by LOGbinder. Check the option “Include XML data” in order to include these details in the event log. Including this data will make the size of the log grow more quickly. If the option does not appear, then it is not supported for that output format.

For the output format "LOGbinder EX Event Log," the entries are placed in a custom log named “LOGbinder EX.” When the log is created by LOGbinder, by default the maximum log size is set to 16MB, and it will overwrite events as needed. If changing these settings, balance the log size settings with the needs of your log management software as well as the setting for “Include XML data.” In this way you will ensure that your audit trail is complete.

Configure Service

To start, stop, and restart the LOGbinder for Exchange service, use the buttons on this panel. You may also use the items in the Action menu, or the toolbar.

Although you can use the Services window in the Windows Control Panel to start and stop the service, it is recommended that you use LOGbinder's user interface to control the service. Before starting the service, LOGbinder will confirm that (a) at least one Exchange server has been selected for monitoring and (b) at least one output (i.e. LOGbinder EX Event Log, Windows Security Log) has been selected.

While attempting to start the LOGbinder for Exchange service, a problem may be encountered—perhaps that the service account does not have sufficient authority. The details of the problem are written to the Application Event Log. These events can also be viewed inside of the LOGbinder control panel, by selecting the “LOGbinder Diagnostic Events” view.

See the section “Monitoring LOGbinder for Exchange” for more information on how to handle issues that may arise when starting the LOGbinder for Exchange service.

Configure Options

Use buttons on the panel, or the menu File\Options, to change LOGbinder's options.

The Enable 24-hour delay in searching for mailbox audit events option is enabled by default. For further information on this 24-hour buffer period for mailbox audit events, please see the section 24-hour Delay in Mailbox Audit Logs below.

The Service Account lists the user account that runs the LOGbinder for Exchange service. This is the account you specified when installing LOGbinder for Exchange. If it is necessary to change the account, use the Services management tool (in Windows Administrative Tools).

Figure 2: Output properties window

Figure 3: Message indicating outputs not configured


If the box “Do not write informational messages to the Application log” is checked, then event “551 – LOGbinder agent successful” (see Appendix C: Diagnostic Events) will not be written to the Application log.

The Logging options can be used for diagnostic purposes if you experience problems with LOGbinder. By default, the “Logging Level” is set to None. If necessary, the Logging Level can be set to Level 1 or Level 2. Level 1 generates a standard level of logging detail; Level 2 generates more detailed logging. Level 2 should be selected only if specifically requested by LOGbinder support; otherwise performance will be adversely affected. Both Level 1 and Level 2 logging options generate log files named Control Panel.log, Service.log, Service Controller.log and Service Processor.log in the Log location folder.

The “Alternate Output Data Folder” specifies the data folder used for the output data. This is the folder where LOGbinder stores output that is written to files, such as Syslog-Generic (File), as well as the above-mentioned diagnostic files. The folder path can be set using a drive letter or, if it is a network location, a UNC path. The default folder is {Common Application Data}\LOGbinder EX (i.e. C:\ProgramData\LOGbinder EX). Please note that the Alternate Output Data Folder needs the same permissions as the Common Application Data folder as specified above in section Step 2 – Check User Accounts and Authority.

Status Bar

The status bar will show information about the operation of LOGbinder.

• Service status: displays the status of the service. The image shown indicates the service is stopped. The service may also be running, or in an 'unknown' state.

• License status: shows the status of the license for LOGbinder. If LOGbinder is not fully licensed, a message will appear in the status bar.

• Settings changed: indicates that settings have been changed. In order to apply the changes, the LOGbinder for Exchange service must be restarted. If the LOGbinder for Exchange service is running and the LOGbinder for Exchange control panel is closed, the changes will be discarded.


License

Use the menu File\License to view information about your license for LOGbinder.* If you have purchased LOGbinder for Exchange and need to obtain a license, follow these steps:

• For Unit/Server Count, enter the number of active mailboxes in your Exchange system. (The minimum number of mailboxes requiring licensing will be filled out automatically by LOGbinder.)

• Press the Copy button, and paste the contents into an email addressed to licensing@logbinder.com.

• When the license key is received, copy it to the clipboard and press the Paste button.

If you are properly licensed, the license window will redisplay and show that you are properly licensed. If there is a problem, respond immediately to licensing@logbinder.com.


24-hour Delay in Mailbox Audit Logs

According to a recent discovery, the PowerShell cmdlets used for retrieving mailbox audit logs have a flaw that produces inconsistent audit results if used to retrieve audit logs in less than 24 hours.

We informed Microsoft of our findings and they confirmed the bug after their own investigation. They also told us they had no timeline to fix the bug and suggested that users simply request audit logs some twenty-four hours after the event took place. We will continue to work with Microsoft on this issue and hope they do resolve it.

In the meantime, the only way we can guarantee audit trail integrity is if we follow Microsoft’s recommendation and don’t ask for mailbox audit logs for the past 24-hour period. Therefore LOGbinder will not process events until 24 hours after the Last Processed value for mailbox auditing in the input settings (see Configure Input).

If you do not want to have this 24-hour delay, you can turn it off in the options (see Configure Options), but we strongly advise against it.

To see how we feel about this issue, what we are doing to mitigate the impact of this bug and what you can do, please follow our latest communications on this at
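As an added example (not LOGbinder's own code), the following Exchange Management Shell script shows how a mailbox audit log search can honour the 24-hour rule above while working the way the Configure Input section describes: the search is queued asynchronously and its results are mailed to the Input's Recipient mailbox. The recipient address and the stored Last Processed value are placeholders.

```powershell
# Added example, not LOGbinder code. Placeholders: the recipient address and the
# Last Processed value. Requires an Exchange Management Shell session (Exchange 2010 SP1+).

$Recipient     = 'lbex_svc@example.com'    # the Input's Recipient mailbox (placeholder)
$LastProcessed = (Get-Date).AddDays(-2)     # stand-in for the stored Last Processed value
$DelayEnabled  = $true                      # the "Enable 24-hour delay" option

# Compute the window that may be searched. With the delay on, the end of the window is
# pinned to 24 hours ago, so the flawed "last 24 hours" range is never requested.
function Get-MailboxAuditSearchWindow([datetime] $LastProcessed, [bool] $DelayEnabled,
                                      [datetime] $Now = (Get-Date)) {
    $end = if ($DelayEnabled) { $Now.AddHours(-24) } else { $Now }
    if ($end -le $LastProcessed) {
        return $null   # nothing is old enough to search safely yet; wait for the next run
    }
    return [pscustomobject]@{ StartDate = $LastProcessed; EndDate = $end }
}

$window = Get-MailboxAuditSearchWindow -LastProcessed $LastProcessed -DelayEnabled $DelayEnabled
if ($null -eq $window) {
    Write-Output 'No mailbox audit data is older than 24 hours yet; nothing to search.'
    return
}

# Queue the search. Exchange runs it on its own poll interval (see "Audit Log Search
# Poll Interval") and mails the result to $Recipient, which is why the Recipient must be
# a mailbox the shell account can read. Owner access is left out, per the guide's advice.
New-MailboxAuditLogSearch -Name ("LOGbinder mailbox audit {0:yyyyMMdd-HHmm}" -f $window.EndDate) `
    -StartDate $window.StartDate -EndDate $window.EndDate `
    -LogonTypes Admin, Delegate `
    -ShowDetails `
    -StatusMailRecipients $Recipient

# Advance Last Processed to the end of the window: the next run starts exactly here,
# so no span is skipped and none is searched twice.
$LastProcessed = $window.EndDate
Write-Output ("Queued search for {0:u} to {1:u}; next run starts at {1:u}." -f $window.StartDate, $window.EndDate)
```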


Mailbox Audit Policy management

An administrator can specify a mailbox audit policy, select groups and/or organization units, and then the LOGbinder service will set mailbox audit policy for the mailboxes in those groups and organizational units. The LOGbinder service will regularly enforce this policy, in case new mailboxes were added to the groups and organizational units—or if the policy had been changed for a mailbox.

Using LOGbinder Control Panel to set mailbox audit policy

To set mailbox audit policy, open the Input properties window, and click on the link “Mailbox Audit Policy.” (The same link is available in the Options window.)

NOTE: If the link in Options is disabled, it is because you have not yet created an Input pointing to an Exchange installation. After creating an Input you can set mailbox audit policy.

The first window (see Figure 6) gives an overview of the existing mailbox audit policy that has been set in LOGbinder. This will be empty if this is your first time setting audit policy. In the next windows, you can (1) select Exchange groups that the policy should apply to, (2) select organizational units that the policy should apply to, and (3) specify the audit policy.

Figure 6: Overview - Mailbox Audit Policy

Pressing Next will present the Add/Remove Groups window. (See Figure 7.) You must first filter groups. Enter at least the first three characters of the groups’ names—then press the Filter button. The list of groups that match will show in the list. Select one or more groups and press the Add to Selected button. The Selected Groups list will contain the groups to which the policy will be applied. You may repeat the filtering as many times as needed.

If you press the Filter button with no text in the Filter Groups box, then all groups will be listed. This is not recommended if you have a large number of groups.


Figure 7: Add/Remove Groups - Mailbox Audit Policy

Press Next to specify organizational units. (See Figure 8.) All organizational units will be shown in the list. If you wish to apply the policy to organizational units, select one or more items and press the Add to Selected button.

Figure 8: Add/Remove Organizational Units - Mailbox Audit Policy

Press Next to set the audit policy. (See Figure 9.) Select the actions under the appropriate columns: Administrator, Delegate, and Owner. If you select None, all the other boxes will be unchecked and that type of mailbox access will not be audited.

Click the link “Set default audit policy” to use Microsoft’s default mailbox audit policy. You can continue to adjust the policy to suit the needs of your organization.


A recommendation from LOGbinder: Do not audit Owner access, leave it set to None. Auditing what a user does in his own mailbox will create a huge number of audit events, events that have very little value, and will choke your Exchange installation—as well as the LOGbinder service.

Figure 9: Set Policy - Mailbox Audit Policy

Press Next to see a confirmation window of your mailbox audit policy settings. You may use the Back button to review and adjust your selections. When you press Finish, LOGbinder will save the adjustments to your mailbox audit policy.

Enforcing Mailbox audit policy

Every night, the LOGbinder service will enforce your mailbox audit policy. It will find the mailboxes that are contained in the groups and/or organizational units. If the mailbox’s audit policy does not match, LOGbinder will change its policy. LOGbinder will report on the number of mailboxes that have been adjusted. Please note that you must set the “Audit Log” management role to use this feature – see the Check User Accounts and Authority table on page 4.

NOTE: For performance considerations, it is recommended that you use as few groups and/or organizational units as possible. The greater the number of groups and organizational units, the longer it will take to inspect audit policy.
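The nightly enforcement pass described above, written out as an added example in Exchange Management Shell cmdlets (this is illustrative code, not LOGbinder's). The group names, the organizational unit and the Admin/Delegate action lists are constructed placeholders; Owner auditing is set to None, as the guide recommends.

```powershell
# Added example, not LOGbinder code. Run in an Exchange Management Shell session whose
# account holds the "Audit Logs" role (Set-Mailbox on audit settings requires it).

# Desired policy. Admin/Delegate action lists are constructed for illustration and are
# not Microsoft's defaults; Owner is deliberately None (see the recommendation above).
$DesiredPolicy = @{
    AuditEnabled  = $true
    AuditAdmin    = @('Update', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete', 'FolderBind', 'SendAs', 'SendOnBehalf', 'Create')
    AuditDelegate = @('Update', 'SoftDelete', 'HardDelete', 'SendAs', 'Create')
    AuditOwner    = @('None')
}
$Groups   = @('Finance Users', 'Executives')        # placeholder groups
$OrgUnits = @('corp.example.com/Audited Staff')     # placeholder organizational unit

# Normalise a multi-valued audit property so an empty list and 'None' compare equal.
function ConvertTo-ActionSet([object[]] $Actions) {
    $set = @($Actions | ForEach-Object { "$_" } | Where-Object { $_ -and $_ -ne 'None' } | Sort-Object -Unique)
    if ($set.Count -eq 0) { return @('None') }
    return $set
}

function Test-SameActionSet([object[]] $Current, [object[]] $Desired) {
    return ((ConvertTo-ActionSet $Current) -join ',') -eq ((ConvertTo-ActionSet $Desired) -join ',')
}

# Does this mailbox already match the desired policy in every audited dimension?
function Test-MailboxAuditPolicy($Mailbox, [hashtable] $Policy) {
    return ($Mailbox.AuditEnabled -eq $Policy.AuditEnabled) -and
           (Test-SameActionSet $Mailbox.AuditAdmin    $Policy.AuditAdmin) -and
           (Test-SameActionSet $Mailbox.AuditDelegate $Policy.AuditDelegate) -and
           (Test-SameActionSet $Mailbox.AuditOwner    $Policy.AuditOwner)
}

# Collect target mailboxes from groups and OUs, de-duplicated by GUID. Direct group
# members only: nested groups are not expanded here.
$targets = @{}
foreach ($g in $Groups) {
    Get-DistributionGroupMember -Identity $g -ResultSize Unlimited |
        Where-Object { $_.RecipientType -like '*Mailbox*' } |
        ForEach-Object { $targets[$_.Guid] = $_.Identity }
}
foreach ($ou in $OrgUnits) {
    Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
        ForEach-Object { $targets[$_.Guid] = $_.Identity }
}

# Compare and correct only the mailboxes that drifted; report the count, as LOGbinder does.
$adjusted = 0
foreach ($id in $targets.Values) {
    $mbx = Get-Mailbox -Identity $id
    if (-not (Test-MailboxAuditPolicy $mbx $DesiredPolicy)) {
        Set-Mailbox -Identity $id `
            -AuditEnabled  $DesiredPolicy.AuditEnabled `
            -AuditAdmin    $DesiredPolicy.AuditAdmin `
            -AuditDelegate $DesiredPolicy.AuditDelegate `
            -AuditOwner    $DesiredPolicy.AuditOwner
        $adjusted++
    }
}
Write-Output ("Inspected {0} mailboxes; adjusted {1}." -f $targets.Count, $adjusted)
```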


Monitoring LOGbinder for Exchange

When installing, configuring, and running LOGbinder for Exchange, the software writes diagnostic events to the Windows Application Event Log. Most of these will be from the source "LOGbndSE" and the category "LOGbinder." You may use the Windows Event Viewer to examine these events. Also, the LOGbinder control panel includes a set of views that list these events: choose “LOGbinder Diagnostic Events,” or drill down to one of the nested views.

Figure 10: LOGbinder Diagnostic Events view

During Installation and Configuration

During installation and configuration, you will find these entries:

• After installation, there may be an entry from the source MsiInstaller: "Product: LOGbinder EX -- Installation completed successfully."

• When the configuration of LOGbinder for Exchange changes, you will see one or more entries entitled "LOGbinder settings changed." See Appendix C: Diagnostic Events: “553 – LOGbinder settings changed” for information about these events.

• When the service starts, there may be an entry from the source LOGbinder EX: "Service started successfully." (Entries are also written when the service is stopped.)

You can monitor these events to ensure that LOGbinder for Exchange continues to be configured properly, and that unauthorized changes do not occur.

After configuring LOGbinder for Exchange and starting the service, it automatically performs a check to ensure that LOGbinder's settings are valid and that the account running the Windows service has sufficient authority. If there is a problem, the LOGbinder for Exchange service will not start and a message will be presented to the user. In most cases, the details of the problem are written to the Application log. Common problems include:

• Input/output not configured properly. See the previous section “Configuring LOGbinder for Exchange” for more information.

• Insufficient authority. If the service account does not have adequate authority, then the service will not run. An entry is written to the Application log. See Appendix C: Diagnostic Events “556 – LOGbinder insufficient authority” for more details. Some of the common missing permissions include:

  o Account does not have authority to log on as a Windows service.

  o Account does not have necessary permissions in Exchange.

  o The account does not have authority to write to the Security event log. (If this output destination has not been selected, then it is not necessary to grant this permission.)

• License invalid. If the license is not valid or has expired, then the LOGbinder for Exchange service will not run. An entry may be written to the Application log. See Appendix C: Diagnostic Events: “557 – License for LOGbinder invalid” for details.

• Other errors will be found in entries entitled "LOGbinder error." See Appendix C: Diagnostic Events: “555 – LOGbinder error” for more information.

If any of these errors are encountered, the LOGbinder for Exchange service will not run.

While LOGbinder for Exchange is Running

While LOGbinder for Exchange is running, you will see information entries in the Application log as follows:

• Entries 'exported' from Exchange. For each Exchange server being monitored, this message indicates the number of audit entries that LOGbinder for Exchange has processed.

• Entries 'imported' into the Windows event log. This indicates that the audit entries have been placed in the enabled output formats. There will be one message event if multiple output formats have been selected (i.e. you have selected both Windows Security Log and Windows Event Log as output formats). The 'export'/'import' entries are complementary: there should be a corresponding 'import' entry for each 'export.'

These log entries are informational in nature. Generally no action is required. If more entries are being processed than what appear in the event logs or in your log management solution, it could be that the log size is too small and entries are being overwritten. See Appendix C: Diagnostic Events “551 – LOGbinder agent successful” for more information on these events.

If LOGbinder for Exchange has an error, an entry will be created in the Application log. If permissions are removed, or if the license expires, you may receive a "556 – LOGbinder insufficient authority" or "557 – License for LOGbinder invalid" error, which are explained above. Other errors will be entitled "555 – LOGbinder error." If you cannot resolve the problem, please submit the issue to the LOGbinder support


Appendix A: Assigning Permissions

Exchange Administrator Roles

1. Add a new administrator role group, containing the following roles:

   o View-Only Audit Logs

   o View-Only Configuration

   o View-Only Recipients

   o Audit Logs (only needed if using the LOGbinder Mailbox Audit Policy Management wizard – see page 10)

2. Make the LOGbinder service account a member of this role group.

The above two steps can be achieved, for example, through the Exchange Admin Center (https://<hostname>/ecp) interface, or using an Exchange Management Shell cmdlet, such as

New-RoleGroup "LOGbinderEX" -Roles "View-Only Audit Logs", "View-Only Configuration", "View-Only Recipients", "Audit Logs" -Members "lbex_svc"

where lbex_svc is to be replaced by the name of the LOGbinder for Exchange service account.

Local Security Policy Changes

The following chart summarizes the changes to be made in the Local Security Policy. Detailed explanations are found after the chart.

Local Security Policy (secpol.msc) settings summary

• Security Settings\Local Policies\User Rights Assignment\Log on as a service
  Windows Server 2003: add service account
  Windows Server 2008/2012: add service account
  This always needs to be set.

• Security Settings\Local Policies\User Rights Assignment\Generate security audits
  Windows Server 2003: add service account
  Windows Server 2008/2012: add service account
  Needs to be set if outputting to Windows Security log.

• Security Settings\Local Policies\Audit Policy\Audit object access
  Windows Server 2003: set Success
  Windows Server 2008/2012: N/A
  Needs to be set if outputting to Windows Security log.

• Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
  Windows Server 2003: N/A
  Windows Server 2008/2012: set Enabled
  Needs to be set if outputting to Windows Security log.

• Security Settings\Advanced Audit Policy Configuration\Object Access\Audit Application Generated
  Windows Server 2003: N/A
  Windows Server 2008/2012: set Success
  Needs to be set if outputting to Windows Security log.

Log On as a Service

• Select Security Settings\Local Policies\User Rights Assignment

• Open "Log on as a service" and add user

• NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Generate Security Audits (SeAuditPrivilege)

• Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.

• Select Security Settings\Local Policies\User Rights Assignment

• Open "Generate security audits" and add user

• NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Audit Policy

Windows Server 2003

• Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.

• Select Security Settings\Local Policies\Audit Policy

• Edit "Audit object access," ensuring that "Success" is enabled. (LOGbinder for Exchange does not require that the "Failure" option be enabled.)

• NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Windows Server 2008/2012

Audit policy can be configured with the original top-level categories as described above for Windows 2003, but most environments have migrated to the newer, more granular audit subcategories available in Windows 2008 (aka Advanced Audit Policy).

Using Advanced Audit Policy Configuration allows for more granular control of the number and types of events that are audited on the server. (NOTE: The steps described here are for Windows Server 2008 R2; see TechNet for information on earlier releases.)

 First, ensure that ‘basic’ and ‘advanced’ audit policy settings are not used at the same time: o Microsoft gives this warning: “Using both the basic audit policy settings under Local

Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.” (

http://technet.microsoft.com/en-us/library/dd692792(WS.10).aspx)

o Select Security Settings\Local Policies\Security Options

o Open and enable “Audit: Force audit policy subcategory settings (Windows Vista or

later) to override audit policy category settings

 To enable LOGbinder events to be sent to the security log:

(19)

o Edit “Audit Application Generated,” ensuring that “Success” is enabled. (LOGbinder for Exchange does not require that the “Failure” option be enabled.)
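The three prerequisites above (the "Generate security audits" user right, the subcategory-override setting, and Success auditing for "Application Generated") are easy to get partly wrong, especially when Group Policy overrides the local settings. The following PowerShell script is an added verification example, not part of the LOGbinder guide; it reads the effective local configuration with secedit, the registry and auditpol and reports which prerequisite is missing. The service account name is a placeholder you must replace, and the script assumes it is run from an elevated prompt on the server hosting the LOGbinder for Exchange service.

```powershell
# Added verification script; it is not part of the LOGbinder guide. Run it in an
# elevated Windows PowerShell prompt on the server that hosts the LOGbinder for
# Exchange service. Assumption: $ServiceAccount is the account the LOGbinder
# service logs on as (placeholder value below).
param([string]$ServiceAccount = "ACME\svc-logbinder")

function Get-PrivilegeHolders {
    # Export User Rights Assignment with secedit and return the holders of one
    # privilege. The exported INF line looks like:
    #   SeAuditPrivilege = *S-1-5-19,*S-1-5-20
    param([string]$Privilege)
    $inf = Join-Path $env:TEMP "secpol-export.inf"
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf -Encoding Unicode |
            Where-Object { $_ -match "^$Privilege\s*=" } |
            Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    return (($line -split "=", 2)[1] -split ",") |
           ForEach-Object { $_.Trim().TrimStart("*") }
}

function Test-AccountHoldsPrivilege {
    param([string]$Account, [string]$Privilege)
    # secedit writes SIDs, so resolve the account to its SID and accept either form.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $holders = Get-PrivilegeHolders $Privilege
    return [bool]($holders | Where-Object { $_ -eq $sid -or $_ -ieq $Account })
}

function Test-SubcategoryOverride {
    # SCENoApplyLegacyAuditPolicy = 1 means "Audit: Force audit policy subcategory
    # settings (Windows Vista or later) to override audit policy category settings"
    # is enabled under Local Policies\Security Options.
    $lsa = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -ErrorAction SilentlyContinue
    return ($lsa -ne $null -and $lsa.SCENoApplyLegacyAuditPolicy -eq 1)
}

function Test-ApplicationGeneratedAudit {
    # auditpol reports "Success", "Failure", "Success and Failure" or "No Auditing"
    # for the subcategory; only Success is required by LOGbinder.
    $text = (auditpol.exe /get /subcategory:"Application Generated") | Out-String
    return [bool]($text -match "Success")
}

$report = New-Object PSObject -Property @{
    ServiceAccount              = $ServiceAccount
    HasSeAuditPrivilege         = Test-AccountHoldsPrivilege $ServiceAccount "SeAuditPrivilege"
    HasSeServiceLogonRight      = Test-AccountHoldsPrivilege $ServiceAccount "SeServiceLogonRight"
    SubcategoryOverrideEnabled  = Test-SubcategoryOverride
    ApplicationGeneratedSuccess = Test-ApplicationGeneratedAudit
}
$report | Format-List

if (-not ($report.HasSeAuditPrivilege -and $report.SubcategoryOverrideEnabled -and
          $report.ApplicationGeneratedSuccess)) {
    Write-Warning "A prerequisite for writing LOGbinder events to the Security log is missing; see Appendix A."
}
```

If a value shows as missing but the Local Security Policy dialog is read-only, the setting is coming from Group Policy, as the NOTE above describes, and the fix belongs in the GPO rather than on the server.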


Appendix B: LOGbinder Event List

LOGbinder for Exchange Events

https://www.logbinder.com/products/logbinderex/resources/eventlist.aspx

Diagnostic Events

551 – LOGbinder agent successful
552 – LOGbinder warning
553 – LOGbinder settings changed
554 – LOGbinder agent produced unexpected results
555 – LOGbinder error
556 – LOGbinder insufficient authority
557 – License for LOGbinder invalid


Appendix C: Diagnostic Events

551 – LOGbinder agent successful

This event occurs when LOGbinder for Exchange successfully translates log entries. It usually appears in pairs: one event indicates that log entries have been 'exported' from their source (for example, Exchange), and the other that entries have been 'imported' to their destination (for example, the Windows event log). This event is informational in nature.

This event is written to the Windows Application log.

Example A

LOGbinder EX exported 3 entries from Exchange site http://MySite

Example B

LOGbinder EX imported 3 entries to Security event log

Example C

LOGbinder EX imported 3 entries to LOGbinder EX event log

552 – LOGbinder warning

This event occurs when LOGbinder for Exchange does not find information as expected. In most cases it does not indicate a serious problem, but it is provided so as to complete the audit trail. This event is written to the Windows Application log.

For example, as LOGbinder for Exchange translates entries, it performs various lookups to provide complete information. If the related item was deleted, a "LOGbinder warning" is generated.

Example A

LOGbinder warning

Lookup failed. Could not find Scope Item with ID of 89de71fe-1442-48ff-9a6e-052bddda3440.

Example B

LOGbinder warning

Lookup failed. Could not find User with ID of 19.

553 – LOGbinder settings changed

This event occurs when the LOGbinder settings are changed. This event is written to the Windows Application log.

For LOGbinder for Exchange, this includes which Exchange servers are monitored, which audit event types are handled, and the date and time LOGbinder last translated log entries. In addition, the settings for output formats are included.

Example A

LOGbinder settings changed

Output to Security log enabled. Noise events included.

Example B

LOGbinder settings changed

Input has been enabled.

554 – LOGbinder agent produced unexpected results

This event occurs when LOGbinder for Exchange encounters something unexpected when translating a log entry. At times it may be caused by a custom log entry.

This event is written to the Windows Application log.

You can help improve LOGbinder by reporting these events to the LOGbinder support team. Private data will not be shared.

Example

In this example, the developer used an existing event type, "Workflow," but included non-standard event data.

LOGbinder agent produced unexpected results

As the LOGbinder agent translated this entry, it encountered data it could not handle properly. It could have been caused by a custom or undocumented feature. So that LOGbinder can handle these entries in the future, it is suggested that you submit the entry to the LOGbinder support team.

<LogEntry siteName="http://shpnt" itemType="List Item" userName="Robert Solomon" locationType="Url" occurred="2009-06-29T21:49:11" eventType="Workflow"><RawData siteId="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemId="c04f5388-bf24-4007-b463-1dd1b3c19a02" itemType="ListItem" userId="1" documentLocation="Cache Profiles/1_.000" locationType="Url" occurred="633819089510000000" event="Workflow" eventSource="ObjectModel"><EventData>http://shpnt/docLib/CopiedFile.ext</EventData></RawData><Details /></LogEntry>

555 – LOGbinder error

This event occurs when the LOGbinder service encounters a problem that needs attention. This event is written to the Windows Application log. In most cases it gives enough information for you to address the problem successfully. Otherwise, please contact LOGbinder support for assistance.

Example A

In this example, the error indicates that the LOGbinder for Exchange service cannot run because the Exchange web service has not been configured properly.

LOGbinder error

Example B

In this example, a program assembly used by LOGbinder for Exchange does not exist, indicating that the LOGbinder software is no longer installed properly.

LOGbinder error

Exporter assembly does not exist: C:\Program Files\LOGbndEX\MTG.LOGbinder.Exchange.dll

Example C

In this example, a certificate error is indicated. The Exchange URL set for the inputs should open in Internet Explorer without any certificate error. Certificate errors often occur when using a self-signed certificate.

Could not retrieve mail messages from Exchange mailbox. Details: The request failed. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.; The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.; The remote certificate is invalid according to the validation procedure.

Action: Add the self-signed certificate to the trusted root store.

556 – LOGbinder insufficient authority

This event occurs when the LOGbinder for Exchange service cannot run because of invalid or inadequate permissions. The event will include the module lacking the permission, the name or description of the permission, as well as relevant details. Each example below also includes the action needed in order to correct it.

Example A: No permission to write to security log

LOGbinder insufficient authority

The LOGbinder agent cannot operate normally because it lacks sufficient authority.

Source: Security Log

Privilege: SeAuditPrivilege

Details: The LOGbinder agent does not have the necessary rights to configure the security log

Action: The service account needs the "Generate security audits" privilege (https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Generate-security-audits), or do not enable LOGbinder to output to the Windows Security log.

Example B: Attempt to write to security log from invalid location

One measure to protect the security log is to write security events only from authorized locations. When LOGbinder is configured, it registers its program location with the security log. If this error occurs, then LOGbinder has been reinstalled to a different location, and the previous location was not removed properly.

LOGbinder insufficient authority

The LOGbinder agent cannot operate normally because it lacks sufficient authority.

Source: Security Log

Privilege: Invalid Location

Details: Cannot write to because the program location does not match what has been previously configured

Action: It is recommended to delete the registry key manually. First ensure that LOGbinder is not open. Then delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LOGbndES. Be careful not to delete other parts of the registry, as that can cause the server to be unstable. When you reopen the LOGbinder control panel, it will reconfigure its ability to write to the security log.

Example C: Internal error

LOGbinder insufficient authority

The LOGbinder agent cannot operate normally because it lacks sufficient authority.

Source: Security Log

Privilege: Internal Error

Details: The security account database contains an internal inconsistency

Action: One factor that can cause an internal error is a LOGbinder program path that is too long. By default, LOGbinder is installed to C:\Program Files\LOGbndEX. It is recommended that the default be used. If the software has been installed to a different location with a longer program path, it will be necessary to reinstall LOGbinder to correct this error.

Example D: Log on as service

LOGbinder insufficient authority

The LOGbinder agent cannot operate normally because it lacks sufficient authority.

Source: LOGbinder service

Privilege: Log on as service

Details: Account running LOGbinder agent does not have user right "Logon as a service"

Action: The service account needs to be assigned the "Logon as a service" user right. (https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Log-on-as-a-service)

Example E: Cannot start LOGbinder control panel

LOGbinder insufficient authority

The LOGbinder agent cannot operate normally because it lacks sufficient authority.

Source: LOGbinder Manager

Privilege: File Permissions

Details: Account running LOGbinder Control Panel needs to be a member of the local Administrators group

Action: Ensure that the user account used to run the LOGbinder for Exchange control panel has local


557 – License for LOGbinder invalid

Occurs when the license for LOGbinder is not valid and an attempt is made to start the service. This event is written to the Application log.

If the license is not valid, the LOGbinder for Exchange control panel continues to operate as normal. However, the LOGbinder service will not start if the license is invalid. Follow the instructions in the control panel, in the menu File\License, in order to obtain a license for the software.

Example

License for LOGbinder invalid

The license for LOGbinder has expired or is invalid.

Details: Trial period has expired.
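Because events 555, 556 and 557 each mean the audit pipeline has stopped (a stopped LOGbinder service means Exchange audit records are no longer reaching the SIEM), it is worth polling the Application log for them rather than waiting for a missing-data complaint. The following PowerShell functions are an added example, not part of the LOGbinder guide: they collect diagnostic events 551-557 from the last N hours and flag the error-level ones. The guide does not state the event provider name, so the filter matches on event ID and on the string "LOGbinder" in the message; that is an assumption to adjust if your environment shows a different provider.

```powershell
# Added monitoring example; not part of the LOGbinder guide.
# Assumption: diagnostic events use the IDs from Appendix B and contain the
# word "LOGbinder" in the message (the provider name is not given in the guide).

function Get-LogbinderDiagnostics {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)

    # Meaning of each ID, taken from Appendix C.
    $meaning = @{
        551 = "Info: agent successfully exported/imported entries"
        552 = "Warning: lookup failed, audit trail entry incomplete"
        553 = "Info: LOGbinder settings changed"
        554 = "Warning: unexpected data in a log entry (send entry to LOGbinder support)"
        555 = "Error: service problem that needs attention"
        556 = "Error: missing privilege or permission (see Appendix A)"
        557 = "Error: license invalid, service will not start"
    }

    $filter = @{
        LogName   = 'Application'
        Id        = 551, 552, 553, 554, 555, 556, 557
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as zero events.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match "LOGbinder" }

    $events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
        $id = [int]$_.Name
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        New-Object PSObject -Property @{
            EventId = $id
            Count   = $_.Count
            Meaning = $meaning[$id]
            Latest  = $latest.TimeCreated
            Message = $latest.Message
        }
    }
}

function Test-LogbinderHealthy {
    # $true when no error-level diagnostic (555, 556, 557) was logged in the window.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $errors = Get-LogbinderDiagnostics -Hours $Hours -ComputerName $ComputerName |
              Where-Object { $_.EventId -ge 555 }
    return -not [bool]$errors
}

# Usage: print a summary and exit non-zero when the pipeline is broken, so the
# script can run from a scheduled task or a monitoring agent.
Get-LogbinderDiagnostics | Format-Table EventId, Count, Latest, Meaning -AutoSize
if (-not (Test-LogbinderHealthy)) {
    Write-Warning "LOGbinder for Exchange reported an error-level diagnostic event; audit forwarding may have stopped."
    exit 1
}
```

A 556 event is the one to route to whoever owns Group Policy, since its cause is almost always a user right or audit setting that was removed by a policy refresh, while 557 goes to whoever holds the license.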


Appendix D: Troubleshooting

Initial checks

Check the Inputs in the LOGbinder for Exchange control panel:

1. If there are entries under Transaction, then the PowerShell URL is set correctly.

2. If the Completed column is filled, then the Exchange URL and Recipient are set correctly.

Verifying Mailbox Access

(In the following steps, some examples are shown. Please replace the example values with the appropriate details of your environment.)

1. Open Internet Explorer and log on as the LOGbinder service account to the mailbox via Outlook Web Access, using the server name specified in the LOGbinder for Exchange control panel, such as

https://ex1.acme.com/owa

You should see emails in the Inbox or in Deleted Items from Microsoft Exchange with subjects such as "Administrator Audit Log Search …" and "Mailbox Audit Log Search …"

2. In Internet Explorer go to the Exchange URL of your Input setting, such as

https://ex1.acme.com/ews/exchange.asmx

You should get the WSDL XML for Exchange.

If it doesn't work, you can try to identify the correct URL by executing the following PowerShell command from the Exchange Management Shell on the Exchange server:

Get-WebServicesVirtualDirectory | fl *url
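Opening the EWS URL in Internet Explorer proves reachability for the interactive user, but the service runs under a different identity and without a browser to silently accept a certificate. The following PowerShell function is an added example, not part of the LOGbinder guide: it requests the configured EWS URL with the logged-on account's credentials and classifies the failure as a certificate-trust problem (the cause of the 555 "Could not establish trust relationship" error in Appendix C), an authentication failure, or an unreachable endpoint. Run it while logged on as the LOGbinder service account; the URL is the guide's example and must be replaced with your own.

```powershell
# Added troubleshooting example; not part of the LOGbinder guide.
# Assumptions: run while logged on as the LOGbinder service account; $Url is the
# Exchange (EWS) URL from the LOGbinder Input settings (placeholder below).
function Test-EwsEndpoint {
    param([string]$Url = "https://ex1.acme.com/ews/exchange.asmx")

    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.UseDefaultCredentials = $true   # authenticate as the current logon, like the service does
    $req.Timeout = 15000
    try {
        $resp   = $req.GetResponse()
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body   = $reader.ReadToEnd()
        $reader.Close(); $resp.Close()
        return @{
            Status   = "OK"
            HttpCode = 200
            LooksLikeWsdl = [bool]($body -match "wsdl")   # heuristic check of the returned document
        }
    } catch {
        # A .NET exception reaches the catch block wrapped; walk down to the WebException.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if (-not $ex) { throw }

        if ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            # Same condition as event 555 Example C: the certificate chain is not trusted.
            return @{
                Status = "CertificateNotTrusted"
                Detail = $ex.Message
                Action = "Import the Exchange certificate (or its issuing CA) into this machine's Trusted Root store, or replace the self-signed certificate on Exchange with one from a trusted CA."
            }
        }
        if ($ex.Status -eq [System.Net.WebExceptionStatus]::ProtocolError) {
            $code = [int]$ex.Response.StatusCode
            if ($code -eq 401) {
                return @{
                    Status   = "AuthenticationFailed"
                    HttpCode = 401
                    Action   = "Endpoint reached but credentials rejected; verify the service account and its mailbox (see Verifying Mailbox Access)."
                }
            }
            return @{ Status = "HttpError"; HttpCode = $code; Detail = $ex.Message }
        }
        return @{
            Status = "Unreachable"
            Detail = $ex.Message
            Action = "Confirm the URL with 'Get-WebServicesVirtualDirectory | fl *url' in the Exchange Management Shell and check name resolution and firewalls."
        }
    }
}

# Usage
Test-EwsEndpoint | Format-Table -AutoSize
```

The function deliberately does not disable certificate validation to "make it work": a TrustFailure result means the service will fail in exactly the same way, and the fix is to trust the certificate on this machine, as the 555 action text says.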

Verifying PowerShell Connectivity and Exchange Authority

(In the following steps, some examples are shown. Please replace the example values with the appropriate details of your environment.)

1. Double-check what account the LOGbinder for Exchange service is configured to log on as.

2. Log on to the desktop using that account.

Verifying PowerShell Connectivity

3. Open PowerShell (not the Exchange Management Shell).

4. Run:

a. whoami

b. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ex1.acme.com/PowerShell/

Verifying Exchange Authority

5. After the previous steps, run the following commands (insert a valid email address in c and d):

a. $startdate = Get-Date (Get-Date).AddMinutes(-10) -Format "MM/dd/yyyy hh:mm"

b. $enddate = Get-Date -Format "MM/dd/yyyy hh:mm"

c. New-AdminAuditLogSearch -StartDate $startdate -EndDate $enddate -Name LOGbinder-test -StatusMailRecipients administrator@acme.com

d. New-MailboxAuditLogSearch -StartDate $startdate -EndDate $enddate -Name LOGbinder-test -StatusMailRecipients administrator@acme.com

6. After sufficient time has elapsed, you should see emails in the Inbox or in Deleted Items from Microsoft Exchange with subjects such as "Administrator Audit Log Search …" and "Mailbox Audit Log Search …"

Note: The Exchange server might take up to 15 minutes (or more) to generate the audit report.
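Steps 1 to 6 above as one script, added here as an example and not taken from the LOGbinder guide. It separates the two failure classes the section is testing for: a failure at New-PSSession is a WinRM/connectivity or Kerberos problem, while a rejected New-AdminAuditLogSearch or New-MailboxAuditLogSearch with a working session means the account lacks the Exchange roles from Appendix A. One step is added that the guide does not list: in plain PowerShell the audit-search cmdlets only exist after Import-PSSession brings them in from the remote session. The connection URI, recipient address and search name are the guide's placeholders; the 24-hour "HH:mm" date format is a choice made here to avoid the ambiguity of a 12-hour clock without AM/PM.

```powershell
# Added example; not part of the LOGbinder guide. Run in plain Windows PowerShell
# (not the Exchange Management Shell) while logged on as the LOGbinder service
# account. All three parameter defaults are placeholders taken from the guide.
param(
    [string]$ConnectionUri       = "http://ex1.acme.com/PowerShell/",
    [string]$StatusMailRecipient = "administrator@acme.com",
    [string]$SearchName          = "LOGbinder-test"
)

# Step 4a: the identity running this test must be the service account.
whoami

# Step 4b: open the remote Exchange session. Failure here is a connectivity or
# authentication problem (WinRM, TCP 80, Kerberos), not an Exchange role problem.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionUri -ErrorAction Stop

# Not listed in the guide: the New-*AuditLogSearch cmdlets live in the remote
# session, so import them into this shell before calling them.
Import-PSSession $Session -DisableNameChecking | Out-Null

# Step 5a/5b: a ten-minute window, formatted as strings like the guide does
# (24-hour clock chosen here to avoid 12-hour ambiguity).
$startdate = Get-Date (Get-Date).AddMinutes(-10) -Format "MM/dd/yyyy HH:mm"
$enddate   = Get-Date -Format "MM/dd/yyyy HH:mm"

# Step 5c/5d: if the account lacks the Exchange roles required for audit log
# searches, these calls are rejected; that is the "Exchange authority" check.
$results = @{}
foreach ($cmd in "New-AdminAuditLogSearch", "New-MailboxAuditLogSearch") {
    try {
        & $cmd -StartDate $startdate -EndDate $enddate -Name $SearchName `
               -StatusMailRecipients $StatusMailRecipient -ErrorAction Stop | Out-Null
        $results[$cmd] = "submitted"
    } catch {
        $results[$cmd] = "FAILED: " + $_.Exception.Message
    }
}

Remove-PSSession $Session
$results

# Step 6: the reports are mailed to $StatusMailRecipient; Exchange can take
# 15 minutes or more to generate them, so a missing mail right away is not a failure.
```

If both searches are submitted but no report mail ever arrives, the problem is on the Exchange side (the audit log search mailbox assistant or mail flow), which the LOGbinder control panel's Completed column will also show as empty.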

Additional notes

On the server where LOGbinder for Exchange is installed, what version of Windows are you running? Windows Server 2003, 2008, 2008 R2, etc.?

• Windows Management Framework 2.0 is integrated with Windows Server 2008 R2.

• If you have Windows Server 2003 or Windows Server 2008 (but not R2), have you installed the Windows Management Framework 2.0? http://technet.microsoft.com/en-us/library/dd335083.aspx

Note the requirements for Exchange 2010:

o Windows Management Framework installed

• Windows Management Framework includes Windows PowerShell V2 and Windows Remote Management (WinRM) 2.0.

o The fully qualified domain name (FQDN) of an Exchange 2010 server in your organization

o The domain this server is joined to must be trusted by the domain where the Exchange server resides.

o TCP port 80 must be open between your computer and the remote Exchange 2010 server, and the port must be allowed through Windows Firewall on the Exchange 2010 server.
