Solved

Exchange 2016/2019 onprem logging

  • 15 February 2023
  • 2 replies
  • 250 views

Hi all,

What is the best way to ship Exchange onprem logs (OWA, SMTP and MSGTRK) to Logpoint?

The documentation is not very clear on this topic.

Thank you for your help.

Kind regards,

Dennis

icon

Best answer by markus.nebel@8com.de 16 February 2023, 09:50

View original

2 replies

Userlevel 4
Badge +8

We use nxlog for this, with the followin configuration snippet:

 

<Extension w3c>
Module xm_csv
Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
Delimiter ' '
</Extension>

<Input messagetracking_in>
Module im_file
File '<PATH TO EXCHANGE LOGS>\MessageTracking\MSGTRK*.LOG'
PollInterval 1
Recursive True
SavePos True
ReadFromLast True
Exec $FileName = file_name();
Exec if ($raw_event == '') drop();
Exec if ($raw_event == ';') drop();
Exec $ModuleType = 'file_collection';
</Input>

<Input iis_in>
Module im_file
File '<PATH TO IIS LOGS>\inetpub\W3SVC1\u_ex*'
ReadFromLast True
Recursive True
PollInterval 1
SavePos True
# drop first line, which is CSV header line
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "IIS"; \
$raw_event = to_json(); \
}
</Input>
Userlevel 4
Badge +7

Equally, you should be able to just use the Logpoint Agent (and in the future AgentX) and set up a file collection for those locations, i.e. the Message Tracking log, the SMTP log and the IIS log for OWA. There is both a specific normaliser for Exchange IIS as well as the generic IIS compiled normaliser, there is a normaliser for on-premise Exchange Message Tracking logs, and there is a normaliser for the Exchange SMTP logs as well.

 

Just for completeness, unfortunately there isn’t an easy way of collecting on-premise Exchange Audit logs, i.e. who made changes to mailboxes, permissions etc. That’s trivial in Office 365, but on-premise it relies on either a custom script, a paid for module for NXlog, or another third party utility like LogBinder.

Reply