Getting Started Guide

www.lgbinder.cm Getting Started Guide Dcument versin 1 Cntents Installing LOGbinder fr Exchange... 3 Step 1 Check Sftware Requirements... 3 Sftware Requirements... 3 Exchange Auditing Requirements... 3 Step 2 Check User Accunts and Authrity... 4 If utputting t Windws Security lg... 4 Step 3 Run the Installer... 5 Transferring settings t a new server... 5 Cnfiguring LOGbinder fr Exchange... 6 Cnfigure Input... 6 Cnfigure Output... 7 Cnfigure Service... 8 Cnfigure Optins... 8 Status Bar... 9 License... 10 24-hur Delay in Mailbx Audit Lgs... 11 Mailbx Audit Plicy management... 12 Using LOGbinder Cntrl Panel t set mailbx audit plicy... 12 Enfrcing Mailbx audit plicy... 14 Mnitring LOGbinder fr Exchange... 15 During Installatin and Cnfiguratin... 15 While LOGbinder fr Exchange is Running... 16 Appendix A: Assigning Permissins... 17 Exchange Administratr Rles... 17 Lcal Security Plicy Changes... 17 Lg On as a Service... 17 Generate Security Audits (SeAuditPrivilege)... 18 Audit Plicy... 18 LOGbinder fr Exchange Versin 3 Page 1

Appendix B: LOGbinder Event List... 20 LOGbinder fr Exchange Events... 20 Diagnstic Events... 20 Appendix C: Diagnstic Events... 21 551 LOGbinder agent successful... 21 552 LOGbinder warning... 21 553 LOGbinder settings changed... 21 554 LOGbinder agent prduced unexpected results... 22 555 LOGbinder errr... 22 556 LOGbinder insufficient authrity... 23 557 License fr LOGbinder invalid... 25 Appendix D: Trubleshting... 26 Initial checks... 26 Verifying Mailbx Access... 26 Verifying PwerShell Cnnectivity and Exchange Authrity... 26 Additinal ntes... 27 LOGbinder fr Exchange Versin 3 Page 2

Installing LOGbinder fr Exchange LOGbinder fr Exchange runs as a Windws service n a server belnging t the same dmain as yur Exchange envirnment. It translates audit lg entries in Exchange, and utputs them t the LOGbinder EX event lg, the Windws Security Lg, Syslg, r Syslg in CEF. Fr mre infrmatin, please visit ur web site https://www.lgbinder.cm/prducts/lgbinderex/. There yu will find a rich set f resurces t guide yu in setting audit plicy, setting up audit lg reprting and archiving, and s frth. T pen a case with ur supprt staff, please email supprt@lgbinder.cm. Installing LOGbinder fr Exchange invlves 3 simple steps: * Step 1 Check Sftware Requirements Step 2 Check User Accunts and Authrity Step 3 Run the Installer Subsequent sectins cver: Cnfiguring LOGbinder fr Exchange 24-hur Delay in Mailbx Audit Lgs Mailbx Audit Plicy management Mnitring LOGbinder fr Exchange Step 1 Check Sftware Requirements Sftware Requirements Micrsft Windws server 2003 r later Micrsft.NET Framewrk 3.5 SP1 Micrsft Exchange 2010 SP1 r later Exchange Auditing Requirements Exchange has tw types f audit lgs: Administratr Audit Lg, and Mailbx Audit Lg. Fr LOGbinder fr Exchange t be able t prcess audit events frm these audit lgs, they need t be enabled. Please visit https://www.ultimatewindwssecurity.cm/exchange/ fr mre infrmatin n these audit lgs, as well as n hw t enable, cnfigure, manage, and use them. * If LOGbinder has been used n anther server in the same envirnment where it is nw installed, refer t the Transferring settings t a new server sectin belw, in rder t preserve a cmplete audit trail. Administratr Audit Lg is usually enabled by default. LOGbinder fr Exchange Versin 3 Page 3

Step 2 Check User Accunts and Authrity Tw user accunts are invlved with LOGbinder fr Exchange. User Accunt Descriptin Authrity Required Yur accunt The accunt yu are lgged n as when yu install and cnfigure LOGbinder fr Exchange. Member f the lcal Administratrs grup Windws UAC smetimes interferes with this setting. It is recmmended that yu use the Run as Administratr ptin when running LOGbinder. Yu may als need t yur accunt as well as the service accunt mdify permissins t the C:\PrgramData flder as described in the third bullet pint belw. Service accunt The accunt that the LOGbinder fr Exchange service will run as. This dmain accunt must be created befre installing LOGbinder fr Exchange. This accunt des nt need t be a lcal r dmain administratr; the LOGbinder fr Exchange service can run in a leastprivilege envirnment. See Appendix A: Assigning Permissins fr details n granting these permissins Exchange administratr rles: View-Only Audit Lgs View-Only Cnfiguratin View-Only Recipients Audit Lgs (Only needed if using the LOGbinder s Mailbx Audit Plicy management wizard) Privilege lg n as a service Permissin t create, read, mdify files in {Cmmn Applicatin Data}\LOGbinder EX (i.e. C:\Dcuments and Settings\All Users\Applicatin Data\LOGbinder EX r C:\PrgramData\LOGbinder EX) Please nte that the PrgramData flder is a hidden flder, and it is nt the same as the Prgram Files flder. This LOGbinder EX flder will be created after LOGbinder is installed and the LOGbinder cntrl panel is first started. If utputting t Windws Security lg Privilege "Generate Security Audit" (SeAuditPrivilege) Setting audit plicy Windws 2003: Enable Audit bject access Windws 2008 r later: Enable Audit: Frce audit plicy subcategry settings (Windws Vista r later) t verride audit plicy categry settings security ptin Enable Audit Applicatin Generated audit subcategry LOGbinder fr Exchange Versin 3 Page 4

Step 3 Run the Installer Run the installer. On the page "Specify User Accunt," enter the user accunt name, including bth dmain name and user name (i.e. dmain\username) f the service accunt (the user accunt that will run the LOGbinder fr Exchange service). The rights utlined abve must be granted t the accunt befre running the installer, r else LOGbinder fr Exchange will nt install prperly. On the page "Select Installatin Flder," it is recmmended that yu use the default setting, C:\Prgram Files\LOGbndEX. If a dialg bx "Set Service Lgin" appears, then the user accunt infrmatin entered previusly was nt valid. Cnfirm the accunt name and passwrd, and re-enter the infrmatin. Transferring settings t a new server If LOGbinder was running in yur envirnment befre, but it nw has t be installed n a different server, the fllwing steps can be fllwed t transfer the settings t the new server. * This nt nly saves setup time and reduces setup prblems, but this will ensure audit lg cllectin t be cntinued where LOGbinder left ff s as t preserve a cmplete audit trail: 1. Make sure that n bth the surce (where LOGbinder was run befre) and target (the new LOGbinder server) servers, the LOGbinder service is nt running and the LOGbinder cntrl panel is nt pen. 2. G t the {Cmmn Applicatin Data}\LOGbinder EX flder n the surce server, i.e. C:\Dcuments and Settings\ All Users\Applicatin Data\LOGbinder EX r C:\PrgramData\LOGbinder EX. Please nte that the PrgramData flder is a hidden flder, and it is nt the same as the Prgram Files flder. 3. Cpy all *.stg and *.xml files t the same flder n the target server. * LOGbinder is nt recmmended t be run n tw servers at the same time in the same envirnment. LOGbinder fr Exchange Versin 3 Page 5

Cnfiguring LOGbinder fr Exchange Open the "LOGbinder EX" link in the Windws start menu, which appears by default in the LOGbinder flder. T use LOGbinder fr Exchange, adjust the settings in the three views: Input, Output, and Service. Settings can be changed while the service is running, but changes will be applied nly when the service is restarted. If the LOGbinder fr Exchange cntrl panel is clsed befre restarting the service, the changes will be discarded. On the ther hand, if the service is already stpped, the changes are saved autmatically. Cnfigure Input LOGbinder fr Exchange uses these methds t cnnect t the Exchange server: (a) Exchange Management Shell (PwerShell), and (b) Exchange Web Services Managed API 1.2. T get started, select the menu File\New Input, where yu will need t enter three pieces f infrmatin: Pwershell URL, Exchange URL, and Recipient. Figure 1: An example Input Pwershell URL: The URL t access Exchange Management Shell cmdlets (via PwerShell). The default value is http:// + FQDN f server + /Pwershell. This shuld be a server with bth PwerShell and client access rles functining. The Autfill buttn will use the current server t fill in this value. Yu might need t changethis if yu are nt installing LOGbinder fr Exchange n an Exchange server. Exchange URL: The URL t access the Exchange web service. The default value is https:// + FQDN f server + /EWS/Exchange.asmx. If the Pwershell URL is crrect, the Autfill buttn will try t identify the crrect Exchange URL. Recipient: The mail address used fr prcessing audit lgs. This will be the mailbx assciated with the user (r administratr) in whse cntext the Exchange Management Shell runs, preferably the mailbx f the LOGbinder fr Exchange service accunt. LOGbinder fr Exchange Versin 3 Page 6

The "Last Prcessed" bx shws the date and time audit events were last retrieved frm Exchange. After installing it the first time, LOGbinder starts prcessing admin audit lgs frm the time f the installatin nward, and mailbx audit lgs with a 24-hur delay, that is 24 hurs befre the time f the installatin. * Fr further infrmatin n this 24-hur buffer perid fr mailbx audit events, please see belw sectin 24-hur Delay in Mailbx Audit Lgs. If sme f the backlg events are als t be prcessed, the start date can be set in the Last Prcessed bxes. It is recmmended that nce LOGbinder is in peratin, this date nt be changed manually, as it culd result in skipping sme audit events in Exchange, r duble-handling, resulting in events appearing twice in the event lg. If the date needs t be adjusted, check the bx next t the date, and then the date can be adjusted. After the LOGbinder fr Exchange service has been running, the Transactins list will shw a list f audit lg searches sent t the Exchange server, the start and end perid fr which lgs have been requested, and the time LOGbinder finished prcessing the audit lgs. This infrmatin is read-nly. After the Exchange server sends back the result f the audit lg search, LOGbinder fr Exchange will prcess the event lgs and frwards them t the utput(s) specified. (See next subheading.) Once the results are received and frwarded t the utput(s), the File Name and Cmpleted clumns are ppulated with the apprpriate values. Audit Lg Search Pll Interval: It might take a cnsiderable time fr the Exchange server t send back the search results. By default, Exchange checks if there are any audit lg searches every 30 minutes t 24 hurs, depending n the Exchange versin. Hwever, this frequency can be adjusted in an Exchange cnfiguratin file. Please refer t ur blg titled Changing the Exchange audit search pll interval n hw t adjust this setting. Cnfigure Output LOGbinder supprts multiple utput frmats. LOGbinder fr Exchange allws utput t g t LOGbinder EX Event Lg: a custm event lg under Applicatins and Services Lgs. Security Lg: the Windws Security lg. (Please remember t set the additinal privileges as described in sectin Step 2 Check User Accunts and Authrity when using this feature.) Syslg-CEF: a Syslg server using ArcSight s Cmmn Event Frmat. Syslg-LEEF: a Syslg server using IBM Security QRadar s Lg Event Extended Frmat. Syslg-Generic: a Syslg server using the generic Syslg frmat. Syslg-CEF (File): a Syslg file using ArcSight s Cmmn Event Frmat. Syslg-LEEF (File): a Syslg file using IBM Security QRadar s Lg Event Extended Frmat. Syslg-Generic (File): a Syslg file using the generic Syslg frmat. At least ne f these must be enabled in rder fr the LOGbinder service t start. * If this is nt the first installatin f LOGbinder n the same server, it will cntinue audit lg prcessing frm the date and time it finished its last run with the previus installatin. If LOGbinder was installed n anther server in the same envirnment befre, yu might want t refer t the sectin abve abut Transferring settings t a new server. LOGbinder fr Exchange Versin 3 Page 7

T enable an utput and adjust the settings, select it and use the menu Actin\Prperties, r duble-click n the item. T enable it, check the bx "Send utput t [name f utput frmat]." Select the "Include nise events" if yu want t include these in the event lg. A nise event is a lg entry generated frm the input (Exchange) that cntains nly misleading infrmatin. This ptin is included in case it is essential t preserve a cmplete audit trail; by default this ptin is nt selected. Fr sme utput frmats, LOGbinder fr Exchange can preserve the riginal data extracted frm Exchange, alng with details as t hw the entry was translated by LOGbinder. Check the ptin Include XML data in rder t include these Figure 2: Output prperties windw details in the event lg. Including this data will make the size f the lg grw mre quickly. If the ptin des nt appear, then it is nt supprted fr that utput frmat. Fr the utput frmat "LOGbinder EX Event Lg," the entries are placed in a custm lg named LOGbinder EX. When the lg is created by LOGbinder, by default the maximum lg size is set t 16MB, and it will verwrite events as needed. If changing these settings, balance the lg size settings with the needs f yur lg management sftware as well as the setting fr Include XML data. In this way yu will ensure that yur audit trail is cmplete. Cnfigure Service T start, stp, and restart the LOGbinder fr Exchange service, use the buttns n this panel. Yu may als use the items in the Actin menu, r the tlbar. Althugh yu can use the Services windw in the Windws Cntrl Panel t start and stp the service, it is recmmended that yu use LOGbinder's user interface t cntrl the service. Befre starting the service, LOGbinder will cnfirm that (a) at least ne Exchange server has been selected fr mnitring and (b) at least ne utput (i.e. LOGbinder EX Event Lg, Windws Security Lg) has been selected. While attempting t start the LOGbinder fr Exchange service, a prblem may be encuntered perhaps that the service accunt des nt have sufficient authrity. The details f the prblem are written t the Applicatin Event Lg. These events can als be viewed inside f the LOGbinder cntrl panel, by selecting the LOGbinder Diagnstic Events view. See the sectin Mnitring LOGbinder fr Exchange fr mre infrmatin n hw t handle issues that may arise when starting the LOGbinder fr Exchange service. Cnfigure Optins Use buttns n the panel, r the menu File\Optins, t change LOGbinder's ptins. Figure 3: Message indicating utputs nt cnfigured The Enable 24-hur delay in searching fr mailbx audit events ptin is enabled by default. Fr further infrmatin n this 24-hur buffer perid fr mailbx audit events, please see belw sectin 24-hur Delay in Mailbx Audit Lgs. The Service Accunt lists the user accunt that runs the LOGbinder fr Exchange service. This is the accunt yu specified when installing LOGbinder fr Exchange. If it is necessary t change the accunt, use the Services management tl (in Windws Administrative Tls). LOGbinder fr Exchange Versin 3 Page 8

Figure 4: Optins windw If the bx D nt write infrmatinal messages t the Applicatin lg is checked, then event 551 LOGbinder agent successful (See Appendix C: Diagnstic Events) will nt be written t the Applicatin lg. The Lgging ptins can be utilized fr diagnstic purpses if experiencing prblems with LOGbinder. By default, the Lgging Level is set t Nne. If necessary, the Lgging Level can be set t Level 1 r Level 2. Level 1 generates standard level f detail f lgging. Level 2 will generate mre detailed lgging. Level 2 shuld be selected nly if specifically requested by LOGbinder supprt; therwise perfrmance will be adversely affected. Bth Level 1 and Level 2 lgging ptins will generate lg files named Cntrl Panel.lg, Service.lg, Service Cntrller.lg and Service Prcessr.lg in the Lg lcatin flder. The Alternate Output Data Flder specifies the data flder used fr the utput data. This is the flder where LOGbinder stres utput that are written in files, such as the Syslg-Generic (File), as well as the abve mentined diagnstic files. The flder path can be set using drive letter r UNC, if it is a netwrk lcatin. The default flder is {Cmmn Applicatin Data}\LOGbinder EX (i.e. C:\PrgramData\LOGbinder EX). Please nte that the Alternate Output Data Flder needs the same permissins as the Cmmn Applicatin Data flder as specified abve in sectin Step 2 Check User Accunts and Authrity. Status Bar The status bar will shw infrmatin abut the peratin f LOGbinder. Displays the status f the service. The image shwn indicates the service is stpped. The service may als be running, r in an 'unknwn' state. Shws the status f the license fr LOGbinder. If LOGbinder is nt fully licensed, a message will appear in the status bar. Indicates that settings have been changed. In rder t apply the changes, the LOGbinder fr Exchange service must be restarted. If the LOGbinder fr Exchange service is running and the LOGbinder fr Exchange cntrl panel is clsed, the changes will be discarded. LOGbinder fr Exchange Versin 3 Page 9

License Use the menu File\License t view infrmatin abut yur license fr LOGbinder. * If yu have purchased LOGbinder fr Exchange and need t btain a license, fllw these steps: Fr Unit/Server Cunt, enter the number f active mailbxes in yur Exchange system. (The minimum number f mailbxes requiring licensing will be filled ut autmatically by LOGbinder.) Press the Cpy buttn, and paste the cntents int an email addressed t licensing@lgbinder.cm. When the license key is received, cpy it t the clipbard and press the Paste buttn. If yu are prperly licensed, the license windw will redisplay and shw that yu are prperly licensed. If there is a prblem, respnd immediately t licensing@lgbinder.cm. Figure 5: License windw * The License menu might be disabled fr a few minutes while cllecting infrmatin needed fr licensing. LOGbinder fr Exchange Versin 3 Page 10

24-hur Delay in Mailbx Audit Lgs Accrding t a recent discvery, the PwerShell cmdlets used fr retrieving mailbx audit lgs have a flaw that prduces incnsistent audit results if used t retrieve audit lgs in less than 24 hurs. We infrmed Micrsft f ur findings and they cnfirmed the bug after their wn investigatin. They als tld us they had n timeline t fix the bug and suggested that users simply request audit lgs sme twenty-fur hurs after the event tk place. We will cntinue t wrk with Micrsft n this issue and hpe they d reslve it. In the meantime, the nly way we can guarantee audit trail integrity is if we fllw Micrsft s recmmendatin and dn t ask fr mailbx audit lgs fr the past 24-hur perid. Therefre LOGbinder will nt prcess events until 24 hurs after the Last Prcessed value fr mailbx auditing in the input settings (see Cnfigure Input). If yu d nt want t have this 24-hur delay, yu can turn it ff in the ptins (see Cnfigure Optins), but we strngly advise against it. T see hw we feel abut this issue, what we are ding t mitigate the impact f this bug and what yu can d, please fllw ur latest cmmunicatins n this at https://www.lgbinder.cm/supprt/exchangemailbxauditbug LOGbinder fr Exchange Versin 3 Page 11

Mailbx Audit Plicy management An administratr can specify a mailbx audit plicy, select grups and/r rganizatin units, and then the LOGbinder service will set mailbx audit plicy fr the mailbxes in thse grups and rganizatinal units. The LOGbinder service will regularly enfrce this plicy, in case new mailbxes were added t the grups and rganizatinal units r if the plicy had been changed fr a mailbx. Using LOGbinder Cntrl Panel t set mailbx audit plicy T set mailbx audit plicy, pen the Input prperties windw, and click n the link Mailbx Audit Plicy. (The same link is available in the Optins windw.) NOTE: If the link in Optins is disabled, it is because yu have nt yet created an Input pinting t an Exchange installatin. After creating an Input yu can set mailbx audit plicy. The first windw (see Figure 6) gives an verview f the existing mailbx audit plicy that has been set in LOGbinder. This will be empty if this is yur first time setting audit plicy. In the next windws, yu can (1) select Exchange grups that the plicy shuld apply t, (2) select rganizatinal units that the plicy shuld apply t, and (3) specify the audit plicy. Figure 6: Overview - Mailbx Audit Plicy Pressing Next will present the Add/Remve Grups windw. (See Figure 7.) Yu must first filter grups. Enter at least the first three characters f the grups names then press the Filter buttn. The list f grups that match will shw in the list. Select ne r mre grups and press the Add t Selected buttn. The Selected Grups list will cntain the grups t which the plicy will be applied. Yu may repeat the filtering as many times as needed. If yu press the Filter buttn with n text in the Filter Grups bx, then all grups will be listed. This is nt recmmended if yu have a large number f grups. LOGbinder fr Exchange Versin 3 Page 12

Figure 7: Add/Remve Grups - Mailbx Audit Plicy Press Next t specify rganizatinal units. (See Figure 8.) The list f all rganizatinal units will be shwn in the list. If yu wish t apply t plicy t rganizatinal units, select ne r mre items and press the Add t Selected buttn. Figure 8: Add/Remve Organizatinal Units - Mailbx Audit Plicy Press Next t set the audit plicy. (See Figure 9.) Select the actins under the apprpriate clumns: Administratr, Delegate, and Owner. If yu select Nne, all the ther bxes will be unchecked and that type f mailbx access will nt be audited. Click the link Set default audit plicy t use Micrsft s default mailbx audit plicy. Yu can cntinue t adjust the plicy t suit the needs f yur rganizatin. LOGbinder fr Exchange Versin 3 Page 13

A recmmendatin frm LOGbinder: D nt audit Owner access, leave it set t Nne. Auditing what a user des in his wn mailbx will create a huge number f audit events, events that have very little value, and will chke yur Exchange installatin as well as the LOGbinder service. Figure 9: Set Plicy - Mailbx Audit Plicy Press Next t see a cnfirmatin windw f yur mailbx audit plicy settings. Yu may use the Back buttn t review and adjust yur selectins. When yu press Finish, LOGbinder will save the adjustments t yur mailbx audit plicy. Enfrcing Mailbx audit plicy Every night, the LOGbinder service will enfrce yur mailbx audit plicy. It will find the mailbxes that are cntained in the grups and/r rganizatinal units. If the mailbx s audit plicy des nt match, LOGbinder will change its plicy. LOGbinder will reprt n the number f mailbxes that have been adjusted. Please nte that yu must set the Audit Lg management rle t use this feature See Check User Accunts and Authrity table n page 4. NOTE: Fr perfrmance cnsideratins, it is recmmended that yu use as few grups and/r rganizatinal units as pssible. The greater the number f grups and rganizatinal units, the lnger it will take t inspect audit plicy. LOGbinder fr Exchange Versin 3 Page 14

Mnitring LOGbinder fr Exchange When installing, cnfiguring, and running LOGbinder fr Exchange, the sftware writes diagnstic events t the Windws Applicatin Event Lg. Mst f these will be frm the surce "LOGbndSE" and the categry "LOGbinder." Yu may use the Windws Event Viewer t examine these events. Als, the LOGbinder cntrl panel includes a set f views that lists these events, chse LOGbinder Diagnstic Events, r drill dwn t ne f the nested views. Figure 10: LOGbinder Diagnstic Events view During Installatin and Cnfiguratin During installatin and cnfiguratin, yu will find these entries: After installatin, there may be an entry frm the surce MsiInstaller: "Prduct: LOGbinder EX -- Installatin cmpleted successfully." When the cnfiguratin f LOGbinder fr Exchange changes, yu will see ne r mre entries entitled "LOGbinder settings changed." See Appendix C: Diagnstic Events: 553 LOGbinder settings changed fr infrmatin abut these events. When the service starts, there may be an entry frm the surce LOGbinder EX: "Service started successfully." (Entries are als written when the service is stpped.) Yu can mnitr these events t ensure that LOGbinder fr Exchange cntinues t be cnfigured prperly, and that unauthrized changes d nt ccur. After cnfiguring LOGbinder fr Exchange and starting the service, it autmatically perfrms a check t ensure that LOGbinder's settings are valid and that the accunt running the Windws service has sufficient authrity. If there is a prblem, the LOGbinder fr Exchange service will nt start and a message will be presented t the user. In mst cases, the details f the prblem are written t the Applicatin lg. Cmmn prblems include: Input/utput nt cnfigured prperly. See the previus sectin Cnfiguring LOGbinder fr Exchange fr mre infrmatin. Insufficient authrity. If the service accunt des nt have adequate authrity, then the service will nt run. An entry is written t the Applicatin lg. See Appendix C: Diagnstic Events 556 LOGbinder insufficient authrity fr mre details. Sme f the cmmn missing permissins include: Accunt des nt have authrity t lg n as a Windws service Accunt des nt have necessary permissins in Exchange. The accunt des nt have authrity t write t the Security event lg. (If this utput destinatin has nt been selected, then it is nt necessary t grant this permissin.) LOGbinder fr Exchange Versin 3 Page 15

License invalid. If the license is nt valid r has expired, then the LOGbinder fr Exchange service will nt run. An entry may be written t the Applicatin lg. See Appendix C: Diagnstic Events: 557 License fr LOGbinder invalid fr details. Other errrs will be fund in entries entitled "LOGbinder errr." See Appendix C: Diagnstic Events: 555 LOGbinder errr fr mre infrmatin. If any f these errrs are encuntered, the LOGbinder fr Exchange service will nt run. While LOGbinder fr Exchange is Running While LOGbinder fr Exchange is running, yu will see infrmatin entries in the Applicatin lg as fllws: Entries 'exprted' frm Exchange. Fr each Exchange server being mnitred, this message indicates the number f audit entries that LOGbinder fr Exchange has prcessed. Entries 'imprted' int the Windws event lg. This indicates that the audit entries have been placed in the enabled utput frmats. There will be ne message event if multiple utput frmats have been selected (i.e. yu have selected bth Windws Security Lg and Windws Event Lg as utput frmats). The 'exprt'/'imprt' entries are cmplementary: there shuld be a crrespnding 'imprt' entry fr each 'exprt.' These lg entries are infrmatinal in nature. Generally n actin is required. If mre entries are being prcessed than what appear in the event lgs r in yur lg management slutin, it culd be that the lg size is t small and entries are being verwritten. See Appendix C: Diagnstic Events 551 LOGbinder agent successful fr mre infrmatin n these events. If LOGbinder fr Exchange has an errr, an entry will be created in the Applicatin lg. If permissins are remved, r if the license expires, yu may receive a "556 LOGbinder insufficient authrity" r "557 License fr LOGbinder invalid" errr, which are explained abve. Other errrs will be entitled "555 LOGbinder errr." If yu cannt reslve the prblem, please submit the issue t the LOGbinder supprt team. LOGbinder fr Exchange Versin 3 Page 16

Appendix A: Assigning Permissins Exchange Administratr Rles 1. Add a new administratr rle grup, cntaining the fllwing rles: View-Only Audit Lgs View-Only Cnfiguratin View-Only Recipients Audit Lgs (Only needed if using the LOGbinder Mailbx Audit Plicy Management wizard See page 10) 2. Make the LOGbinder service accunt a member f this rle grup. The abve tw steps can be achieved, fr example, thrugh the Exchange Admin Center (https://<hstname>/ecp) interface, r using an Exchange Management Shell cmdlet, such as New-RleGrup "LOGbinderEX" -Rles "View-Only Audit Lgs", "View-Only Cnfiguratin", "View-Only Recipients", Audit Lgs -Members "lbex_svc" where lbex_svc is t be replaced by the name f the LOGbinder fr Exchange service accunt. Lcal Security Plicy Changes The fllwing chart summarizes the changes t be made in the Lcal Security Plicy. Detailed explanatins are fund after the chart. Lcal Security Plicy (secpl.msc) settings summary Security Settings Lcal Plicies Advanced Audit Plicy Cnfiguratin User Rights Assignment Audit Plicy Security Optins Object Access Lg n as a service Generate security audits Audit bject access Audit: Frce audit plicy subcategry settings (Windws Vista r later) t verride audit plicy categry settings Audit Applicatin Generated Windws Server 2003 add service accunt add service accunt set Success N/A N/A Windws Server 2008/2012 add service accunt add service accunt N/A set Enabled set Success This always needs t be set These need t be set if utputting t Windws Security lg Lg On as a Service Open the "Lcal Security Plicy" (secpl.msc) Micrsft Management Cnsle (MMC) snap-in. LOGbinder fr Exchange Versin 3 Page 17

Select Security Settings\Lcal Plicies\User Rights Assignment Open "Lg n as a service" and add user NOTE: Yu can als cnfigure this via a grup plicy bject in Active Directry. If yu try t mdify this setting in Lcal Security Plicy and the dialg is read-nly, it means it is already being cnfigured via Grup Plicy and yu'll need t cnfigure it frm there. Generate Security Audits (SeAuditPrivilege) Audit Plicy Open the "Lcal Security Plicy" (secpl.msc) Micrsft Management Cnsle (MMC) snap-in. Select Security Settings\Lcal Plicies\User Rights Assignment Open "Generate security audits" and add user NOTE: Yu can als cnfigure this via a grup plicy bject in Active Directry. If yu try t mdify this setting in Lcal Security Plicy and the dialg is read-nly, it means it is already being cnfigured via Grup Plicy and yu'll need t cnfigure it frm there. Windws Server 2003 Open the "Lcal Security Plicy" (secpl.msc) Micrsft Management Cnsle (MMC) snap-in. Select Security Settings\Lcal Plicies\Audit Plicy Edit "Audit bject access," ensuring that "Success" is enabled. (LOGbinder fr Exchange des nt require that the "Failure" ptin be enabled.) NOTE: Yu can als cnfigure this via a grup plicy bject in Active Directry. If yu try t mdify this setting in Lcal Security Plicy and the dialg is read-nly, it means it is already being cnfigured via Grup Plicy and yu'll need t cnfigure it frm there. Windws Server 2008/2012 Audit plicy can be cnfigured with the riginal tp level categries as described abve fr Windws 2003 but mst envirnments have migrated t the new mre granular audit sub-categries available in Windws 2008 aka (Advanced Audit Plicy). Using Advanced Audit Plicy Cnfiguratin allws fr mre granular cntrl f the number and types f events that are audited n the server. (NOTE: The steps described here are fr Windws Server 2008 R2; see TechNet fr infrmatin n earlier releases.) First, ensure that basic and advanced audit plicy settings are nt used at the same time: Micrsft gives this warning: Using bth the basic audit plicy settings under Lcal Plicies\Audit Plicy and the advanced settings under Advanced Audit Plicy Cnfiguratin can cause unexpected results. Therefre, the tw sets f audit plicy settings shuld nt be cmbined. If yu use Advanced Audit Plicy Cnfiguratin settings, yu shuld enable the Audit: Frce audit plicy subcategry settings (Windws Vista r later) t verride audit plicy categry settings plicy setting under Lcal Plicies\Security Optins. This will prevent cnflicts between similar settings by frcing basic security auditing t be ignred. (http://technet.micrsft.cm/enus/library/dd692792(ws.10).aspx) Select Security Settings\Lcal Plicies\Security Optins Open and enable Audit: Frce audit plicy subcategry settings (Windws Vista r later) t verride audit plicy categry settings T enable LOGbinder events t be sent t the security lg: Select Security Settings\Advanced Audit Plicy Cnfiguratin\Object Access LOGbinder fr Exchange Versin 3 Page 18

Edit Audit Applicatin Generated, ensuring that Success is enabled. (LOGbinder fr Exchange des nt require that the Failure ptin be enabled.) NOTE: Yu can als cnfigure this via a grup plicy bject in Active Directry. LOGbinder fr Exchange Versin 3 Page 19

Appendix B: LOGbinder Event List LOGbinder fr Exchange Events https://www.lgbinder.cm/prducts/lgbinderex/resurces/eventlist.aspx Diagnstic Events 551 LOGbinder agent successful 552 LOGbinder warning 553 LOGbinder settings changed 554 LOGbinder agent prduced unexpected results 555 LOGbinder errr 556 LOGbinder insufficient authrity 557 License fr LOGbinder invalid LOGbinder fr Exchange Versin 3 Page 20

Appendix C: Diagnstic Events 551 LOGbinder agent successful This event ccurs when LOGbinder fr Exchange successfully translates lg entries. Usually appearing in pairs, as ne indicates that lg entries have been 'exprted' frm their surce (fr example, Exchange), and the ther that entries have been 'imprted' t their destinatin (fr example, the Windws event lg). This event is infrmatinal in nature. This event is written t the Windws Applicatin lg. Example A Example B Example C LOGbinder EX exprted 3 entries frm Exchange site http://mysite LOGbinder EX imprted 3 entries t Security event lg LOGbinder EX imprted 3 entries t LOGbinder EX event lg 552 LOGbinder warning This event ccurs when LOGbinder fr Exchange des nt find infrmatin as expected. In mst cases, it des nt indicate a serius prblem, but is prvided s as t cmplete the audit trail. This event is written t Windws applicatin lg. Fr example, as LOGbinder fr Exchange translates entries, it perfrms varius lkups t prvide cmplete infrmatin. If the related item was deleted, a "LOGbinder warning" is generated. Example A Example B LOGbinder warning Lkup failed. Culd nt find Scpe Item with ID f 89de71fe-1442-48ff- 9a6e-052bddda3440. LOGbinder warning Lkup failed. Culd nt find User with ID f 19. 553 LOGbinder settings changed This event ccurs when the LOGbinder settings are changed. This event is written t Windws Applicatin lg. Fr LOGbinder fr Exchange, this includes which Exchange servers are mnitred, which audit event types are handled, and the date and time LOGbinder last translated lg entries. In additin, the settings fr utput frmats are included. LOGbinder fr Exchange Versin 3 Page 21

Example A Example B LOGbinder settings changed Output t Security lg enabled. Nise events included. LOGbinder settings changed Input has been enabled. 554 LOGbinder agent prduced unexpected results This event ccurs when LOGbinder fr Exchange encunters smething unexpected when translating a lg entry. At times it may be frm a custm lg entry. This event is written t Windws Applicatin lg. Yu can help us imprve LOGbinder by reprting these events t the LOGbinder supprt team s that the LOGbinder prduct may be imprved. Private data will nt be shared. Example In this example, the develper used an existing event type, "Wrkflw," but included nn-standard event data. LOGbinder agent prduced unexpected results As the LOGbinder agent translated this entry, it encuntered data is culd nt handle prperly. It culd have been caused by a custm r undcumented feature. S that LOGbinder can handle these entries in the future, it is suggested that yu submit the entry t the LOGbinder supprt team. <LgEntry sitename="http://shpnt" itemtype="list Item" username="rbert Slmn" lcatintype="url" ccurred="2009-06-29t21:49:11" eventtype="wrkflw"><rawdata siteid="3b7fb82c-f30d-4604-99c0- df8325e9cff4" itemid="c04f5388-bf24-4007-b463-1dd1b3c19a02" itemtype="listitem" userid="1" dcumentlcatin="cache Prfiles/1_.000" lcatintype="url" ccurred="633819089510000000" event="wrkflw" eventsurce="objectmdel"><eventdata>http://shpnt/dclib/cpiedfile.e xt</eventdata></rawdata><details /></LgEntry> 555 LOGbinder errr This event ccurs when the LOGbinder service encunters a prblem that needs attentin. This event is written t Windws Applicatin lg. In mst cases this gives enugh infrmatin fr yu t address the prblem successfully. Otherwise, please cntact LOGbinder supprt fr assistance. Example A In this example, the errr indicates that the LOGbinder fr Exchange service cannt run because the Exchange web service has nt been cnfigured prperly. LOGbinder errr Cannt start LOGbinder EX service, Exchange web service nt cnfigured. LOGbinder fr Exchange Versin 3 Page 22

Example B In this example, a prgram assembly used by LOGbinder fr Exchange des nt exist, indicating that the LOGbinder sftware is n lnger installed prperly. Example C LOGbinder errr Exprter assembly des nt exist: C:\Prgram Files\LOGbndEX\MTG.LOGbinder.Exchange.dll In this example, a certificate errr is indicated. The Exchange URL set fr the inputs shuld pen in Internet Explrer withut any certificate errr. Certificate errrs ften ccur when using a self-signed certificate. Culd nt retrieve mail messages frm Exchange mailbx. Details: The request failed. The underlying cnnectin was clsed: Culd nt establish trust relatinship fr the SSL/TLS secure channel.; The underlying cnnectin was clsed: Culd nt establish trust relatinship fr the SSL/TLS secure channel.; The remte certificate is invalid accrding t the validatin prcedure. Actin: Add the self-signed certificate t the trusted rt stre. 556 LOGbinder insufficient authrity This event ccurs when the LOGbinder fr Exchange service cannt run because f invalid r inadequate permissins. The event will include the mdule lacking the permissin, the name r descriptin f the permissin, as well as relevant details. Each example belw als includes the actin needed in rder t crrect it. Example A: N permissin t write t security lg LOGbinder insufficient authrity The LOGbinder agent cannt perate nrmally because it lacks sufficient authrity. Surce: Security Lg Privilege: SeAuditPrivilege Details: The LOGbinder agent des nt have the necessary rights t cnfigure the security lg Actin: The service accunt needs the "Generate security audits" privilege (https://www.ultimatewindwssecurity.cm/wiki/windwssecuritysettings/generate-security-audits), r d nt enable LOGbinder t utput t the Windws Security lg. Example B: Attempt t write t security lg frm invalid lcatin One measure t prtect the security lg is t write security events nly frm authrized lcatins. When LOGbinder is cnfigured, it registers its prgram lcatin with the security lg. If this errr ccurs, then LOGbinder had been reinstalled t a different lcatin, and the previus lcatin was nt remved prperly. LOGbinder fr Exchange Versin 3 Page 23

LOGbinder insufficient authrity The LOGbinder agent cannt perate nrmally because it lacks sufficient authrity. Surce: Security Lg Privilege: Invalid Lcatin Details: Cannt write t because the prgram lcatin des nt match what has been previusly cnfigured Actin: Recmmended t delete the registry key manually. First ensure that LOGbinder is nt pen. Then delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentCntrlSet\Services\Eventlg\Security\LOGbndES. Be careful nt t delete ther parts f the registry, as it can cause the server t be unstable. When yu repen the LOGbinder cntrl panel, it will recnfigure its ability t write t the security lg. Example C: Internal errr LOGbinder insufficient authrity The LOGbinder agent cannt perate nrmally because it lacks sufficient authrity. Surce: Security Lg Privilege: Internal Errr Details: The security accunt database cntains an internal incnsistency Actin: One factr that can cause an internal errr is if the LOGbinder prgram path is t lng. By default, LOGbinder is installed t C:\Prgram Files\LOGbndEX. It is recmmended that the default be used. If the sftware has been installed t a different lcatin with a lnger prgram path, t crrect this errr it will be necessary t reinstall LOGbinder. Example D: Lg n as service LOGbinder insufficient authrity The LOGbinder agent cannt perate nrmally because it lacks sufficient authrity. Surce: LOGbinder service Privilege: Lg n as service Details: Accunt running LOGbinder agent des nt have user right "Lgn as a service" Actin: The service accunt needs t be assigned the "Lgn as a service" user right. (https://www.ultimatewindwssecurity.cm/wiki/windwssecuritysettings/lg-n-as-a-service) Example E: Cannt start LOGbinder cntrl panel LOGbinder insufficient authrity The LOGbinder agent cannt perate nrmally because it lacks sufficient authrity. Surce: LOGbinder Manager Privilege: File Permissins Details: Accunt running LOGbinder Cntrl Panel needs t be a member f the lcal Administratrs grup Actin: Ensure that the user accunt used t run the LOGbinder fr Exchange cntrl panel has lcal administratr access. LOGbinder fr Exchange Versin 3 Page 24

557 License fr LOGbinder invalid Occurs when the license fr LOGbinder is nt valid and an attempt is made t start the service. This event is written t the Applicatin lg. If the license is nt valid, the LOGbinder fr Exchange cntrl panel cntinues t perate as nrmal. Hwever, the LOGbinder service will nt start if the license is invalid. Fllw the instructins in the cntrl panel, in the menu File\License, in rder t btain a license t the sftware. Example License fr LOGbinder invalid The license fr LOGbinder has expired r is invalid. Details: Trial perid has expired. LOGbinder fr Exchange Versin 3 Page 25

Appendix D: Trubleshting Initial checks Check the Inputs in LOGbinder fr Exchange cntrl panel: 1. If there are entries under Transactin, then the Pwershell URL is set gd. 2. If the Cmpleted clumn is filled, then the Exchange URL and Recipient are set gd. Verifying Mailbx Access (In the fllwing steps, sme examples are shwn. Please replace the bld parts with the apprpriate details f yur envirnment.) 1. Open Internet Explrer and lgn as the LOGbinder service accunt, t the mailbx via Outlk Web Access using the server name specified in LOGbinder fr Exchange cntrl panel, such as https://ex1.acme.cm/wa Yu shuld see emails in the Inbx r in Deleted Items frm Micrsft Exchange with subjects, such as Administratr Audit Lg Search and Mailbx Audit Lg Search 2. In Internet Explrer g t the Exchange URL f yur Input setting, such as https://ex1.acme.cm/ews/exchange.asmx Yu shuld get the WSDL xml fr Exchange, smething like this: If it desn t wrk, yu culd try t identify the crrect URL by executing the fllwing PwerShell cmmand frm the Exchange Management Shell n the Exchange server: Get-WebServicesVirtualDirectry fl *url Verifying PwerShell Cnnectivity and Exchange Authrity (In the fllwing steps, sme examples are shwn. Please replace the bld parts with the apprpriate details f yur envirnment.) 1. Duble-check what accunt LOGbinder fr Exchange service is cnfigured t Lgn as. 2. Lgn t the desktp using that accunt. Verifying PwerShell Cnnectivity 3. Open PwerShell Nt the Exchange Management Shell 4. Run: a. whami b. $Sessin = New-PSSessin -CnfiguratinName Micrsft.Exchange - CnnectinUri http://ex1.acme.cm/pwershell/ c. Imprt-PSSessin $Sessin LOGbinder fr Exchange Versin 3 Page 26

Verifying Exchange Authrity 5. After the previus steps, run the fllwing cmmands (insert a valid email address in c and d): a. $startdate = Get-Date (Get-Date).AddMinutes(-10) -Frmat "MM/dd/yyyy hh:mm" b. $enddate = Get-Date -Frmat "MM/dd/yyyy hh:mm" c. New-AdminAuditLgSearch -StartDate $startdate -EndDate $enddate -Name LOGbinder-test -StatusMailRecipients administratr@acme.cm d. New-MailbxAuditLgSearch -StartDate $startdate -EndDate $enddate -Name LOGbinder-test -StatusMailRecipients administratr@acme.cm 6. After sufficient time elapsed, yu shuld see emails in the Inbx r in Deleted Items frm Micrsft Exchange with subjects, such as Administratr Audit Lg Search and Mailbx Audit Lg Search Nte: Exchange server might take up t 15 minutes (r mre) t generate the audit reprt. Additinal ntes On the server where LOGbinder fr Exchange is installed, what versin f Windws are yu running? Windws Server 2003, 2008, 2008 R2, etc.? Windws Management Framewrk 2.0 is integrated with Windws Server 2008 R2. If yu have Windws Server 2003 r Windws Server 2008 (but nt R2), have yu installed the Windws Management Framewrk 2.0? http://technet.micrsft.cm/en-us/library/dd335083.aspx Nte the requirements fr Exchange 2010: Windws Management Framewrk installed Windws Management Framewrk includes Windws PwerShell V2 and Windws Remte Management (WinRM) 2.0. The fully qualified dmain name (FQDN) f an Exchange 2010 server in yur rganizatin The dmain this server is jined t must be trusted by the dmain where the Exchange server resides. TCP prt 80 must be pen between yur cmputer and the remte Exchange 2010 server, and the prt must be allwed thrugh Windws Firewall n the Exchange 2010 server. A user that's enabled fr remte Shell LOGbinder fr Exchange Versin 3 Page 27