Configuration Guide Microsoft Exchange Server Last Modified: Tuesday, March 11, 2014 Event Source (Device) Product Information Vendor Microsoft Event Source (Device) Exchange Server Supported Versions 2003, 2007 (Windows Server 2003 and 2008), 2010, and 2013 Note: To support Exchange Auditing logs in Microsoft Exchange 2007 SP2 or later, you need to install the EBF: ENV-36943. For details, contact RSA envision Customer Support. Additional Downloads sftpagent.conf.msexchange, sftpagent.conf.msexchange2k7, sftpagent.conf.msexchange2010, sftpagent.conf.msexchange2013, sftpagent.conf.msexchangesmtp LOGbinder EX (for Exchange Server 2010 and 2013) RSA Product Information Supported Version RSA envision 4.0 and 4.1 Event Source (Device) Type msexchange, 64 Collection Method File reader and Windows event logs Event Source (Device) Class.Subclass Host.Mail Servers Content 2.0 Table Messaging This document contains the following information for the Microsoft Exchange Server event source: Configuration Instructions Release Notes 20140311-145050 Release Notes 20140213-121344 Release Notes 20131211-220046 Release Notes 20130731-180221 Release Notes 20130625-110128 Release Notes 20130501-153011 Release Notes 20130326-113451 Release Notes 20130228-133928 Release Notes 20121227-120737 Release Notes 20121024-162733 Release Notes 20120927-104626 Microsoft Exchange Server Configuration Instructions Copyright 2012 EMC Corporation. All Rights Reserved.
Important: If you use agentless Windows collection, you must first configure and discover Microsoft Exchange Server with the NIC File Reader Service and mark it as multi-device. If you have already discovered agentless Windows collection, you must set agentless Windows collection to multi-device, manually add the Microsoft Exchange Server event source, and restart the NIC Collector Service. RSA envision collects two sets of messages from Microsoft Exchange Server: one from the message tracking log file and one from the Windows application event log file. Therefore, you must set up two NIC services and select options in Microsoft Exchange Server. Note: The Intelligent Message Filter feature in the message tracking log file is not supported. Depending on your version of Microsoft Exchange Server, do one of the following: Configure Collection from Microsoft Exchange Server 2003 (Optional) Set Up Agentless Collection in Microsoft Exchange Server 2003 Configure Collection from Microsoft Exchange Server 2007 Configure SMTP Protocol logging on Microsoft Exchange Server 2007, 2010 and 2013 Configure File Reader for Microsoft Exchange Server 2007 Service Pack 2 and Later Configure Windows Collection from Microsoft Exchange Server 2007 Service Pack 2 and later Configure Microsoft Exchange Server 2010 and 2013 for Administrator Audit and Mailbox Audit Set Up Agentless Collection on Exchange server 2007 SP2 and later on Windows Server 2008 2 Microsoft Exchange Server
Configure Collection from Microsoft Exchange Server 2003 To configure Microsoft Exchange Server 2003: 1. To set up the NIC File Reader Service in envision, follow these steps: a. Add Microsoft Exchange Server to the NIC File Reader Service, and restart the service. For detailed instructions see the envision Help topic "Set Up File Reader Service." b. Install the NIC SFTP Agent on the host that is sending logs to envision. For instructions on installing the NIC SFTP Agent, see RSA envision NIC SFTP Agent Configuration, which is available on SecurCare Online. c. From the Window Services dialog box, start the NIC FTP Agent Service. Note: The SFTP sample file is available on RSA SecurCare Online (SCOL) and on the RSA envision appliance. For details, see RSA envision NIC SFTP Agent Configuration. 2. In envision, set up the NIC Windows Service. For detailed instructions, see the envision Help topic "Set Up Windows Service." 3. To set up Windows Application event logging and collect Windows Application event log messages in Microsoft Exchange Server 2003, follow these steps: a. Open the Exchange System Manager. b. Click Administrative Group or Organization > Servers. c. Right-click the name of the server, and select Properties. d. On the Diagnostics Logging tab, enable logging at the levels shown in the following table. Note: Hardware platforms and server loads influence how much degradation your system will experience if you enable logging. Service Category Logging Level Connections IMAPSvc4 POPSvc4 Authentication Connections Authentication MSExchangeDSAccess MSExchangeIS - System Connections MSExchange - Public Folders Logons Configure Collection from Microsoft Exchange Server 2003 3
Service Category Logging Level MSExchangeIS - Mailbox Access Control Logons MSExchangeSA Access Control Mailbox Management e. Click OK. 4. To collect message tracking log messages, follow these steps: a. Open the Exchange System Manager. b. Click Administrative Group or Organization > Servers. c. In the Servers window, right-click the name of the server, and select Properties. d. Click the tab. e. Select Enable subject logging and display and Enable message tracking. f. Click OK. 4 Configure Collection from Microsoft Exchange Server 2003
Set Up Agentless Collection on Microsoft Windows Server 2003 Use the legacy Windows Agentless collector to collect the audit logs for Microsoft Exchange Server running on Windows Server 2003. To add the legacy Agentless Windows Collector service: 1. Log onto envision and navigate to Services > Device Services > Windows Services > Manage Windows Services. 2. Under Filtered Windows Services, click Add. 3. Set the following parameters: For the IP Address of Service, enter the IP Address of the Windows server for your Exchange Server. Unselect Security and System, leaving only Application selected. 4. Click Apply. 5. Enter the log on credentials for the Exchange Server system. Set Up Agentless Collection on Microsoft Windows Server 2003 5
Configure Collection from Microsoft Exchange Server 2007 To configure Microsoft Exchange Server 2007: 1. To set up the NIC File Reader Service in envision, follow these steps: a. Add Microsoft Exchange Server to the NIC File Reader Service, and restart the service. For detailed instructions see the envision Help topic "Set Up File Reader Service." b. Install the NIC SFTP Agent on the host that is sending logs to envision. For instructions on installing the NIC SFTP Agent, see RSA envision NIC SFTP Agent Configuration, which is available on SecurCare Online. c. From the Window Services dialog box, start the NIC FTP Agent Service. Note: The SFTP sample file is available on RSA SecurCare Online (SCOL) and on the RSA envision appliance. For details, see RSA envision NIC SFTP Agent Configuration. 2. In envision, set up the NIC Windows Service. For detailed instructions, see the envision Help. 3. To collect Windows event log messages, using the Exchange Management Shell, configure the logging services at the levels shown in the following table. Service Category Logging Level MSExchange ADAccess\ Expert MSExchangeIS\9002 System\ Connections Expert Expert Logons Expert MSExchangeIS\9001 Public\ MSExchangeIS\9000 Private\ Expert Access Control Expert Logons Expert Expert Access Control Expert For more information, see the following articles on Microsoft TechNet: Diagnostic Logging of Exchange Processes Processes with Configurable Event Logging Levels Change Logging Levels for Exchange Processes 4. To confirm that message tracking logging is enabled, follow these steps: a. Open the Exchange Management Console. b. From the Server Configuration section, right-click the name of the server, and select Properties. c. Click the Log Settings tab. 6 Configure Collection from Microsoft Exchange Server 2007
d. Ensure that Enable message tracking logging is selected. e. Click OK. Configure Collection from Microsoft Exchange Server 2007 7
Configure SMTP Protocol logging on Microsoft Exchange Server 2007, 2010 and 2013 To configure SMTP Protocol Logging on Microsoft Exchange Server 2007 and 2010: 1. To enable protocol logging on a Receiver Connector from Exchange Management Console (EMC): a. Expand the Server Configuration Hub Transport node. b. Select the Hub Transport server you want to configure, then select the Receive Connector > Properties tab. c. On the tab, change the Protocol Logging Level to Verbose. 2. To enable protocol logging on a Send Connector from Exchange Management Console (EMC): a. Expand the Organization Configuration Hub Transport node. b. On the Send Connectors tab, select the Send Connector > Properties tab. c. On the tab, change the Protocol Logging Level to Verbose. Note: The default location of the SMTP protocol logs: Receive Connector logs are located in: Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive Exchange 2007: \Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive Send Connector logs are located in: Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend Exchange 2007: \Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend This location is used during Configuration of File Reader Collection of Exchange Server 2007 and 2010. Please refer to the additional download sftpagent.conf.msexchangesmtp. To configure SMTP Protocol Logging on Microsoft Exchange Server 2013: 1. To enable protocol logging on a Receiver Connector and Send Connector connector in the Transport service on a Mailbox server, or on a Receive connector in the Front End Transport service on a Client Access server from Exchange Administration Console (EAC): a. In the EAC, navigate to Mail flow > Send connectors or Mail flow > Receive connectors. b. Select the connector you want to configure, and then click Edit. c. On the tab in the Protocol logging level section, select Verbose Protocol logging is enabled on the connector. d. Click Save. 2. To configure the protocol log paths for the Send connectors and Receive connectors in the Transport service on a Mailbox server from Exchange Administration Console (EAC): 8 Configure SMTP Protocol logging on Microsoft Exchange Server 2007, 2010 and 2013
a. In the EAC, navigate to Servers > Servers. b. Select the Mailbox server you want to configure, and then click Edit. c. On the server properties page, click Transport logs. d. In the Protocol log section, change any of the following settings: Send protocol log path The value you specify must be on the local Exchange server. If the folder doesn't exist, it will be created for you when you click Save. Receive protocol log path The value you specify must be on the local Exchange server. If the folder doesn't exist, it will be created for you when you click Save. e. Click Save. Note: This location is used in Send protocol log path and Receive protocol log path should be used during Configuration of File Reader Collection of Exchange Server 2013. Please refer to the additional download sftpagent.conf.msexchangesmtp. Configure SMTP Protocol logging on Microsoft Exchange Server 2007, 2010 and 2013 9
Configure File Reader for Microsoft Exchange Server 2007 Service Pack 2 and Later Set up the NIC File Reader Service for the event source. For complete instructions, see the envision Help topic "Set Up File Reader Service." To set up the NIC File Reader Service: 1. In envision, add the event source to the NIC File Reader Service. 2. Start the NIC File Reader Service. For instructions, see the envision Help. 3. In envision, set up the FTP server (in multiple appliance sites, the FTP server is on an LC or RC). For instructions, see the envision Help. 4. Install and set up the NIC SFTP Agent on the Microsoft Exchange host that send logs to envision. Choose the appropriate configuration file depending upon your version: For Microsoft Exchange Server 2007 SP2, sftpagent.conf.msexchange2k7 For Microsoft Exchange Server 2010, sftpagent.conf.msexchange2010 For Microsoft Exchange Server 2013, sftpagent.conf.msexchange2013 For SMTP protocol Logs from Microsoft Exchange Server 2007, 2010, and 2013, sftpagent.conf.msexchangesmtp Note: The SFTP sample file is available on RSA SecurCare Online (SCOL) and on the RSA envision appliance. For details, see RSA envision NIC SFTP Agent Configuration. For instructions on installing the NIC SFTP Agent, see RSA envision NIC SFTP Agent Configuration, which is available on SecurCare Online. 5. From the Windows Services window, start the NIC SFTP Agent Service. 10 Configure File Reader for Microsoft Exchange Server 2007 Service Pack 2 and Later
Configure Windows Collection from Microsoft Exchange Server 2007 Service Pack 2 and Later To configure Microsoft Exchange Server 2007 SP2 and later: 1. In envision, set up the NIC Windows Service. For detailed instructions, see the envision Help. 2. To set up Windows Application event logging and collect Windows Application event log messages, follow these steps: a. Open the Exchange Management Console. b. From the navigation menu, click Microsoft Exchange On-Premises > Server Configuration. c. In the Actions pane, click Manage Diagnostic Logging Properties. d. Select Update logging levels for services. e. From the Configure Server Diagnostic Logging Properties list, enable logging of services at the levels shown in the following table. Service Category Logging Level MSExchange ADAccess\ Expert MSExchangeIS\9002 System\ Connections Expert Expert Logons Expert MSExchangeIS\9001 Public\ MSExchangeIS\9000 Private\ f. Click Configure. Expert Access Control Expert Logons Expert Expert Access Control Expert g. In the Completion window, check the status of the configuration. If the configuration fails, use the Back button to make the necessary changes. h. Click Finish. 3. In Microsoft Exchange Server 2007, to confirm that message tracking logging is enabled, follow these steps: a. Open the Exchange Management Console. b. From the Server Configuration section, right-click your server, and select Properties. c. On the Log Settings tab, ensure that Enable message tracking logging is selected. d. Click OK. In Microsoft Exchange Server 2010, to confirm that message tracking logging is enabled, follow these steps: Configure Windows Collection from Microsoft Exchange Server 2007 Service Pack 2 and Later 11
a. Open the Exchange Management Console. b. From the navigation menu, click Microsoft Exchange On-Premises > Server Configuration. c. From the Server Configuration section, right-click your server, and select Properties. d. On the Log Settings tab, ensure that Enable message tracking log is selected. e. Click OK. 4. To enable Microsoft Exchange Server 2007 Exchange Auditing, follow these steps: Note: After you complete this step, you must complete the next section, "Set Up Agentless Collection on Exchange server 2007 SP2 and later on Windows Server 2008." Exchange auditing is not yet available in Microsoft Exchange 2010 service packs. a. Open the Exchange Management Console. b. Click Server Configuration > Mailbox. c. In the Create Filter section, right-click the name of your server, and select Manage Diagnostic Logging Properties. d. Click ServerName > MSExchangeIS > 9000 Private. e. Select Folder Access, Message Access, Extended Send As, and Extended Send On Behalf Of, and set their logging levels to Expert. f. Click Configure, then click Finish. 12 Configure Windows Collection from Microsoft Exchange Server 2007 Service Pack 2 and Later
Configure Microsoft Exchange Server 2010 and 2013 for Administrator Audit and Mailbox Audit To configure Microsoft Exchange Server 2010 and 2013 for Administrator Audit and Mailbox Audit: 1. To configure Microsoft Exchange Server 2010 and 2013 for Administrator Audit and Mailbox Audit: a. Log on to the Microsoft Exchange Server 2010 and 2013 using Domain Privileges. b. Configure Exchange Mailbox Auditing using the link: http://www.ultimatewindowssecurity.com/exchange/mailboxaudit/configure.aspx Please refer to the example command: Set-Mailbox -Identity "John Smith" -AuditDelegate SendAs,SendOnBehalf,MessageBind,FolderBind -AuditEnabled $true in the link to Configure Mailbox Auditing for each of the users and their respective parameters for each user as per company requirements. Run this command using the Exchange Management Shell with administrator privileges. c. Configure Exchange Administrator Auditing using the link: http://www.ultimatewindowssecurity.com/exchange/adminaudit/configure.aspx Please refer to the sample command: Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * - AdminAuditLogParameters * -AdminAuditLogExcludedCmdlets *Mailbox*, *TransportRule* in the link to Configure Administrator Auditing for each of the users and their respective parameters for each user as per company requirements. Run this command using the Exchange Management Shell with administrator privileges. d. Configure Microsoft Exchange for changing the Exchange audit search poll interval: The value that controls the search poll interval timing is stored in an XML configuration file under the %ExchangeInstallPath% folder. The file is in the Bin folder, and called Microsoft.Exchange.Servicehost.exe.config. Look for the following line inside the<appsettings> tag: <add key="auditlogsearchpollintervalinmilliseconds" value=" " /> This value determines (in milliseconds) the search poll interval. Set the value to an appropriate number for the task. 2. To configure LOGbinder EX to send Administrator Audit and Mailbox Audit to envision: Note: To collect auditing events from Microsoft Exchange Server into the Windows Event Viewer, you must download the third-party application LOGbinder EX from http://www.logbinder.com. When configuring Exchange Server 2010 and 2013, you must download LOGbinder EX 2.0. Configure Microsoft Exchange Server 2010 and 2013 for Administrator Audit and Mailbox Audit 13
a. For Microsoft Exchange Server 2010 and 2013, download LOGbinder EX 2.0 from http://www.logbinder.com. b. To configure the input settings, follow these steps: i. In the LOGbinder EX interface, click New Input. ii. Refer to the Logbinder EX documentation to enter the fields "Powershell URL", "Exchange URL", and "Recipient" correctly. iii. Click OK. c. To configure the output settings, follow these steps: i. Click Output. ii. Using LOGbinder EX 2.0, double-click LOGbinder EX Event Log and ensure that Send output to LOGbinder EX Event Log is selected. iii. Deselect Include noise events and Include XML data. iv. Click OK. d. To start the service, follow these steps: i. Click Service. ii. Click Start. Set Up Agentless Collection on Exchange server 2007 SP2 and later on Windows Server 2008 Beginning with the August 2010 Event Source Update, envision provides a new agentless collector, the Windows Eventing Collection Service. For details, see the Microsoft Windows Eventing 6.0 Web Services API topic in the envision Help. Note: The Windows Eventing Collector Service can collect logs only from Microsoft Exchange Server 2010. Prerequisites You must install the Windows Eventing Collector Service. For more information, see the envision Help topic "Setting Up the Windows Eventing Collector Service." Disable the Legacy Collector If you are using the Windows Eventing Collector Service, RSA recommends that you disable the legacy Windows agentless collector. Otherwise, event collection is duplicated, and envision stores duplicate message data. To disable the legacy agentless Windows collector: 1. In envision, click Overview > System Configuration > Services > Device Services > Windows Service > Manage Windows Service. 2. Select the Windows Agentless Collector Service for each Microsoft Exchange Server for which 14 Set Up Agentless Collection on Exchange server 2007 SP2 and later on Windows Server 2008
you will be using the Windows Eventing Collector Service. 3. Click Delete. Enable Event Collection on Microsoft Exchange Server 2010 and 2013 To collect from the extended log channels for Microsoft Exchange: 1. Add or update the alias for the event source. Each event source has its own alias, which specifies the URL for the event source, as well as other details. 2. Open a new command shell, and change directories to the E:\nic\enVision version\node_ name\collection-services\winevent directory. 3. Do one of the following: To edit an existing alias, type: wineventconfig.exe -e To add a new alias, type: wineventconfig.exe -a 4. Respond to the prompts with your information. For details, see the envision Help. 5. Using a comma as the delimiter between channel names, enter any of the following event channels to which you want to subscribe: Application Exchange Auditing Note: Exchange auditing is only available for Microsoft Exchange Server 2007 Service Pack 2, and requires additional configuration. For details, see Configure the Exchange Auditing Channel. Microsoft-Exchange-MailboxDatabaseFailureItems/Operational Microsoft-Exchange-HighAvailability/Operational Microsoft-Exchange-HighAvailability/Debug LOGbndEX MSExchange Management Note: The LOGbndEX channel is for Admin Audit and Mailbox Audit for Microsoft Exchange Server 2010 and 2013. You must enter the names as they appear in the preceding list. If you misspell any channel name, events from that channel will not be collected. 6. To test your configuration, run the following command: wineventconfig.exe -t Set Up Agentless Collection on Exchange server 2007 SP2 and later on Windows Server 2008 15
Configure the Exchange Auditing Channel To configure the Exchange Auditing channel, you must enable Windows Remote Management. This is described in the "Microsoft Windows Eventing 6.0 Web Services API" document, available from the RSA SecurCare Online (SCOL) web site. Follow all directions in that document to enable Windows Remote Management, except that you must replace Security with Exchange Auditing when setting access to your channel. That document describes the command to set read access to the Security Channel: wevtutil gl Security To configure the Exchange Auditing channel, replace Security with "Exchange Auditing" as shown here: wevtutil gl "Exchange Auditing" Microsoft Exchange Server Release Notes (20140311-145050) What's New in This Release RSA has updated configuration instructions for Microsoft Exchange to display Collection type information more clearly. RSA has also added support for SMTP protocol logs for Exchange 2007, 2010 and 2013. Microsoft Exchange Server Release Notes (20140213-121344) What's New in This Release RSA has added support for Microsoft Exchange Server 2010 and 2013 Mailbox and Admin Audit using LOGbinder EX.RSA has also added support for the channel MS Exchange Management using Windows Event Collection. Microsoft Exchange Server Release Notes (20131211-220046) What's New in This Release RSA has added support for Microsoft Exchange Server 2013. Microsoft Exchange Server Release Notes (20130731-180221) 16 Set Up Agentless Collection on Exchange server 2007 SP2 and later on Windows Server 2008
Microsoft Exchange Server Release Notes (20130625-110128) Microsoft Exchange Server Release Notes (20130501-153011) Microsoft Exchange Server Release Notes (20130326-113451) Microsoft Exchange Server Release Notes (20130228-133928) Microsoft Exchange Server Release Notes (20121227-120737) Microsoft Exchange Server Release Notes (20121024-162733) What's New in This Release RSA has added a clarification regarding the use of Exchange Auditing for Microsoft Exchange Server 2010. Exchange Auditing is not yet available to Exchange Server 2010 customers. Microsoft Exchange Server Release Notes (20120927-104626) Set Up Agentless Collection on Exchange server 2007 SP2 and later on Windows Server 2008 17
18 Set Up Agentless Collection on Exchange server 2007 SP2 and later on Windows Server 2008