1. Logpoint Service Desk
  2. Community
  3. Logpoint for SAP

Exchange 2016/2019 onprem logging

Avatar
Follow
0

Hi all,

What is the best way to ship Exchange onprem logs (OWA, SMTP and MSGTRK) to Logpoint?

The documentation is not very clear on this topic.

Thank you for your help.

Kind regards,

Dennis

Share This Post:

2 comments

Date Votes
0
Avatar
Markus Nebel

We use nxlog for this, with the followin configuration snippet: 

<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
    FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter ' '
</Extension>

<Input messagetracking_in>
    Module 	 im_file
    File 	 '<PATH TO EXCHANGE LOGS>\MessageTracking\MSGTRK*.LOG'
    PollInterval 1
    Recursive True
    SavePos True
    ReadFromLast True
    Exec 	 $FileName = file_name();
    Exec 	 if ($raw_event == '') drop();
    Exec 	 if ($raw_event == ';') drop();
    Exec 	 $ModuleType = 'file_collection';
</Input>

<Input iis_in>  
    Module    im_file
    File      '<PATH TO IIS LOGS>\inetpub\W3SVC1\u_ex*'
    ReadFromLast True
    Recursive True
    PollInterval 1
    SavePos True
    # drop first line, which is CSV header line
    Exec if $raw_event =~ /^#/ drop();                      \
       else                                                 \
       {                                                    \
            w3c->parse_csv();                               \
            $EventTime = parsedate($date + " " + $time);    \
            $SourceName = "IIS";                            \
            $raw_event = to_json();                         \
       }
</Input>
0
Avatar
Nils Krumrey

Equally, you should be able to just use the Logpoint Agent (and in the future AgentX) and set up a file collection for those locations, i.e. the Message Tracking log, the SMTP log and the IIS log for OWA. There is both a specific normaliser for Exchange IIS as well as the generic IIS compiled normaliser, there is a normaliser for on-premise Exchange Message Tracking logs, and there is a normaliser for the Exchange SMTP logs as well.

Just for completeness, unfortunately there isn’t an easy way of collecting on-premise Exchange Audit logs, i.e. who made changes to mailboxes, permissions etc. That’s trivial in Office 365, but on-premise it relies on either a custom script, a paid for module for NXlog, or another third party utility like LogBinder.

Please sign in to leave a comment.