NetWitness Community

Anonymous · ‎2016-06-06

Dears,

Is there another way to get admin audit logs for exchange server? because Logbinder is not a free software. We need to buy a license, in addition windows parser that is used to parse logbinder cannot parse all the events.

DavidWaugh1 · ‎2016-06-06

Hi the only way I know of is to use Log Binder for Exchange.

Anonymous · ‎2016-06-06

Did you try it?

parsing is not correct!

DavidWaugh1 · ‎2016-06-06

Hi check that all the steps in the event source integration guide has been followed:

https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources/03_Supported_Event_Sources

I would also check that the version of Exchange is one we officially support.

If there are additional unknown messages then the parser will need to be updated.

The official way is to open a support ticket with examples of the unknown or miss parsed messages.

This will then eventually be updated in a future parser.

The alternative is to modify the parser yourself to parse the messages correctly.

SoumyajitDhara · ‎2016-06-07

If target to get Transport logs only, you can go ahead with SFTP Collection.

XavierFerrier1 · ‎2016-06-20

Hello,

It looks like possible to use another way :

Get-SimpleAuditLogReport script

powershell - Write a small script to extract ms-exchange audit logs in csv format? - Stack Overflow

PowerShell Script to Generate a Report of Mailbox Audit Log Entries

SoumyajitDhara · ‎2016-06-20

Hi David,

Thanks for sharing this details. But practically, if someone follow this methods, actually not help customer to see un-parsed log after updating parser if it is officially supported.

I have one support case open on 8th October 2015 which is already tagged as RFE. After follow-up, I didn't get any update.

NetWitness Community

Exchange Logbinder