This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

MS Exchange 2k13 Integration

SoumyajitDhara
Beginner
Beginner

‎2016-08-10 04:45 AM

Hi All,

 

Does anyone have an experience on MS Exchange 2013 with RSA SA. Note that, scope of collection is only Transports Log via RSA SA SFTP Agent, not via LOG Binder. After reading the documentation of Log Integration Guide, it is bit difficult for me to understand what are the items need to perform.

 

Any kind of guidance or help will appreciate a lot.

 

 

0 Likes
8 REPLIES 8

AkramHamed
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2016-08-10 05:07 AM

Hello,

 

Exchange 2013 Configuration is normal SFTP agent config, as per Microsoft Exchange Server Event Source Configuration Guide page 15.

 

Can you please mention what exactly is not going ok with the integration?

 

Thanks,

Akram

0 Likes

SoumyajitDhara
Beginner
Beginner
In response to AkramHamed

‎2016-08-10 05:27 AM

Hi Akram,

 

in sasgtpagent.conf file the path of log collection is

dir0=C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking

 

Question is, this is the only path or any additional path do I need to add ?

0 Likes

AkramHamed
Frequent Contributor Frequent Contributor
Frequent Contributor
In response to SoumyajitDhara

‎2016-08-10 06:58 AM

Hello,

 

It really depends on which logs do you have activated on the Exchange server.

 

Most commonly the logs are present at <Install Drive>\Microsoft\Exchange Server\V15\Logging

Depending on which modules you enabled for logging, you should see folders under this parent folder.

 

A sample example of the folders you can find here is as below.

 

3107.2.png

 

Try to consult your exchange admins on the logging they have enabled for your environment, and based upon this, you can configure the sftp collection.

 

Let me know if you need any assistance.

 

Thanks,

Akram

SoumyajitDhara
Beginner
Beginner
In response to AkramHamed

‎2016-08-11 04:47 AM

As of now Transport logs collection carried out.

 

Only issue with the service of sasftpagent. It get stopped automatically every after 1 min and need to restart again due to which collection interrupted. Service is running by a domain service account. But if the service start running with local account, no issue on collection.

 

Below is log, I just manipulate the customer details.

 

Aug 11 10:33:47 HOSTNAME.abcxyz.com MSWinEventLog,0,Security,8783,Thu Aug 11 10:33:46 2016,4689,Microsoft-Windows-Security-Auditing,ABCXYZ\santabanta,N/A,Success Audit,HOSTNAME.abcxyz.com,Process Termination,,A process has exited. Subject: Security ID: S-1-5-21-2293583632-4136463274-3555374956-21599 Account Name: santabanta Account Domain: ABCXYZ Logon ID: 0x704bf40 Process Information: Process ID: 0x10b8 Process Name: C:\sasftpagent\sasftpagent.exe Exit Status: 0x1,8365

AkramHamed
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2016-08-11 06:23 AM

Hello,

 

As per Install and Update the SFTP Agent

 

It states explicitly that the user should be a local admin, not a domain admin.

 

==Quote==

Note: The user account should be a member of the local admin group. The account must also have access to the files that are sent to Log Collector.

==UnQuote==

 

Thanks,
Akram

0 Likes

PedroQueiros
Beginner
Beginner

‎2018-03-21 06:34 AM

Hello all,

 

Sorry for digging this out, but I'm also a little confused regarding the "normal" config for an Exchange 2013 server.

 

The manual states different methods, but I'd really like to know is what kind of logs should we configure and how we can retrieve them.

 

In the manual you can find "Configure SMTP Protocol logging", "Configure Microsoft Exchange Server 2010 and 2013 for Administrator Audit and Mailbox Audit", "Configure User Mailbox to enable or disable MAPI on Microsoft Exchange Server 2010 and 2013" and "Configure Collection from Microsoft Exchange Server 2013".

 

I understand that we should collect administrator and mailbox audit logs, but in an environment with hundreds of users, we must execute one command per mailbox?

Also, are we stuck with using LOGbinder EX to receive these logs? AFAIK, this isn't a free tool, right?

 

Surely SMTP protocol logging can also be interesting from a security POV, and if LOGbinder EX isn't free, are we stuck with only collecting these logs via SFTP Agent?

 

Thank you for your help!

 

Kind Regards,

Pedro Queirós

0 Likes

EricPartington
Employee
Employee

‎2018-07-04 08:58 AM

have you checked out NXLog?

 

Home | High Performance Log Management Solutions 

0 Likes

PedroQueiros
Beginner
Beginner
In response to EricPartington

‎2018-07-04 01:54 PM

No Eric, we haven't. Thank you for the reply, will check it out.

 

Kind Regards,

Pedro Queirós

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.