MS Exchange 2k13 Integration
Does anyone have any experience with MS Exchange 2013 and RSA SA? Note that the scope of collection is only the Transport Logs via the RSA SA SFTP Agent, not via LOGbinder. After reading the Log Integration Guide documentation, it is a bit difficult for me to understand what items need to be performed.
Any kind of guidance or help would be greatly appreciated.
The Exchange 2013 configuration is the normal SFTP agent config, as per the Microsoft Exchange Server Event Source Configuration Guide, page 15.
Can you please mention what exactly is not going OK with the integration?
In the sasftpagent.conf file the path for log collection is
dir0=C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking
The question is, is this the only path, or do I need to add any additional paths?
It really depends on which logs you have activated on the Exchange server.
Most commonly the logs are present at <Install Drive>\Microsoft\Exchange Server\V15\Logging
Depending on which modules you enabled for logging, you should see folders under this parent folder.
A sample of the folders you can find there is shown below.
Try to consult your Exchange admins about the logging they have enabled for your environment, and based on this you can configure the SFTP collection.
Let me know if you need any assistance.
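The inventory step described above, as an added example that is not part of the original post and not RSA's own tooling: it walks the V15\Logging folder, reports which Exchange logging modules are still being written to, and prints candidate entries for sasftpagent.conf. The dirN= key style is an assumption generalised from the single dir0= line posted earlier in the thread; the root path and the 7-day "active" window are illustrative defaults.

```powershell
# Added example (not from the thread, not RSA code): inventory the Exchange 2013
# logging modules and print candidate dirN= lines for sasftpagent.conf.
# Assumption: the dirN= key style is generalised from the dir0= line in the thread.
param(
    [string]$LoggingRoot      = 'C:\Program Files\Microsoft\Exchange Server\V15\Logging',
    [int]   $ActiveWithinDays = 7,
    [int]   $StartIndex       = 1   # dir0 is usually already taken by MessageTracking
)

$cutoff  = (Get-Date).AddDays(-$ActiveWithinDays)
$modules = foreach ($dir in Get-ChildItem -LiteralPath $LoggingRoot -Directory -ErrorAction Stop) {
    # The newest .log file under a module folder tells whether that module is active.
    $newest = Get-ChildItem -LiteralPath $dir.FullName -Recurse -File -Filter '*.log' -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $lastWrite = $null
    if ($newest) { $lastWrite = $newest.LastWriteTime }
    [pscustomobject]@{
        Module    = $dir.Name
        Path      = $dir.FullName
        LastWrite = $lastWrite
        Active    = ($null -ne $lastWrite -and $lastWrite -ge $cutoff)
    }
}

# Human-readable inventory first: active modules on top.
$modules |
    Sort-Object @{ Expression = 'Active'; Descending = $true }, Module |
    Format-Table Module, Active, LastWrite, Path -AutoSize

# Then the lines you would paste into sasftpagent.conf.
"# Candidate sasftpagent.conf entries (modules written to in the last $ActiveWithinDays days):"
$index = $StartIndex
foreach ($m in ($modules | Where-Object Active)) {
    'dir{0}={1}' -f $index, $m.Path
    $index++
}
```

Run it on the Exchange server itself (the paths are local); a module that shows Active = False but that your admins say is enabled usually means the logs are written somewhere else, such as the TransportRoles\Logs tree, so check there before adding the folder.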
As of now, transport log collection is being carried out.
The only issue is with the sasftpagent service. It gets stopped automatically every minute and needs to be restarted again, due to which collection is interrupted. The service is run by a domain service account. But if the service runs with a local account, there is no issue with collection.
Below is the log; I have only changed the customer details.
Aug 11 10:33:47 HOSTNAME.abcxyz.com MSWinEventLog,0,Security,8783,Thu Aug 11 10:33:46 2016,4689,Microsoft-Windows-Security-Auditing,ABCXYZ\santabanta,N/A,Success Audit,HOSTNAME.abcxyz.com,Process Termination,,A process has exited. Subject: Security ID: S-1-5-21-2293583632-4136463274-3555374956-21599 Account Name: santabanta Account Domain: ABCXYZ Logon ID: 0x704bf40 Process Information: Process ID: 0x10b8 Process Name: C:\sasftpagent\sasftpagent.exe Exit Status: 0x1,8365
The guide states explicitly that the user should be a local admin, not a domain admin:
Note: The user account should be a member of the local admin group. The account must also have access to the files that are sent to Log Collector.
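A script to verify the two requirements quoted above for whatever account the service actually runs as, added here as an example and not taken from the thread or from RSA. The service name sasftpagent and the MessageTracking path are the ones posted earlier; the group-membership and ACL checks are mine and are deliberately conservative.

```powershell
# Added example (not from the thread, not RSA code): confirm that the account running the
# sasftpagent service is a member of local Administrators and has NTFS read access to
# each collected folder. Service name and default path are taken from the thread.
param(
    [string]  $ServiceName = 'sasftpagent',
    [string[]]$LogDirs     = @('C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking')
)

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host" }
$account = $svc.StartName           # e.g. 'ABCXYZ\svc_sftp', '.\sftpuser' or 'LocalSystem'
if ($account -like '.\*') { $account = "$env:COMPUTERNAME\" + $account.Substring(2) }
"Service '$ServiceName' runs as $account (state: $($svc.State))"

# 1. Local Administrators membership, resolved through WinNT ADSI so it also works on
#    Windows Server 2008 R2 / 2012 R2, where Get-LocalGroupMember does not exist.
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.Invoke('Members')) | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'   # WinNT://ABCXYZ/user -> ABCXYZ\user
}
$isLocalAdmin = ($account -eq 'LocalSystem') -or ($members -contains $account)
"Member of local Administrators: $isLocalAdmin"

# 2. NTFS read access on each collected folder. Only direct ACEs for the account itself,
#    for Everyone, and for BUILTIN\Administrators (when the account is a member) are
#    matched; rights inherited through other groups are not resolved, so NO READ means
#    'check by hand', not 'definitely denied'.
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
foreach ($dir in $LogDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { "MISSING  $dir"; continue }
    $grants = (Get-Acl -LiteralPath $dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readData) -eq $readData) -and
        ($_.IdentityReference.Value -eq $account -or
         $_.IdentityReference.Value -eq 'Everyone' -or
         ($isLocalAdmin -and $_.IdentityReference.Value -eq 'BUILTIN\Administrators'))
    }
    if ($grants) { "READ OK  $dir  (via $($grants.IdentityReference.Value -join ', '))" }
    else         { "NO READ  $dir" }
}
```

Run it in an elevated PowerShell on the Exchange server. If the domain account is missing from the Administrators list, add it there rather than making it a domain admin; the quoted note asks only for local admin plus read access to the files, and a service account with domain-wide privilege is a far larger exposure than the collector needs. A UPN-style StartName (user@domain) will not match the DOMAIN\user form the WinNT provider returns, so normalise it before trusting a False result.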
Sorry for digging this out, but I'm also a little confused regarding the "normal" config for an Exchange 2013 server.
The manual states different methods, but what I'd really like to know is what kind of logs we should configure and how we can retrieve them.
In the manual you can find "Configure SMTP Protocol logging", "Configure Microsoft Exchange Server 2010 and 2013 for Administrator Audit and Mailbox Audit", "Configure User Mailbox to enable or disable MAPI on Microsoft Exchange Server 2010 and 2013" and "Configure Collection from Microsoft Exchange Server 2013".
I understand that we should collect administrator and mailbox audit logs, but in an environment with hundreds of users, must we execute one command per mailbox?
Also, are we stuck with using LOGbinder EX to receive these logs? AFAIK, this isn't a free tool, right?
Surely SMTP protocol logging can also be interesting from a security POV, and if LOGbinder EX isn't free, are we stuck with only collecting these logs via the SFTP Agent?
Thank you for your help!
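On the "one command per mailbox" part of the question above, here is an added example (not from the thread, not RSA's or Microsoft's documentation) that turns on the four Exchange 2013 log sources the manual sections are named after from a single Exchange Management Shell script. It assumes you are connected to the Exchange Management Shell with Organization Management rights; the retention periods and audited-action lists are illustrative choices, not required settings, and every Set-* call runs with -WhatIf until you pass -Apply.

```powershell
# Added example (not from the thread): enable message tracking, SMTP protocol logging,
# administrator audit logging and mailbox audit logging on Exchange 2013 in one pass.
# Assumptions: run from the Exchange Management Shell with Organization Management
# rights; age limits and audited actions below are illustrative, not mandated values.
param(
    [string]$Server = $env:COMPUTERNAME,
    [switch]$Apply       # without -Apply, every Set-* cmdlet runs with -WhatIf
)
$opt = @{ WhatIf = (-not $Apply) }

# Message tracking: the transport logs the SFTP agent is already collecting.
Set-TransportService -Identity $Server -MessageTrackingLogEnabled $true `
    -MessageTrackingLogMaxAge '30.00:00:00' @opt

# SMTP protocol logging on every receive connector of this server and every send connector.
Get-ReceiveConnector -Server $Server | Set-ReceiveConnector -ProtocolLoggingLevel Verbose @opt
Get-SendConnector                    | Set-SendConnector    -ProtocolLoggingLevel Verbose @opt

# Administrator audit logging is a single organisation-wide switch.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogAgeLimit '180.00:00:00' @opt

# Mailbox audit logging is a per-mailbox setting, but Get-Mailbox pipes straight into
# Set-Mailbox, so hundreds of mailboxes are handled by one pipeline, not one command each.
Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox' } |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit '90.00:00:00' `
        -AuditAdmin    Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf `
        -AuditDelegate Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf `
        -AuditOwner    HardDelete, MailboxLogin @opt

# Report how many user mailboxes now have auditing enabled.
Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox' } |
    Group-Object AuditEnabled | Select-Object Name, Count
```

One caveat that matters for the collection question: message tracking and SMTP protocol logs are written as files under the Exchange Logging and TransportRoles\Logs trees, so the SFTP agent can pick them up directly. Administrator and mailbox audit entries are not written to files; they live in mailboxes and are read back with Search-AdminAuditLog, Search-MailboxAuditLog or New-MailboxAuditLogSearch, which is the gap that a tool like LOGbinder EX (or your own scheduled export of those searches to a file the agent watches) has to bridge.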