
1. Installing LOGbinder for Exchange



***Note: 24-hour Delay in Mailbox Audit Logs***

According to a recent discovery, the PowerShell cmdlets used for retrieving mailbox audit logs have a flaw that produces inconsistent audit results when they are used to retrieve audit logs for events less than 24 hours old.

We informed Microsoft of our findings and they confirmed the bug after their own investigation. They also told us they had no timeline to fix the bug and suggested that users simply request audit logs some twenty-four hours after the event took place. We will continue to work with Microsoft on this issue and hope they do resolve it.

In the meantime, the only way we can guarantee audit trail integrity is if we follow Microsoft’s recommendation and don’t ask for mailbox audit logs for the past 24-hour period. Therefore LOGbinder will not process events until 24 hours after the Last Processed value for mailbox auditing in the input settings (see Configure Input).

If you do not want to have this 24-hour delay, you can turn it off in the options (see Configure Options), but we strongly advise against it.

To see how we feel about this issue, what we are doing to mitigate the impact of this bug and what you can do, please follow our latest communications on this at https://www.logbinder.com/support/ExchangeMailboxAuditBug

Installing LOGbinder for Exchange

LOGbinder for Exchange runs as a Windows service on a server belonging to the same domain as your Exchange environment. It translates audit log entries in Exchange, and outputs them to the LOGbinder EX event log, the Windows Security Log, a Syslog server or Syslog files.

For more information, please visit our web site https://www.logbinder.com/products/logbinderex/.
There you will find a rich set of resources to guide you in setting audit policy, setting up audit log reporting and archiving, and so forth.

To open a case with our support staff, please submit a ticket at https://support.logbinder.com/.

Installing LOGbinder for Exchange involves 3 simple steps. (If LOGbinder has been used on another server in the same environment where it is now installed, refer to the Transferring settings to a new server section below, in order to preserve a complete audit trail.)

Subsequent sections cover:

Step 1 – Check Software Requirements

Select Server

LOGbinder for Exchange should be installed on a server belonging to the same domain as your Exchange environment.

Software Requirements

  • Microsoft Windows Server 2003 or later
  • Microsoft .NET Framework 3.5 SP1
  • Microsoft Exchange 2010, 2013, 2016 (Exchange 2016 is supported starting CU6)

Exchange Auditing Requirements

Exchange has two types of audit logs: Administrator Audit Log, and Mailbox Audit Log. For LOGbinder for Exchange to be able to process audit events from these audit logs, they need to be enabled. Note:

  • Administrator Audit Log is usually enabled by default.
  • Mailbox audit logging can be managed by LOGbinder for Exchange using the Mailbox Audit Policy Management wizard.

Please visit https://www.ultimatewindowssecurity.com/exchange/ for more information on these audit logs, as well as on how to enable, configure, manage, and use them.

Audit Log Search Poll Interval should be set to no greater than 15 minutes. (See box Audit Log Search Poll Interval for explanation.)

Step 2 – Check User Accounts and Authority

Two user accounts are involved with LOGbinder for Exchange.

  1. Your account
    • The account you are logged on as when you install and configure LOGbinder for Exchange.
    • Authority Required:
      • Member of the local Administrators group
        • Windows UAC sometimes interferes with this setting. It is recommended that you use the “Run as Administrator” option when running LOGbinder. You may also need to grant your account, as well as the service account, modify permissions to the C:\ProgramData folder as described in the third bullet point below.
  2. Service account
    • The account that the LOGbinder for Exchange service will run as. This domain account must be created before installing LOGbinder for Exchange. This account does not need to be a local or domain administrator; the LOGbinder for Exchange service can run in a least-privilege environment.
    • Authority Required: (See Appendix A: Assigning Permissions for details on granting these permissions)
      • Exchange administrator roles:
      • Permissions to access the inbox of the Recipient (configured under Input), if different from the service account.
      • Privilege “log on as a service” (The installer will set this prerequisite.)
      • Permission to create, read, modify files in C:\ProgramData\LOGbinder EX (The installer will set this prerequisite.)
        • Please note that the ProgramData folder is a hidden folder, and it is not the same as the Program Files folder.
        • This LOGbinder EX folder will be created while LOGbinder is installed.

If outputting to Windows Security log

  • Privilege "Generate Security Audit" (SeAuditPrivilege)
  • Setting audit policy
    • Windows 2003:
      • Enable “Audit object access”
    • Windows 2008 or later:
      • Enable “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” security option
      • Enable “Audit Application Generated” audit subcategory
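
A read-only check of the service-account rights and audit policy settings listed above, for Windows 2008 or later. This is an added example, not LOGbinder's own tooling; it assumes an elevated Windows PowerShell 3.0+ prompt, an English-language system, and a service account name you supply (the sample name in the comment is constructed).

```powershell
# Added example: read-only prerequisite check for Security log output.
param(
    # Service account as DOMAIN\name; 'CONTOSO\svc-logbinder' is a constructed sample value.
    [Parameter(Mandatory = $true)] [string] $ServiceAccount
)
$ErrorActionPreference = 'Stop'

# secedit lists right holders mostly as *SID, so resolve the account to its SID first.
$nt  = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights section of the effective local security policy.
$inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content -LiteralPath $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item -LiteralPath $inf -Force

function Test-UserRight([string] $Name) {
    # Direct assignments only: a right inherited through a group is not resolved here.
    $holders = @($rights[$Name])
    ($holders -contains $sid) -or ($holders -contains $ServiceAccount)
}

# "Force audit policy subcategory settings ..." is stored as this LSA value (1 = enabled).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$forceSubcategories = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)

# /r prints CSV; the subcategory name is localized, this is the English one.
$csv = auditpol.exe /get /subcategory:"Application Generated" /r | Where-Object { $_ }
$appGenerated = ($csv | ConvertFrom-Csv).'Inclusion Setting'

[pscustomobject]@{
    Account                   = $ServiceAccount
    LogOnAsService            = Test-UserRight 'SeServiceLogonRight'
    GenerateSecurityAudits    = Test-UserRight 'SeAuditPrivilege'
    ForceSubcategorySettings  = $forceSubcategories
    ApplicationGeneratedAudit = $appGenerated   # should not read 'No Auditing'
}
```

A `False` for either right can still be satisfied through group membership, so confirm in the Local Security Policy console before changing anything.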

Step 3 – Run the Installer

Download and run the installer. On the "Logon Information" page, enter the user account name, domain name and password of the service account (the user account that will run the LOGbinder for Exchange service). The rights outlined above must be granted to the account before running the installer, or else LOGbinder for Exchange will not install properly.

If a dialog box "Set Service Login" appears, then the user account information entered previously was not valid. Confirm the account name and password, and re-enter the information.

Transferring settings to a new server

If LOGbinder was running in your environment before, but it now has to be installed on a different server, the following steps can be followed to transfer the settings to the new server. (Please note that running LOGbinder on two servers at the same time in the same environment is not recommended.) This not only saves setup time and reduces setup problems, but also ensures that audit log collection continues where LOGbinder left off, so as to preserve a complete audit trail:

  1. Make sure that on both the source (where LOGbinder was run before) and target (the new LOGbinder server) servers, the LOGbinder service is not running and the LOGbinder control panel is not open.
  2. Go to the {Common Application Data}\LOGbinder EX folder on the source server, i.e. C:\ProgramData\LOGbinder EX.
    • Please note that the ProgramData folder is a hidden folder, and it is not the same as the Program Files folder.
  3. Copy all *.stg and *.xml files to the same folder on the target server.
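
The three steps above as one script, with a SHA-256 comparison added so that a truncated or altered copy is caught before the service is started. This is an added example, not part of the LOGbinder product; the `-ServiceName` value is not given on this page and must be supplied, and the script assumes Windows PowerShell 4.0 or later and that the source server's administrative share (`C$`) is reachable.

```powershell
# Added example: run from an elevated Windows PowerShell prompt on the TARGET server.
param(
    [Parameter(Mandatory = $true)] [string] $SourceServer,  # host LOGbinder ran on before
    [Parameter(Mandatory = $true)] [string] $ServiceName,   # assumption: look it up in services.msc
    [string] $DataDir = 'C:\ProgramData\LOGbinder EX'
)
$ErrorActionPreference = 'Stop'

# Step 1: refuse to continue unless the service is stopped on both servers.
# (The LOGbinder control panel must also be closed; this script cannot tell.)
foreach ($computer in @($SourceServer, $env:COMPUTERNAME)) {
    $svc = Get-Service -Name $ServiceName -ComputerName $computer
    if ($svc.Status -ne 'Stopped') {
        throw "Service '$ServiceName' is $($svc.Status) on $computer. Stop it first."
    }
}

# Step 2: reach the source folder through the administrative share (C: -> C$).
$src = '\\{0}\{1}' -f $SourceServer, ($DataDir -replace '^([A-Za-z]):', '$1$$')
if (-not (Test-Path -LiteralPath $DataDir)) {
    throw "$DataDir does not exist; install LOGbinder on this server first."
}

# Step 3: copy only *.stg and *.xml, then verify each copy by SHA-256.
$files = Get-ChildItem -LiteralPath $src -File |
    Where-Object { $_.Extension -in '.stg', '.xml' }
if (-not $files) { throw "No .stg or .xml files found in $src" }

foreach ($f in $files) {
    $dest = Join-Path $DataDir $f.Name
    Copy-Item -LiteralPath $f.FullName -Destination $dest -Force
    $srcHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Hash mismatch after copying $($f.Name)" }
    '{0}  {1}' -f $dstHash, $f.Name
}
```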
