LOGbinder Support


2. Configuring LOGbinder for Exchange



Configuring LOGbinder for Exchange

Open the "LOGbinder for Exchange" link in the Windows start menu, which appears by default in the “LOGbinder” folder.

To use LOGbinder for Exchange, adjust the settings in the three views: Input, Output, and Service. Settings can be changed while the service is running, but changes are applied only when the service is restarted. If the LOGbinder for Exchange control panel is closed before the service is restarted, the changes are discarded. If the service is already stopped, the changes are saved automatically.

Configure Input

LOGbinder for Exchange uses two methods to connect to the Exchange server: (a) the Exchange Management Shell (remote PowerShell), and (b) the Exchange Web Services Managed API 1.2.

To get started, select the menu File\New Input, where you will need to enter three pieces of information: Powershell URL, Exchange URL, and Recipient.


Figure 1: An example Input

Powershell URL: The URL used to reach Exchange Management Shell cmdlets over PowerShell remoting. The default value is “http://” + FQDN of server + “/Powershell”. The server must have both the PowerShell virtual directory and the Client Access role functioning. A load balancer address cannot be used here at present; it must be one of the actual servers. The Autofill button fills in this value using the current server, so you will need to change it if LOGbinder for Exchange is not installed on an Exchange server.

Exchange URL: The URL of the Exchange Web Services endpoint. The default value is “https://” + FQDN of server + “/EWS/Exchange.asmx”. If the Powershell URL is correct, the Autofill button will try to identify the correct Exchange URL. Opening this URL in Internet Explorer on the LOGbinder server must not produce a certificate error. (If a self-signed certificate is in use, it must be added to the Trusted Root Certification Authorities store on that machine.)

Recipient: The mail address used for processing audit logs. This is the mailbox of the user (or administrator) in whose context the Exchange Management Shell runs. If this account is different from the LOGbinder for Exchange service account, the service account needs the necessary permissions to access the recipient's mailbox.
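The following PowerShell, added here as an example rather than taken from LOGbinder, checks the three Input values before the service is started: it opens a remote Exchange Management Shell session at the Powershell URL, confirms the Recipient is a real mailbox, checks whether the service account has FullAccess to that mailbox, and fetches the Exchange URL to see whether this host trusts its certificate. The hostnames, mailbox address and service account name are assumptions; replace them with your own. Run it on the LOGbinder server, ideally as the service account, since that is the security context the service will use.

```powershell
# Added example (not LOGbinder code): pre-flight checks for the three Input values.
# All values below are assumptions; replace them with your own environment's.
$PowershellUrl  = 'http://ex01.corp.example/PowerShell'          # assumed CAS server FQDN
$ExchangeUrl    = 'https://ex01.corp.example/EWS/Exchange.asmx'  # assumed EWS endpoint
$Recipient      = 'logbinder-audit@corp.example'                 # assumed audit mailbox
$ServiceAccount = 'CORP\svc-logbinder'                           # assumed service account

# 1. Connect to the Exchange Management Shell over PowerShell remoting.
#    A failure here means the Powershell URL, WinRM, or Kerberos is wrong.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri $PowershellUrl -Authentication Kerberos -ErrorAction Stop
Import-PSSession $session -DisableNameChecking -AllowClobber | Out-Null

# 2. The Recipient must resolve to an actual mailbox.
$mbx = Get-Mailbox -Identity $Recipient -ErrorAction Stop
"Recipient mailbox: $($mbx.PrimarySmtpAddress) on database $($mbx.Database)"

# 3. If the service account is not the mailbox owner it needs access to the mailbox.
#    Only explicit (non-inherited, non-deny) entries for the account are considered.
$perm = Get-MailboxPermission -Identity $Recipient -User $ServiceAccount -ErrorAction SilentlyContinue |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }
if (-not $perm) {
    Write-Warning "$ServiceAccount has no explicit FullAccess on $Recipient; grant it with:"
    Write-Warning "  Add-MailboxPermission -Identity '$Recipient' -User '$ServiceAccount' -AccessRights FullAccess -InheritanceType All"
}

# 4. The EWS URL must present a certificate this machine trusts.
#    A self-signed certificate fails here until it is in the Trusted Root store.
try {
    $resp = Invoke-WebRequest -Uri $ExchangeUrl -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
    "EWS reachable: HTTP $($resp.StatusCode), certificate trusted"
} catch [System.Net.WebException] {
    if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
        Write-Warning "EWS certificate is not trusted by this host: $($_.Exception.Message)"
    } else {
        Write-Warning "EWS request failed: $($_.Exception.Message)"
    }
}

Remove-PSSession $session
```

The certificate check uses Invoke-WebRequest instead of Internet Explorer, but the outcome is the same: a TrustFailure here is the certificate error the text warns about, and the service will hit it too. Get-MailboxPermission reports only explicit entries, so access granted through a group shows up as missing; verify the group's entry separately in that case.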

The Last Processed box shows the date and time audit events were last retrieved from Exchange. After the first installation, LOGbinder starts processing admin audit logs from the time of installation onward, and mailbox audit logs from 24 hours before the time of installation, because mailbox audit searches run with a 24-hour delay.[1] For further information on this 24-hour buffer period for mailbox audit events, see the note and blog on the 24-hour Delay in Mailbox Audit Logs.

If backlog events are also to be processed, an earlier start date can be set in the Last Processed boxes: check the box next to the date, and the date can then be adjusted. Once LOGbinder is in operation, do not change this date manually unless it is necessary; doing so can cause audit events in Exchange to be skipped, or to be handled twice so that they appear twice in the event log.

Audit Log Search Poll Interval:

It might take considerable time for the Exchange server to return search results. Exchange checks for pending audit log searches only periodically; by default this is every 30 minutes to 24 hours, depending on the Exchange version. The frequency can be adjusted in an Exchange configuration file; see the blog titled Changing the Exchange audit search poll interval for how to adjust this setting. For LOGbinder to function properly, the interval should be set to no more than 15 minutes.

Once the LOGbinder for Exchange service has been running, the Transactions list shows the audit log searches sent to the Exchange server, the start and end of the period for which logs were requested, and the time LOGbinder finished processing the returned logs. This information is read-only. When the Exchange server returns the result of an audit log search, LOGbinder for Exchange processes the events and forwards them to the configured output(s). (See the next subheading.) Once the results have been received and forwarded, the File Name and Completed columns are populated. If the search request succeeded, File Name is the name of the XML file Exchange returned, typically in the format SearchResult_<GUID>.xml. If there was an error, LOGbinder gives a general description of it, such as:

  • FAILED-ERROR
    Reason: Exchange returned a "completed with errors" message for an unexplained reason.
    LOGbinder's solution: LOGbinder tries the same search again.
  • ABORTED-SEARCH_FAILED
    Reason: The same search has come back with an error for the second time.
    LOGbinder's solution: LOGbinder sends a warning that this search could not be completed.
  • FAILED-LARGE_RESULTS
    Reason: Exchange reports that there were too many results for the search criteria, which must be narrowed to get results.
    LOGbinder's solution: LOGbinder reduces the search interval and tries again.
  • NOT EXISTS
    Reason: The file name
    LOGbinder's solution: LOGbinder tries the same search again.
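To make the Transactions list and the 24-hour mailbox audit delay concrete, the example below, added here and not LOGbinder's own code, issues the same kind of asynchronous audit log searches from an Exchange Management Shell that Exchange answers by e-mail with an XML attachment. It uses a one-hour window for each search and shifts the mailbox audit window back by 24 hours, as LOGbinder does by default. The recipient mailbox is an assumption. Which cmdlets LOGbinder itself calls is not stated on this page; the point is to see the poll interval and the result delivery at work.

```powershell
# Added example (not LOGbinder code): issue asynchronous audit log searches of the
# kind described in the Transactions section. Run inside an Exchange Management Shell.
$Recipient = 'logbinder-audit@corp.example'   # assumed mailbox that receives results

$now = Get-Date
# Admin audit: from the last processed time (assumed one hour ago) up to now.
$adminStart = $now.AddHours(-1)
# Mailbox audit: the 24-hour delay means the window ends 24 hours in the past.
$mbxEnd   = $now.AddHours(-24)
$mbxStart = $mbxEnd.AddHours(-1)

# Both searches are queued, not run immediately: Exchange picks them up on its
# next audit-search poll and mails the result to $Recipient as an XML attachment.
New-AdminAuditLogSearch -Name "LB-admin $($adminStart.ToString('s'))" `
    -StartDate $adminStart -EndDate $now -StatusMailRecipients $Recipient

New-MailboxAuditLogSearch -Name "LB-mailbox $($mbxStart.ToString('s'))" `
    -StartDate $mbxStart -EndDate $mbxEnd `
    -LogTypes Admin,Delegate,Owner -ShowDetails -StatusMailRecipients $Recipient

# Synchronous admin search: a sanity check that events exist in the window at all,
# so a slow result mail can be attributed to the poll interval rather than to empty data.
Search-AdminAuditLog -StartDate $adminStart -EndDate $now -ResultSize 5 |
    Select-Object RunDate, Caller, CmdletName
```

Nothing arrives in the mailbox until Exchange's audit-search poll next fires, which is why the poll interval above matters: at the default interval the result mail can take hours, and each queued search stays pending in the meantime. The synchronous Search-AdminAuditLog call does not go through the mailbox and has no mailbox-audit equivalent with a 24-hour guarantee, so it is only a check, not a substitute for the asynchronous path.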

Configure Output

LOGbinder supports multiple output formats. LOGbinder for Exchange allows output to go to

  • LOGbinder EX Event Log: a custom event log under Applications and Services Logs.
  • Security Log: the Windows Security log. (Please remember to set the additional privileges as described under the Check User Accounts and Authority section when using this feature.)
  • Syslog-CEF: a Syslog server using ArcSight’s Common Event Format.
  • Syslog-LEEF: a Syslog server using IBM Security QRadar’s Log Event Extended Format.
  • Syslog-Generic: a Syslog server using the generic Syslog format.
  • Syslog-CEF (File): a Syslog file using ArcSight’s Common Event Format.
  • Syslog-LEEF (File): a Syslog file using IBM Security QRadar’s Log Event Extended Format.
  • Syslog-Generic (File): a Syslog file using the generic Syslog format.

At least one of these must be enabled in order for the LOGbinder service to start.

To enable an output and adjust the settings, select it and use the menu Action\Properties, or double-click on the item. To enable it, check the box "Send output to [name of output format]."

Select "Include noise events" to include such entries in the event log. A “noise event” is a log entry generated by the input (Exchange) that contains only misleading information. The option exists for cases where a complete audit trail must be preserved; by default it is not selected.


Figure 2: Output properties window

For some output formats, LOGbinder for Exchange can preserve the original data extracted from Exchange, along with details as to how the entry was translated by LOGbinder. Check the option “Include XML data” in order to include these details in the event log. Including this data will make the size of the log grow more quickly. If the option does not appear, then it is not supported for that output format.

For the output format "LOGbinder EX Event Log," the entries are placed in a custom log named “LOGbinder EX.” When LOGbinder creates the log, the maximum log size is set to 16MB by default and events are overwritten as needed. If you change these settings, balance the log size against how often your log management software collects from the log and against the “Include XML data” setting; otherwise events can be overwritten before they are collected and the audit trail will have gaps.

For file based outputs, such as Syslog (File), the output file is stored, by default, in the "C:\ProgramData\LOGbinder EX" folder, or in the folder specified by the “Alternate Output Data Folder” option under File\Options. (See section below on Configure Options.)
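Because the LOGbinder EX log is created with a 16MB limit and overwrites as needed, its settings should be checked against how often your collector reads it. The PowerShell below is an added example, not part of LOGbinder: it reads the log's current size and retention mode, raises the limit with wevtutil when it is below a target, and lists the newest entries as a check that events are flowing. The 256MB target is an assumption; the log name is the one given in the text, and the log only exists after that output has been enabled and the service started once.

```powershell
# Added example (not LOGbinder code): inspect and resize the "LOGbinder EX" log.
$LogName  = 'LOGbinder EX'
$TargetMB = 256   # assumed target; size it for your collector's polling interval

# Current limit and retention mode. LogMode 'Circular' is "overwrite as needed".
$log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
"{0}: max {1:N0} MB, mode {2}, {3:N0} records" -f $log.LogName,
    ($log.MaximumSizeInBytes / 1MB), $log.LogMode, $log.RecordCount

if ($log.MaximumSizeInBytes -lt ($TargetMB * 1MB)) {
    $bytes = $TargetMB * 1MB
    # /ms: maximum size in bytes; /rt:false keeps overwrite-as-needed retention.
    & wevtutil.exe sl $LogName "/ms:$bytes" /rt:false
    $log = Get-WinEvent -ListLog $LogName
    "Raised $LogName to $($log.MaximumSizeInBytes / 1MB) MB"
}

# Newest entries: confirms the output is live after the service restart.
Get-WinEvent -LogName $LogName -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName
```

Run this as an administrator; resizing an event log is a privileged operation. If you also enable "Include XML data", re-check the record count against the new limit after a day of operation, since each event is larger and the log fills proportionally faster.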

Configure Service

To start, stop, and restart the LOGbinder for Exchange service, use the buttons on this panel. You may also use the items in the Action menu, or the toolbar.


Figure 3: Message indicating outputs not configured

Although you can use the Services window in the Windows Control Panel to start and stop the service, it is recommended that you use LOGbinder's user interface to control the service. Before starting the service, LOGbinder confirms that (a) at least one Exchange server has been selected for monitoring and (b) at least one output (for example LOGbinder EX Event Log or Windows Security Log) has been enabled.

While attempting to start the LOGbinder for Exchange service, a problem may be encountered—perhaps that the service account does not have sufficient authority. The details of the problem are written to the Application Event Log.

See the Monitoring LOGbinder for Exchange article for more information on how to handle issues that may arise when starting the LOGbinder for Exchange service.

Configure Options

Use buttons on the panel, or the menu File\Options, to change LOGbinder's options.

The Enable 24-hour delay in searching for mailbox audit events option is enabled by default. For further information on this 24-hour buffer period for mailbox audit events, see the note and blog on the 24-hour Delay in Mailbox Audit Logs.

The Service Account lists the user account that runs the LOGbinder for Exchange service. This is the account you specified when installing LOGbinder for Exchange. If it is necessary to change the account, use the Services management tool (in Windows Administrative Tools).

If the box “Do not write informational messages to the Application log” is checked, then event “551 – LOGbinder agent successful” (See Appendix C: Diagnostic Events) will not be written to the Application log.


Figure 4: Options window

The Logging options can be used for diagnostic purposes when experiencing problems with LOGbinder. By default, the “Logging Level” is set to None. If necessary, the Logging Level can be set to Level 1 or Level 2. Level 1 generates a standard level of logging detail; Level 2 generates more detailed logging. Level 2 should be selected only if specifically requested by LOGbinder support, as it adversely affects performance. Both Level 1 and Level 2 write log files named Control Panel.log, Service.log, Service Controller.log and Service Processor.log to the Log location folder.

The “Alternate Output Data Folder” specifies the data folder used for output data. This is the folder where LOGbinder stores output that is written to files, such as Syslog-Generic (File), as well as the diagnostic files mentioned above. The folder path can be given as a drive letter path or as a UNC path if it is a network location. The default folder is {Common Application Data}\LOGbinder EX (i.e. C:\ProgramData\LOGbinder EX). Note that the Alternate Output Data Folder needs the same permissions as the Common Application Data folder, as specified under the Check User Accounts and Authority section.
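The following is an added example, not LOGbinder's own code, for checking that the service account can write to an Alternate Output Data Folder before pointing LOGbinder at it. The UNC path and account name are assumptions, and so is the Modify right it looks for; the rights LOGbinder actually requires are those listed under Check User Accounts and Authority.

```powershell
# Added example (not LOGbinder code): verify the service account's NTFS rights on the
# Alternate Output Data Folder. Path, account, and the Modify requirement are assumptions.
$Folder         = '\\files01.corp.example\logbinder$\EX'   # assumed UNC output folder
$ServiceAccount = 'CORP\svc-logbinder'                     # assumed service account

if (-not (Test-Path -LiteralPath $Folder)) {
    throw "Folder $Folder does not exist or is not reachable from this host"
}

$acl      = Get-Acl -LiteralPath $Folder
$required = [System.Security.AccessControl.FileSystemRights]::Modify

# Look for an Allow entry naming the account directly whose rights include Modify.
# Group-based grants are not expanded here and will be reported as missing.
$ace = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $ServiceAccount -and
    (($_.FileSystemRights -band $required) -eq $required)
}

if ($ace) {
    "$ServiceAccount has Modify on $Folder (inherited: $($ace.IsInherited))"
} else {
    Write-Warning "$ServiceAccount has no direct Modify entry on $Folder. Grant with:"
    Write-Warning "  icacls `"$Folder`" /grant `"${ServiceAccount}:(OI)(CI)M`""
}
```

For a UNC path the share permissions apply in addition to NTFS, so a passing NTFS check is not sufficient on its own; the simplest end-to-end confirmation is to start the service with a file output enabled and see whether the first Syslog file appears in the folder.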

Status Bar

The status bar will show information about the operation of LOGbinder.

  • Service status: the icon shows whether the service is stopped, running, or in an 'unknown' state.
  • License status: if LOGbinder is not fully licensed, a message appears in the status bar.
  • Settings changed: indicates that settings have been changed and the LOGbinder for Exchange service must be restarted to apply them. If the service is running and the LOGbinder for Exchange control panel is closed first, the changes are discarded.

License

Use the menu File\License to view information about your license for LOGbinder.[2] If you have purchased LOGbinder for Exchange and need to obtain a license, follow these steps:

  • For Unit/Server Count, enter the number of active mailboxes in your Exchange system. (The minimum number of mailboxes requiring licensing will be filled out automatically by LOGbinder.)
  • Press the Copy button, and paste the contents into a support ticket opened at https://support.logbinder.com.
  • When the license key is received, copy it to the clipboard and press the Paste button.


Figure 5: License window

If you are properly licensed, the license window will say so. If there is a problem, respond to your license request ticket promptly at https://support.logbinder.com.



[1] If this is not the first installation of LOGbinder on the same server, processing continues from the date and time the previous installation finished its last run. If LOGbinder was previously installed on another server in the same environment, refer to the section on Transferring settings to a new server.

[2] The License menu might be disabled for a few minutes while collecting information needed for licensing.

