Where can I learn more about Exchange Server's Auditing capability?
Why do I need LOGbinder for Exchange - can't Exchange send audit events to the Windows event log itself?
No. Exchange records mailbox audit events to a hidden folder on each mailbox and administrator audit events are logged to a special mailbox. Events are not written out to any kind of external log file.
What can I monitor with Exchange auditing and LOGbinder for Exchange?
Will LOGbinder for Exchange slow down my Exchange Server?
You can run LOGbinder for Exchange on your Exchange Server, and it's unlikely you will see a material impact on performance. You can just as easily run LOGbinder for Exchange on a separate server so that no production server resources are spent executing it.
Will enabling auditing on Exchange slow down my environment?
We have never observed a material impact on performance associated with mailbox or administrator logging. Exchange has special features to limit event flooding with mailbox auditing, and administrator auditing does not generate that many events in the first place. The resources required by these 2 audit logs are tiny compared to Exchange "message tracking", which generates multiple records for every message sent or received.
How secure is LOGbinder for Exchange?
LOGbinder is fully integrated with Windows and Exchange security and complies with widely accepted secure design and coding techniques.
At installation, LOGbinder secures the folder permissions where the software files reside. To protect LOGbinder's configuration from tampering, LOGbinder encrypts its configuration data.
LOGbinder security requirements are greatly simplified since LOGbinder does not store your audit log data. LOGbinder is designed to quickly get audit events out of Exchange and to the destination of your choice, at which point your log management solution takes over. If you configure LOGbinder for Exchange to direct events to the Windows security log, you leverage the significant effort Microsoft has invested in protecting the security log. And if you are already collecting Windows security logs with your log management application, Exchange audit events will automatically be included when you install LOGbinder for Exchange.
LOGbinder for Exchange's design helps you fulfill separation of duty and audit trail integrity requirements by quickly getting audit events off the system where they are produced (and thus vulnerable to intruders or malicious administrators) and into your separate and secure log management system.
Does LOGbinder for Exchange require much configuration?
LOGbinder for Exchange installs in about 2 minutes and only requires a few settings:
- Specify an Exchange server for LOGbinder for Exchange to communicate with
- Specify the user account LOGbinder should run as
- Choose whether to output events to the custom LOGbinder EX event log, to the actual Windows Security Log, to syslog or, for ArcSight, CEF over syslog.
How do you monitor LOGbinder for Exchange’s health?
Check the Application log for warnings or errors from source "LOGbndEX".
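The check described above can be scripted and scheduled. The following is an added example, not LOGbinder's own code: the source name "LOGbndEX" comes from this FAQ, while the function name Get-LogbinderExHealth, the 24-hour default window and the assumption that the source is queryable as a provider name are illustrative.

```powershell
# Added example: summarise LOGbinder for Exchange warnings and errors
# recorded in the Application log. Function name and defaults are assumptions.
function Get-LogbinderExHealth {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # host where LOGbinder runs
        [int]$Hours = 24                            # look-back window
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'LOGbndEX'                   # source named in the FAQ
        Level        = 2, 3                         # 2 = Error, 3 = Warning
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    try {
        $events = @(Get-WinEvent -ComputerName $ComputerName `
                                 -FilterHashtable $filter -ErrorAction Stop)
    }
    catch {
        # Get-WinEvent raises an error when nothing matches the filter;
        # that case means no warnings or errors, so it is not a failure.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            $events = @()
        }
        else {
            throw   # e.g. host unreachable or source not registered there
        }
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        WindowHours  = $Hours
        Errors       = @($events | Where-Object Level -eq 2).Count
        Warnings     = @($events | Where-Object Level -eq 3).Count
        Healthy      = ($events.Count -eq 0)
        # Get-WinEvent returns newest events first.
        Latest       = $events |
            Select-Object -First 5 TimeCreated, Id, LevelDisplayName, Message
    }
}

# Usage: Get-LogbinderExHealth -Hours 24 | Format-List
```

An error other than "no matching events" is rethrown on purpose, so a monitoring job does not report a host as healthy when the log could not be read.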
Why doesn’t LOGbinder for Exchange include alerting or long term archival capability?
These are functions of a log management / SIEM solution. LOGbinder complements and enhances the value of your log management solution.
How does LOGbinder for Exchange integrate with my current log management solution?
With LOGbinder, any log management solution that supports Windows event logs or syslog can now collect, monitor, archive, and report on Exchange Server audit log activity. Also, see next Q&A.
Which output formats does LOGbinder for Exchange currently support?
LOGbinder can output to the Windows Security Log, syslog, a text file, or a custom Windows event log called LOGbinder for Exchange.
How is LOGbinder for Exchange licensed?
Does LOGbinder for Exchange need to be installed on my Exchange Server?
No. See the questions above on performance.
What user credentials must be assigned to LOGbinder for Exchange? Why?
The account needs to be authorized to run as a service, and if using the security log, must be authorized to write to the security log. The account requires minimal permissions inside Exchange.