LOGbinder Blog

Updates, Tips and News

Audit Myth Busters: SharePoint, SQL Server, Exchange

Wed, 02 Oct 2013 08:58:56 GMT

Changing the Exchange audit search poll interval

Thu, 11 Jul 2013 14:53:17 GMT

If you are doing auditing for Exchange server using the New-AdminAuditLogSearch and New-MailboxAuditLogSearch cmdlets, you might have noticed that it takes a while until Exchange delivers the audit reports. You might wonder: How long does it actually take to get the results? Is there any setting that determines this? If yes, can it be changed?

First of all, we must note that Microsoft says on their Overview of Administrator Audit Logging page for Exchange 2010 and on the Administrator Audit Logging page for Exchange 2013 that after you run the New-AdminAuditLogSearch cmdlet, Exchange may take up to 15 minutes to deliver the report to the specified recipient. However, in reality you will find that at times Exchange takes significantly longer than that to deliver the report. On Exchange 2013, it can take up to a day. This may not suit everyone's needs, so let's see how we can change this behavior.

The value that controls this timing is stored in an XML configuration file under the %ExchangeInstallPath% folder. The file is in the Bin folder, and called Microsoft.Exchange.Servicehost.exe.config. Look for the following line inside the <appSettings> tag:

<add key="AuditLogSearchPollIntervalInMilliseconds" value="…" />

This value determines (in milliseconds) the frequency of audit log searches, affecting both the admin audit log search and the mailbox audit log search.  The default value for Exchange 2010 is 1800000 (that is 30 minutes). For Exchange 2013, the default value is 86400000 (that is 24 hours). This means that Exchange 2010 and 2013 will execute audit log search polls every 30 minutes and 24 hours, respectively.

If you would like to use a different value, you can simply change it in the config file using a text editor. Please note that you have to restart the Microsoft Exchange Service Host service for the change to take effect.

If you prefer to change the value programmatically, you can do it from PowerShell by running the following script (e.g. to change the interval to 10 minutes):

# Path of the Service Host config file under the Exchange install folder
$cfgpath = $Env:ExchangeInstallPath + "Bin\Microsoft.Exchange.Servicehost.exe.config"
# Load the file as an XML document
[xml]$cfg = Get-Content -Path $cfgpath
# Find the <add key="AuditLogSearchPollIntervalInMilliseconds" .../> entry and set it to 10 minutes (600000 ms)
($cfg.configuration.appSettings.add | where key -Match "AuditLogSearchPollIntervalInMilliseconds").value = "600000"
# Write the modified document back to disk
$cfg.Save($cfgpath)

(Again, don’t forget to restart the service after the change.)
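As an added example (not from the original post), the same edit wrapped in a slightly safer form: it keeps a timestamped backup of the config, prints the current interval, refuses values below a floor so the poll cannot be set so low that it burns CPU, matches the key exactly, and restarts the service. The service short name MSExchangeServiceHost and the 5-minute floor are assumptions.

```powershell
# Added example (not from the original post): change AuditLogSearchPollIntervalInMilliseconds
# with a backup, a sanity check on the new value, and a restart of the Service Host.
param(
    [int]$Minutes = 10,        # desired poll interval in minutes
    [int]$FloorMinutes = 5     # assumed lower bound; polling more often than this is rarely useful
)

$cfgPath = Join-Path $Env:ExchangeInstallPath 'Bin\Microsoft.Exchange.Servicehost.exe.config'
$key     = 'AuditLogSearchPollIntervalInMilliseconds'
$svcName = 'MSExchangeServiceHost'   # assumed short name of "Microsoft Exchange Service Host"

if ($Minutes -lt $FloorMinutes) {
    throw "Interval of $Minutes minutes is below the $FloorMinutes-minute floor; aborting."
}

# Keep a timestamped copy so the change can be rolled back.
$backup = "$cfgPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $cfgPath -Destination $backup

[xml]$cfg = Get-Content -Path $cfgPath
# Match the key exactly rather than by substring.
$entry = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq $key }
if (-not $entry) { throw "$key not found in $cfgPath" }

$oldMs = [int64]$entry.value
Write-Host ("Current interval: {0} ms ({1:N1} minutes)" -f $oldMs, ($oldMs / 60000))

$entry.value = [string]($Minutes * 60000)
$cfg.Save($cfgPath)
Write-Host ("New interval: {0} ms ({1} minutes); backup at {2}" -f $entry.value, $Minutes, $backup)

# The Service Host reads the file only at start-up, so restart it for the change to apply.
Restart-Service -Name $svcName
Get-Service -Name $svcName | Select-Object Name, Status
```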

In this blog, we looked at how to determine and control the audit log search poll interval in Exchange 2010 and 2013. As a final note, please mind the implications this setting might have on your CPU usage if you set the value too low.


ArcSight Connector for Exchange PowerShell and LOGbinder EX

Tue, 05 Mar 2013 17:34:04 GMT

ArcSight is an excellent tool, and together with ArcSight Connector, you can collect and process data from a variety of sources. But in some cases, you can do better.

The following paper looks at how you can significantly improve your experience with ArcSight when processing logs from Exchange Servers. In this brief comparison, we examine how you will benefit by replacing ArcSight Connector for Exchange PowerShell with LOGbinder EX, our CEF-certified product. It also highlights the potential impacts you will avoid by doing so.


LOGbinder EX for Exchange Released: Bridge the Gap between Exchange and Your SIEM

Mon, 18 Feb 2013 14:54:19 GMT

I’m excited to announce the release of LOGbinder EX for Exchange Server which bridges the gap between Exchange and your SIEM. 

With today’s ever-growing compliance burden and threat-scape, obtaining visibility into the dominant messaging platform is crucial to security and business risk management for most organizations.

Thankfully, Exchange Server provides an audit trail of non-owner access to mailboxes as well as privileged activity by Exchange administrators.  

With mailbox auditing, you can detect

· Users viewing an executive's confidential email
· Impersonated, fraudulent emails
· Administrators exporting copies of entire mailboxes
· Deletion of emails to cover up evidence

With administrator auditing, you can detect

· Exports of mailboxes
· Copies of entire mailbox databases
· Security configuration changes to Exchange
· Access control changes to groups, roles, and permissions
· Modifications to Exchange policies involving retention, mobile device policy, information rights management, federation, and more

But, like many application audit logs today, the information is trapped within the application; in the case of Exchange, the audit logs are actually maintained in mailboxes. Applications benefit from internal audit capability, but ultimately audit logs should be copied as frequently as possible to a separate, isolated log management system.

LOGbinder EX efficiently processes native Exchange audit data and translates cryptic codes, yielding an easy-to-understand Exchange audit log in the Windows event log or syslog, where any log management/SIEM solution can take over with collection, alerting, reporting, and secure archival. LOGbinder EX performs these functions on both the administrator audit log and the mailbox audit log.

LOGbinder EX can be installed on almost any server in your domain; there's no need to install it on any of your Exchange servers, so it has no impact on production mail flow.

Exchange audit logs need to be monitored and they belong in your SIEM.  Use LOGbinder EX to bridge the gap.

Please download LOGbinder today or contact us for a demo.  I’ve also got a whitepaper that explains Exchange Server’s 3 Audit Logs and how LOGbinder and your SIEM fit in.  Click here to read the whitepaper.

Whitepaper: Comparing Exchange Server's™ 3 Audit Logs for Security and SIEM Integration

Fri, 16 Nov 2012 16:18:46 GMT

This whitepaper by Randy Franklin Smith provides an overview of the 3 different audit logs in Exchange and discusses their relative merits in terms of security value and how to integrate them with your SIEM.

Download it now here.

