• Application security intelligence for Exchange
  • Fill the audit gap in your compliance efforts
  • Catch APTs that have penetrated upstream defenses
  • Detect data grabs by malicious insiders
  • Know what’s happening inside Exchange, including:
    • Exports of mailboxes
    • Copies of entire mailbox databases
    • Security configuration changes to Exchange
    • Access control changes to groups, roles, and permissions
    • Modifications to Exchange policies involving retention, mobile device policy, information rights management, federation, and more
  • Correlate Exchange security activity with related events from the rest of your environment
  • No agent required; less pushback from Exchange admins
  • Ensure consistent mailbox audit policy
  • Fits neatly into your existing infrastructure between Exchange and your SIEM/BDSA
  • No data silos or additional consoles to monitor

LOGbinder for Exchange automatically manages the complicated process of requesting audit logs from Exchange every few minutes, watching for them to arrive by email, downloading the attachments and parsing the XML. LOGbinder for Exchange translates cryptic admin and mailbox audit data into easy-to-understand messages and sends the results to your SIEM/BDSA – where they belong. LOGbinder for Exchange does not require an agent to be installed on your Exchange servers. We simply bridge the gap by bringing application security intelligence from Exchange to your security operations center.

  • Translates cryptic Exchange audit data into easy-to-understand events
  • Sends Exchange audit events to your SIEM
  • Safeguards audit log integrity
  • Manages mailbox audit policy

LOGbinder for Exchange is a small, efficient Windows service; there’s no agent to be installed on your Exchange servers.

Instead, a single instance of LOGbinder for Exchange, licensed for the total active mailboxes in the Exchange organization, runs on a given domain server. LOGbinder for Exchange periodically sends a lightweight request to one of your Exchange servers asking for the latest events. Then it watches its mailbox for the logs to arrive. Exchange internally schedules and optimizes audit log processing and sends the results to LOGbinder for Exchange by email. There is no heavy communication between LOGbinder for Exchange and Exchange.

LOGbinder for Exchange parses the XML data it receives from Exchange into easy-to-understand mailbox and admin audit events and sends these events to your SIEM/BDSA using the best method for the target technology.

All LOGbinder for Exchange needs is

Where can I learn more about Exchange Server's Auditing capability?

Visit our Exchange Audit Background page for lots of help.

Why do I need LOGbinder for Exchange - can't Exchange send audit events to the Windows event log itself?

No. Exchange records mailbox audit events to a hidden folder on each mailbox and administrator audit events are logged to a special mailbox. Events are not written out to any kind of external log file.

What can I monitor with the Exchange auditing and LOGbinder for Exchange?

Will LOGbinder for Exchange slow down my Exchange Server?

You can run LOGbinder for Exchange on your Exchange Server and it's unlikely you will see a material impact to performance, but you can just as easily run LOGbinder for Exchange on a separate server so that no production server resources are spent executing LOGbinder for Exchange.

Will enabling the auditing on Exchange slow down my environment?

We have never observed a material impact to performance associated with mailbox or administrator logging. Exchange has special features to limit event flooding with mailbox auditing, and administrator auditing does not generate that many events in the first place. The resources required by these 2 audit logs are tiny compared to Exchange "message tracking", which generates multiple records for every message sent or received.

How secure is LOGbinder for Exchange?

LOGbinder is fully integrated with Windows and Exchange security and complies with widely accepted secure design and coding techniques.

At installation, LOGbinder secures the folder permissions where the software files reside. To protect LOGbinder's configuration from tampering, LOGbinder encrypts its configuration data.

LOGbinder security requirements are greatly simplified since LOGbinder does not store your audit log data. LOGbinder is designed to quickly get audit events out of Exchange and to the destination of your choice, at which point your log management solution takes over. If you configure LOGbinder for Exchange to direct events to the Windows security log, you leverage the significant effort Microsoft has invested in protecting the security log. And if you are already collecting Windows security logs with your log management application, Exchange audit events will automatically be included when you install LOGbinder for Exchange.

LOGbinder for Exchange's design helps you fulfill separation of duty and audit trail integrity requirements by quickly getting audit events off the system where they are produced (and thus vulnerable to intruders or malicious administrators) and into your separate and secure log management system.

Does LOGbinder for Exchange require much configuration?

LOGbinder for Exchange installs in about 2 minutes and only requires a few settings:

  1. Specify an Exchange server for LOGbinder for Exchange to communicate with
  2. Specify the user account LOGbinder should run as
  3. Choose whether to output events to the custom LOGbinder EX event log, to the actual Windows Security Log, to syslog or, for ArcSight, CEF over syslog.

How do you monitor LOGbinder for Exchange’s health?

Check the Application log for warnings or errors from source "LOGbndEX".

Why doesn’t LOGbinder for Exchange include alerting or long term archival capability?

These are functions of a log management / SIEM solution. LOGbinder complements and enhances the value of your log management solution. If you do not already have a log management solution, we can provide a simple, inexpensive, but dependable solution from our partner and we will help you install and configure it.

How does LOGbinder for Exchange integrate with my current log management solution?

With LOGbinder, any log management solution that supports Windows event logs or syslog can now collect, monitor, archive, and report on Exchange Server audit log activity. Also, see next Q&A.

Which output formats does LOGbinder for Exchange currently support?

LOGbinder can output to either the Windows Security Log, syslog, text file or a custom Windows event log called LOGbinder for Exchange.

How is LOGbinder for Exchange licensed?

Does LOGbinder for Exchange need to be installed on my Exchange Server?

No. See above questions on performance.

What user credentials must be assigned to LOGbinder for Exchange? Why?

The account needs to be authorized to run as a service, and if using the security log, must be authorized to write to the security log. The account requires minimal permissions inside Exchange.

Your SIEM, log management or BDSA solution already does a great job at collecting, archiving, correlating and reporting on security logs. We just extend that capability to Exchange. LOGbinder for Exchange works with any SIEM, log management or Big Data platform that can consume:

  • Windows event logs
  • Text files
  • Syslog UDP
  • Common Event Format (ArcSight)
  • LEEF for QRadar (Future release)

In addition, we provide Recommended Report and Alert specifications so that you can intelligently respond to and analyze Exchange security activity once it’s in your SIEM. If your SIEM/BDSA vendor is one of our Synergy Partners, your SIEM already understands Exchange events from LOGbinder. If not, introduce us to your SIEM or BDSA vendor; we’d love to work with them!
