LOGbinder for Exchange automatically manages the complicated process of requesting audit logs
                from Exchange every few minutes, watching for them to arrive by email, downloading
                the attachments and parsing the XML. LOGbinder for Exchange translates cryptic admin and mailbox
                audit data into easy-to-understand messages and sends the results to your SIEM/BDSA – where
                they belong. LOGbinder for Exchange does not require an agent to be installed on your Exchange
                servers. We simply bridge the gap by bringing application security intelligence
                from Exchange to your security operations center.
            
             
                - Translates cryptic Exchange audit data into easy-to-understand events
 
                - Sends Exchange audit events to your SIEM 
 
                - Safeguards audit log integrity
 
                - Manages mailbox audit policy
 
            
         
        
            
                LOGbinder for Exchange is a small, efficient Windows service; there’s no agent to be installed
                on your Exchange servers.
            
                Instead, a single instance of LOGbinder for Exchange, licensed for the total active mailboxes in the 
                Exchange organization, runs on a given domain server.  LOGbinder for Exchange periodically
                sends a lightweight request to one of your Exchange servers asking for the latest
                events. Then it watches its mailbox for the logs to arrive. Exchange internally
                schedules and optimizes audit log processing and sends the results to LOGbinder for Exchange
                by email. There is no heavy communication between LOGbinder for Exchange and Exchange.
            
                LOGbinder for Exchange parses the XML data it receives from Exchange into easy-to-understand
                mailbox and admin audit events and sends these events to your SIEM/BDSA using the
                best method for the target technology.
                 
        
            
                Where can I learn more about Exchange Server's Auditing capability?
            
            
                Why do I need LOGbinder for Exchange - can't Exchange send audit events to the Windows event
                log itself?
            
                
                No. Exchange records mailbox audit events to a hidden folder on each mailbox and
                administrator audit events are logged to a special mailbox. Events are not written
                out to any kind of external log file.
            
 
            
                What can I monitor with Exchange auditing and LOGbinder for Exchange?
            
            
                Will LOGbinder for Exchange slow down my Exchange Server?
            
            
                
                    You can run LOGbinder for Exchange on your Exchange Server and it's unlikely you will see
                    a material impact to performance, but you can just as easily run LOGbinder for Exchange on
                    a separate server so that no production server resources are spent executing LOGbinder for 
                    Exchange.
                
             
            
                Will enabling the auditing on Exchange slow down my environment?
            
            
                
                    We have never observed a material impact to performance associated with mailbox
                    or administrator logging. Exchange has special features to limit event flooding
                    with mailbox auditing, and administrator auditing does not generate that many events
                    in the first place. The resources required by these 2 audit logs
                    are tiny compared to Exchange "message tracking", which generates multiple records
                    for every message sent or received.
                
             
            
                How secure is LOGbinder for Exchange?
            
            
                
                    LOGbinder is fully integrated with Windows and Exchange security and complies with
                    widely accepted secure design and coding techniques.
                
                    At installation, LOGbinder secures the folder permissions where the software files
                    reside. To protect LOGbinder's configuration from tampering, LOGbinder encrypts
                    its configuration data.
                
                    LOGbinder security requirements are greatly simplified since LOGbinder does not
                    store your audit log data. LOGbinder is designed to quickly get audit events
                    out of Exchange and to the destination of your choice, at which point your log
                    management solution takes over. If you configure LOGbinder for Exchange to direct events
                    to the Windows security log, you leverage the significant effort Microsoft has invested
                    in protecting the security log. And if you are already collecting Windows
                    security logs with your log management application, Exchange audit events will automatically
                    be included when you install LOGbinder for Exchange.
                
                
                    LOGbinder for Exchange's design helps you fulfill separation of duty and audit trail integrity
                    requirements by quickly getting audit events off the system where they are produced
                    (and thus vulnerable to intruders or malicious administrators) and into your separate
                    and secure log management system.
                
             
            
                Does LOGbinder for Exchange require much configuration?
            
                
                    LOGbinder for Exchange installs in about 2 minutes and only requires a few settings:
                
                    - Specify an Exchange server for LOGbinder for Exchange to communicate with
 
                    - Specify the user account LOGbinder should run as
 
                    - Choose whether to output events to the custom LOGbinder EX event log, to the actual
                        Windows Security Log, to syslog or, for ArcSight, CEF over syslog.
 
                
             
            
                How do you monitor LOGbinder for Exchange’s health?
            
            
                
                    Check the Application log for warnings or errors from source "LOGbndEX".
             
            
                Why doesn’t LOGbinder for Exchange include alerting or long term archival capability?
            
            
                
                    These are functions of a log management / SIEM solution. LOGbinder complements
                    and enhances the value of your log management solution. If you do not already have
                    a log management solution, we can provide a simple, inexpensive, but dependable solution
                    from our partner and we will help you install and configure it.
             
            
                How does LOGbinder for Exchange integrate with my current log management solution?
            
            
                
                    With LOGbinder, any log management solution that supports Windows event logs or
                    syslog can now collect, monitor, archive, and report on Exchange Server audit log
                    activity. Also see the next Q&A.
                
             
            
                Which output formats does LOGbinder for Exchange currently support?
            
                
                    LOGbinder can output to either the Windows Security Log, syslog, text file or a
                    custom Windows event log called LOGbinder for Exchange.
                
             
            
                How is LOGbinder for Exchange licensed?
            
            
            
                Does LOGbinder for Exchange need to be installed on my Exchange Server? 
            
            
                
                    No. See above questions on performance.
             
            
                What user credentials must be assigned to LOGbinder for Exchange? Why?
            
            
                
                    The account needs to be authorized to run as a service, and if using the security
                    log, must be authorized to write to the security log. The account requires minimal
                    permissions inside Exchange.
             
         
        
            
                Your SIEM, log management or BDSA solution already does a great job at collecting,
                archiving, correlating and reporting on security logs. We just extend that capability
                to Exchange. LOGbinder for Exchange works with any SIEM, log management or Big Data platform
                that can consume:
            
                - Windows event logs
 
                - Text files
 
                - Syslog UDP
 
                - Common Event Format (ArcSight)
 
                - LEEF for QRadar (Future release)
 
            
            
                In addition, we provide Recommended Report and Alert specifications so that you
                can intelligently respond to and analyze Exchange security activity once it’s
                in your SIEM. If your SIEM/BDSA vendor is one of our Synergy Partners, your
                SIEM already understands Exchange events from LOGbinder. If not, introduce us to
                your SIEM or BDSA vendor; we’d love to work with them!