Help for Understanding and Using Exchange Audit

Comparing Exchange Server's 3 Audit Logs for Security and SIEM Integration explains the 3 logs in Exchange Server that are valuable to Security. Only one of the logs, message tracking, is directly accessible by SIEM/log management solutions. The other 2 audit logs, administrator and mailbox access, are stored internally within Exchange mailboxes.

LOGbinder EX™ collects the mailbox audit logs through efficient use of the Exchange management API and then parses the cryptic Exchange audit log data and formats it into 11 easy-to-ready messages delivered to your SIEM via several possible channels.

Using Exchange’s management API, LOGbinder EX™ collects the hidden administrator audit log files from its internal special mailbox, parses the log data, and formats it into more than 400 easy-to-read messages delivered to your SIEM. You can then use the pre-built LOGbinder™ content packages to track audit log events within SIEM solutions from participating SIEM Synergy Partners.

There's lots of information at Randy's Exchange section at UltimateWindows Security.com.

Next: