Collecting Microsoft Exchange Logs


SUMMARY

Jan 22, 2016

This article contains information on configuring the Epilog agent to collect Microsoft Exchange Logs.

The following links are useful Microsoft articles on Exchange logging:

In the Exchange logging settings, make sure the log file is written as ASCII text and not as binary or Unicode, because the Epilog agent cannot process those other file types.

Once you know where the message tracking logs are stored on your server (the location varies with the Exchange version you are running), you can configure Epilog to monitor the specific files you need.

Epilog Configuration

  1. Select the Log Configuration menu item.

  2. Add a log entry and select the Exchange version type from the drop-down menu if you are sending to a Snare Server, or create your own custom label if you are sending to another destination SIEM.
    NOTE: For Microsoft Exchange 2013, send the data as a custom event log with a tag of Exch2013MTLog so the Snare Server processes the information correctly.

  3. Set the entry to the single line log type.

  4. Specify the log directory.

  5. Specify the log file name to monitor.

  6. Select Change Configuration.

  7. Select Apply Latest Audit Configuration so that Epilog picks up the new configuration.

Still having problems? Save the file from Exchange in UTF-8 format; Epilog can then process the file.
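The encoding requirement and the single-line record format are the two things a collector has to get right with these files. The following Python script is an added example, not code from the original article or from the Epilog/Snare product: it rejects a UTF-16 ("Unicode") file the way the article says Epilog will, re-saves such a file as UTF-8 as the troubleshooting step suggests, and parses the single-line records against the `#Fields:` header. The sample log lines are constructed for this example; the field names follow the Exchange 2013 message tracking log header, and the choice to treat a BOM-less file containing NUL bytes as little-endian UTF-16 is this script's own assumption.

```python
"""Read an Exchange message tracking log the way a log collector must.

Added example; not part of the original article or of Epilog/Snare.
"""
import codecs
import csv

# Constructed sample: a fragment of an Exchange 2013 message tracking log.
# The field list matches the real 2013 header; the values are made up.
SAMPLE_LOG = (
    "#Software: Microsoft Exchange Server\r\n"
    "#Version: 15.0.0.0\r\n"
    "#Log-type: Message Tracking Log\r\n"
    "#Date: 2016-01-22T08:00:00.000Z\r\n"
    "#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,"
    "source-context,connector-id,source,event-id,internal-message-id,"
    "message-id,network-message-id,recipient-address,recipient-status,"
    "total-bytes,recipient-count,related-recipient-address,reference,"
    "message-subject,sender-address,return-path,directionality,tenant-id,"
    "original-client-ip,original-server-ip,custom-data\r\n"
    "2016-01-22T08:01:05.123Z,10.0.0.5,WS01,10.0.0.10,EX01,,Default EX01,"
    "SMTP,RECEIVE,12345,<a1@example.test>,f0e1d2c3-0000-0000-0000-000000000001,"
    'bob@example.test,,4096,1,,,"Quarterly report, draft",alice@example.test,'
    "alice@example.test,Originating,,10.0.0.5,10.0.0.10,\r\n"
    "2016-01-22T08:01:06.456Z,,,10.0.0.10,EX01,,,STOREDRIVER,DELIVER,12345,"
    "<a1@example.test>,f0e1d2c3-0000-0000-0000-000000000001,bob@example.test,,"
    '4096,1,,,"Quarterly report, draft",alice@example.test,alice@example.test,'
    "Originating,,10.0.0.5,10.0.0.10,\r\n"
)

UTF16_BOMS = (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)


def decode_log(raw: bytes) -> str:
    """Decode the file as ASCII/UTF-8 text; refuse the encodings the article
    says Epilog cannot read (UTF-16 'Unicode', or anything with NUL bytes)."""
    if raw.startswith(UTF16_BOMS):
        raise ValueError("log is UTF-16 (Unicode); re-save it as ASCII or UTF-8")
    if b"\x00" in raw:
        raise ValueError("log contains NUL bytes; not a single-byte text file")
    # "utf-8-sig" accepts plain ASCII, UTF-8, and UTF-8 with a BOM.
    return raw.decode("utf-8-sig")


def epilog_can_read(raw: bytes) -> bool:
    """True if the file is in a form the agent can process."""
    try:
        decode_log(raw)
        return True
    except ValueError:
        return False


def convert_to_utf8(raw: bytes) -> bytes:
    """Re-save a log as UTF-8, the fix the article gives for unreadable files."""
    if raw.startswith(UTF16_BOMS):
        text = raw.decode("utf-16")        # the BOM selects the byte order
    elif b"\x00" in raw:
        text = raw.decode("utf-16-le")     # assumption: Windows default order
    else:
        text = raw.decode("utf-8-sig")
    return text.encode("utf-8")


def parse_tracking_log(text: str) -> list:
    """Turn single-line records into dicts keyed by the '#Fields:' names.
    Quoted fields (a subject containing a comma) are handled by csv."""
    fields = None
    data_lines = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line.startswith("#") or not line.strip():
            continue                        # other header lines, blank lines
        else:
            data_lines.append(line)
    if fields is None:
        raise ValueError("no #Fields: header found")
    records = []
    for row in csv.reader(data_lines):
        if len(row) != len(fields):
            raise ValueError("record has %d fields, header has %d"
                             % (len(row), len(fields)))
        records.append(dict(zip(fields, row)))
    return records


def events_for_message(records: list, message_id: str) -> list:
    """Event sequence (RECEIVE, DELIVER, ...) for one message-id."""
    return [r["event-id"] for r in records if r["message-id"] == message_id]


if __name__ == "__main__":
    as_unicode = SAMPLE_LOG.encode("utf-16")    # what a 'Unicode' save produces
    print("readable as saved:", epilog_can_read(as_unicode))
    fixed = convert_to_utf8(as_unicode)
    print("readable after UTF-8 conversion:", epilog_can_read(fixed))
    for rec in parse_tracking_log(decode_log(fixed)):
        print(rec["date-time"], rec["event-id"], rec["sender-address"],
              "->", rec["recipient-address"], repr(rec["message-subject"]))
```

Running the script first shows the UTF-16 copy being refused, then the converted copy parsing into two records for the same message-id. The field-count check matters in practice: a record that is wrapped onto two lines, or a header from a different Exchange version, breaks the single-line assumption the Epilog entry is configured with.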