Microsoft Exchange Logs

Snare can forward log data to Securonix using their pre-configured parsers. This guide outlines the steps to configure the Snare agent to forward Microsoft Windows Application, System and Security logs to Securonix, along with links to the Securonix documentation on how to finalise the configuration within Securonix itself.

This guide is broken into 2 sections:

Exchange log collection configuration

To configure log collection for the below log types in Microsoft On-Premise Exchange:

  • MessageTracking

  • Connectivity

  • SmtpSend

  • SmtpReceive

On the Exchange server, open the “Exchange Admin Centre” web page and log in as an administrator.

Once logged in, navigate to the “Servers” tab on the left:


Select your server and click on the pencil icon.


The server details will then open in a pop-up window; navigate to the “transport logs” tab:

Tick the boxes to enable logging and make a note of the paths specified.

Snare Agent Configuration

  1. Follow the steps outlined in “Agent Installation” (Snare Windows Agent v5 Documentation) to install the Snare agent.

  2. Once the agent is installed and licensed, log in to the web UI (https://localhost:6161) and select “Log Files”.

  3. Click the Add button to add a policy:

  4. Select “Custom Event Log” and enter “ExchangeMessageTracking”.

  5. Paste in the log folder directory “C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking”.

  6. Under “Log Name Format” type in “*.LOG”; this allows all log files in the directory to be collected. (As Exchange creates a new log file each day, the wildcard ensures these are correctly collected.)

Repeat the above for the remaining log files.

Below is a table with the Log Type names and paths (the paths listed are the defaults; replace them if an alternative path is used).

Log Type Name                 Log Directory                                                                          Log Name Format
ExchangeMessageTracking       C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking     *.LOG
ExchangeMessageConnectivity   C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\Connectivity    *.LOG
ExchangeHUBSmtp               C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\*   *.LOG

For ExchangeHUBSmtp, ensure the “*” is included in the log directory, as this allows Snare to collect logs from both the Send and Receive sub-folders.

  7. Under the “Network Destinations” section, enter the domain/IP address of the Snare Reflector, set the port to “6161”, and ensure Format is “Snare” and “Delimiter Character” is “Tab”.

  8. Scroll to the bottom of the page, select “Update Destinations” and then select “Apply Configuration and Restart service” on the left-hand navigation menu.

Note: Once configured, this configuration can be pulled into the Snare Agent Manager (see “Agents Policies Management” in the Snare Agent Manager Documentation) or bundled into an .msi using the Snare MSI builder (see “Creating the MSI package” in the Snare MSI Documentation v3).
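
The following PowerShell is an added check, not part of the Snare or Securonix documentation: run from the Exchange Management Shell on the transport server, it confirms that each log type ticked under “transport logs” above is enabled and still being written, and prints the configured path so it can be compared against the Log Directory column of the table. $ServerName is an assumed parameter that defaults to the local computer name.

```powershell
# Added check (not from the Snare or Securonix documentation). Run it in the
# Exchange Management Shell on the transport server after enabling the logs
# in the Exchange Admin Centre. It confirms each log type is switched on and
# being written, and prints the configured path so it can be compared with
# the Log Directory entered in the matching Snare "Log Files" policy.
# $ServerName is an assumed parameter; it defaults to the local computer name.
param([string]$ServerName = $env:COMPUTERNAME)

$svc = Get-TransportService -Identity $ServerName

# One row per Snare policy from the table in this guide. Protocol logging has
# no server-wide on/off switch, so those rows only carry a path.
$rows = @(
    @{ Policy = 'ExchangeMessageTracking';       Enabled = $svc.MessageTrackingLogEnabled; Path = [string]$svc.MessageTrackingLogPath },
    @{ Policy = 'ExchangeMessageConnectivity';   Enabled = $svc.ConnectivityLogEnabled;    Path = [string]$svc.ConnectivityLogPath },
    @{ Policy = 'ExchangeHUBSmtp (SmtpSend)';    Enabled = $null;                          Path = [string]$svc.SendProtocolLogPath },
    @{ Policy = 'ExchangeHUBSmtp (SmtpReceive)'; Enabled = $null;                          Path = [string]$svc.ReceiveProtocolLogPath }
)

foreach ($r in $rows) {
    $state = if ($null -eq $r.Enabled) { 'per-connector' } elseif ($r.Enabled) { 'enabled' } else { 'DISABLED' }

    # Exchange starts a new log file each day, which is why the Snare policy
    # uses the *.LOG wildcard; count files touched in the last 24 hours as
    # evidence that the log is live and the wildcard will keep matching.
    $recent = 0
    if (Test-Path -LiteralPath $r.Path) {
        $recent = @(Get-ChildItem -LiteralPath $r.Path -Filter '*.LOG' -File |
                    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }).Count
    } else {
        $state = 'PATH MISSING'
    }
    '{0,-34} {1,-13} {2,3} recent *.LOG  {3}' -f $r.Policy, $state, $recent, $r.Path
}

# SmtpSend/SmtpReceive logs only appear for connectors whose ProtocolLoggingLevel
# is Verbose; list any connector that is not, so the gap is visible before the
# ExchangeHUBSmtp policy is expected to produce data.
Get-SendConnector | Where-Object { $_.ProtocolLoggingLevel -ne 'Verbose' } |
    ForEach-Object { "Send connector '$($_.Name)': ProtocolLoggingLevel = $($_.ProtocolLoggingLevel)" }
Get-ReceiveConnector -Server $ServerName | Where-Object { $_.ProtocolLoggingLevel -ne 'Verbose' } |
    ForEach-Object { "Receive connector '$($_.Name)': ProtocolLoggingLevel = $($_.ProtocolLoggingLevel)" }
```

A row reporting DISABLED, PATH MISSING, or 0 recent files means the Snare policy will collect nothing until the corresponding transport log setting or path is corrected.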

Snare Reflector Configuration

  1. Log in to Snare Central. Navigate to the Reflector UI (System -> Administrative Tools -> Configure Collector/Reflector) and select “Destinations” on the left-hand menu.

  2. Select “Add Destination” at the bottom of the page and create a new destination with the following configuration. Select “Update”, then “Proceed with update”, then scroll to the top of the window and select “Restart Reflector” to apply the settings.

Configuration option     Value
Hostname                 IP/Hostname of the SNYPR instance in Securonix.
Port                     Port associated with the Snare Microsoft Exchange parser.
Format                   Set the format to “QRadar”.
Protocol                 Set the protocol to UDP, TCP or TLS as per the configuration in SNYPR.
Add Regular Expression   Create 3 policies with mode set to “Include”, one for each of the following regular expressions (not including the quotes): “ExchangeMessageTracking”, “ExchangeMessageConnectivity”, “ExchangeHUBSmtp”.

  3. Once applied, return to the Reflector dashboard by selecting “Dashboard” and locate the chart for the destination that was just configured. Ensure the “Status” is “Sending” and that the chart has values.

  4. Finally, validate the delivery of logs to Securonix using the “Spotter” feature within the Securonix platform.
