18. 12. 2020 Juergen Vigna Log Management, Log-SIEM, NetEye

Monitor Microsoft Exchange Logs Using NetEye 4 Log Management

So you have a Microsoft Exchange mail server infrastructure and want full control over it using the NetEye 4 Log Management module? Yes, you can do that.

An Exchange server writes out various log files:

  • MessageTracking
  • Imap4/Pop3
  • Smtp
  • IIS logs

To be able to send these logs to NetEye you have to install the Filebeat agent. Here are the relevant parts of a sample configuration file for the agent that sends the requested Exchange log files to the NetEye 4 Filebeat-Logstash TCP input port (5044).

Importantly, to be able to connect to this port you must configure the SSL certificates on the agent and also on the TCP port. Normally in NetEye 4 you will find these certificates in this directory:

/neteye/shared/logstash/conf/certs

And here’s the part of the Filebeat configuration file that points to the client certificate, which you create as documented on the NetEye server:

# List of root certificates for HTTPS server verifications
# Windows paths are single-quoted: inside a YAML double-quoted string a backslash
# starts an escape sequence (e.g. \r), which would corrupt the path.
ssl.certificate_authorities: ['C:\Program Files\Filebeat\certificates\root-ca.crt']
# Certificate for SSL client authentication
ssl.certificate: 'C:\Program Files\Filebeat\certificates\filebeat.crt.pem'
# Client certificate key
ssl.key: 'C:\Program Files\Filebeat\certificates\filebeat.key.pem'

And this part is where you define the locations of the different log files (these paths should be pretty standard for all Exchange servers):

- C:\Program Files\Microsoft\Exchange Server\V15\Logging\Imap4\*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\Logging\Pop3\*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend\*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.LOG

While the Logstash input and output definitions for Filebeat data already exist in NetEye 4, you’ll have to create a new filter rule in Logstash to split the various Exchange log files into separate fields. These Exchange log files (excluding the IIS logs, which come from IIS rather than from Exchange) are in CSV format.

There’s one slight problem here: the different files have different column orderings, and between Exchange 2013 and 2016 the number of columns in the MessageTracking logs is also different. You can download a filtering configuration file that fixes this from our blog’s download page. Just remove the trailing .txt from the file name and insert it into this directory on your NetEye 4 server:

/neteye/shared/logstash/conf/conf.d
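A Logstash csv filter needs to be told the column list for each file, which is why the column-ordering differences above need handling. As an added illustration of the same problem (Python, not the blog’s downloadable Logstash filter and not NetEye code), the parser below reads the column names from the `#Fields:` header that Exchange writes at the top of each log file, so one parser copes with files whose column order or column count differs; the sample log and its shortened column list are constructed for this example.

```python
"""Parse Exchange-style CSV logs using their own '#Fields:' header line.

Exchange protocol and message-tracking logs begin with '#Software', '#Version',
'#Log-type', '#Date' and '#Fields:' lines. Taking the column names from
'#Fields:' instead of hard-coding them lets one parser handle files whose
column order or column count differs (e.g. MessageTracking on 2013 vs 2016).
"""
import csv
import io

# Constructed sample: an abbreviated MessageTracking-style log. The column list
# is shortened for the example; a real file has many more columns.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Message Tracking Log
#Date: 2020-12-18T00:00:00.000Z
#Fields: date-time,client-ip,server-hostname,source,event-id,message-id,recipient-address,sender-address,message-subject
2020-12-18T08:15:01.123Z,192.0.2.10,MAIL01,SMTP,RECEIVE,<abc@example.com>,alice@example.com,bob@example.org,Quarterly report
2020-12-18T08:15:02.456Z,,MAIL01,STOREDRIVER,DELIVER,<abc@example.com>,alice@example.com,bob@example.org,"Hello, world"
"""


def parse_exchange_log(text):
    """Return (events, errors): events are dicts keyed by the '#Fields:' names.

    Other '#' header lines are skipped. A row whose value count differs from the
    header is reported rather than mis-assigned, because a shifted column is
    exactly what makes a SIEM rule match the wrong field.
    """
    columns = None
    events, errors = [], []
    for lineno, line in enumerate(io.StringIO(text), start=1):
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            columns = [c.strip() for c in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue
        if columns is None:
            errors.append((lineno, "data row before #Fields header"))
            continue
        values = next(csv.reader([line]))  # handles quoted, comma-containing values
        if len(values) != len(columns):
            errors.append((lineno, f"expected {len(columns)} columns, got {len(values)}"))
            continue
        events.append(dict(zip(columns, values)))
    return events, errors
```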

For the Exchange IIS logs there’s a dedicated IIS module in the Filebeat agent configuration which you can enable to collect those logs, too.

If you now restart your Logstash daemon you should be able to see your Exchange logs like this inside the Log Analytics module:

Author

Juergen Vigna
NetEye Solution Architect at Würth Phoenix

I have over 20 years of experience in the IT branch. After first experiences in the field of software development for public transport companies, I finally decided to join the young and growing team of Würth Phoenix. Initially, I was responsible for the internal Linux/Unix infrastructure and the management of CVS software. Afterwards, my main challenge was to establish the meanwhile well-known IT System Management Solution WÜRTHPHOENIX NetEye. As a Product Manager I started building NetEye from scratch, analyzing existing open source models, extending and finally joining them into one single powerful solution. After that, my job turned into a passion: Constant developments, customer installations and support became a matter of personal. Today I use my knowledge as a NetEye Senior Consultant as well as NetEye Solution Architect at Würth Phoenix.
