So you have a Microsoft Exchange mail server infrastructure and want full control over it using the NetEye 4 Log Management module? Yes, you can do that.
An Exchange server writes out various log files:
To be able to send these logs to NetEye you have to install the Filebeat Agent. Here’s a sample configuration file for the agent that sends the requested Exchange log files to the NetEye 4 Filebeat-Logstash TCP input port (5044).
Importantly, to be able to connect to this port you must configure the SSL certificates on the agent and also on the TCP port. Normally in NetEye 4 you will find these certificates in this directory:
And here’s the part of the Filebeat configuration file that references the certificates, which you have to create as documented on the NetEye server:
# List of root certificates for HTTPS server verifications
ssl.certificate_authorities: ['C:\Program Files\Filebeat\certificates\root-ca.crt']
# Certificate for SSL client authentication
ssl.certificate: 'C:\Program Files\Filebeat\certificates\filebeat.crt.pem'
# Client Certificate Key
ssl.key: 'C:\Program Files\Filebeat\certificates\filebeat.key.pem'
And this part is where you define the locations of the different log files (should be pretty standard for all Exchange servers):
- C:\Program Files\Microsoft\Exchange Server\V15\Logging\Imap4\*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\Logging\Pop3\*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend\*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.LOG
While in NetEye 4 the input and output definitions for the Filebeat data are already defined, you’ll have to create a new filter rule in Logstash to be able to split the various Exchange log files into separate fields. These Exchange log files (excluding the IIS logs as they don’t really come from Exchange but from IIS) are in CSV format.
There’s one slight problem here: the different files have different column orderings, and between Exchange 2013 and 2016 the number of columns in the MessageTracking logs is also different. You can download a filtering configuration file that fixes this from our blog’s download page. Just remove the trailing .txt from the file name and insert it into this directory on your NetEye 4 server:
For the Exchange IIS Logs there’s a special IIS module inside the Filebeat Agent Configuration which you can activate to get those logs, too.
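The column-ordering problem described above can be checked outside Logstash by reading the `#Fields:` header that Exchange writes at the top of each CSV log instead of hard-coding column positions, so values such as sender and recipient never land in the wrong field. The following Python parser is an added example, not the downloadable Logstash filter or NetEye code; the sample log lines are constructed with shortened headers, and `parse_exchange_log` is a hypothetical helper name.

```python
import csv

# Constructed, shortened samples (not real logs): each file names its own
# columns in a "#Fields:" header, and the two layouts differ.
SMTP_LOG = r'''#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,remote-endpoint,event,data
2019-01-01T00:00:01.000Z,EX01\Default Frontend,08D6AB,198.51.100.7:50321,<,"EHLO client.example.net, constructed"
'''.splitlines()

TRACKING_LOG = r'''#Log-type: Message Tracking Log
#Fields: date-time,client-ip,event-id,recipient-address,message-subject,sender-address
2019-01-01T00:00:02.000Z,198.51.100.7,RECEIVE,b@example.net,"Hello, world",a@example.com
2019-01-01T00:00:03.000Z,198.51.100.7,DELIVER,b@example.net
'''.splitlines()


def parse_exchange_log(lines):
    """Yield (log_type, event) per data row, naming the columns from the
    most recent '#Fields:' header rather than from a fixed column order."""
    fields, log_type = None, None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#"):
            key, _, value = line[1:].partition(": ")
            if key == "Fields":
                fields = value.split(",")
            elif key == "Log-type":
                log_type = value
            continue
        if not line or fields is None:
            continue  # no header seen yet: the columns cannot be named safely
        row = next(csv.reader([line]))  # honours quoted values containing commas
        if len(row) != len(fields):
            # Column count mismatch (for example a schema from another
            # Exchange version): flag the row instead of shifting values.
            error = "expected %d columns, got %d" % (len(fields), len(row))
            yield log_type, {"_parse_error": error, "message": line}
            continue
        yield log_type, dict(zip(fields, row))


if __name__ == "__main__":
    for sample in (SMTP_LOG, TRACKING_LOG):
        for log_type, event in parse_exchange_log(sample):
            print(log_type, event)
```

Rows flagged with `_parse_error` are the ones to inspect before trusting searches or alerts built on the split fields.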
If you now restart your Logstash daemon you should be able to see your Exchange logs like this inside the Log Analytics module: