Microsoft Exchange Server 2013, 2016, 2019: source configuration

Source audit is enabled by default. Configuration is performed separately for each Microsoft Exchange server. Events from the following audit logs can be collected:

  • Administrator audit. By default, administrator actions are logged when any cmdlets are run, except Get queries. The audit settings can be changed.
  • Exchange Information Store services audit. For the server to log events, the Mailbox Server role is required. Setting up the source for collecting events from the log is not required.
  • Transport system audit. For the server to log events, the Mailbox Server and Edge Transport roles are required.
  • Mailbox logon audit. For the server to log events, the Mailbox Server role is required.
  • Mailbox user activity audit. For the server to log events, the Mailbox Server role is required. The audit settings can be changed.

To collect events from a source in the Microsoft Exchange server domain, you must create a domain account and a server management role group including the following roles: Mailbox Search, Monitoring, View-Only Audit Logs, View-Only Configuration, and View-Only Recipients. Add the domain account you have created to this group.
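The role group described above can be created and checked from the Exchange Management Shell. The following is an added example, not part of the MaxPatrol documentation or an Exchange script; the account name DOMAIN\svc-mpsiem and the group name "MP SIEM Collectors" are assumptions and should be replaced with your own.

```powershell
# Added example: create the read-only management role group for the collector account.
# Assumed names (replace): DOMAIN\svc-mpsiem = pre-created domain account, "MP SIEM Collectors" = role group.
$account   = "DOMAIN\svc-mpsiem"
$groupName = "MP SIEM Collectors"

# The five roles named in the documentation, all read-only (no Set-/Remove- cmdlets are granted)
$roles = @("Mailbox Search", "Monitoring", "View-Only Audit Logs",
           "View-Only Configuration", "View-Only Recipients")

# Create the group only if it does not exist yet, so the script is safe to rerun
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles $roles -Members $account `
        -Description "Read-only access for MaxPatrol SIEM event collection"
} else {
    Add-RoleGroupMember -Identity $groupName -Member $account -ErrorAction SilentlyContinue
}

# Verify: every required role is assigned to the group and the account is a member
$assigned = (Get-ManagementRoleAssignment -RoleAssignee $groupName).Role | Sort-Object -Unique
$missing  = $roles | Where-Object { $_ -notin $assigned }
if ($missing) { Write-Warning "Roles not assigned to ${groupName}: $($missing -join ', ')" }
Get-RoleGroupMember -Identity $groupName | Select-Object Name, RecipientType
```

Keeping the group limited to these five roles means a compromise of the collector credentials yields read access to audit data and configuration, but no ability to change mailboxes or server settings.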

The Exchange Online service (part of Microsoft 365) is not supported.

Administrator audit logging

If the corporate IT infrastructure uses a firewall or other means of network traffic control, you must configure rules allowing traffic in both directions between the source host and the MP 10 Collector host. The system TCP port 135 and dynamic TCP ports 49152–65535 are used.
When using Windows Firewall on the source host, you must enable the following inbound rules: Remote Event Log Management (NP-In), Remote Event Log Management (RPC), and Remote Event Log Management (RPC-EPMAP).

In order for MP 10 Collector to collect events related to administrator activity, you must do the following on the source:

  1. Configure the administrator audit logging.
  2. Use the OS tools to create a local OS user account for the MP 10 Collector access.
    You must enter the credentials of this account when adding a credential to MaxPatrol SIEM.
  3. Add the account to the "Access this computer from the network" local (group) security policy.
  4. Add the account to the Event Log Readers local user group.
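Step 1 is done in the Exchange Management Shell. The following added example (not from the MaxPatrol documentation) enables administrator audit logging for all cmdlets and parameters and then confirms that entries are being written; the 90-day retention value is an assumption.

```powershell
# Added example: enable administrator audit logging (step 1 above). Run in the Exchange Management Shell.
# "*" records every cmdlet and every parameter; Get-* cmdlets are still excluded by Exchange itself.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets "*" `
    -AdminAuditLogParameters "*" `
    -AdminAuditLogAgeLimit 90.00:00:00 `
    -LogLevel Verbose   # Verbose also stores object property values before and after each change

# Show the effective configuration
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters, AdminAuditLogAgeLimit, LogLevel

# Changes to the audit configuration are always logged, so the command above must now appear in the log.
# An empty result here means the audit log is not being written and the collector will receive nothing.
Search-AdminAuditLog -StartDate (Get-Date).AddHours(-1) -Cmdlets Set-AdminAuditLogConfig |
    Select-Object RunDate, Caller, CmdletName, Succeeded
```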

Information Store service audit

If the corporate IT infrastructure uses a firewall or other means of network traffic control, you must configure rules allowing traffic in both directions between the source host and the MP 10 Collector host. The system TCP port 135 and dynamic TCP ports 49152–65535 are used.
When using Windows Firewall on the source host, you must enable the following inbound rules: Remote Event Log Management (NP-In), Remote Event Log Management (RPC), and Remote Event Log Management (RPC-EPMAP).

For MP 10 Collector to collect Information Store events on the source, you must do the following:

  1. Use the OS tools to create a local OS user account for the MP 10 Collector access.
    You must enter the credentials of this account when adding a credential to MaxPatrol SIEM.
  2. Add the account to the "Access this computer from the network" local (group) security policy.
  3. Add the account to the Event Log Readers local user group.
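The local account, the Event Log Readers membership, the "Access this computer from the network" user right and the three firewall rules are the same for the Information Store procedure above and for steps 2 to 4 of the Administrator audit logging procedure. The following is an added example (not from the MaxPatrol documentation) for an elevated PowerShell session on the Exchange host; the account name svc-mpsiem is an assumption, and the LocalAccounts and NetSecurity modules shipped with Windows Server 2016 and later are assumed to be present.

```powershell
# Added example: local collector account for event log collection (elevated PowerShell on the Exchange host).
# Assumed name (replace): svc-mpsiem = local account for MP 10 Collector.
$userName = "svc-mpsiem"
$password = Read-Host -AsSecureString "Password for $userName"   # prompt; never hard-code it

# Create the local account if it is missing. It needs no group membership beyond the ones below.
if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $userName -Password $password -PasswordNeverExpires `
        -UserMayNotChangePassword -Description "MaxPatrol SIEM collector (read-only)" | Out-Null
}

# Event Log Readers grants read access to the event logs and nothing else
if (-not (Get-LocalGroupMember -Group "Event Log Readers" -Member $userName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group "Event Log Readers" -Member $userName
}

# "Access this computer from the network" is the SeNetworkLogonRight user right. There is no cmdlet for
# user rights, so export the local policy with secedit, append the account and import it again.
$inf = Join-Path $env:TEMP "secpol.inf"
$db  = Join-Path $env:TEMP "secpol.sdb"
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$content = Get-Content -Path $inf
$line    = $content | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
if (-not $line) {
    Write-Warning "SeNetworkLogonRight not present in the export; assign it in secpol.msc instead"
} elseif ($line -notmatch [regex]::Escape($userName)) {
    $content = $content -replace '^(SeNetworkLogonRight\s*=.*)$', "`$1,$userName"
    Set-Content -Path $inf -Value $content -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
}
Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue

# The three inbound rules named in the text share one display group
Enable-NetFirewallRule -DisplayGroup "Remote Event Log Management" -Direction Inbound

# Verify the result
Get-LocalGroupMember -Group "Event Log Readers" | Select-Object Name, PrincipalSource
Get-NetFirewallRule -DisplayGroup "Remote Event Log Management" | Select-Object DisplayName, Enabled, Direction
```

The account deliberately gets no membership in Administrators or Remote Management Users: reading event logs over RPC needs only the Event Log Readers group plus the network logon right, and restricting it to that bounds what the credentials stored in MaxPatrol SIEM can do.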

Transport system audit logging

If the corporate IT infrastructure uses a firewall or other means of network traffic control, you must configure rules allowing traffic in both directions between the source host and the MP 10 Collector host. Ports UDP 137, UDP 138, TCP 139, and TCP 445 are used.
If the source host uses Windows Firewall, you must enable the File and Printer Sharing (SMB-In) inbound rule.

By default, log files with transport system events are saved on the source host in the C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking folder.

In order for MP 10 Collector to collect transport system events on the source, you must do the following:

  1. Configure the transport system audit logging.
  2. Use the OS tools to create a domain OS user account for MP 10 Collector access.
    You must enter the credentials of this account when adding a credential to MaxPatrol SIEM.
  3. Add the account to the "Access this computer from the network" local (group) security policy.
  4. Configure shared access to the folder with the log files and grant the account read access to this folder.
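Steps 1 and 4 of this procedure, together with the SMB firewall rule, can be scripted as follows. This is an added example, not the vendor's own procedure; the server name EXCH01, the domain account DOMAIN\svc-mpsiem, the hidden share name MessageTracking$ and the 30-day log age are assumptions, while the log path is the default one given in the text.

```powershell
# Added example: message tracking (transport system) log collection on a Mailbox or Edge Transport server.
# Assumed names (replace): EXCH01 = server, DOMAIN\svc-mpsiem = collector domain account.
$server    = "EXCH01"
$account   = "DOMAIN\svc-mpsiem"
$logPath   = "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking"  # default path
$shareName = 'MessageTracking$'   # hidden share; only the collector account is granted access

# Step 1 (Exchange Management Shell): message tracking on, default path, bounded retention
Set-TransportService -Identity $server -MessageTrackingLogEnabled $true `
    -MessageTrackingLogPath $logPath `
    -MessageTrackingLogMaxAge 30.00:00:00 `
    -MessageTrackingLogSubjectLoggingEnabled $true
Get-TransportService -Identity $server | Format-List MessageTrackingLog*

# Step 4 (elevated PowerShell on the server): NTFS read-and-execute for the account, inherited by the log files
$acl  = Get-Acl -Path $logPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $logPath -AclObject $acl

# Share permission: read for the collector account only (no Everyone entry is created when -ReadAccess is given)
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $logPath -ReadAccess $account `
        -Description "Message tracking logs for MaxPatrol SIEM"
}

# Firewall rule named in the text
Enable-NetFirewallRule -DisplayName "File and Printer Sharing (SMB-In)"

# Verify: share permissions and that log files are visible through the share
Get-SmbShareAccess -Name $shareName
Get-ChildItem -Path "\\$server\$shareName" -Filter "MSGTRK*.LOG" |
    Select-Object Name, LastWriteTime -First 5
```

Both the NTFS ACL and the share ACL are limited to read access, so the collector can copy the tracking logs but cannot alter or delete them, which keeps the logs usable as evidence.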

Mailbox logon audit

If the corporate IT infrastructure uses a firewall or other means of network traffic control, you must configure rules allowing traffic in both directions between the source host and the MP 10 Collector host. TCP port 5985 is used for HTTP, and TCP port 5986 is used for HTTPS. If Windows XP or Windows Server 2003 is installed on the source host, TCP port 80 is used for HTTP, and TCP port 443 is used for HTTPS.
If the source host uses Windows Firewall, you must enable the Windows Remote Management (HTTP-In) inbound rule.

In order for MP 10 Collector to start remotely collecting mailbox logon events on the source, you must do the following:

  1. Use the OS tools to create a domain OS user account for MP 10 Collector access.
    You must enter the credentials of this account when adding a credential to MaxPatrol SIEM.
  2. Add the account to the "Access this computer from the network" local (group) security policy.
  3. Set up permission for the account to remotely run the Get-Mailbox and Get-MailboxStatistics cmdlets.
  4. Configure remote MP 10 Collector connection to the source.
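Steps 3 and 4 are the same for the Mailbox user activity procedure below (which needs Get-Mailbox only). The following added example, not part of the MaxPatrol documentation, enables the WinRM listener and firewall rule on the server, checks which management roles contain the two cmdlets, and then connects as the collector account to confirm they run. The server name EXCH01 and the account DOMAIN\svc-mpsiem are assumptions. The connection test uses the Exchange remote PowerShell endpoint, which is served by IIS from the server's PowerShell virtual directory and enforces RBAC; the WinRM listener on TCP 5985 that the text describes is enabled separately.

```powershell
# Added example: remote connection and cmdlet permissions for the collector account.
# Assumed names (replace): EXCH01 = Exchange server, DOMAIN\svc-mpsiem = collector domain account.
$server  = "EXCH01"
$account = "DOMAIN\svc-mpsiem"

# --- Step 4, on the Exchange server (elevated PowerShell): WinRM listener on TCP 5985 and its firewall rule
Enable-PSRemoting -Force -SkipNetworkProfileCheck
Enable-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)"
# Non-administrators may open WinRM sessions only as members of this built-in group
Add-LocalGroupMember -Group "Remote Management Users" -Member $account -ErrorAction SilentlyContinue
Test-WSMan -ComputerName $server   # throws if the listener is not reachable

# --- Step 3, in the Exchange Management Shell: remote PowerShell must be allowed for the account,
# and the account must hold a role containing each cmdlet. List those roles instead of guessing:
Set-User -Identity $account -RemotePowerShellEnabled $true
Get-ManagementRoleEntry "*\Get-Mailbox"           | Select-Object Role, Name
Get-ManagementRoleEntry "*\Get-MailboxStatistics" | Select-Object Role, Name
# Roles the account holds, directly or through role group membership
$userName = (Get-User -Identity $account).Name
Get-ManagementRoleAssignment -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $userName } |
    Select-Object Role -Unique

# --- From the collector host, as the collector account: RBAC-enforced Exchange remote PowerShell session.
# Only the cmdlets the account's roles allow are imported; a missing cmdlet shows up here, not in production.
$cred    = Get-Credential -UserName $account -Message "Collector account password"
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$server/PowerShell/" -Authentication Kerberos -Credential $cred
Import-PSSession $session -CommandName Get-Mailbox, Get-MailboxStatistics -AllowClobber | Out-Null
# Last logon data is what the mailbox logon audit is built from
Get-Mailbox -ResultSize 5 | Get-MailboxStatistics |
    Select-Object DisplayName, LastLogonTime, LastLoggedOnUserAccount
Remove-PSSession $session
```

If Import-PSSession reports that one of the two cmdlets is not found, the account lacks a role that contains it; add the account to a role group that does rather than granting broader rights.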

Mailbox user activity audit

If the corporate IT infrastructure uses a firewall or other means of network traffic control, you must configure rules allowing traffic in both directions between the source host and the MP 10 Collector host. TCP port 5985 is used for HTTP, and TCP port 5986 is used for HTTPS. If Windows XP or Windows Server 2003 is installed on the source host, TCP port 80 is used for HTTP, and TCP port 443 is used for HTTPS.
If the source host uses Windows Firewall, you must enable the Windows Remote Management (HTTP-In) inbound rule.

In order for MP 10 Collector to start remotely collecting mailbox user activity events on the source, you must do the following:

  1. Configure the mailbox user activity audit.
  2. Use the OS tools to create a domain OS user account for MP 10 Collector access.
    You must enter the credentials of this account when adding a credential to MaxPatrol SIEM.
  3. Add the account to the "Access this computer from the network" local (group) security policy.
  4. Set up permission for the account to remotely run the Get-Mailbox cmdlet.
  5. Configure remote MP 10 Collector connection to the source.
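Step 1 is done per mailbox in the Exchange Management Shell. The following added example (not from the MaxPatrol documentation) enables mailbox audit logging for all user mailboxes with an explicit set of owner, delegate and administrator actions, reports mailboxes that are still unaudited, and verifies that entries are produced. The 90-day age limit, the action lists and the mailbox alias jdoe are assumptions.

```powershell
# Added example: enable mailbox audit logging (step 1 above). Run in the Exchange Management Shell.
# Assumed values (replace): 90-day retention, action lists below, mailbox alias "jdoe" for the check.
$ageLimit = [TimeSpan]::FromDays(90)

# MailboxLogin under AuditOwner is the action that records the owner's logons; the delegate and admin
# lists record access to the mailbox by other users and by administrators.
$ownerActions    = "MailboxLogin", "HardDelete", "SoftDelete", "Update", "Move", "MoveToDeletedItems"
$delegateActions = "FolderBind", "SendAs", "SendOnBehalf", "HardDelete", "SoftDelete",
                   "Update", "Move", "MoveToDeletedItems"
$adminActions    = "FolderBind", "SendAs", "SendOnBehalf", "MessageBind", "HardDelete", "SoftDelete",
                   "Update", "Move", "MoveToDeletedItems", "Copy"

# Apply to every user mailbox (server-side filter keeps shared, room and system mailboxes out)
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit $ageLimit `
        -AuditOwner $ownerActions -AuditDelegate $delegateActions -AuditAdmin $adminActions

# Mailboxes created after this run are not audited; list them (schedule this as a recurring task)
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object Name, AuditEnabled

# Verify that entries are produced: last 24 hours of one mailbox, all three logon types
Search-MailboxAuditLog -Identity jdoe -LogonTypes Owner, Delegate, Admin -ShowDetails `
    -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation, ClientIPAddress, ClientInfoString
```

The per-mailbox AuditEnabled check matters operationally: on-premises Exchange does not turn mailbox auditing on for new mailboxes automatically, so without a recurring pass the collector silently receives no activity for them.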
