Catch Exchange Auditing Using SCOM

  • Hi,

    Is there any way that we can catch Exchange admin auditing using the SCOM 2012 Management Pack, like permission changes on a mailbox or the deletion or creation of a new mailbox?

    Regards

    Usman Ghani


    Usman Ghani - MCITP Exchange 2010

    Tuesday, March 26, 2013 1:57 PM

All replies

  • I don't know anything about this, but I assume Exchange logs these messages in the event log (maybe some auditing policy). SCOM can pick up any alert from the event log...


    Rob Korving
    http://jama00.wordpress.com/

    Tuesday, March 26, 2013 2:41 PM
  • You should take a look at LOGbinder EX. It can collect the admin audit log and the mailbox audit log and put those events into the Windows Security log, a custom application log, or via Syslog so that you can report and alert on them. You can find a list of the supported events at LOGbinder.com. They have a 30 full license for testing too.
    Thursday, March 28, 2013 3:47 AM
  • Exchange stores these logs in mailboxes and hidden folders trapped inside of the application. Not the best practice for security. 
    Thursday, March 28, 2013 3:49 AM

  • Agree with Rob.

    Please also refer to the following example:

    Auditing Mailbox Access
    http://contoso.se/blog/?p=658

    Hope this helps.

    Thanks.


    Nicholas Li
    TechNet Community Support

    Thursday, March 28, 2013 10:13 AM
  • No, Exchange does not send this data to the event log. It's stored internal to Exchange. There are ways to get it out with PowerShell, but the way Exchange does it is by processing the request asynchronously and sending it after some time as an XML attachment in an email. This link explains how it works and how you can get this information into the event log, where SCOM or any SIEM can handle it further. http://www.ultimatewindowssecurity.com/exchange/adminaudit/default.aspx

    Randall F Smith

    Thursday, March 28, 2013 5:08 PM
  • I am facing the same request from a customer. Any updates on how to do this, guys?
    Wednesday, April 20, 2016 11:04 AM
  • Well, the above link mentions that a SIEM (a security-focused monitoring tool) accesses it through a module written for this purpose, which in turn uses Exchange's management API. When there's an API, SCOM can access that too.

    We can only help with porting this to SCOM when you know how the API works, and Exchange gurus should be able to help you with this.


    Rob Korving
    http://jama00.wordpress.com/

    Monday, April 25, 2016 12:32 PM
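As a worked example added to this thread (it is not code from any of the posters, from LOGbinder, or from the linked ultimatewindowssecurity article), the script below shows the bridge that Randall's and Rob's replies describe: pull the admin audit log out of Exchange with the management cmdlets and re-emit the entries as Windows event log records that a standard SCOM event rule can alert on. It assumes it runs on a schedule in the Exchange Management Shell (Exchange 2010/2013) under an account holding the Audit Logs role; the event source name `ExchangeAdminAudit`, the event IDs and the lookback interval are values constructed for this example.

```powershell
# Added example, not from the thread: poll the Exchange admin audit log and
# re-emit mailbox-related administrative changes as Windows event log entries
# that a SCOM "NT Event Log (Alert)" rule (or any SIEM agent) can pick up.
# Assumptions: runs in the Exchange Management Shell (Exchange 2010/2013) under
# an account with the Audit Logs role; the source name and event IDs are
# constructed for this example.

param(
    [int]$LookbackMinutes = 15,        # schedule the script at this same interval
    [string]$LogName = 'Application',
    [string]$Source  = 'ExchangeAdminAudit'
)

# Cmdlets covering what the original question asks about: mailbox permission
# changes and mailbox creation/deletion.
$watchedCmdlets = @(
    'Add-MailboxPermission', 'Remove-MailboxPermission',
    'Add-ADPermission', 'Remove-ADPermission',
    'New-Mailbox', 'Enable-Mailbox', 'Remove-Mailbox', 'Disable-Mailbox'
)

# Arbitrary event IDs chosen for this example; the SCOM rule keys on these.
$eventIds = @{
    'Add-MailboxPermission'    = 1001
    'Remove-MailboxPermission' = 1002
    'Add-ADPermission'         = 1003
    'Remove-ADPermission'      = 1004
    'New-Mailbox'              = 1011
    'Enable-Mailbox'           = 1012
    'Remove-Mailbox'           = 1013
    'Disable-Mailbox'          = 1014
}

# Register the custom event source once (needs local admin on the first run).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

$end   = Get-Date
$start = $end.AddMinutes(-$LookbackMinutes)

# Search-AdminAuditLog is the synchronous query. New-AdminAuditLogSearch is the
# asynchronous variant Randall describes, which mails the result as an XML
# attachment; the synchronous form is the one that fits a polling script.
$events = Search-AdminAuditLog -StartDate $start -EndDate $end `
                               -Cmdlets $watchedCmdlets -ResultSize 5000

foreach ($e in $events) {
    # Flatten the parameter collection into "Name=Value; ..." for the message.
    $params = ($e.CmdletParameters |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '

    $message = @"
Exchange admin audit event
Cmdlet:      $($e.CmdletName)
Caller:      $($e.Caller)
Object:      $($e.ObjectModified)
Parameters:  $params
Succeeded:   $($e.Succeeded)
Error:       $($e.Error)
Run date:    $($e.RunDate)
Server:      $($e.OriginatingServer)
"@

    # A failed attempt is still worth an alert: a denied permission change on a
    # mailbox is a signal in its own right.
    $entryType = if ($e.Succeeded) { 'Warning' } else { 'Error' }

    Write-EventLog -LogName $LogName -Source $Source `
                   -EventId $eventIds[$e.CmdletName] -EntryType $entryType `
                   -Message $message
}
```

On the SCOM side this needs no Exchange-specific module: an ordinary event log alert rule on the chosen log, filtered by source `ExchangeAdminAudit` and event ID range 1001 to 1014, turns each record into an alert, and the event message carries the caller, target mailbox and parameters for triage. Run the script at the same interval as the lookback window so consecutive runs neither miss nor duplicate entries; if the cmdlet output needs to be retained independently of Exchange, the same loop can write to a dedicated log instead of Application.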