How to enable audit log in MS exchange 2013 & 2016

[ismailctest C]

Hi,

Please let us know how to enable audit logs in MS exchange 2013 & 2016.

Kindly share the steps to configure in MS exchange side & wazuh side.

What types of the logs to be collected for SIEM monitoring.

[Natalia Castillo]

Hi,

Thank you for your interest in Wazuh!

I will do some research on your request and get back to you as soon as I have a full answer. Please give us a bit of time and thank you for your patience.

Regards.

[ismailctest C]

Okay, thanks.

[Natalia Castillo]

Hello, 

Thank you for your patience.

First, You need to enable the audit logs in MS Exchange. This can only be done through Exchange Management Shell (EMS) with the permissions needed.

MS Exchange

1. Open the Exchange Management Shell. For more information.

2. Run the following command to enable mailbox audit logging for all user mailboxes in your organization:

Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Select PrimarySmtpAddress | ForEach {Set-Mailbox -Identity $_.PrimarySmtpAddress -AuditEnabled $true}

Or the following command if you want to enable it for an specific mailbox:
Set-Mailbox -Identity "MailboxName" -AuditEnabled $true
Replace "MailboxName" with the name of the mailbox you want to enable audit logging


3. To enable administrator audit logging, run the following command:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $True

4. Verify that the audit logs are being generated. You can do that, by checking the default location where they are stored (C:\Program Files\Microsoft\Exchange Server\V15\Logging\Audit). However, this can be changed during or after installation using the Exchange Management Shell (EMS). In case is needed, please refer to Administrador audit log for more information.
   
   

For more information and possible configuration that you may want to do, please visit these references:
- Enable/disable Mailbox audit log 2013
- Enable/disable Mailbox audit log 2016
- Administrador audit log

Once the audit logs are enabled, you can configure Wazuh to monitor and collect them.

Wazuh

1. Install the Wazuh agent on the Microsoft Exchange server you want to monitor. You can find the installation instructions in the Wazuh documentation.
2. Add the Exchange logs location to the Wazuh agent configuration file. The configuration file is usually located at (C:\Program Files\ossec-agent\ossec.conf)
3. Wazuh already provides some decoders and rules for MS exchange, which are located in local_decoder.xml and local_rules.xml, but you can customize the decoders and rules to match your specific monitoring requirements.
4. Finally, restart the Wazuh agent service to apply the changes.

If you want to verify that the Wazuh agent is receiving the Exchange logs check the agent log file located in (C:\Program Files (x86)\ossec-agent\logs\ossec.log)

More information about wazuh configuration:

- How log data collection works

- Custom rules and decoders

- Creating decoders and rules from scratch

- Decoders Syntax
- Rules Syntax

Lastly, the types of logs to be collected for SIEM monitoring are:

• Windows Event Logs
  
• Internet Information Services Logs (IIS)
  
• Active Directory Logs  (AD)
  
• PowerShell Logs
  
• Remote Desktop Services Logs (RDS)
  

Let me know if that helped!

Regards.

[ismailctest C]

Hi Natalia Castillo,

Thanks for your support, will check and let you know.

[ismailctest C]

Hi Natalia Castillo,

We need to add the location in wazuh manager, all wazuh side configuration is planning to do in wazuhmanger only.

Could you please guide.

[Natalia Castillo]

Hello,
Sorry for the late response and thank you for your patience.

Do you want to do the configuration from the terminal or the web interface? since the configuration is a little different.

[ismailctest C]

Could you please share both.

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/78X8ItHElY4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/fe0b4816-1989-4b91-b937-68db9ff2f33en%40googlegroups.com.

[Natalia Castillo]

No problem.

First, you should know that you do need to make a configuration in a wazuh agent, due to how the MS exchange audit logs are being stored (C:\Program Files\Microsoft\Exchange Server\V15\Logging\Audit), this can be done by following the steps given before. But since you want to do all the configuration from the manager, you can modify the agent configuration from the manager. 

This can be done by using groups which allows you to define configuration groups, edit the configuration in a single file and assign agents to those groups. All the agents belonging to the same group will apply the configuration defined in that group. This way you modify the location and everything from the manager, but still needs agents. Here's more info about groups of you're interested (https://documentation.wazuh.com/current/user-manual/agents/grouping-agents.html)

But to be more helpful, can you be more specific about what you mean with "all wazuh side configuration is planning to do in wazuhmanger only" ?

Regards.