How to collect the Microsoft (MS) Exchange logs

ismailctest C

Dec 18, 2023, 5:31:54 AM
to Wazuh | Mailing List
Hi Team,
Please let us know how to collect the MS Exchange logs in Wazuh.
We have already installed the agent but have not received any MS Exchange-related jobs.
Please let us know what additional configuration needs to be done on the MS Exchange side and on the Wazuh manager to get the logs.

Andres Micalizzi

Dec 18, 2023, 7:38:07 AM
to Wazuh | Mailing List
Hello,

Thanks for using Wazuh.

For this, you would need to enable the audit logs in MS Exchange. This can only be done through Exchange Management Shell (EMS) with the permissions needed.

MS Exchange

  • Open the Exchange Management Shell.
  • Run the following command to enable mailbox audit logging for all user mailboxes in your organization:
      Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Select PrimarySmtpAddress | ForEach {Set-Mailbox -Identity $_.PrimarySmtpAddress -AuditEnabled $true}

  • Or run the following command if you want to enable it for a specific mailbox (replace "MailboxName" with the name of the mailbox you want to enable audit logging for):
      Set-Mailbox -Identity "MailboxName" -AuditEnabled $true

  • To enable administrator audit logging, run the following command:
      Set-AdminAuditLogConfig -AdminAuditLogEnabled $True

Verify that the audit logs are being generated. You can do that by checking the default location where they are stored (C:\Program Files\Microsoft\Exchange Server\V15\Logging\Audit). However, this can be changed during or after installation using the Exchange Management Shell (EMS). In case it is needed, please refer to Administrator audit log for more information.

Once the audit logs are enabled, you can configure Wazuh to monitor and collect them.

Wazuh

Add the Exchange logs location to the Wazuh agent configuration file. The configuration file is usually located at C:\Program Files\ossec-agent\ossec.conf.
Wazuh already provides some decoders and rules for MS Exchange, but you can customize the decoders and rules to match your specific monitoring requirements.

Finally, restart the Wazuh agent service to apply the changes.
If you want to verify that the Wazuh agent is receiving the Exchange logs, check the agent log file located at C:\Program Files (x86)\ossec-agent\logs\ossec.log.

I hope this clears your question.
In case of further questions, do not hesitate to ask.
Cheers!
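A worked ossec.conf fragment for the Wazuh agent side of the procedure in the reply above, added here as an example and not part of the original reply or of Wazuh's shipped configuration. It assumes the default Exchange audit log path named in the reply, that the audit files carry a .log extension, and that Wazuh's generic syslog log_format (one event per line) is suitable for them.

```xml
<!-- Added example: a localfile block to place inside the existing <ossec_config>
     element of C:\Program Files\ossec-agent\ossec.conf on the Exchange server -->
<ossec_config>
  <localfile>
    <!-- Audit directory from the reply above; the wildcard makes the agent
         follow every .log file in it (the .log extension is an assumption) -->
    <location>C:\Program Files\Microsoft\Exchange Server\V15\Logging\Audit\*.log</location>
    <!-- Assumed line-oriented files, so the generic syslog reader applies;
         Wazuh also supports json and multi-line readers if the files differ -->
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
```

After saving the file, restart the Wazuh agent service as the reply describes; the agent then logs each monitored path it opens in ossec.log, which is the quickest way to confirm that the wildcard matched the audit files.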