Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Microsoft Exchange Server

The JSA DSM for Microsoft Exchange Server collects Exchange events by polling for event log files.

The following table identifies the specifications for the Microsoft Exchange Server DSM:

Table 1: Microsoft Exchange Server

Specification

Value

Manufacturer

Microsoft

DSM name

Exchange Server

RPM file name

DSM-MicrosoftExchange-JSA_version-build_number.noarch.rpm

Supported versions

Microsoft Exchange 2003

Microsoft Exchange 2007

Microsoft Exchange 2010

Microsoft Exchange 2013

Microsoft Exchange 2016

Protocol type

WinCollect for Microsoft Exchange 2003

Microsoft Exchange protocol for Microsoft Exchange 2007, 2010, 2013, and 2016.

JSA recorded event types

Outlook Web Access events (OWA)

Simple Mail Transfer Protocol events (SMTP)

Message Tracking Protocol events (MSGTRK)

Automatically discovered?

No

Included identity?

No

More information

Microsoft website (http://www.microsoft.com)

To integrate Microsoft Exchange Server with JSA, use the following steps:

  1. If automatic updates are not enabled, download the most recent version of the Microsoft Exchange Server DSM RPM from the Juniper Downloads.

  2. Configure your Microsoft Exchange Server DSM device to enable communication with JSA.

  3. Create an Microsoft Exchange Server DSM log source on the JSA Console.

Configuring Microsoft Exchange Server to Communicate with JSA

Ensure that the firewalls that are located between the Exchange Server and the remote host allow traffic on the following ports:

  • TCP port 13 for Microsoft Endpoint Mapper.

  • UDP port 137 for NetBIOS name service.

  • UDP port 138 for NetBIOS datagram service.

  • TCP port 139 for NetBIOS session service.

  • TCP port 445 for Microsoft Directory Services to transfer files across a Windows share.

  1. Configure OWA logs.

  2. Configure SMTP logs.

  3. Configure MSGTRK logs.

Configuring OWA Logs on Your Microsoft Exchange Server

To prepare your Microsoft Exchange Server to communicate with JSA, configure Outlook Web Access (OWA) event logs.

  1. Log into your Microsoft Internet Information System (IIS) Manager.

  2. On the desktop, select Start > Run.

  3. Type the following command:

    inetmgr

  4. Click OK.

  5. In the menu tree, expand Local Computer.

  6. If you use IIS 6.0 Manager for Microsoft Server 2003, complete the following steps:

    1. Expand Web Sites.

    2. Right-click Default Web Site and select Properties.

    3. From the Active Log Format list, select W3C.

    4. Click Properties.

    5. Click the Advanced tab.

    6. From the list of properties, select the Method (cs-method) and Protocol Version (cs-version) check boxes

    7. Click OK.

  7. If you use IIS 7.0 Manager for Microsoft Server 2008 R2, or IIS 8.5 for Microsoft Server 2012 R2, complete the following steps:

    1. Click Logging.

    2. From the Format list, select W3C.

    3. Click Select Fields.

    4. From the list of properties, select the Method (cs-method) and Protocol Version (cs-version) check boxes

    5. Click OK.

Enabling SMTP Logs on Your Microsoft Exchange Server 2003, 2007, and 2010

To prepare your Microsoft Exchange Server 2003, 2007 and 2010 to communicate with JSA, enable SMTP event logs.

  1. Start the Exchange Management Console.

  2. To configure your receive connector, choose one of the following options:

    • For edge transport servers, select Edge Transport in the console tree and click the Receive Connectors tab.

    • For hub transport servers, select Server Configuration > Hub Transport in the console tree, select the server, and then click the Receive Connectors tab.

  3. Select your receive connector and click Properties.

  4. Click the General tab.

  5. From the Protocol logging level list, select Verbose.

  6. Click Apply.

  7. Click OK.

  8. To configure your send connector, choose one of the following options:

    • For edge transport servers, select Edge Transport in the console tree and click the Send Connectors tab.

    • For hub transport servers, select Organization Configuration > Hub Transport in the console tree, select your server, and then click the Send Connectors tab.

  9. Select your send connector and click Properties.

  10. Click the General tab.

  11. From the Protocol logging level list, select Verbose.

  12. Click Apply.

  13. Click OK.

Enabling SMTP Logs on Your Microsoft Exchange Server 2013, and 2016

To prepare your Microsoft Exchange Server 2013 and 2016 to communicate with JSA, enable SMTP event logs.

  1. Start the Exchange Administration Center.

  2. To configure your receive connector, select Mail Flow >Receive Connectors.

  3. Select your receive connector and click Edit.

  4. Click the General tab.

  5. From the Protocol logging level list, select Verbose.

  6. Click Save.

  7. To configure your send connector, select Mail Flow >Send Connectors

  8. Select your send connector and click Edit.

  9. Click the General tab.

  10. From the Protocol logging level list, select Verbose.

  11. Click Save.

Configuring MSGTRK Logs for Microsoft Exchange 2003, 2007, and 2010

Message Tracking logs created by the Microsoft Exchange Server detail the message activity that takes place on your Microsoft Exchange Server, including the message path information.

MSGTRK logs are enabled by default on Microsoft Exchange 2007 or Exchange 2010 installations. The following configuration steps are optional.

To enable MSGTRK event logs:

  1. Start the Exchange Management Console.

  2. Configure your receive connector based on the server type:

    • For edge transport servers - In the console tree, select Edge Transport and click Properties.

    • For hub transport servers - In the console tree, select Server Configuration >Hub Transport, and then select the server and click Properties.

  3. Click the Log Settings tab.

  4. Select the Enable message tracking check box.

  5. Click Apply.

  6. Click OK.

    MSGTRK events are now enabled on your Exchange Server.

Configuring MSGTRK Logs for Exchange 2013 and 2016

Message Tracking logs created by the Microsoft Exchange Server detail the message activity that takes place on your Exchange Server, including the message path information.

  1. Start the Exchange Administration Center.

  2. Click Servers >Servers.

  3. Select the mailbox server that you want to configure, and then click Edit.

  4. Click Transport Logs.

  5. In the Message tracking log section, configure the following parameters:

    Parameter

    Description

    Enable message tracking log

    Enable or disable message tracking on the server.

    Message tracking log path

    The value that you specify must be on the local Exchange server. If the folder does not exist, it is created when you click Save.

  6. Click When using the Microsoft Exchange Server protocol, there are specific parameters that you must use

Microsoft Exchange Server Log Source Parameters for Microsoft Exchange

If JSA does not automatically detect the log source, add a Microsoft Exchange log source on the JSAConsole by using the Microsoft Exchange Server protocol.

When using the Microsoft Exchange Server protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Microsoft Exchange Server events from Microsoft Exchange:

Table 2: Microsoft Exchange Server Log Source Parameters for the Microsoft Exchange DSM

Parameter

Value

Log Source type

Microsoft Exchange Server

Protocol Configuration

Microsoft Exchange

Log Source Identifier

The IP address or host name to identify the Windows Exchange event source in the JSA user interface.

SMTP Log Folder Path

The directory path to access the SMTP log files. Use one of the following directory paths:

  • For Microsoft Exchange 2003, use c$/Program Files/Microsoft/Exchange Server/TransportRoles/ Logs/ProtocolLog/ .

  • For Microsoft Exchange 2007, use c$/Program Files/Microsoft/Exchange Server/TransportRoles/ Logs/ProtocolLog/.

  • For Microsoft Exchange 2010, use c$/Program Files/Microsoft/Exchange Server/V14/ TransportRoles/Logs/ProtocolLog/.

  • For Microsoft Exchange 2013, use c$/Program Files/Microsoft/Exchange Server/V15/ TransportRoles/Logs/ProtocolLog/.

  • For Microsoft Exchange 2016, use c$/Program Files/Microsoft/Exchange Server/V15/ TransportRoles/Logs/ProtocolLog/.

OWA Log Folder Path

The directory path to access the OWA log files. Use one of the following directory paths:

  • For Microsoft Exchange 2003, use c$\WINDOWS\system32\LogFiles\W3SVC1\.

  • For Microsoft Exchange 2007, use c$\WINDOWS\ system32\LogFiles\W3SVC1\.

  • For Microsoft Exchange 2010, use c$/inetpub/logs/ LogFiles/W3SVC1/.

  • For Microsoft Exchange 2013, use c$/inetpub/logs/ LogFiles/W3SVC1/.

  • For Microsoft Exchange 2016, use c$/inetpub/logs/ LogFiles/W3SVC1/.

MSGTRK Log Folder Path

The directory path to access message tracking log files. Message tracking is only available on Microsoft Exchange 2007 servers assigned the Hub Transport, Mailbox, or Edge Transport server role. Use one of the following directory paths:

  • For Microsoft Exchange 2007, use c$/Program Files/Microsoft/Exchange Server/TransportRoles/ Logs/MessageTracking/.

  • For Microsoft Exchange 2010, use c$/Program Files/Microsoft/Exchange Server/V14/ TransportRoles/Logs/MessageTracking/.

  • For Microsoft Exchange 2013, use c$/Program Files/Microsoft/Exchange Server/V15/ TransportRoles/Logs/MessageTracking/.

  • For Microsoft Exchange 2016, use c$/Program Files/Microsoft/Exchange Server/V15/ TransportRoles/Logs/MessageTracking/.

Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

Note:

Due to formatting, paste the message formats into a text editor and then remove any carriage return or line feed characters.

Microsoft Exchange Server sample message when you use the Microsoft Exchange protocol

The following sample shows a send external event.

SourceIp=10.91.5.110 AgentDevice=WindowsExchange AgentLogFile=MSGTRK2018112722-1.LOG AgentLogFormat =MSGTRK date-time=2018-11-27T22:40:02.966Z client-ip =10.4.11.100 client-hostname=testHostName server-ip =192.168.25.195 server-hostname =qradar.example.test source-context=;250 2.0.0 OK b139-v6si456977itb.104 - gsmtp;ClientSubmitTime: connector-id=Outbound Mail source=SMTP event-id =SENDEXTERNAL internal-messageid= 64441689310559 message-id=<admin4@qradar.domain.test> network-message-id=0fd591fe-1cc4-47f0-0bbc -08d654b944f3 recipient-address=admin3@qradar.domain.test recipient-status=250 2.1.5 OK b139- v6si45 6977itb.104 - gsmtp total-bytes=7249 recipient-count=1 related-recipient-address= reference= messag e-subject=Receipt sender-address =admin1@qradar.domain.test return-path=admin2@ qradar.domain.test message-info=2018-11-27T22:40:02.194Z;SRV=testHostName.BLAH.BLAH.BLAH:TOTAL-FE= 0.006|SMR=0.004(SMRPI=0.002(SMRPI-FrontendProxyAgent=0.002))|SMS=0.001;SRV=testHostName.BLAH.BLAH. BLAH:TOTAL-HUB=0.765|SMR=0.103(SMRDE=0.001|SMRC=0.101(SMRCL=0.101))|CAT=0.030(CATOS=0.005(CATSM=0. 005(CATSM-Unified Group Post Sent Item Routing Agent=0.004))|CATRESL=0.002|CATORES=0.020(CATRS=0. 020(CATRS-Transport Rule Agent=0.001(X-ETREX=0.001)|CATRS-Index Routing Agent=0.017)))|QDE=0.120| SMSC=0.127(X-SMSDR=0.120)|SMS=0.382 directionality=Originating tenant-id= original-client-ip= ori ginal-server-ip= custom-data=S:E2ELatency=0.771;S:ExternalSendLatency=0.141;S:ToEntity=Internet;S :FromEntity=Internet;S:MsgRecipCount=1;S:IncludeInSla=True;S:Microsoft.Exchange.Transport.MailRec ipient.RequiredTlsAuthLevel=Opportunistic;S:Microsoft.Exchange.Transport.MailRecipient.EffectiveT lsAuthLevel=EncryptionOnly;S:IsSmtpResponseFromExternalServer=True;S:DeliveryPriority=Normal;S:Or iginalFromAddress=admin1@qradar.domain.test;S:AccountForest=BLAH.BLAH.BLAH transport-traffic-type =Email log-id=755ab09c-9c04-44aa-8b07-08d654b94568 schema-version=15.01.1261.039

Table 3: Highlighted fields

JSA field name

Highlighted payload field name

Event ID

categoAgentLogFormat + event-id

Username

sender-address

Source IP

client-ip

Destination IP

server-ip

Related Documentation