Monitor Microsoft Exchange Logs Using NetEye 4 Log Management
So you have a Microsoft Exchange mail server infrastructure and want full control over it using the NetEye 4 Log Management module? Yes, you can do that.
An Exchange server writes out various log files:
MessageTracking
Imap4/Pop3
Smtp
IIS logs
To be able to send these logs to NetEye you have to install the Filebeat Agent. Here’s a sample configuration file for the agent that sends the requested Exchange log files to the NetEye 4 Filebeat-Logstash TCP input port (5044).
Importantly, to be able to connect to this port you must configure the SSL certificates on the agent and also on the TCP port. Normally in NetEye 4 you will find these certificates in this directory:
/neteye/shared/logstash/conf/certs
And here's the part of the Filebeat configuration file where you reference the certificates you created as documented on the NetEye server:
# Filebeat output.logstash SSL settings. The Windows paths are single-quoted:
# inside YAML double quotes, "\P" and "\F" would be parsed as (invalid) escape sequences.
# List of root certificates for HTTPS server verification
ssl.certificate_authorities: ['C:\Program Files\Filebeat\certificates\root-ca.crt']
# Certificate for SSL client authentication
ssl.certificate: 'C:\Program Files\Filebeat\certificates\filebeat.crt.pem'
# Client certificate key
ssl.key: 'C:\Program Files\Filebeat\certificates\filebeat.key.pem'
And this part is where you define the locations of the different log files (these should be pretty standard for all Exchange servers):
While in NetEye 4 the input and output definitions for the Filebeat data are already defined, you’ll have to create a new filter rule in Logstash to be able to split the various Exchange log files into separate fields. These Exchange log files (excluding the IIS logs as they don’t really come from Exchange but from IIS) are in CSV format.
There’s one slight problem here: the different files have different column orderings, and between Exchange 2013 and 2016 the number of columns in the MessageTracking logs is also different. You can download a filtering configuration file that handles this from our blog’s download page. Just remove the trailing .txt from the file name and copy it into this directory on your NetEye 4 server:
/neteye/shared/logstash/conf/conf.d
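The column-ordering problem described above, shown on a small scale in Python (an added example, not the downloadable Logstash filter from this post): Exchange prefixes every CSV log file with a `#Fields:` header, so keying each row by that header instead of by fixed position absorbs files whose column count or order differs between versions. The two sample files below are constructed and use abbreviated field lists; real MessageTracking logs carry far more columns.

```python
import csv

# Constructed sample in the 2013 layout (abbreviated field list).
SAMPLE_2013 = """#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Fields: date-time,client-ip,server-hostname,event-id,recipient-address,recipient-count,message-subject,sender-address
2020-06-01T08:15:02.123Z,10.0.0.5,EX01,RECEIVE,bob@example.com,1,Quarterly report,alice@example.com
2020-06-01T08:15:02.456Z,,EX01,SEND,bob@example.com,1,"Hello, world",alice@example.com
"""

# Constructed sample in the 2016 layout: same prefix, three extra trailing columns.
SAMPLE_2016 = """#Software: Microsoft Exchange Server
#Version: 15.1.0.0
#Fields: date-time,client-ip,server-hostname,event-id,recipient-address,recipient-count,message-subject,sender-address,transport-traffic-type,log-id,schema-version
2020-06-01T09:00:00.000Z,10.0.0.7,EX02,DELIVER,carol@example.com,1,Invoice,dave@example.com,Email,c0ffee-1,15.01.0000.000
"""


def parse_exchange_log(text):
    """Yield one dict per data row, keyed by the names from the #Fields: header.

    Lines starting with '#' are header lines; the column list is taken from
    '#Fields:', so no per-version column map is needed. Rows whose value count
    does not match the header are rejected instead of being silently misaligned.
    """
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data row before #Fields: header")
        values = next(csv.reader([line]))  # csv handles the quoted subject with a comma
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: {len(values)} values for {len(fields)} fields")
        yield dict(zip(fields, values))


def count_events(text):
    """Return {event-id: count} for one log file, the kind of aggregate a dashboard shows."""
    counts = {}
    for row in parse_exchange_log(text):
        counts[row["event-id"]] = counts.get(row["event-id"], 0) + 1
    return counts
```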
For the Exchange IIS Logs there’s a special IIS module inside the Filebeat Agent Configuration which you can activate to get those logs, too.
If you now restart your Logstash daemon you should be able to see your Exchange logs like this inside the Log Analytics module:
Author
Juergen Vigna
I have over 20 years of experience in the IT branch. After first experiences in the field of software development for public transport companies, I finally decided to join the young and growing team of Würth Phoenix. Initially, I was responsible for the internal Linux/Unix infrastructure and the management of CVS software. Afterwards, my main challenge was to establish the meanwhile well-known IT System Management Solution WÜRTHPHOENIX NetEye. As a Product Manager I started building NetEye from scratch, analyzing existing open source models, extending and finally joining them into one single powerful solution. After that, my job turned into a passion: Constant developments, customer installations and support became a matter of personal. Today I use my knowledge as a NetEye Senior Consultant as well as NetEye Solution Architect at Würth Phoenix.