Microsoft Exchange is a widely used enterprise-level email server that runs on Windows Server operating systems. MS Exchange stores most of its operational logs in a comma-delimited format similar to W3C. These MS Exchange logs can be read with the im_file module and the xm_w3c extension module.
Prerequisites
- Access to Microsoft Exchange Server.
- NXLog should be installed on the Exchange Server.
Collecting Exchange events from Windows Event Log
With this configuration, NXLog will use the im_msvistalog module to subscribe to the Application and System channels (Critical, Error, and Warning event levels only) and the MSExchange Management crimson channel (all event levels).
* Note: The Application and System channels will include other non-Exchange events.
- Go to the NXLog installation path and open the configuration file.
- C:\Program Files\nxlog\conf (default installation path)
Add the following configuration:
    # Subscribe to the Windows Event Log channels listed in the query
    <Input eventlog>
        Module  im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0" Path="Application">
                    <Select Path="Application">
                        *[System[(Level=1 or Level=2 or Level=3)]]
                    </Select>
                    <Select Path="System">
                        *[System[(Level=1 or Level=2 or Level=3)]]
                    </Select>
                    <Select Path="MSExchange Management">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    # Send the events as BSD syslog over UDP to the forwarder
    <Output syslog>
        Module  om_udp
        Host    <Forwarder IP>
        Port    11612
        Exec    to_syslog_bsd();
    </Output>

    # Connect the input to the output
    <Route exchange_to_syslog>
        Path    eventlog => syslog
    </Route>
- Now start the NXLog service. The forwarder should be receiving the logs at this point.
- Once the configuration is complete, validate the logs in Chronicle by searching with a regular expression such as ".*" or with a specific hostname; the results show the log source types being ingested into Chronicle. See the screenshot below for reference.
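As an added example (not part of the original article), a small Python receiver and parser for the BSD syslog lines that the om_udp output above sends to port 11612, so you can confirm the forwarder is actually receiving Exchange events and see their severity mix before checking Chronicle. The sample lines and host names are constructed; the `Tag[PID]: message` layout is assumed from the standard BSD syslog format that to_syslog_bsd() follows.

```python
import re
import socket
from collections import Counter

FORWARDER_PORT = 11612  # om_udp port from the configuration above
# Line shape emitted by to_syslog_bsd(): <PRI>Mmm dd HH:MM:SS HOST Tag[PID]: message
# PRI = facility * 8 + severity (RFC 3164), so facility 1 (user) + severity err gives <11>.
BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_bsd_syslog(line):
    # Return the parsed fields, or None for anything that is not a valid BSD syslog line.
    m = BSD_LINE.match(line.rstrip("\r\n"))
    if not m or int(m.group("pri")) > 191:  # facility 0-23, severity 0-7
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": SEVERITY_NAMES[pri & 7],
            "host": m.group("host"), "tag": m.group("tag"), "message": m.group("msg")}

def summarize(lines):
    # Count messages per (host, severity) and the lines that did not parse.
    counts, bad = Counter(), 0
    for line in lines:
        rec = parse_bsd_syslog(line)
        if rec is None:
            bad += 1
        else:
            counts[(rec["host"], rec["severity"])] += 1
    return counts, bad

def listen(port=FORWARDER_PORT, max_messages=100):
    # Receive up to max_messages datagrams on the forwarder port and summarize them.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        lines = [sock.recv(65535).decode("utf-8", "replace") for _ in range(max_messages)]
    return summarize(lines)

# Constructed sample lines (not captured from a real server) in the to_syslog_bsd() shape.
SAMPLE_LINES = [
    "<11>Mar  3 10:15:02 EXCH01 MSExchange ADAccess[4412]: Process failed to contact a domain controller",
    "<12>Mar  3 10:15:07 EXCH01 MSExchangeRepl[4412]: Database copy is lagging behind the active copy",
    "<14>Mar  3 10:15:09 EXCH01 MSExchange CmdletLogs[8120]: Cmdlet succeeded. Cmdlet Get-Mailbox",
    "<10>Mar  3 10:15:11 EXCH02 Service Control Manager[716]: The MSExchangeIS service terminated unexpectedly",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Run `listen()` on the forwarder host while NXLog is running to summarize live traffic; a non-zero count of unparseable lines usually means the output is not using to_syslog_bsd() or another sender shares the port.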