Fortinet black logo

External Systems Configuration Guide

Home FortiSIEM 6.4.1 External Systems Configuration Guide

Microsoft Exchange

6.4.1
7.1.5
7.1.4
7.1.3
7.1.2
7.1.1
7.1.0
7.0.3
7.0.2
7.0.1
7.0.0
6.7.9
6.7.8
6.7.7
6.7.6
6.7.5
6.7.4
6.7.3
6.7.2
6.7.1
6.7.0
6.6.5
6.6.4
6.6.3
6.6.2
6.6.1
6.6.0
6.5.3
6.5.2
6.5.1
6.5.0
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.3.3
6.3.2
6.3.1
6.3.0
6.2.1
6.2.0
6.1.2
6.1.1
6.1.0
5.4.0
5.3.3
5.3.2
5.3.1
5.3.0
5.0.0
Copy Link
Copy Doc ID b6712729-cfc7-11ec-bb32-fa163e15d75b:673079
Download PDF

Microsoft Exchange

What is Discovered and Monitored

Protocol Information discovered Metrics collected Used for
Protocol Information discovered Metrics collected Used for
SNMP Application type Process level CPU and memory utilization for the various exchange server processes Performance Monitoring
WMI Application type, service mappings Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec for the various exchange server processes Performance Monitoring

Exchange performance metrics (: VM Largest Block size, VM Large Free Block Size, VM Total Free Blocks, RPC Requests, RPC Request Peak, RPC Average Latency, RPC Operations/sec, User count, Active user Count, Peak User Count, Active Connection Count, Max Connection Count

Exchange error metrics (obtained from Win32_PerfRawData_MSExchangeIS_MSExchangeIS WMI class): RPC Success, RPC Failed, RPC Denied, RPC Failed - Server Busy, RPC Failed - Server Unavailable, Foreground RPC Failed, Backgorund RPC Failed

Exchange mailbox metrics (obtained from Win32_PerfRawData_MSExchangeIS_MSExchangeISMailbox and Win32_PerfRawData_MSExchangeIS_MSExchangeISPublic WMI classes): Per Mailbox: Send Queue, Receive Queue, Sent Message, Submitted Message, Delivered Message, Active User, Peak User

Exchange SMTP metrics (obtained from Win32_PerfRawData_SMTPSVC_SMTPServer WMI class): Categorization Queue, Local Queue, Remote Queue, Inbound Connections, Outbound Connections, Sent Bytes/sec, Received Bytes/sec, Retry Count, Local Retry Queue, Remote Retry Queue

Exchange ESE Database (Win32_PerfFormattedData_ESE_MSExchangeDatabase):

Exchange Database Instances (Win32_PerfFormattedData_ESE_MSExchangeDatabaseInstances):

Exchange Mail Submission Metrics (Win32_PerfFormattedData_MSExchangeMailSubmission_MSExchangeMailSubmission):

Exchange Replication Metrics (Win32_PerfFormattedData_MSExchangeReplication_MSExchangeReplication):

Exchange Store Interface Metrics (Win32_PerfFormattedData_MSExchangeStoreInterface_MSExchangeStoreInterface):

Exchange Transport Queue Metrics (Win32_PerfFormattedData_MSExchangeTransportQueues_MSExchangeTransportQueues):
Windows Agent Application Logs, Microsoft Exchange Message Tracking Logs Security Monitoring and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "microsoft exchange" to see the event types associated with this device.

Reports

In RESOURCES > Reports, search for "microsoft exchange" in the main content panel Search... field to see the reports associated with this application or device.

Configuration

SNMP

See SNMP Configurations in the Microsoft Windows Server Configuration section.

WMI

See WMI Configurations in the Microsoft Windows Server Configuration section.

Settings for Access Credentials

See Setting Access Credentials in the Microsoft Windows Server Configuration section.

Collecting Microsoft Exchange Message Track Logs

To configure Microsoft Exchange to log message tracking on a Microsoft Exchange Server, take the following steps.

Note: General Windows Agent configuration information can be found here.

  1. Locate where your Microsoft Exchange log files reside. Typically, this path is:

    C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRKM*.log

  2. Install the FortiSIEM Windows Server Agent on the Microsoft Exchange Server.

  3. Configure a new Windows Agent Monitor Template by taking the following steps in FortiSIEM.

    1. Navigate to Admin > Setup > Windows Agent.

    2. Under Windows Agent Monitor Templates, click New.

    3. In the Generic tab, in the Name field, enter a name for the Windows Agent Monitor Template.

    4. Select the User Log tab, then and click New.

    5. In the Full File Name field, enter the path to your Microsoft Exchange Server logs. For example, for a typical Exchange Server, the path would be:

      C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRKM*.log

    6. In the Log Prefix field, enter "ExchTrackLog".

    7. Click Save to save the configuration.

    8. Click Save to save the Windows Agent Monitor Template.

  4. Configure a Host to Template Association to associate the template with the Exchange Server agent by taking the following steps.

    1. Under Hosts To Template Associations, click New.

    2. In the Name field, enter the name for the Hosts to Template Associations.

    3. Select an Organization with a collector.

    4. Select a Host.

    5. Select the Windows Agent Monitor Template you created earlier.

    6. Select a Collector or Select All.

    7. Click Save.

    8. Under Hosts to Template Associations, click Apply.

Sample Logs 

2017-10-05T12:06:00Z EXCH99.foo.com 192.0.2.0 AccelOps-WUA-UserFile-ExchangeTrackLog [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="d78e4bd5-bc3f-4950-bcdf-926947ee1db7" [timeZone]="+0300" [fileName]="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\MSGTRKMS2017100512-1.LOG" [msg]="2017-10-05T12:05:56.564Z,ffff::eeee:aaaa:bbbb:cccc:dddd%13,EXCH99,,EXCH99.foo.com,\"MDB:d72c63cf-290e-456e-86e5-85dedb1f56de, Mailbox:d7c8c416-c1a7-4225-a17f-552d5274703d, Event:4419662, MessageClass:IPM.Note.ProbeMessage.MBTSubmissionServiceHeartbeatProbe, CreationTime:2017-10-05T12:05:56.267Z, ClientType:Monitoring, SubmissionAssistant:MailboxTransportSubmissionEmailAssistant\",,STOREDRIVER,SUBMIT,,<e545b612256a4c14a563f78a8999fafd@user.example.com>,0a21180c-5932-4c7e-3888-08d50be96f34,HealthMailbox66dd83eddb9b4ee69dbd3fa82c925a3b@user.example.com,,,1,,,00000052-0000-0000-0000-0000ea5a2141-MBTSubmissionServiceHeartbeatProbe,HealthMailbox66dd83eddb9b4ee69dbd3fa82c925a3b@user.example.com,,2017-10-05T12:05:56.267Z;LSRV=EXCH99.foo.com:TOTAL-SUB=0.296|SA=0.078|MTSS=0.209(MTSSD=0.209(MTSSDA=0.005|MTSSDC=0.005|SDSSO=0.161(SMSC=0.020|SMS=0.140)|X-MTSSDPL=0.004|X-MTSSDSS=0.008|MTSSDSDS=0.001)),Originating,,,,S:ItemEntryId=00-00-00-00-ED-99-60-31-E3-76-3C-4B-BE-FE-5B-27-F0-88-3D-0A-07-00-25-D5-0C-8E-46-5A-51-46-A4-18-7D-65-F7-DF-52-1C-00-00-00-00-01-0B-00-00-25-D5-0C-8E-46-5A-51-46-A4-18-7D-65-F7-DF-52-1C-00-00-30-88-0D-FF-00-00,Email,92e0d0ab-4670-41e9-d453-08d50be96f50,15.01.0845.034"
Previous
Next

Microsoft Exchange

What is Discovered and Monitored

Protocol Information discovered Metrics collected Used for
Protocol Information discovered Metrics collected Used for
SNMP Application type Process level CPU and memory utilization for the various exchange server processes Performance Monitoring
WMI Application type, service mappings Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec for the various exchange server processes Performance Monitoring

Exchange performance metrics (: VM Largest Block size, VM Large Free Block Size, VM Total Free Blocks, RPC Requests, RPC Request Peak, RPC Average Latency, RPC Operations/sec, User count, Active user Count, Peak User Count, Active Connection Count, Max Connection Count

Exchange error metrics (obtained from Win32_PerfRawData_MSExchangeIS_MSExchangeIS WMI class): RPC Success, RPC Failed, RPC Denied, RPC Failed - Server Busy, RPC Failed - Server Unavailable, Foreground RPC Failed, Backgorund RPC Failed

Exchange mailbox metrics (obtained from Win32_PerfRawData_MSExchangeIS_MSExchangeISMailbox and Win32_PerfRawData_MSExchangeIS_MSExchangeISPublic WMI classes): Per Mailbox: Send Queue, Receive Queue, Sent Message, Submitted Message, Delivered Message, Active User, Peak User

Exchange SMTP metrics (obtained from Win32_PerfRawData_SMTPSVC_SMTPServer WMI class): Categorization Queue, Local Queue, Remote Queue, Inbound Connections, Outbound Connections, Sent Bytes/sec, Received Bytes/sec, Retry Count, Local Retry Queue, Remote Retry Queue

Exchange ESE Database (Win32_PerfFormattedData_ESE_MSExchangeDatabase):

Exchange Database Instances (Win32_PerfFormattedData_ESE_MSExchangeDatabaseInstances):

Exchange Mail Submission Metrics (Win32_PerfFormattedData_MSExchangeMailSubmission_MSExchangeMailSubmission):

Exchange Replication Metrics (Win32_PerfFormattedData_MSExchangeReplication_MSExchangeReplication):

Exchange Store Interface Metrics (Win32_PerfFormattedData_MSExchangeStoreInterface_MSExchangeStoreInterface):

Exchange Transport Queue Metrics (Win32_PerfFormattedData_MSExchangeTransportQueues_MSExchangeTransportQueues):
Windows Agent Application Logs, Microsoft Exchange Message Tracking Logs Security Monitoring and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "microsoft exchange" to see the event types associated with this device.

Reports

In RESOURCES > Reports, search for "microsoft exchange" in the main content panel Search... field to see the reports associated with this application or device.

Configuration

SNMP

See SNMP Configurations in the Microsoft Windows Server Configuration section.

WMI

See WMI Configurations in the Microsoft Windows Server Configuration section.

Settings for Access Credentials

See Setting Access Credentials in the Microsoft Windows Server Configuration section.

Collecting Microsoft Exchange Message Track Logs

To configure Microsoft Exchange to log message tracking on a Microsoft Exchange Server, take the following steps.

Note: General Windows Agent configuration information can be found here.

  1. Locate where your Microsoft Exchange log files reside. Typically, this path is:

    C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRKM*.log

  2. Install the FortiSIEM Windows Server Agent on the Microsoft Exchange Server.

  3. Configure a new Windows Agent Monitor Template by taking the following steps in FortiSIEM.

    1. Navigate to Admin > Setup > Windows Agent.

    2. Under Windows Agent Monitor Templates, click New.

    3. In the Generic tab, in the Name field, enter a name for the Windows Agent Monitor Template.

    4. Select the User Log tab, then and click New.

    5. In the Full File Name field, enter the path to your Microsoft Exchange Server logs. For example, for a typical Exchange Server, the path would be:

      C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRKM*.log

    6. In the Log Prefix field, enter "ExchTrackLog".

    7. Click Save to save the configuration.

    8. Click Save to save the Windows Agent Monitor Template.

  4. Configure a Host to Template Association to associate the template with the Exchange Server agent by taking the following steps.

    1. Under Hosts To Template Associations, click New.

    2. In the Name field, enter the name for the Hosts to Template Associations.

    3. Select an Organization with a collector.

    4. Select a Host.

    5. Select the Windows Agent Monitor Template you created earlier.

    6. Select a Collector or Select All.

    7. Click Save.

    8. Under Hosts to Template Associations, click Apply.

Sample Logs 

2017-10-05T12:06:00Z EXCH99.foo.com 192.0.2.0 AccelOps-WUA-UserFile-ExchangeTrackLog [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="d78e4bd5-bc3f-4950-bcdf-926947ee1db7" [timeZone]="+0300" [fileName]="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\MSGTRKMS2017100512-1.LOG" [msg]="2017-10-05T12:05:56.564Z,ffff::eeee:aaaa:bbbb:cccc:dddd%13,EXCH99,,EXCH99.foo.com,\"MDB:d72c63cf-290e-456e-86e5-85dedb1f56de, Mailbox:d7c8c416-c1a7-4225-a17f-552d5274703d, Event:4419662, MessageClass:IPM.Note.ProbeMessage.MBTSubmissionServiceHeartbeatProbe, CreationTime:2017-10-05T12:05:56.267Z, ClientType:Monitoring, SubmissionAssistant:MailboxTransportSubmissionEmailAssistant\",,STOREDRIVER,SUBMIT,,<e545b612256a4c14a563f78a8999fafd@user.example.com>,0a21180c-5932-4c7e-3888-08d50be96f34,HealthMailbox66dd83eddb9b4ee69dbd3fa82c925a3b@user.example.com,,,1,,,00000052-0000-0000-0000-0000ea5a2141-MBTSubmissionServiceHeartbeatProbe,HealthMailbox66dd83eddb9b4ee69dbd3fa82c925a3b@user.example.com,,2017-10-05T12:05:56.267Z;LSRV=EXCH99.foo.com:TOTAL-SUB=0.296|SA=0.078|MTSS=0.209(MTSSD=0.209(MTSSDA=0.005|MTSSDC=0.005|SDSSO=0.161(SMSC=0.020|SMS=0.140)|X-MTSSDPL=0.004|X-MTSSDSS=0.008|MTSSDSDS=0.001)),Originating,,,,S:ItemEntryId=00-00-00-00-ED-99-60-31-E3-76-3C-4B-BE-FE-5B-27-F0-88-3D-0A-07-00-25-D5-0C-8E-46-5A-51-46-A4-18-7D-65-F7-DF-52-1C-00-00-00-00-01-0B-00-00-25-D5-0C-8E-46-5A-51-46-A4-18-7D-65-F7-DF-52-1C-00-00-30-88-0D-FF-00-00,Email,92e0d0ab-4670-41e9-d453-08d50be96f50,15.01.0845.034"
Previous
Next