Message 1 of 8

How to configure Exchange 2010 Message Tracking as Data Source


Hello,

Does anybody have experience in collecting Message Tracking logs to SIEM (McAfee ESM 9.3.1)?

I have two questions:

1. User guide says to give network share read privileges to domain user but doesn't say how to configure data source in Add Data Source window on ESM side.

2. Since we have 3 mail servers how should we collect logs from all three shared folders?

Best regards,

1 Solution

Accepted Solutions
Message 2 of 8

Re: How to configure Exchange 2010 Message Tracking as Data Source


Hello,

you can find below the working example of Exchange Message Tracking configuration (CIFS):

ESM15.PNG

ESM16.PNG

If you have three email servers, you have to share folders on them and create three data sources for each Exchange Server.

Regards,

Artur Sadownik


7 Replies
Message 3 of 8

Re: How to configure Exchange 2010 Message Tracking as Data Source


Thanks Artur,

logs are collected.

I would like to ask you one more question. Although logs are collected, they are not parsed correctly. To be precise, almost all useful information from message tracking logs, such as log type (RECEIVE STORE), message subject, sender or receiver info, is shown in the Packet tab, where you can only see the original log message. However, this way I cannot use filters to search for those parameters. For example: to search for all messages where sender or receiver is xx@mail.com.

By the way, I have noticed this also in logs coming from Microsoft Forefront TMG, and from Oracle DB.

Any suggestions?

Message was edited by: pervan on 3/4/13 5:42:52 AM CST
Message 4 of 8

Re: How to configure Exchange 2010 Message Tracking as Data Source


Pervan,

when you are using the Exchange Server (ASP) data source, you should see the sender and receiver in the Source\Destination User fields. If you want to search messages by the addresses, you can use Source\Destination User filters. You probably know that there is no possibility to use regex in the Filters, but you can use something called "Normalization Strings" there:

ESM17.PNG

ESM18.PNG

ESM19.PNG

ESM20.PNG

ESM21.PNG

Regards,

Artur Sadownik

Message was edited by: artek on 3/21/13 11:05:17 PM CET
Message 5 of 8

Re: How to configure Exchange 2010 Message Tracking as Data Source


...and if you can't see the email addresses in the Source\Destination User fields, please ask McAfee Support about the latest hotfix.

Regards,

Artur Sadownik
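
To confirm that the raw files on the share actually carry the sender, recipient, event and subject values before chasing the ESM parser, the tracking logs can be searched offline. This is an added example, not part of any post in this thread and not McAfee's code; the sample records and the reduced column set are constructed, and the function names are hypothetical. It relies only on the tracking log layout: `#` header lines, a `#Fields:` line naming the columns, then CSV records with semicolon-separated recipients.

```python
import csv
import io

# Constructed sample in the Exchange message tracking log layout. Real files
# carry more columns; the parser takes whatever the "#Fields:" line declares.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,server-ip,source,event-id,message-id,recipient-address,message-subject,sender-address
2013-03-04T10:15:02.113Z,192.0.2.10,192.0.2.20,SMTP,RECEIVE,<a1@example.com>,xx@mail.com;bob@example.com,"Invoice, March",alice@example.com
2013-03-04T10:15:03.420Z,,192.0.2.20,STOREDRIVER,DELIVER,<a1@example.com>,bob@example.com,"Invoice, March",alice@example.com
2013-03-04T10:16:40.009Z,192.0.2.20,192.0.2.30,SMTP,SEND,<b2@example.com>,carol@example.net,Re: status,XX@Mail.com
"""


def parse_tracking_log(stream):
    """Yield one dict per record, keyed by the names on the #Fields: line."""
    fields = None
    for line in stream:
        line = line.rstrip("\r\n")
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if not line or fields is None:
            continue
        values = next(csv.reader([line]))  # handles quoted subjects with commas
        if len(values) == len(fields):     # skip a record still being written
            yield dict(zip(fields, values))


def involves(record, address):
    """True if the address is the sender or one of the recipients."""
    wanted = address.lower()
    recipients = [r.strip().lower() for r in record.get("recipient-address", "").split(";")]
    return record.get("sender-address", "").lower() == wanted or wanted in recipients


def search(stream, address):
    """Return (time, source, event, sender, recipients, subject) per match."""
    columns = ("date-time", "source", "event-id", "sender-address",
               "recipient-address", "message-subject")
    return [tuple(r[c] for c in columns)
            for r in parse_tracking_log(stream) if involves(r, address)]


if __name__ == "__main__":
    for hit in search(io.StringIO(SAMPLE_LOG), "xx@mail.com"):
        print(hit)
```
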


Re: How to configure Exchange 2010 Message Tracking as Data Source


Artur,

I'm pretty new to the SIEM, and have a couple of questions about this configuration.

  • Is the Share Name and Path all defined on the data source itself?
  • For the Username, I assume this is an account that the server allows access to the logs??

Thanks,

LT


Re: How to configure Exchange 2010 Message Tracking as Data Source


Resurrecting an old post as I have a similar issue.

Trying to add a file share as a data source. User has read and modify rights. When I do a connection test I get the error:

NotOk writeability: Permission denied, readability: Ok

What exact rights does the user require?

Message 8 of 8

Re: How to configure Exchange 2010 Message Tracking as Data Source


I usually use a packet capture to troubleshoot share issues. You could run tcpdump on the Receiver (tcpdump -nni eth0 host x.x.x.x -X) while you try to mount it. The error is usually clearly stated.
