pervan
Level 7
Message 1 of 8

How to configure Exchange 2010 Message Tracking as Data Source


Hello,

Does anybody have experience collecting Message Tracking logs into a SIEM (McAfee ESM 9.3.1)?

I have two questions:

1. The user guide says to give a domain user read privileges on the network share, but it doesn't say how to configure the data source in the Add Data Source window on the ESM side.

2. Since we have 3 mail servers, how should we collect logs from all three shared folders?

Best regards,

Accepted Solution

artek
Level 11
Message 2 of 8

Re: How to configure Exchange 2010 Message Tracking as Data Source


Hello,

you can find below a working example of the Exchange Message Tracking data source configuration (CIFS):

[Screenshots: ESM15.PNG, ESM16.PNG]

If you have three email servers, you have to share the folders on each of them and create three data sources, one for each Exchange Server.

Regards,

Artur Sadownik

7 Replies

pervan
Level 7
Message 3 of 8

Re: How to configure Exchange 2010 Message Tracking as Data Source


Thanks Artur,

logs are collected.

I would like to ask you one more question. Although the logs are collected, they are not parsed correctly. To be precise, almost all useful information from the message tracking logs, such as the log type (RECEIVE, STORE), message subject, and sender or receiver info, is shown only in the Packet tab, where you can see just the original log message. This way I cannot use filters to search for those parameters, for example to search for all messages where the sender or receiver is xx@mail.com.

By the way, I have noticed this also in logs coming from Microsoft Forefront TMG and from Oracle DB.

Any suggestions?

Message was edited by: pervan on 3/4/13 5:42:52 AM CST
artek
Level 11
Message 4 of 8

Re: How to configure Exchange 2010 Message Tracking as Data Source


Pervan,

when you are using the Exchange Server (ASP) data source, you should see the sender and receiver in the Source\Destination User fields. If you want to search messages by address, you can use the Source\Destination User filters. You probably know that there is no possibility to use regex in the Filters, but you can use something called "Normalization Strings":

[Screenshots: ESM17.PNG, ESM18.PNG, ESM19.PNG, ESM20.PNG, ESM21.PNG]

Regards,

Artur Sadownik

Message was edited by: artek on 3/21/13 11:05:17 PM CET
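The two posts above are about what a collector has to pull out of a message tracking log before address filters work: the event type (RECEIVE, DELIVER, SEND), the source (SMTP, STOREDRIVER), the sender and the recipient list. The following is an added example, not code from the thread and not McAfee ESM's Exchange parser. It reads the log the way Exchange writes it (comment lines starting with "#", a "#Fields:" line that names the CSV columns, several recipients joined with ";" in recipient-address, subjects quoted when they contain commas) and answers pervan's question of "all messages where the sender or receiver is xx@mail.com". The column names are taken from the #Fields line at run time, so the parser does not depend on a hard-coded field order. The log lines, host names and addresses below are constructed for the example.

```python
"""Parse Exchange 2010 message tracking logs and filter them by address.

Added example. The layout (comment header, '#Fields:' column list,
';'-separated recipient-address) follows the Exchange message tracking
log format; every line of SAMPLE_LOG below is constructed, not real.
"""
import csv
from typing import Iterable, Iterator, Optional, Set

# Constructed sample: header lines, then three events for two messages.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip
2013-03-04T10:15:02.117Z,10.0.0.25,MAIL01,10.0.0.25,MAIL01,,MAIL01\\Default MAIL01,SMTP,RECEIVE,12345,<a1@mail.example>,xx@mail.com;yy@mail.com,,5120,2,,,"Invoice, March",ext@partner.example,ext@partner.example,,Incoming,,,
2013-03-04T10:15:03.420Z,,MAIL01,,,MDB:0001,,STOREDRIVER,DELIVER,12345,<a1@mail.example>,xx@mail.com,,5120,1,,,"Invoice, March",ext@partner.example,ext@partner.example,,Incoming,,,
2013-03-04T10:20:11.005Z,10.0.0.25,MAIL01,,,,Intra-Organization SMTP Send Connector,SMTP,SEND,12346,<b2@mail.example>,zz@other.example,,2048,1,,,Re: lunch,xx@mail.com,xx@mail.com,,Originating,,,
"""


def parse_tracking_log(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per event. Column names come from the '#Fields:' line."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue  # other '#' lines are metadata (software, version, date)
        if fields is None:
            raise ValueError("data row seen before the #Fields header")
        # The data rows are plain CSV; quoted values may contain commas.
        values = next(csv.reader([line]))
        # Pad short rows and drop extras so a truncated line never shifts columns.
        values = (values + [""] * len(fields))[: len(fields)]
        event = dict(zip(fields, values))
        # recipient-address holds every recipient of the event, ';'-separated.
        event["recipient-address"] = [
            r for r in event["recipient-address"].split(";") if r
        ]
        yield event


def involves_address(event: dict, address: str) -> bool:
    """True if address is the sender or one of the recipients (case-insensitive)."""
    wanted = address.lower()
    if event["sender-address"].lower() == wanted:
        return True
    return any(r.lower() == wanted for r in event["recipient-address"])


def search(lines: Iterable[str], address: str,
           event_ids: Optional[Set[str]] = None) -> list:
    """Events involving address, optionally restricted to given event-ids."""
    return [
        e for e in parse_tracking_log(lines)
        if involves_address(e, address)
        and (event_ids is None or e["event-id"] in event_ids)
    ]


def summarize(event: dict) -> dict:
    """The fields a SIEM should map out of the raw line for filtering."""
    return {
        "time": event["date-time"],
        "event": event["event-id"],
        "source": event["source"],
        "sender": event["sender-address"],
        "recipients": event["recipient-address"],
        "subject": event["message-subject"],
    }


if __name__ == "__main__":
    for hit in search(SAMPLE_LOG.splitlines(), "xx@mail.com"):
        print(summarize(hit))
```

Run as-is it prints the three constructed events that involve xx@mail.com: the SMTP RECEIVE and STOREDRIVER DELIVER where the address is a recipient, and the SMTP SEND where it is the sender. Pointing `parse_tracking_log` at the lines of a real MSGTRK*.LOG file from the share is the quickest way to confirm which columns carry the sender and recipients before deciding whether the SIEM's Source/Destination User fields are being populated from them.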
artek
Level 11
Message 5 of 8

Re: How to configure Exchange 2010 Message Tracking as Data Source


...and if you can't see the email addresses in the Source\Destination User fields, please ask McAfee Support about the latest hotfix.

Regards,

Artur Sadownik

Re: How to configure Exchange 2010 Message Tracking as Data Source


Artur,

I'm pretty new to the SIEM, and have a couple of questions about this configuration.

  • Are the Share Name and Path all defined on the data source itself?
  • For the Username, I assume this is an account that the server allows to access the logs?

Thanks,

LT


Re: How to configure Exchange 2010 Message Tracking as Data Source


Resurrecting an old post as I have a similar issue.

Trying to add a file share as a data source. The user has read and modify rights. When I do a connection test I get the error:

NotOk writeability: Permission denied, readability: Ok

What exact rights does the user require?

andy777
McAfee Employee
Message 8 of 8

Re: How to configure Exchange 2010 Message Tracking as Data Source


I usually use a packet capture to troubleshoot share issues. You could run tcpdump on the Receiver (tcpdump -nni eth0 host x.x.x.x -X) while you try to mount it. The error is usually clearly stated.
