cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
pervan
pervan
Level 7
Report Inappropriate Content
Message 1 of 8
‎02-26-2013 06:02 AM

How to configure Exchange 2010 Message Tracking as Data Source

Jump to solution

Hello,

anybody has experience in collecting Message Tracking logs to SIEM (McAfeee ESM 9.3.1)?

I have two questions:

1. User guide says to give network share read privileges to domain user but doesn't say how to configure data source in Add Data Source window on ESM side.

2. Since we have 3 mail servers how should we collect logs from all three shared folders?

Best regards,

0 Kudos
Reply
1 Solution

Accepted Solutions
artek
artek
Level 11
Report Inappropriate Content
Message 2 of 8
‎03-01-2013 01:35 PM

Re: How to configure Exchange 2010 Message Tracking as Data Source

Jump to solution

Hello,

you can find below the working example of Exchange Message Tracking configuration (CIFS):

ESM15.PNG

ESM16.PNG

If you have three email servers, you have to share folders on them, and - create three data sources for each Exchnge Server.

Regards,

Artur Sadownik

0 Kudos
Reply
7 Replies
artek
artek
Level 11
Report Inappropriate Content
Message 2 of 8
‎03-01-2013 01:35 PM

Re: How to configure Exchange 2010 Message Tracking as Data Source

Jump to solution

Hello,

you can find below the working example of Exchange Message Tracking configuration (CIFS):

ESM15.PNG

ESM16.PNG

If you have three email servers, you have to share folders on them, and - create three data sources for each Exchnge Server.

Regards,

Artur Sadownik

0 Kudos
Reply
pervan
pervan
Level 7
Report Inappropriate Content
Message 3 of 8
‎03-04-2013 03:42 AM

Re: How to configure Exchange 2010 Message Tracking as Data Source

Jump to solution

Thnx Artur,

logs are collected.

I would like to ask you one more question. Although logs are collected, they are not parsed correctly. To be precise, almost all usefull information from message tracking logs, as log type (RECEIVE STORE), message subject, sender or receiver info, are showed in Packet tab where you can only see original log message. However, this way I cannot use filters to search for those parameters. For example: to search for all messages where sender or receiver is xx@mail.com.

By the way I have noticed this also in logs comming from Microsoft Forefront TMG, and from Oracle DB.

Any suggestions?

Message was edited by: pervan on 3/4/13 5:42:52 AM CST
0 Kudos
Reply
artek
artek
Level 11
Report Inappropriate Content
Message 4 of 8
‎03-21-2013 03:01 PM

Re: How to configure Exchange 2010 Message Tracking as Data Source

Jump to solution

Pervan,

when you are using the Exchange Server (ASP) datasource, you should see the sender and receiver in the Source\Destination User fields. If you want to search messages by the addresses, you can use Source\Destination User filters. You probably know, that there is no possibility to use regex in the Filters, but you can use there something called "Normalization Strings":

ESM17.PNG

ESM18.PNG

ESM19.PNG

ESM20.PNG

ESM21.PNG

Regards,

Artur Sadownik

Message was edited by: artek on 3/21/13 11:05:17 PM CET
0 Kudos
Reply
artek
artek
Level 11
Report Inappropriate Content
Message 5 of 8
‎03-21-2013 03:07 PM

Re: How to configure Exchange 2010 Message Tracking as Data Source

Jump to solution

...and - if you cant see the email addresses in the Source\Destination User fields - please ask the McAfee Support about the latest hotfix.

Regards,

Artur Sadownik

0 Kudos
Reply
mcgarl1
mcgarl1
Level 9
Report Inappropriate Content
Message 6 of 8
‎04-16-2015 06:41 AM

Re: How to configure Exchange 2010 Message Tracking as Data Source

Jump to solution

Artur,

I'm pretty new to the SIEM, and have a couple of questions about this configuration.

  • Is the Share Name and Path all defined on the data source itself?
  • For the Username, I assume this is an account that the server allows access to the logs??

Thanks,

LT

0 Kudos
Reply
Highlighted
cowboy71
cowboy71
Level 7
Report Inappropriate Content
Message 7 of 8
‎05-16-2017 03:14 PM

Re: How to configure Exchange 2010 Message Tracking as Data Source

Jump to solution

Resurrecting an old post as I have a similar issue.

Trying to add a file share as a data source. Use has read and modify rights. When I do a connection test I get the error:

NotOk writeability: Permission denied, readability: Ok

What exact rights does the user require?

0 Kudos
Reply
andy777
McAfee Employee andy777
McAfee Employee
Report Inappropriate Content
Message 8 of 8
‎05-24-2017 06:58 AM

Re: How to configure Exchange 2010 Message Tracking as Data Source

Jump to solution

I usually use a packet capture to troubleshoot share issues. You could run tcpdump on the Receiver (tcpdump -nni eth0 host x.x.x.x -X) while you try to mount it. The error is usually clearly stated.

0 Kudos
Reply
McAfee ePO Support Center Plug-in
Check out the new McAfee ePO Support Center. Simply access the ePO Software Manager and follow the instructions in the Product Guide for the most commonly used utilities, top known issues announcements, search the knowledgebase for product documentation, and server status and statistics – all from within ePO.