mcgarl1

Microsoft Exchange Message Tracking

Has anyone successfully configured Microsoft Exchange Message Tracking as a data source as shown here: https://community.mcafee.com/thread/52745

After I configure the data source, I try to test the connection, and receive the following error:

Exchange Message Tracking.PNG

Thanks,

LT

10 Replies

Re: Microsoft Exchange Message Tracking

I currently collect Message Tracking logs via CIFS without issues. I would double check that you have the proper permissions where the logs are located. The account will need write access even if you don't plan to delete the logs after processing. I believe the Remote Registry service also needs to be running.

I would tail the messages file on the receiver when running the test connect. It could provide more details about where the issue is. Also I know there was a reported issue that was fixed in mr7 "1015740 - Connection test failing when connection test tries to use /ss1/usr/local/elm/tmp for tmp directory on receiver".

Hope this helps.

mcgarl1

Re: Microsoft Exchange Message Tracking

Thanks Wizard. I did everything you suggested, but I'm still receiving the NotOk \n error. Below is the result of tailing the messages file:

MTALogs.PNG

BTW, I'm on 9.5.0 MR2.

Thanks,

LT

Re: Microsoft Exchange Message Tracking

You need full access (w/r) on your share directory. Just grant read/write access to the folder.

mcgarl1

Re: Microsoft Exchange Message Tracking

Hi Streamer,

The account has full access, and I'm still receiving the error. Support says based on the logs I sent them, the account is locked out, but I have verified that it's not, and the issue does not happen on other data sources that are associated with the account. I have also verified that my personal account has full access to the share, and when I use it as the username, I receive the same error.

Re: Microsoft Exchange Message Tracking

Could you please try the command below and let us know the result:

First, log in to your ERC via ssh:

#perl /usr/local/bin/wmitest.pl -i '10.10.10.10' -H 'Server_Name' -u 'domain\user' -p 'password'

if everything's ok then output:

Ok

else

NotOk Access denied.  The user may not have permissions to access the DCOM interface or the provided credentials are incorrect.

mcgarl1

Re: Microsoft Exchange Message Tracking

Streamer,

I ran the command, and the output returned was Ok

mcgarl1

Re: Microsoft Exchange Message Tracking

Also note that I can gather Windows security logs from the server via WMI using that same account without issue. I only have the problem trying to connect and pull the Exchange Messaging logs.

Re: Microsoft Exchange Message Tracking

As you know, ESM is a Linux-based system, and sometimes it can have this kind of file sharing problem, especially with NTFS on Windows. Therefore McAfee released a Windows-based application called McAfee SIEM Collector Utility. I recommend that you use this application for log collection from these types of Windows files.

exchange.PNG

Re: Microsoft Exchange Message Tracking

I do use this tool for some other Windows data sources, but the tool is installed on a "jump server" and the data sources send the files to the jump server, then Nitro picks them up from there. Can I use this tool without using a jump server?
