Hi dear community.
Does anyone know when and for what purpose do i need to install a collector \ Agent ?
why the data source configuration on the receiver is not enough ?
does it have to do with the quality of the logs?
or maybe when in the SIEM Architecture the ESM and the data sources are in a different geolocation or network?
I well trully aprichiate your help! Thank you
So there can be multiple use cases for this. i will mention them below:
mostly you can collect everything else directly with the receiver.
exchange can be a bit of a pain as not everything is logged the same way.
so this really depends what you trying to achieve.
for normal exchange you might get it in some event logs. for OWA type logs its in the IIS logs.
for exchange admin logs you need to run a script to pull the events from the exchange admin center (EAC) and exports them to a .csv and then use a custom parser.
what is your use case?
yeah unfortunetly Microsoft doesnt have a standard way of logging so things are in different places.
with OWA you should just be able to add the IIS logs from the exchange. i have found in some enviornments though it doesnt give the source address so something like an F5 load balancer needs to use XFF forwarding to send the source to log it in the IIS OWA logs.
for the EAC logs which track what admins are doing on exchange accounts you can use the attached parser. I will need to look for the script for you that pulls out the EAC logs and puts them into a .CSV that you can pull. this happens using a scheduled task every 5 minutes. but i have searched and cant find the script.