Log Source Integration Document - Microsoft Exchange Server
01/05/2022

IBM Security QRadar
Standard Operating Procedure

Prepared By:
Secbounty Services Pvt Ltd,
Indiranagar, Selvapuram, Coimbatore,
Tamil Nadu, India
Phone: +91 8098054477
E-Mail: [email protected]
www.secbounty.com

Prepared For:
United Commercial Bank Limited
Bangladesh

IBM Security QRadar - Standard Operating Procedure

Table of Contents

1 Introduction ..... 3
2 Audience ..... 4
3 Microsoft Exchange Server ..... 5
3.1 Configuring OWA logs on your Microsoft Exchange Server ..... 5
3.2 Enabling SMTP logs on your Microsoft Exchange Server 2013 and 2016 ..... 6
3.3 Configuring MSGTRK logs for Exchange 2013 and 2016 ..... 6
3.4 Microsoft Exchange Server log source configuration options ..... 6
4 Troubleshooting ..... 8


1 Introduction
This document contains the Standard Operating Procedure for the integration of log sources and a basic
troubleshooting guide. It describes the scope of the log source integration delivered in the IT
infrastructure of United Commercial Bank Limited.


2 Audience
This document is intended for staff of United Commercial Bank Limited, solution architects, and the
technical team who have direct responsibility for the network infrastructure inside the IT network. In addition,
it is advisable that the IT personnel responsible for managing network devices also review this document
and provide comments and feedback where applicable.


3 Microsoft Exchange Server


Before you begin
Ensure that the firewalls that are located between the Exchange Server and the remote host allow traffic on
the following ports:
• TCP port 135 for Microsoft Endpoint Mapper.
• UDP port 137 for NetBIOS name service.
• UDP port 138 for NetBIOS datagram service.
• TCP port 139 for NetBIOS session service.
• TCP port 445 for Microsoft Directory Services to transfer files across a Windows share.
Procedure
1. Configure OWA logs.
2. Configure SMTP logs.
3. Configure MSGTRK logs.

3.1 Configuring OWA logs on your Microsoft Exchange Server


To prepare your Microsoft Exchange Server to communicate with IBM QRadar, configure Outlook Web
Access (OWA) event logs.
Procedure
1. Log in to your Microsoft Internet Information Services (IIS) Manager.
2. On the desktop, select Start > Run.
3. Type the following command:
inetmgr
4. Click OK.
5. In the menu tree, expand Local Computer.
6. If you use IIS 6.0 Manager for Microsoft Server 2003, complete the following steps:
a) Expand Web Sites.
b) Right-click Default Web Site and select Properties.
c) From the Active Log Format list, select W3C.
d) Click Properties.
e) Click the Advanced tab.
f) From the list of properties, select the Method (cs-method) and Protocol Version (cs-version)
checkboxes.
g) Click OK.
7. If you use IIS 7.0 Manager for Microsoft Server 2008 R2, or IIS 8.5 for Microsoft Server 2012 R2,
complete the following steps:
a) Click Logging.
b) From the Format list, select W3C.
c) Click Select Fields.
d) From the list of properties, select the Method (cs-method) and Protocol Version (cs-version)
checkboxes.
e) Click OK.


3.2 Enabling SMTP logs on your Microsoft Exchange Server 2013 and 2016

To prepare your Microsoft Exchange Server 2013 or 2016 to communicate with IBM QRadar, enable SMTP
event logs.
Procedure
1. Start the Exchange Administration Center.
2. To configure your receive connector, select Mail Flow > Receive Connectors.
3. Select your receive connector and click Edit.
4. Click the General tab.
5. From the Protocol logging level list, select Verbose.
6. Click Save.
7. To configure your send connector, select Mail Flow > Send Connectors.
8. Select your send connector and click Edit.
9. Click the General tab.
10. From the Protocol logging level list, select Verbose.
11. Click Save.

3.3 Configuring MSGTRK logs for Exchange 2013 and 2016

Message Tracking logs created by the Microsoft Exchange Server detail the message activity that takes
place on your Exchange Server, including the message path information.
Procedure
1. Start the Exchange Administration Center.
2. Click Servers > Servers.
3. Select the mailbox server that you want to configure, and then click Edit.
4. Click Transport Logs.
5. In the Message tracking log section, configure the following parameter:
Parameter                    Description
Enable message tracking log  Enable or disable message tracking on the server.
6. Click Save.

3.4 Microsoft Exchange Server log source configuration options


Use this reference information to configure the WinCollect plug-in for Microsoft Exchange Server.

Parameter               Description
Log Source Type         Microsoft Exchange Server
Protocol Configuration  WinCollect Microsoft Exchange
Local System            The WinCollect agent must be installed on the Microsoft Exchange Server. The log
                        source uses local system credentials to collect and forward events to QRadar.


Default OWA directory paths for Microsoft Exchange Server events

The Exchange Server OWA event logs that are monitored by WinCollect are defined by the directory path
that you specify in your WinCollect Exchange Server log source. Microsoft Exchange writes to two
directories: W3SVC1 and W3SVC2. The Microsoft Exchange plug-in monitors all files, recursively, under the
C:\inetpub\logs\LogFiles\ directory.

Collection type   Root log directory
Local             C:\inetpub\logs\LogFiles\W3SVC1

Default Message Tracking directory paths for Microsoft Exchange Server events

The Exchange Server Message Tracking event logs that are monitored by WinCollect are defined by the
directory path that you specify in your WinCollect Exchange Server log source.

Collection type   Root log directory
Local             C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

Default SMTP/Mail directory paths for Microsoft Exchange Server events

The Exchange Server SMTP/Mail event logs that are monitored by WinCollect are defined by the directory
path that you specify in your WinCollect Exchange Server log source.

Collection type   Root log directory
Local             C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog
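As an added example (not part of this SOP or of IBM's WinCollect agent), the following Python script parses the "#Fields:" header shared by the IIS W3C logs under W3SVC1 (section 3.1) and the Exchange transport logs under MessageTracking and ProtocolLog (sections 3.2 and 3.3), and checks that an OWA log actually carries the cs-method and cs-version fields the IIS steps enable. All log text it reads is constructed for the example; in practice you would feed it the newest file under the directories listed above before relying on WinCollect to forward them.

```python
"""Added example (not from the SOP or IBM): parse the '#Fields:' header that
IIS W3C logs (OWA) and Exchange transport logs (MessageTracking, SMTP
ProtocolLog) share, and verify the fields section 3.1 enables are present."""
import csv
import io

# Fields the OWA procedure asks you to tick in IIS Manager.
REQUIRED_OWA_FIELDS = {"cs-method", "cs-version"}

# Constructed sample: OWA log after the section 3.1 steps were applied.
OWA_SAMPLE = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip cs-version sc-status
2022-05-01 09:00:01 10.0.0.5 POST /owa/auth.owa 443 - 203.0.113.7 HTTP/1.1 302
2022-05-01 09:00:02 10.0.0.5 GET /owa/ 443 alice 203.0.113.7 HTTP/1.1 200
"""
# Constructed sample of the same log before that step: cs-version never enabled.
OWA_WITHOUT_VERSION = """\
#Fields: date time s-ip cs-method cs-uri-stem sc-status
2022-05-01 09:00:01 10.0.0.5 POST /owa/auth.owa 302
"""
# Constructed, abbreviated message tracking record; the quoted subject holds a comma.
MSGTRK_SAMPLE = """\
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,server-hostname,source,event-id,recipient-address,sender-address,message-subject
2022-05-01T09:00:03.120Z,10.0.0.9,MBX01,SMTP,RECEIVE,bob@example.com,alice@example.com,"Quarterly report, draft"
"""

def parse_w3c(text):
    """Return (fields, rows); each row is a dict keyed by the #Fields names.
    IIS uses spaces and Exchange transport logs use commas, so the delimiter
    is taken from the #Fields line itself; csv handles quoted values."""
    fields, rows, delimiter = [], [], " "
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):  # directive line, not data
            if line.startswith("#Fields:"):
                spec = line[len("#Fields:"):].strip()
                delimiter = "," if "," in spec else " "
                fields = [f.strip() for f in spec.split(delimiter) if f.strip()]
            continue
        if not fields:
            raise ValueError("data line before any #Fields directive")
        values = next(csv.reader(io.StringIO(line), delimiter=delimiter))
        rows.append(dict(zip(fields, values)))
    return fields, rows

def missing_owa_fields(text):
    """Fields from section 3.1 that an OWA log header does not carry."""
    fields, _ = parse_w3c(text)
    return sorted(REQUIRED_OWA_FIELDS - set(fields))
```

A non-empty result from missing_owa_fields means the W3C field selection in IIS Manager did not take effect (or the log file predates the change) and the events WinCollect forwards will lack those columns.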


4 Troubleshooting
IBM QRadar SIEM supports many devices as log sources; they are listed in the IBM Device Support
Modules (DSM) document. To integrate a device, follow the steps given in the DSM guide.

During the integration, follow these standards:
1. Make sure that the required port is open between the SIEM and the log sources. The default port for
Syslog is 514; refer to the QRadar DSM guide if a non-standard port is required.
2. Test reachability between the log source and the SIEM with Telnet to port 514 on the QRadar Console
Bond3 interface (Telnet confirms TCP reachability only, so UDP syslog still needs the tcpdump check below).
3. Follow the DSM guide provided by IBM to configure the log source in the SIEM and its settings on the
respective devices.
4. Not all devices are auto-discovered, with the log source created automatically in the SIEM. For those
devices, create the log source manually and then click "Deploy Changes".
5. To check whether logs are being received by QRadar for the respective devices, use tcpdump:
   tcpdump -s 0 -A host 10.x.x.x and tcp port 514    (TCP syslog)
   tcpdump -s 0 -A host 10.x.x.x and udp port 514    (UDP syslog)
6. If logs are not received at QRadar, check the configuration and the network.
7. For Linux server configuration, make sure that the "auditd" service is properly restarted as
instructed in the DSM guide.
8. For Windows server configuration, make sure that the destination address is provided.
