Exchange Administrator Audit Log - SIEM Integration
The administrator audit log is inaccessible to a SIEM via normal log-collection means because the log is not written to any log file or to the Windows event log. Instead, the administrator audit log is stored internally, inside a special audit mailbox. There are PowerShell cmdlets such as Search-AdminAuditLog for exporting the administrator audit log, but:
- The output is in a cryptic XML format, not a simple text format that most SIEMs can parse easily.
- The output from the synchronous Search-AdminAuditLog cmdlet (synchronous meaning it returns results during execution of the command) leaves out crucial details from events.
- The only way to get the complete admin audit event information is with the asynchronous New-AdminAuditLogSearch cmdlet, which requires you to wait for the log to appear some time later as an email attachment in a specified mailbox.
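As an added example (not part of the original page and not LOGbinder's code), the two export paths described above from a defender's point of view: the synchronous query flattened into one row per event for SIEM ingestion, and the asynchronous search that delivers the complete record by email. It assumes an Exchange Management Shell session with rights to the audit log, and the output path and recipient address are placeholders.

```powershell
# Added example; assumes an Exchange Management Shell session with audit-log rights.
# Placeholders: C:\SIEM\admin-audit.csv and siem-ingest@example.com.

$since = (Get-Date).AddDays(-1)
$until = Get-Date

# 1. Synchronous query: returns immediately, but (as the page notes) omits some
#    event details. Filter to privilege-relevant cmdlets worth alerting on.
$events = Search-AdminAuditLog -StartDate $since -EndDate $until `
    -Cmdlets Set-Mailbox, Add-MailboxPermission, New-ManagementRoleAssignment `
    -ResultSize 5000

# Flatten each event (object tree + parameter collection) into one line so a
# SIEM can ingest it as plain CSV instead of the cmdlet's nested XML objects.
$flat = foreach ($e in $events) {
    [pscustomobject]@{
        RunDate    = $e.RunDate
        Caller     = $e.Caller
        Cmdlet     = $e.CmdletName
        Object     = $e.ObjectModified
        Succeeded  = $e.Succeeded
        Parameters = ($e.CmdletParameters |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ';'
    }
}
$flat | Export-Csv -Path 'C:\SIEM\admin-audit.csv' -NoTypeInformation

# 2. Asynchronous search: the complete event record for the same window,
#    delivered later as an XML attachment to the status mail recipient.
New-AdminAuditLogSearch -Name 'Daily admin audit export' `
    -StartDate $since -EndDate $until `
    -StatusMailRecipients 'siem-ingest@example.com'
```

Schedule both on the same window so the quick CSV feed drives near-real-time alerting while the mailed report remains the authoritative copy for investigations.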
As in the case of mailbox auditing, this is where LOGbinder for Exchange™ comes in. Using Exchange's management API, LOGbinder for Exchange collects the hidden administrator audit log files from its internal special mailbox, parses the log data, and formats it into more than 500 easy-to-read messages delivered to your SIEM.