Event ID(s) 25113 and 25295 Integration with...
Posted 2/5/2017 1:21:42 PM
Forum Newbie

Group: Forum Members
Last Login: 2/5/2017 1:02:13 PM
Posts: 3, Visits: 0
Hi, can anyone help me integrate Windows Events 25113: Add-MailboxPermission Exchange cmdlet issued and 25295: Remove-MailboxPermission Exchange cmdlet issued with IBM Security QRadar? What configuration needs to be done on the Exchange server? What is the category of these events (i.e., do they belong to the Security log, the System log or the Application log)? I have configured MS Exchange Windows OS logs, enabling the System, Application and Security log types. I am unable to see the above-mentioned logs anywhere in Windows Event Viewer. If these logs appear in Event Viewer, then I think I would be able to export them to my SIEM.

Thanks.

Burh@n
Post #7316
Posted 3/17/2017 7:38:41 AM
Supreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 206, Visits: 0
This event is not in the security log. This is an Exchange audit event from LOGbinder EX generated by Log Admin Audit. The administrator audit log is inaccessible to SIEM via normal log-collection means because the log is not written to any type of log file or to the Windows event log. The administrator audit log is stored internally, inside a special audit mailbox. LOGbinder is used for extracting this info and sending it to a SIEM.
Post #7329
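
The reply above says the administrator audit log lives in an audit mailbox rather than in the Windows event log. As an added example (not part of the thread and not LOGbinder's code), the following Exchange Management Shell script checks that administrator audit logging is enabled and reads the `Add-MailboxPermission` and `Remove-MailboxPermission` entries straight from that log with the built-in `Search-AdminAuditLog` cmdlet. It does not produce event IDs 25113 or 25295; the output path and the JSON field names are assumptions chosen for illustration.

```powershell
# Added example: run in the Exchange Management Shell with a role that can
# read the administrator audit log. Output path and JSON field names are
# assumptions, not something the thread or LOGbinder defines.

$cmdlets = 'Add-MailboxPermission', 'Remove-MailboxPermission'
$outFile = 'C:\Temp\mailbox-permission-audit.json'   # hypothetical path

# 1. Confirm administrator audit logging is on and see which cmdlets it covers.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.AdminAuditLogEnabled) {
    throw 'Administrator audit logging is disabled; these cmdlets are not being recorded.'
}
$cfg | Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogAgeLimit

# 2. Query the audit mailbox for the last 24 hours of permission changes.
$entries = Search-AdminAuditLog -Cmdlets $cmdlets `
    -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 1000

# 3. Flatten each entry into one record per change.
$records = foreach ($e in $entries) {
    # CmdletParameters is a list of Name/Value pairs; index it by name.
    $params = @{}
    foreach ($p in $e.CmdletParameters) { $params[$p.Name] = [string]$p.Value }

    [pscustomobject]@{
        RunDate      = ([datetime]$e.RunDate).ToUniversalTime().ToString('o')
        Cmdlet       = $e.CmdletName
        Caller       = $e.Caller            # who ran the cmdlet
        Mailbox      = $e.ObjectModified    # mailbox whose permissions changed
        Grantee      = $params['User']      # account granted or stripped of access
        AccessRights = $params['AccessRights']
        Succeeded    = $e.Succeeded
        Server       = $e.OriginatingServer
    }
}

# 4. Write one compact JSON object per line so a log collector can tail the file.
$records | ForEach-Object { $_ | ConvertTo-Json -Compress } |
    Set-Content -Path $outFile -Encoding UTF8

"{0} entries written to {1}" -f @($records).Count, $outFile
```

An empty result with logging enabled means no such cmdlet ran in the window, or that `AdminAuditLogCmdlets` has been narrowed so these two cmdlets are excluded.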