Exchange Administrator Audit Log: Reporting and Alerting

Alerting

Exchange auditing has no built-in alerting capability. This is one of many reasons why it is important to manage Exchange audit logs with your SIEM and LOGbinder for Exchange™ bridges the gap between Exchange and SIEMs.

Reporting

Exchange allows you to produce administrator audit reports from the web based "Exchange Control Panel" or the newer Exchange Administration Center. You can also use the Search-AdminAuditLog cmdlet to search the admin audit log from PowerShell.

The activity reported on is only that activity saved online in the Exchange database which defaults to 90 days.

Privileged users have the power to wreak havoc on an organization’s communication and information systems—whether inadvertently or not. They also have the ability to access its most sensitive secrets. Preventive controls over such privileged users are virtually non-existent. Ultimately, organizations must rely on the deterrent, and detective control of audit trails to enforce accountability of administrators.

If audit log files are to serve their purpose, administrators must be restricted from tampering with the logs. In addition, a malicious outsider’s first action upon compromising a system is usually to cover up his or her tracks by erasing the logs. These two facts are the key drivers behind the commonly accepted best practice of log management, which mandates that logs be moved, as frequently as possible, from the system on which they are generated to a separate system with different access control parameters.

Common compliance requirements and enterprise audit log management requires audit logs be archived outside the application/server where they are generated and that you be able to report on much long periods of time.

This is yet another reason why it is important to manage Exchange audit logs with your SIEM and LOGbinder for Exchange™ bridges the gap between Exchange and SIEMs.

Next: SIEM Integration

 

Upcoming Webinars
    Additional Resources