Exchange Administrator Audit Log: Reporting and Alerting
    
        Alerting
    
        Exchange auditing has no built-in alerting capability. This is one of many reasons
        why it is important to manage Exchange audit logs with your SIEM.
        LOGbinder for Exchange™
        bridges the gap between Exchange and SIEMs.
    
        Reporting
    
        Exchange allows you to produce administrator audit reports from the web-based "Exchange
        Control Panel" or the newer Exchange Administration Center. You can also use the
        Search-AdminAuditLog cmdlet to search the admin audit log from PowerShell.
    
        Reports cover only the activity still saved online in the Exchange database,
        where the retention period defaults to 90 days.
    
        Privileged users have the power to wreak havoc on an organization’s communication
        and information systems—whether inadvertently or not. They also have the ability
        to access its most sensitive secrets. Preventive controls over such privileged users
        are virtually non-existent. Ultimately, organizations must rely on the deterrent
        and detective controls of audit trails to enforce accountability of administrators.
    
        If audit log files are to serve their purpose, administrators must be restricted
        from tampering with the logs. In addition, a malicious outsider’s first action upon
        compromising a system is usually to cover up his or her tracks by erasing the logs.
        These two facts are the key drivers behind the commonly accepted best practice of
        log management, which mandates that logs be moved, as frequently as possible, from
        the system on which they are generated to a separate system with different access
        control parameters.
    
        Common compliance requirements and enterprise audit log management require that audit
        logs be archived outside the application/server where they are generated and that
        you be able to report on much longer periods of time.
    
        This is yet another reason why it is important to manage Exchange audit logs with
        your SIEM. LOGbinder for Exchange™ bridges the gap between Exchange and SIEMs.
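
        The Search-AdminAuditLog search and the off-server archiving described above can be
        combined in a scheduled script. The following is an added example, not part of the
        original page or of LOGbinder; the archive share, checkpoint file, result cap and
        watch list are assumed values to adapt.

```powershell
# Added example. Run from the Exchange Management Shell with rights to search
# the admin audit log. All names and paths below are assumptions, not from the page.
$ErrorActionPreference = 'Stop'                           # never advance the checkpoint after a failure
$ArchiveDir = '\\logarchive.example.com\exchange-audit'   # placeholder share on a separate system
$Checkpoint = Join-Path $ArchiveDir 'last-run.txt'
$MaxResults = 5000                                        # assumed cap per run
# Cmdlets flagged for review: audit-setting changes and privilege grants (tune this list).
$WatchList  = 'Set-AdminAuditLogConfig', 'New-ManagementRoleAssignment', 'Add-MailboxPermission'

# Resume from the last successful run; the first run covers the 90-day default retention.
$end   = Get-Date
$start = if (Test-Path $Checkpoint) {
    [datetime](Get-Content $Checkpoint | Select-Object -First 1)
} else {
    $end.AddDays(-90)
}

$entries = @(Search-AdminAuditLog -StartDate $start -EndDate $end -ResultSize $MaxResults)

# Flatten each entry into one record that a SIEM or file collector can ingest.
$records = foreach ($e in $entries) {
    [pscustomobject]@{
        RunDate    = '{0:o}' -f $e.RunDate
        Caller     = $e.Caller
        Cmdlet     = $e.CmdletName
        Target     = $e.ObjectModified
        Succeeded  = $e.Succeeded
        Server     = $e.OriginatingServer
        Parameters = ($e.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        Watch      = $WatchList -contains $e.CmdletName
    }
}

if ($records) {
    # One JSON object per line, in a new file per run so earlier exports are never rewritten.
    $outFile = Join-Path $ArchiveDir ('adminaudit-{0:yyyyMMdd-HHmmss}.jsonl' -f $end)
    $records | ForEach-Object { $_ | ConvertTo-Json -Compress } |
        Set-Content -Path $outFile -Encoding UTF8
}

if ($entries.Count -ge $MaxResults) {
    # The result set may be truncated: keep the old checkpoint so nothing is skipped.
    Write-Warning "Result cap ($MaxResults) reached; raise the cap or shorten the interval and re-run."
} else {
    $end.ToString('o') | Set-Content -Path $Checkpoint
}

# Entries on the watch list, for review or for forwarding to an alerting pipeline.
$records | Where-Object { $_.Watch } | Format-Table RunDate, Caller, Cmdlet, Target -AutoSize
```

        Give Exchange administrators no write access to the archive share, so the
        exported copies sit behind different access controls than the source log.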