Exchange Administrator Audit Log - SIEM Integration

The administrator audit log is inaccessible to SIEM via normal log-collection means because the log is not written to any type of log file or to the Windows event log. The administrator audit log is stored internally, inside a special audit mailbox.

There are several PowerShell cmdlets such as Search-AdminAuditlog for exporting the administrator audit log however:

  • The output is in a cryptic XML format - not a simple text file format easily parsed by most SIEMs.
  • The output from the synchronous (meaning it returns results during the execution of the command) Search-AdminAuditlog cmdlet leaves out crucial details from events.
  • The only way to get the complete admin audit event information for is with the asynchronous New-AdminAuditLogSearch which requires that you wait for the log to appear as an email attachment sometime later in a specified mailbox.

As in the case of mailbox auditing, this is where LOGbinder for Exchange™ comes in. Using Exchange’s management API, LOGbinder for Exchange collects the hidden administrator audit log files from its internal special mailbox, parses the log data, and formats it into more than 500 easy-to-read messages delivered to your SIEM.

Next: LOGbinder for Exchange

 

Upcoming Webinars
    Additional Resources