Home → LOGbinder for EX KB → Getting Started Guide → Appendix

2.5. Appendix

Appendix A: Assigning Permissions

Exchange Administrator Roles

1. Add a new administrator role group, containing the following roles:
   • View-Only Audit Logs
   • View-Only Configuration
   • View-Only Recipients
   • Audit Logs (Only needed if using the LOGbinder Mailbox Audit Policy Management wizard – See Mailbox Audit Policy Management article)
2. Make the LOGbinder service account a member of this role group.

The above two steps can be achieved, for example, through the Exchange Admin Center (https://<hostname>/ecp) interface, or using an Exchange Management Shell cmdlet, such as

New-RoleGroup "LOGbinderEX" -Roles "View-Only Audit Logs", "View-Only Configuration", "View-Only Recipients", “Audit Logs” -Members "lbex_svc"

where lbex_svc is to be replaced by the name of the LOGbinder for Exchange service account.

Local Security Policy Changes

The following chart summarizes the changes to be made in the Local Security Policy. Detailed explanations are found after the chart.

Local Security Policy (secpol.msc) settings summary				Windows Server 2003	Windows Server 2008/2012
Security Settings	Local Policies	User Rights Assignment	Log on as a service	add service account	add service account	This always needs to be set and is configured during installation by the installer
			Generate security audits	add service account	add service account	These need to be set if outputting to Windows Security log
		Audit Policy	Audit object access	set Success	N/A
		Security Options	Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings	N/A	set Enabled
	Advanced Audit Policy Configuration	Object Access	Audit Application Generated	N/A	set Success

Log On as a Service 

• Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
• Select Security Settings\Local Policies\User Rights Assignment
• Open "Log on as a service" and add user
• NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Generate Security Audits (SeAuditPrivilege)

• Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
• Select Security Settings\Local Policies\User Rights Assignment
• Open "Generate security audits" and add user
• NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Audit Policy

Windows Server 2003

• Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
• Select Security Settings\Local Policies\Audit Policy
• Edit "Audit object access," ensuring that "Success" is enabled. (LOGbinder for Exchange does not require that the "Failure" option be enabled.)
• NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Windows Server 2008/2012

Audit policy can be configured with the original top level categories as described above for Windows 2003 but most environments have migrated to the new more granular audit sub-categories available in Windows 2008 aka (Advanced Audit Policy).

Using Advanced Audit Policy Configuration allows for more granular control of the number and types of events that are audited on the server. (NOTE: The steps described here are for Windows Server 2008 R2; see TechNet for information on earlier releases.)

• First, ensure that ‘basic’ and ‘advanced’ audit policy settings are not used at the same time:
• Microsoft gives this warning: “Using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.” (http://technet.microsoft.com/en-us/library/dd692792(WS.10).aspx)
• Select Security Settings\Local Policies\Security Options
• Open and enable “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”
• To enable LOGbinder events to be sent to the security log:
• Select Security Settings\Advanced Audit Policy Configuration\Object Access
• Edit “Audit Application Generated,” ensuring that “Success” is enabled. (LOGbinder for Exchange does not require that the “Failure” option be enabled.)
• NOTE: You can also configure this via a group policy object in Active Directory.

Appendix B: LOGbinder Event List

LOGbinder for Exchange Events

https://www.logbinder.com/Products/LOGbinderEX/EventsGenerated

Diagnostic Events

551 – LOGbinder agent successful

552 – LOGbinder warning

553 – LOGbinder settings changed

554 – LOGbinder agent produced unexpected results

555 – LOGbinder error

556 – LOGbinder insufficient authority

557 – License for LOGbinder invalid

Appendix C: Diagnostic Events

551 – LOGbinder agent successful

This event occurs when LOGbinder for Exchange successfully translates log entries. Usually appearing in pairs, as one indicates that log entries have been 'exported' from their source (for example, Exchange), and the other that entries have been 'imported' to their destination (for example, the Windows event log). This event is informational in nature.

This event is written to the Windows Application log.

Example A

LOGbinder EX exported 3 entries from Exchange site http://MySite

Example B

LOGbinder EX imported 3 entries to Security event log

Example C

LOGbinder EX imported 3 entries to LOGbinder EX event log

552 – LOGbinder warning

This event occurs when LOGbinder for Exchange does not find information as expected. In most cases, it does not indicate a serious problem, but is provided so as to complete the audit trail. This event is written to Windows application log.

Example

This warning indicates that the results of the audit log search have not been returned by Exchange within two hours. If Exchange doesn’t respond to a request, LOGbinder will not retry that range. If the results or an error message is delivered, LOGbinder will handle it while it is in the transaction list (30 days). It will send the message below after 2 hours of not receiving it.

LOGbinder warning
No Response From Exchange – Audit Data Gap

Exchange has not responded to an audit data request in a reasonable time. If Exchange eventually responds with audit data for this request, LOGbinder will process it for up to 30 days. However, this warning indicates that there is currently a gap in audit data.

Request data:

2358359d-6da5-49b3-9132-e41d2d323dc5

Exchange Admin audit search Initiated: 7/7/2016 12:46:21 PM Start time: 7/7/2016 7:21:14 PM End time: 7/7/2016 7:26:20 PM

553 – LOGbinder settings changed

This event occurs when the LOGbinder settings are changed. This event is written to Windows Application log.

For LOGbinder for Exchange, this includes which Exchange servers are monitored, which audit event types are handled, and the date and time LOGbinder last translated log entries. In addition, the settings for output formats are included.

Example A

LOGbinder settings changed
Output to Security log enabled. Noise events included.

Example B

LOGbinder settings changed
Settings for lbex_svc@contoso.com adjusted: Settings ID: 48f7e2f2-4da3-4d59-9b41-507799bedf77

Example C

LOGbinder settings changed
Settings for http://ex1.contoso.com/powershell adjusted: Mailbox audit policy organizational units changed

554 – LOGbinder agent produced unexpected results

This event occurs when LOGbinder for Exchange encounters something unexpected when translating a log entry. At times it may be from a custom log entry.

This event is written to Windows Application log.

You can help us improve LOGbinder by reporting these events to the LOGbinder support team so that the LOGbinder product may be improved. Private data will not be shared.

Example

In this example, the developer used an existing event type, "Workflow," but included non-standard event data.

LOGbinder agent produced unexpected results
As the LOGbinder agent translated this entry, it encountered data is could not handle properly. It could have been caused by a custom or undocumented feature. So that LOGbinder can handle these entries in the future, it is suggested that you submit the entry to the LOGbinder support team.
<LogEntry siteName="http://shpnt" itemType="List Item" userName="Robert Solomon" locationType="Url" occurred="2009-06-29T21:49:11" eventType="Workflow"><RawData siteId="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemId="c04f5388-bf24-4007-b463-1dd1b3c19a02" itemType="ListItem" userId="1" documentLocation="Cache Profiles/1_.000" locationType="Url" occurred="633819089510000000" event="Workflow" eventSource="ObjectModel"><EventData>http://shpnt/docLib/CopiedFile.ext</EventData></RawData><Details /></LogEntry>

555 – LOGbinder error

This event occurs when the LOGbinder service encounters a problem that needs attention. This event is written to Windows Application log. In most cases this gives enough information for you to address the problem successfully. Otherwise, please contact LOGbinder support for assistance.

Example A

In this example, the error indicates that the LOGbinder for Exchange service cannot run because the Exchange web service has not been configured properly.

LOGbinder error
Cannot start LOGbinder EX service, Exchange web service not configured.

Example B

In this example, a program assembly used by LOGbinder for Exchange does not exist, indicating that the LOGbinder software is no longer installed properly.

LOGbinder error
Exporter assembly does not exist: C:\Program Files\LOGbndEX\MTG.LOGbinder.Exchange.dll

Example C

In this example, a certificate error is indicated. The Exchange URL set for the inputs should open in Internet Explorer without any certificate error. Certificate errors often occur when using a self-signed certificate.

Could not retrieve mail messages from Exchange mailbox. Details: The request failed. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.; The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.; The remote certificate is invalid according to the validation procedure.

Action: Add the self-signed certificate to the trusted root store.

556 – LOGbinder insufficient authority

This event occurs when the LOGbinder for Exchange service cannot run because of invalid or inadequate permissions. The event will include the module lacking the permission, the name or description of the permission, as well as relevant details. Each example below also includes the action needed in order to correct it.

Example A: No permission to write to security log

LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: Security Log
Privilege: SeAuditPrivilege
Details: The LOGbinder agent does not have the necessary rights to configure the security log

Action: The service account needs the "Generate security audits" privilege (https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Generate-security-audits), or do not enable LOGbinder to output to the Windows Security log.

Example B: Attempt to write to security log from invalid location

One measure to protect the security log is to write security events only from authorized locations. When LOGbinder is configured, it registers its program location with the security log. If this error occurs, then LOGbinder had been reinstalled to a different location, and the previous location was not removed properly.

LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: Security Log
Privilege: Invalid Location
Details: Cannot write to because the program location does not match what has been previously configured

Action: Recommended to delete the registry key manually. First ensure that LOGbinder is not open. Then delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LOGbndES. Be careful not to delete other parts of the registry, as it can cause the server to be unstable. When you reopen the LOGbinder control panel, it will reconfigure its ability to write to the security log.

Example C: Internal error

LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: Security Log
Privilege: Internal Error
Details: The security account database contains an internal inconsistency

Action: One factor that can cause an internal error is if the LOGbinder program path is too long. By default, LOGbinder is installed to C:\Program Files\LOGbndEX. It is recommended that the default be used. If the software has been installed to a different location with a longer program path, to correct this error it will be necessary to reinstall LOGbinder.

Example D: Log on as service

LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: LOGbinder service
Privilege: Log on as service
Details: Account running LOGbinder agent does not have user right "Logon as a service"

Action: The service account needs to be assigned the "Logon as a service" user right. (https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Log-on-as-a-service)

Example E: Cannot start LOGbinder control panel

LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: LOGbinder Manager
Privilege: File Permissions
Details: Account running LOGbinder Control Panel needs to be a member of the local Administrators group

Action: Ensure that the user account used to run the LOGbinder for Exchange control panel has local administrator access.

557 – License for LOGbinder invalid

Occurs when the license for LOGbinder is not valid and an attempt is made to start the service. This event is written to the Application log.

If the license is not valid, the LOGbinder for Exchange control panel continues to operate as normal. However, the LOGbinder service will not start if the license is invalid. Follow the instructions in the control panel, in the menu File\License, in order to obtain a license to the software.

Example

License for LOGbinder invalid
Details: License is invalid. Open LOGbinder for Exchange Control Panel to remedy.

Appendix D: Troubleshooting

Initial checks

Check the Inputs in LOGbinder for Exchange control panel:

1. If there are entries under Transaction, then the Powershell URL is set good.
2. If the Completed column is filled, then the Exchange URL and Recipient are set good.

Verifying Mailbox Access

(In the following steps, some examples are shown. Please replace the bold parts with the appropriate details of your environment.)

1. Open Internet Explorer and logon as the LOGbinder service account, to the mailbox via Outlook Web Access using the server name specified in LOGbinder for Exchange control panel, such as

   https://ex1.acme.com/owa

   You should see emails in the Inbox or in Deleted Items from Microsoft Exchange with subjects, such as “Administrator Audit Log Search …” and “Mailbox Audit Log Search …”

2. In Internet Explorer go to the Exchange URL of your Input setting, such as

   https://ex1.acme.com/ews/exchange.asmx

   You should get the WSDL xml for Exchange, something like this

   

   Make sure there are no certificate errors in the browser.

   If it doesn’t work, you could try to identify the correct URL by executing the following PowerShell command from the Exchange Management Shell on the Exchange server:

   Get-WebServicesVirtualDirectory | fl *url

Verifying PowerShell Connectivity and Exchange Authority

(In the following steps, some examples are shown. Please replace the bold parts with the appropriate details of your environment.)

1. Double-check what account LOGbinder for Exchange service is configured to Logon as.
2. Logon to the desktop using that account.

Verifying PowerShell Connectivity

3. Open PowerShell – Not the Exchange Management Shell
4. Run (on line b, replace the URL with the correct PowerShell URL):
1. whoami
2. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ex1.acme.com/PowerShell/
3. Import-PSSession $Session

Verifying Exchange Authority

5. After the previous steps, run the following commands (on lines c and d, replace the email address with an email address where you want the results to be sent to):
   1. $enddate = Get-Date (Get-Date).AddHours(-24) -Format "MM/dd/yyyy HH:mm"
   2. $startdate = Get-Date (Get-Date $enddate).AddMinutes(-10) -Format "MM/dd/yyyy HH:mm"
   3. New-AdminAuditLogSearch -StartDate $startdate -EndDate $enddate -Name LOGbinder-test -StatusMailRecipients administrator@acme.com
   4. New-MailboxAuditLogSearch -StartDate $startdate -EndDate $enddate -Name LOGbinder-test -StatusMailRecipients administrator@acme.com

6. After sufficient time elapsed, you should see emails in the Inbox or in Deleted Items from Microsoft Exchange with subjects, such as “Administrator Audit Log Search …” and “Mailbox Audit Log Search …”

   Note: Exchange server might take up to 15 minutes (or more) to generate the audit report.

Additional notes

On the server where LOGbinder for Exchange is installed, what version of Windows are you running? Windows Server 2003, 2008, 2008 R2, etc.?

• Windows Management Framework 2.0 is integrated with Windows Server 2008 R2.
• If you have Windows Server 2003 or Windows Server 2008 (but not R2), have you installed the Windows Management Framework 2.0?
  http://technet.microsoft.com/en-us/library/dd335083.aspx

  Note the requirements for Exchange 2010:

  • Windows Management Framework installed
    • Windows Management Framework includes Windows PowerShell V2 and Windows Remote Management (WinRM) 2.0.
  • The fully qualified domain name (FQDN) of an Exchange 2010 server in your organization
  • The domain this server is joined to must be trusted by the domain where the Exchange server resides.
  • TCP port 80 must be open between your computer and the remote Exchange 2010 server, and the port must be allowed through Windows Firewall on the Exchange 2010 server.
  • A user that's enabled for remote Shell