Microsoft Exchange protocol configuration options
To receive SMTP, OWA, and message tracking events from Microsoft Windows Exchange 2007, 2010, 2013 and 2017 servers, configure a log source to use the Microsoft Exchange protocol.
The Microsoft Exchange protocol is an outbound/active protocol.
To read log files from a folder path that contains an administrative share (C$), the configured account requires NetBIOS privileges on that administrative share. Local or domain administrators have sufficient privileges to access log files on administrative shares.
Fields for the Microsoft Exchange protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain the c$/LogFiles/ directory for an administrative share, or the LogFiles/ directory for a public share folder path, but cannot contain the c:/LogFiles directory.
Parameter | Description |
---|---|
Protocol Configuration | Microsoft Exchange |
Log Source Identifier | Type the IP address, host name, or name to identify your log source. |
Server Address | The IP address or host name of your Microsoft Exchange server. |
Domain | Type the domain for your Microsoft Exchange server. This parameter is optional if your server is not in a domain. |
Username | Type the user name that is required to access your Microsoft Exchange server. |
Password | Type the password that is required to access your Microsoft Exchange server. |
Confirm Password | Retype the password that is required to access your Microsoft Exchange server. |
SMTP Log Folder Path | The directory path to access the SMTP log files. The default file path is Program Files/Microsoft/Exchange Server/TransportRoles/Logs/ProtocolLog. When the folder path is clear, SMTP event collection is disabled. |
OWA Log Folder Path | The directory path to access OWA log files. The default file path is Windows/system32/LogFiles/W3SVC1. When the folder path is clear, OWA event collection is disabled. |
MSGTRK Log Folder Path | The directory path to access message tracking logs. The default file path is Program Files/Microsoft/Exchange Server/TransportRoles/Logs/MessageTracking. Message tracking is available on Microsoft Exchange 2017 or 2010 servers that are assigned the Hub Transport, Mailbox, or Edge Transport server role. |
Use Custom File Patterns | Select this check box to configure custom file patterns. Leave the check box clear to use the default file patterns. |
MSGTRK File Pattern | The regular expression (regex) that is used to identify and download the MSGTRK logs. All files that match the file pattern are processed. The default file pattern is |
MSGTRKMD File Pattern | The regular expression (regex) that is used to identify and download the MSGTRKMD logs. All files that match the file pattern are processed. The default file pattern is |
MSGTRKMS File Pattern | The regular expression (regex) that is used to identify and download the MSGTRKMS logs. All files that match the file pattern are processed. The default file pattern is |
MSGTRKMA File Pattern | The regular expression (regex) that is used to identify and download the MSGTRKMA logs. All files that match the file pattern are processed. The default file pattern is |
SMTP File Pattern | The regular expression (regex) that is used to identify and download the SMTP logs. All files that match the file pattern are processed. The default file pattern is |
OWA File Pattern | The regular expression (regex) that is used to identify and download the OWA logs. All files that match the file pattern are processed. The default file pattern is |
Force File Read | If the check box is cleared, the log file is read only when QRadar detects a change in the modified time or file size. |
Recursive | If you want the file pattern to search subfolders, use this option. By default, the check box is selected. |
SMB Version | Select the version of SMB that you want to use. Note: Before you create a log source with a specific SMB version (for example, SMBv1, SMBv2, or SMBv3), ensure that the specified SMB version is supported by the Windows OS that is running on your server. You also need to verify that the SMB version is enabled on the specified Windows Server. For more information about which Windows version supports which SMB versions, go to the Microsoft TechNet website (https://blogs.technet.microsoft.com/josebda/2012/06/06/windows-server-2012-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-or-smb-3-0-are-you-using-on-your-file-server/). For more information about how to detect, enable, and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server, go to the Microsoft support website (https://support.microsoft.com/en-us/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server). |
Polling Interval (in seconds) | Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The default is 10 seconds. |
Throttle Events/Sec | The maximum number of events the Microsoft Exchange protocol can forward per second. |
File Encoding | The character encoding that is used by the events in your log file. |
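The following added example (not QRadar's own code) models the folder-path rule, the file-pattern and Recursive options, and the Force File Read semantics described above: a file is re-read only when its modified time or size changed since the last poll, unless forced. The sample folder, file names, and the regex are constructed assumptions; the page does not show the product's default patterns.

```python
import re
import tempfile
from pathlib import Path

def folder_path_is_valid(folder_path: str) -> bool:
    """Accept 'c$/LogFiles/' (administrative share) or 'LogFiles/' (public
    share); reject a local drive letter such as 'c:/LogFiles'."""
    return re.match(r"^[A-Za-z]:[\\/]", folder_path) is None

def unc_path(server: str, folder_path: str) -> str:
    """Build the UNC path a collector would open on the Exchange server."""
    return "\\\\" + server + "\\" + folder_path.replace("/", "\\").rstrip("\\")

def files_to_read(root, pattern, recursive, force_read, state):
    """Return the log files to read on this poll. Without Force File Read a
    file is read only when its modified time or size differs from the last
    poll; 'state' maps path -> (mtime_ns, size) and is updated in place."""
    regex = re.compile(pattern)
    candidates = Path(root).rglob("*") if recursive else Path(root).glob("*")
    selected = []
    for p in sorted(c for c in candidates if c.is_file() and regex.match(c.name)):
        st = p.stat()
        sig = (st.st_mtime_ns, st.st_size)
        if force_read or state.get(str(p)) != sig:
            selected.append(str(p))
        state[str(p)] = sig
    return selected

def demo():
    """Constructed sample log folder; file names and pattern are assumptions."""
    root = tempfile.mkdtemp()
    (Path(root) / "MSGTRK2024010100-1.LOG").write_text("old line\n")
    (Path(root) / "Sub").mkdir()
    (Path(root) / "Sub" / "MSGTRK2024010200-1.LOG").write_text("old line\n")
    (Path(root) / "notes.txt").write_text("ignored\n")
    pattern = r"^MSGTRK\d{10}-\d+\.LOG$"   # assumed custom MSGTRK pattern
    state = {}
    first = files_to_read(root, pattern, True, False, state)    # both logs
    second = files_to_read(root, pattern, True, False, state)   # nothing changed
    with open(Path(root) / "MSGTRK2024010100-1.LOG", "a") as f:
        f.write("new line\n")                                   # size changes
    third = files_to_read(root, pattern, True, False, state)    # only that file
    forced = files_to_read(root, pattern, True, True, state)    # Force File Read
    return len(first), len(second), len(third), len(forced)

if __name__ == "__main__":
    print(demo())  # (2, 0, 1, 2)
```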