Microsoft Exchange Server log source parameters for Microsoft Exchange

If QRadar® does not automatically detect the log source, add a Microsoft Exchange log source on the QRadar Console by using the Microsoft Exchange Server protocol.

When using the Microsoft Exchange Server protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Microsoft Exchange Server events from Microsoft Exchange:

Table 1. Microsoft Exchange Server log source parameters for the Microsoft Exchange DSM
Parameter	Value
Log Source type	Microsoft Exchange Server
Protocol Configuration	Microsoft Exchange
Log Source Identifier	The IP address or host name to identify the Windows Exchange event source in the QRadar user interface.
SMTP Log Folder Path	The directory path to access the SMTP log files. Use one of the following directory paths: For Microsoft Exchange 2003, use c$/Program Files/Microsoft/Exchange Server/TransportRoles/Logs/ProtocolLog/ . For Microsoft Exchange 2007, use c$/Program Files/Microsoft/Exchange Server/TransportRoles/Logs/ProtocolLog/. For Microsoft Exchange 2010, use c$/Program Files/Microsoft/Exchange Server/V14/TransportRoles/Logs/ProtocolLog/. For Microsoft Exchange 2013, use c$/Program Files/Microsoft/Exchange Server/V15/TransportRoles/Logs/ProtocolLog/. For Microsoft Exchange 2016, use c$/Program Files/Microsoft/Exchange Server/V15/TransportRoles/Logs/ProtocolLog/.
OWA Log Folder Path	The directory path to access the OWA log files. Use one of the following directory paths: For Microsoft Exchange 2003, use c$/WINDOWS/system32/LogFiles/W3SVC1/ . For Microsoft Exchange 2007, use c$/WINDOWS/system32/LogFiles/W3SVC1/ . For Microsoft Exchange 2010, use c$/inetpub/logs/LogFiles/W3SVC1/. For Microsoft Exchange 2013, use c$/inetpub/logs/LogFiles/W3SVC1/. For Microsoft Exchange 2016, use c$/inetpub/logs/LogFiles/W3SVC1/. For Microsoft Exchange 2019, use c$/inetpub/logs/LogFiles/W3SVC1/.
MSGTRK Log Folder Path	The directory path to access message tracking log files. Message tracking is only available on Microsoft Exchange 2007 servers assigned the Hub Transport, Mailbox, or Edge Transport server role. Use one of the following directory paths: For Microsoft Exchange 2007, use c$/Program Files/Microsoft/Exchange Server/TransportRoles/Logs/MessageTracking/. For Microsoft Exchange 2010, use c$/Program Files/Microsoft/Exchange Server/V14/TransportRoles/Logs/MessageTracking/. For Microsoft Exchange 2013, use c$/Program Files/Microsoft/Exchange Server/V15/TransportRoles/Logs/MessageTracking/. For Microsoft Exchange 2016, use c$/Program Files/Microsoft/Exchange Server/V15/TransportRoles/Logs/MessageTracking/.

For a complete list of Microsoft Exchange Server protocol parameters and their values, see Microsoft Exchange protocol configuration options.