Fwd: [logs] Exchange Logging May 09 2008 12:52AM
Raffael Marty (rmarty splunk com)

From my experience, you want to tune the message tracking events. If
you turn on full logging, you get about 8 messages per email. Each
queue that a message traverses generates an event. There are some
event codes that you can - depending on your exact requirements -
filter out.

Splunk can help you manage your Exchange logs. We offer a free version
that you can use up to 500MB/day. That should be enough for a smaller
environment. Splunk runs natively on Windows and we can read the
Exchange message tracking logs. They are simple, plain text files.
Once collected, we store and compress the files. You can get back to
the original logs, if you need to. It also gives you a way to search,
report, and alert on the logs. Splunk will deal with compression,
archiving, etc. Yes, the archives can get big, but by compressing
them, you get a pretty good storage reduction.



Raffael Marty
Chief Security Strategist @ Splunk>
Security Visualization: http://secviz.org raffy.ch/blog

On May 8, 2008, at 4:14 PM, Philip Webster wrote:

> Just wondering how people handle Exchange logs ...
> For *nix boxen we use a combination of syslog and remote copy via
> SSH, and we can do the same for Windows but are not sure how
> effective it will be for Exchange. The Exchange message tracking
> GUI seems to be the preferred way to handle things, but again we're
> not too sure of how effective it will be.
> We store logs for 7 years which is quite simple to manage when
> they're all compressed text files on a central log server, but I
> imagine disk space will become an issue if we're storing that much
> data on live Exchange servers.
> MOM isn't really an option for us at the moment (but may be in the
> future).
> So do you centralise your logs? Use message tracking? Or ...? Is
> there third-party (free/open?) software which you use for analysing
> the logs?
> Happy to summarise responses for the list.
> Thanks
> Phil
> --
> Philip Webster, IT Security Engineer
> Queensland University of Technology
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis (at) loganalysis (dot) org [email concealed]
> http://www.loganalysis.org/mailman/listinfo/loganalysis

LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus