We wrote back in 2012 about the challenges of SharePoint auditing and how to address them in "Auditing SharePoint with LEM & LOGbinder SP", but the folks over at Monterey Technology Group (the same folks who brought you Ultimate Windows Security) went on to create even MORE useful Microsoft auditing tools. This time around, we've also integrated LOGbinder for Exchange (LOGbinder EX).
Without LOGbinder EX or a tool like it, it's very hard to get visibility into the Exchange audit logs. Audit data is stored as part of the mailbox instead of in the Event Log, and there's no clean way to get the data into the Event Log repeatably and consistently. Even if you were able to do that, there's a ton of coded data, with different types and metadata, that you'd have to translate. The LOGbinder system does this automatically, storing the data in the Event Log, which makes it easy for you to read and easy for a system like Log & Event Manager to monitor, alert on, and store.
Use LOGbinder EX for:
- Detecting non-owner mailbox access (e.g. delegates or users opening other users' mailboxes)
- Changes to audit log settings and audit log integrity
- Permissions, policy, certificate, federation, and IRM changes
Use LEM + LOGbinder EX together for:
- Alerting on unexpected client activity (mailboxes accessed from something other than Outlook/OWA)
- Alerting on unexpected mailbox access (someone opening one or many mailboxes other than their own)
- Alerting on unexpected changes across Exchange infrastructure
- Reporting on Exchange audit and change management events
- Viewing Exchange events in context with other system, network, security, and application events
I just uploaded some rules, filters, and reports for LOGbinder EX over at the Content Exchange that provide some additional insight for the LEM side of your configuration. There's an integration guide in the ZIP file that explains how to install the files, which are all tailored to the LOGbinder EX event log data. You will need an agent installed on your LOGbinder EX system, and you'll need to make sure you have the latest product connectors installed. Then it's just a matter of following the guide to get set up and start monitoring.