IBM QRadar


 MS Exchange remote log collection from managed Wincollect 7

David Mechsner posted Tue January 21, 2025 09:12 AM

Does anyone in this community have experience with integrating managed WinCollect and remote log collection from Microsoft Exchange?

We have been trying for some time to retrieve logs remotely from our Exchange server with our managed WinCollect 7 agent, using a user who has read permission on a network share of the Exchange server. If we connect with Windows Explorer from the Windows agent host to the network share of the Exchange server with our DomainUser, who is allowed to read the share, we can see and read the Exchange log files.
The WinCollect agent cannot do this. The WinCollect log shows "Unable to open directory: ...." errors:


01-21 06:30:04.505 DEBUG Device.FileMonitorDevicePool.MicrosoftExchange.x1D48 : RunControl code 1
01-21 06:30:04.505 DEBUG Device.FileMonitorDevicePool.MicrosoftExchange.x1D48 : NEW_DEVICE

01-21 06:30:04.505 DEBUG Device.MicrosoftExchange.DeviceReader.a.b.c.d : SetupMonitors on : \\a.b.c.d\OWAAccessDirectory\
01-21 06:30:04.552 DEBUG Device.MicrosoftExchange.DeviceReader.a.b.c.d : Unable to open directory: \\a.b.c.d\OWAAccessDirectory\

01-21 06:30:04.552 DEBUG Device.MicrosoftExchange.DeviceReader.a.b.c.d : SetupMonitors on : \\a.b.c.d\MessageTrackingDirectory\
01-21 06:30:04.567 DEBUG Device.MicrosoftExchange.DeviceReader.a.b.c.d : Unable to open directory: \\a.b.c.d\MessageTrackingDirectory\

01-21 06:30:04.567 DEBUG Device.MicrosoftExchange.DeviceReader.a.b.c.d : SetupMonitors on : \\a.b.c.d\SMTPMailDirectory\
01-21 06:30:04.599 DEBUG Device.MicrosoftExchange.DeviceReader.a.b.c.d : Unable to open directory: \\a.b.c.d\SMTPMailDirectory\

Can anyone here perhaps help, or is it perhaps not possible to do what we are doing?
Do you perhaps always need an admin account that is allowed to read \\c$\....?

Thank you very much

Ralph Belfiore IBM Champion

Hello David,

I assume you proceeded as described in the DSM Guide? Maybe this will help:

https://www.ibm.com/docs/en/qradar-on-cloud?topic=agents-microsoft-exchange-server-log-source

Regards,

Ralph

David Mechsner

Hello Ralph,
thanks for your quick response.

Configuration according to the manual? Well, not quite, because we have created a separate network share for each log type (OWA, MSTR, SMTP), on which the service account is authorized to read.

If we enter the folder paths according to the instructions, we get an access denied error, because the service account is not allowed to read the admin share C$.
I mean these directories from the instructions:
\\<Exchange Server IP address>\C$\inetpub\logs\LogFiles\W3SVC1
\\<Exchange Server IP address>\C$\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking
\\<Exchange Server IP address>\C$\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

This is because our company policy does not allow assigning domain admin rights for log collection.
Here is the error with the full path:
01-21 17:48:42.987 DEBUG Device.MicrosoftExchange.DeviceReader.<Exchange Server IP> : Unable to open directory: \\<Exchange Server IP>\C$\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\

Where can I find in the WinCollect documentation which authorizations the remote user (service account) needs?

Ralph Belfiore IBM Champion

Hello David,

Did you check whether your remote user is a member of the Microsoft Event Reader group? In the case of remote collection of Microsoft Windows security events, this is a default requirement.

Regards,

Ralph

Ralph Belfiore IBM Champion

@David Mechsner: any findings, progress or success story? :)

Regards,

Ralph

David Mechsner

IBM Support recommended that we give the domain service account for the Exchange servers local administrator rights and then use the admin shares according to the IBM instructions. This gives the user the right to read the log paths. Working with restricted rights does not work. 
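As an added check (not from this thread, the DSM Guide or IBM Support), a PowerShell snippet to run on the WinCollect agent host before and after changing the service account's group membership: it maps each Exchange log directory quoted earlier in the thread over the admin share as the service account and reports whether the directory can be listed. The host value is the placeholder from the DSM Guide paths, and the drive name WCTest is my own choice.

```powershell
# Added example: test whether the WinCollect service account can list each
# Exchange log directory over the C$ admin share from the agent host.
$ExchangeHost = '<Exchange Server IP address>'   # placeholder: replace with the real host
$Cred = Get-Credential -Message 'WinCollect service account (DOMAIN\user)'

# Directories from the DSM Guide paths and the error quoted in this thread
$LogDirs = @(
    'C$\inetpub\logs\LogFiles\W3SVC1',
    'C$\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking',
    'C$\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog'
)

foreach ($dir in $LogDirs) {
    $unc = "\\$ExchangeHost\$dir"
    try {
        # Map the directory with the service account's credentials, as the agent would
        New-PSDrive -Name 'WCTest' -PSProvider FileSystem -Root $unc `
            -Credential $Cred -ErrorAction Stop | Out-Null
        # Listing the files is the same operation WinCollect needs for SetupMonitors
        $count = (Get-ChildItem -Path 'WCTest:\' -File -ErrorAction Stop | Measure-Object).Count
        Write-Output ("OK      {0} ({1} files visible)" -f $unc, $count)
    }
    catch {
        Write-Output ("DENIED  {0}: {1}" -f $unc, $_.Exception.Message)
    }
    finally {
        Remove-PSDrive -Name 'WCTest' -ErrorAction SilentlyContinue
    }
}
```

Administrative shares such as C$ are only reachable by members of the target server's local Administrators group, so a DENIED line for every path is expected until the account is added to that group, as IBM Support advised; the check does not require domain admin rights.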

Ralph Belfiore IBM Champion

Hi @David Mechsner,

thank you for this useful update and feedback on how you solved this :)
Good to know how to deal with this use case.

Regards,

Ralph