Hi All,

The NetIQ standard Exchange collector supports only "Message Tracking
Logging", but in China I found that many customers need auditing of
POP3/Exchange/OWA user logins and of users opening other people's
mailboxes. For example, steve_zeng is perhaps the Exchange
administrator's friend; steve_zeng asks the Exchange admin to configure
Exchange so that he can open management's mailbox. These requirements
are more important than "Message Tracking Logging", so why doesn't NetIQ
release these collectors?

I am delivering a Sentinel project for our customer, and I found that it
needs collector development, but I currently have no time to study this
work. Can anyone help me develop these collectors? Thanks!

1. When a mail client uses POP3 to log in to the Exchange server, the
Exchange server by default does not record these actions, but after I
enabled POP3 audit I found that the POP3 logs include user logon success
and failure logs. For detailed information please see the attachment,
as follows:

#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: POP3 Log
#Date: 2013-05-28T06:51:26.758Z
#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
2013-05-28T06:51:26.758Z,0000000000000001,0,10.108.47.250:110,10.108.37.47:1081,,-2147483648,0,51,OpenSession,,
2013-05-28T06:51:27.163Z,0000000000000001,1,10.108.47.250:110,10.108.37.47:1081,,296,8,5,user,ceo,R=ok
2013-05-28T06:51:33.434Z,0000000000000001,2,10.108.47.250:110,10.108.37.47:1081,ceo,6240,10,34,pass,*****,"R=ok;RpcC=21;RpcL=358;LdapC=11;LdapL=46;Msg=""User:ceo:63040b18-f9de-40e5-ae36-e2e5bb38dcaa:Mailbox Database 1922842333:testad.adtest.com"";Budget=""Conn:0,HangingConn:0,AD:$null/$null/1%,CAS:$null/$null/10%,AB:$null/$null/0%,RPC:$null/$null/1%,FC:1000/0,Policy:DefaultThrottlingPolicy_f057760c-e745-4fcc-9b0f-89388f4f1176,Norm[Resources:(DC)testad.adtest.com(Health:-1%,HistLoad:0),(Mdb)Mailbox Database 1922842333(Health:-1%,HistLoad:0),];GC:2/1/1;"""
2013-05-28T06:52:01.780Z,0000000000000002,0,10.108.47.250:110,10.108.37.47:1082,,-2147483648,0,51,OpenSession,,
2013-05-28T06:52:01.795Z,0000000000000002,1,10.108.47.250:110,10.108.37.47:1082,,0,8,5,user,ceo,R=ok
2013-05-28T06:52:01.858Z,0000000000000002,2,10.108.47.250:110,10.108.37.47:1082,ceo,62,10,34,pass,*****,"R=ok;RpcC=13;RpcL=31;LdapC=2;Msg=""User:ceo:63040b18-f9de-40e5-ae36-e2e5bb38dcaa:Mailbox Database 1922842333:testad.adtest.com"";Budget=""Conn:0,HangingConn:0,AD:$null/$null/1%,CAS:$null/$null/17%,AB:$null/$null/0%,RPC:$null/$null/2%,FC:1000/0,Policy:DefaultThrottlingPolicy_f057760c-e745-4fcc-9b0f-89388f4f1176,Norm[Resources:(DC)testad.adtest.com(Health:-1%,HistLoad:0),(Mdb)Mailbox Database 1922842333(Health:-1%,HistLoad:0),]"""
2013-05-28T06:56:59.101Z,0000000000000004,0,10.108.47.250:110,10.108.37.47:1085,,-2147483648,0,51,OpenSession,,
2013-05-28T06:56:59.101Z,0000000000000004,1,10.108.47.250:110,10.108.37.47:1085,,0,8,5,user,ceo,R=ok
2013-05-28T06:56:59.740Z,0000000000000005,2,10.108.47.250:110,10.108.37.47:1086,,15,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LoginDenied"
2013-05-28T06:56:59.756Z,0000000000000005,3,10.108.47.250:110,10.108.37.47:1086,,0,0,0,CloseSession,,

2. A user opening another user's mailbox needs auditing. For example,
steve_zeng is perhaps the Exchange administrator's friend; steve_zeng
asks the Exchange admin to configure Exchange so that he can open
management's mailbox. The detailed log is as follows:

RunspaceId : 7641f65a-2032-4f9b-8122-73c40e121222
Operation : FolderBind
OperationResult : Succeeded
LogonType : Delegate
ExternalAccess : False
DestFolderId :
DestFolderPathName :
FolderId : LgAAAADO7f09i5wrRosCpXxI9tDOAQCSyUsyvLOTQo94x/CDPhYwAAAAn6M0AAAB
FolderPathName : \Sync Issues\Server Failures
ClientInfoString : Client=MSExchangeRPC
ClientIPAddress : 10.108.37.43
ClientMachineName :
ClientProcessName : OUTLOOK.EXE
ClientVersion : 14.0.4760.1000
InternalLogonType : Owner
MailboxOwnerUPN : ceo@adtest.com
MailboxOwnerSid : S-1-5-21-2584176711-3539298727-1927041674-1143
DestMailboxOwnerUPN :
DestMailboxOwnerSid :
DestMailboxGuid :
CrossMailboxOperation :
LogonUserDisplayName : stevezeng
LogonUserSid : S-1-5-21-2584176711-3539298727-1927041674-1130
SourceItems : {}
SourceFolders : {}
ItemId :
ItemSubject :
DirtyProperties :
OriginatingServer : TESTAD (14.01.0218.011)
MailboxGuid : 63040b18-f9de-40e5-ae36-e2e5bb38dcaa
MailboxResolvedOwnerName : ceo
LastAccessed : 2013/5/22 16:43:18
Identity : RgAAAADO7f09i5wrRosCpXxI9tDOBwCSyUsyvLOTQo94x/CDPhYwAAAAoHAWAACSyUsyvLOTQo94x/CDPhYwAAAAoHArAAAJ

Thank you!
steve zeng
zjzeng@novell.com


--
steve_zeng
------------------------------------------------------------------------
steve_zeng's Profile: https://forums.netiq.com/member.php?userid=3875
View this thread: https://forums.netiq.com/showthread.php?t=47839
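An added example, not part of the post and not NetIQ/Novell collector code: a small Python normaliser for the two Exchange 2010 log sources the post describes. It parses the POP3 protocol log (a `#` header block followed by CSV rows, carrying the username from the session's USER command into the PASS row, because the `user` column is empty on a failed logon) and a Search-MailboxAuditLog format-list record (joining values that wrap onto the next line, as the SIDs and folder ids do in the paste), then flags mailbox access where the logon user is not the mailbox owner. The sample records are constructed from the post's data and trimmed; the function names, event field names and the "high"/"info" severity labels are the example's own.

```python
"""Added example (not NetIQ/Novell code): normalise the two Exchange 2010 log
sources from the post so a collector can emit logon and mailbox-access events."""
import csv
import re

# Constructed sample from the post's POP3 protocol log, trimmed. The failed PASS
# row has an empty `user` column; only the preceding USER command names the user.
POP3_LOG = '''\
#Software: Microsoft Exchange Server
#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
2013-05-28T06:51:27.163Z,0000000000000001,1,10.108.47.250:110,10.108.37.47:1081,,296,8,5,user,ceo,R=ok
2013-05-28T06:51:33.434Z,0000000000000001,2,10.108.47.250:110,10.108.37.47:1081,ceo,6240,10,34,pass,*****,"R=ok;RpcC=21;Msg=""User:ceo:63040b18-f9de-40e5-ae36-e2e5bb38dcaa:Mailbox Database 1922842333:testad.adtest.com"""
2013-05-28T06:56:59.101Z,0000000000000005,1,10.108.47.250:110,10.108.37.47:1086,,0,8,5,user,ceo,R=ok
2013-05-28T06:56:59.740Z,0000000000000005,2,10.108.47.250:110,10.108.37.47:1086,,15,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LoginDenied"
'''


def parse_pop3_logons(text):
    """Return one event per PASS command; the username of a failed PASS is
    taken from the same session's last USER command (keyed by sessionId)."""
    fields, last_user, events = None, {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):          # other header lines (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        rec = dict(zip(fields, next(csv.reader([line]))))   # csv unescapes "" quotes
        cmd = rec["command"].lower()
        if cmd == "user":
            last_user[rec["sessionId"]] = rec["parameters"]
        elif cmd == "pass":
            ok = rec["context"].startswith("R=ok")
            events.append({
                "time": rec["dateTime"],
                "client_ip": rec["cIp"].rsplit(":", 1)[0],
                "user": rec["user"] or last_user.get(rec["sessionId"], ""),
                "success": ok,
                "detail": "" if ok else rec["context"],
            })
    return events


# Constructed sample: the post's Search-MailboxAuditLog record, trimmed, with
# long values wrapped onto the following line exactly as they are in the paste.
AUDIT_RECORD = '''\
Operation : FolderBind
OperationResult : Succeeded
LogonType : Delegate
FolderId :
LgAAAADO7f09i5wrRosCpXxI9tDOAQCSyUsyvLOTQo94x/CDPhYwAAAAn6M0AAAB
FolderPathName : \\Sync Issues\\Server Failures
ClientIPAddress : 10.108.37.43
MailboxOwnerUPN : ceo@adtest.com
MailboxOwnerSid :
S-1-5-21-2584176711-3539298727-1927041674-1143
LogonUserDisplayName : stevezeng
LogonUserSid :
S-1-5-21-2584176711-3539298727-1927041674-1130
'''

KEY_RE = re.compile(r"^(\w+)\s*:(.*)$")   # a 'Key : Value' line of format-list output


def parse_audit_record(text):
    """Parse format-list output into a dict; a line with no 'Key :' prefix
    continues the previous value (SIDs and folder ids wrap in the paste)."""
    rec, key = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = KEY_RE.match(raw)
        if m:
            key = m.group(1)
            rec[key] = m.group(2).strip()
        elif key:
            rec[key] += raw.strip()
    return rec


def classify_mailbox_access(rec):
    """Flag access by someone other than the owner (LogonType not Owner, or
    owner/actor SIDs differ): the post's case of stevezeng in the ceo mailbox."""
    owner, actor = rec.get("MailboxOwnerSid", ""), rec.get("LogonUserSid", "")
    non_owner = rec.get("LogonType") != "Owner" or bool(owner and actor and owner != actor)
    succeeded = rec.get("OperationResult") == "Succeeded"
    return {
        "actor": rec.get("LogonUserDisplayName"),
        "mailbox": rec.get("MailboxOwnerUPN"),
        "operation": rec.get("Operation"),
        "folder": rec.get("FolderPathName"),
        "client_ip": rec.get("ClientIPAddress"),
        "non_owner_access": non_owner,
        "severity": "high" if non_owner and succeeded else "info",   # example's own labels
    }


if __name__ == "__main__":
    for ev in parse_pop3_logons(POP3_LOG):
        print("POP3", "OK" if ev["success"] else "FAIL", ev["user"], ev["client_ip"], ev["detail"])
    print("AUDIT", classify_mailbox_access(parse_audit_record(AUDIT_RECORD)))
```

The failed-logon row is the one worth checking in a real collector: its `user` column is blank, so an event that only reads that column attributes the failure to nobody; correlating on `sessionId` with the USER command recovers the attempted account name. For the audit record, `LogonType` is the field that distinguishes owner from delegate or admin access (note that `InternalLogonType` in the full paste says Owner even though the logon user is not the owner), and comparing `LogonUserSid` with `MailboxOwnerSid` is a second, name-independent check.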