Use this reference information to configure the WinCollect plug-in for Microsoft Exchange Server.
Supported versions
WinCollect supports the following versions of
Microsoft Exchange :
- Microsoft Exchange 2003
- Microsoft Exchange 2007
- Microsoft Exchange 2010
- Microsoft Exchange 2013
- Microsoft Exchange 2016
- Microsoft Exchange 2019
Table 1. Microsoft Exchange
Server protocol parameters
| Parameter |
Description |
| Log Source Type |
Microsoft Exchange Server |
| Protocol Configuration |
WinCollect Microsoft Exchange |
| Local System |
The WinCollect agent must be installed on the
Microsoft Exchange Server.
The log source uses local system credentials to collect and forward events to QRadar®.
|
Ensure that the firewalls that are located between the Exchange Server and the remote host allow
traffic on the following ports:
- TCP port 135 for Microsoft Endpoint Mapper.
- UDP port 137 for NetBIOS name service.
- UDP port 138 for NetBIOS datagram service.
- TCP port 139 for NetBIOS session service.
- TCP port 445 for Microsoft Directory Services to
transfer files across a Windows share.
For more information about Microsoft Exchange log
source configuration, see The IBM®
QRadar DSM Configuration Guide.
Table 2. Default OWA directory paths for Microsoft Exchange Server events.
The Exchange Server OWA event logs that are monitored by WinCollect are defined by the directory path
that you specify in your WinCollect
Exchange Server log source. Microsoft Exchange writes to two directories:
W3SVC1 and W3SVC2. The Microsoft Exchange plug-in monitors
all recursive files under the C:\inetpub\logs\LogFiles\ directory.
| Collection type |
Root log directory |
| Local |
C:\inetpub\logs\LogFiles\W3SVC1 |
| Remote |
\\<Exchange Server IP
address>\C$\inetpub\logs\LogFiles\W3SVC1 |
Table 3. Default Message Tracking directory paths for Microsoft Exchange Server events.
The Exchange Server Message Tracking event logs that are monitored by WinCollect are defined by the directory path
that you specify in your WinCollect
Exchange Server log source.
| Collection type |
Root log directory |
| Local |
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking
|
| Remote |
\\<Exchange Server IP address>\C$\Program
Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking |
Table 4. Default SMTP/Mail directory paths for Microsoft Exchange Server events.
The Exchange Server SMTP/Mail event logs that are monitored by WinCollect are defined by the directory path
that you specify in your WinCollect
Exchange Server log source.
| Collection type |
Root log directory |
| Local |
C:\Program Files\Microsoft\Exchange
Server\V15\TransportRoles\Logs\Hub\ProtocolLog |
| Remote |
\\<Exchange Server IP address>\C$\Program
Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog |