Exchange user mail auditing

Hi All

    I have got CG to receive Exchange audit log events and show them on the CG WebConsole.

But I find I want to monitor user mail auditing (mail send/move/delete) actions...

I referred to the official CG document and created the same user "Ben Smith", then ran the same Exchange shell command to enable mail auditing for this user.

006.png

Then I assigned the user mailbox monitoring policy to this Exchange 2016 server... and then tried mail actions on this account to let the policy trigger..

But no event has been generated....

I ran Search-MailboxAuditing -identity "Ben Smith" in the Exchange shell window.... no events are shown.

009.png

Which action did I miss to let Exchange monitor user mail actions?

  • Hi Wencheng,


    Please add the alias name under Modify table parameters in the Change Guardian Event Collector and try.

    Follow the steps below to add the parameter:

    1. Run the Change Guardian Event Collector (ChangeGuardianEventCollectorAddonForWindowsAgent-7.15.0.8295.exe) as Administrator and select the collector to configure.
    2. On the Exchange Collector, click on the Modify option.
    3. On the Connector setup screen, select Modify the connector.
    4. Click Next and select Modify Connector parameters.
    5. Click Next to Modify table parameters and add the alias names of the mailboxes which you need to monitor. Ex. Ben Smith, Administrator, Test1, etc. (screenshot: Modify table parameter.png)
    6. After adding the alias names, click Next.
    7. Select Exit and click Next.
    8. Once the above steps are complete, restart the service Arcsight Microsoft Exchange PowerShell Service.

    Note: Make sure to enable mailbox auditing on each mailbox that needs to be monitored, add the mailbox email ID in the Policy Editor policy, and assign it to the asset.

  • Hi,

    I have upgraded 6.0 to 6.1; it seems I only need to upgrade the CG agent, not the Add-on Agent (same version).

    When I followed your procedure, after clicking "Exit", I saw this message:

    010.png

    When I click Yes... it stays in "starting Modify" status for more than 10 mins.

    Another question... when I modify the table parameter, does the AliasName match the DISPLAY NAME, correct?

    006_3.png

  • Hi Wencheng,

    Currently we are retaining the same version of the Change Guardian event collector addon (7.15) for Windows agent with 6.1, so need to upgrade addon.

    For the script error, please take a backup of the CEF folder and uninstall the event collector. Once the uninstall completes, clear the NetIQ folder (C:\Program Files\NetIQ) and re-install.

    Here the Alias name and the Display Name are different. For example, Ben Smith (BenSmith@domain.com) is the Display name and BenSmith is the Alias name.
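
The checks discussed in this thread (alias versus display name, and whether auditing is actually enabled on each mailbox) can be confirmed from the Exchange Management Shell. This is an added example, not part of the original posts or the vendor documentation; the mailbox names are the ones used in the thread and the list of owner actions is an assumption.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# on the Exchange 2016 server.
# Mailbox names are the ones mentioned in the thread; replace with your own.
$mailboxes    = 'Ben Smith', 'Administrator', 'Test1'
# Assumption: these owner actions cover the move/delete activity to monitor.
$ownerActions = 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'
$enableAudit  = $false   # set to $true to turn auditing on where it is off

$report = foreach ($name in $mailboxes) {
    $mbx = Get-Mailbox -Identity $name -ErrorAction SilentlyContinue
    if (-not $mbx) { Write-Warning "No mailbox found for '$name'"; continue }

    if ($enableAudit -and -not $mbx.AuditEnabled) {
        # Passing a list replaces the mailbox's current AuditOwner list.
        Set-Mailbox -Identity $mbx.Alias -AuditEnabled $true -AuditOwner $ownerActions
        $mbx = Get-Mailbox -Identity $mbx.Alias
    }

    # Alias is the value for the collector's table parameters;
    # DisplayName and the SMTP address are listed only for comparison.
    [pscustomobject]@{
        DisplayName   = $mbx.DisplayName
        Alias         = $mbx.Alias
        PrimarySmtp   = $mbx.PrimarySmtpAddress
        AuditEnabled  = $mbx.AuditEnabled
        AuditOwner    = $mbx.AuditOwner -join ','     # empty = owner actions not logged
        AuditDelegate = $mbx.AuditDelegate -join ','
    }
}
$report | Format-Table -AutoSize -Wrap

# Confirm that Exchange itself records entries before looking at the collector.
foreach ($row in $report | Where-Object AuditEnabled) {
    Search-MailboxAuditLog -Identity $row.Alias -LogonTypes Owner, Delegate, Admin `
        -ShowDetails -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
        Select-Object LastAccessed, Operation, OperationResult, LogonType, LogonUserDisplayName
}
```

If `Search-MailboxAuditLog` returns nothing for a mailbox whose `AuditOwner` column is empty, test actions performed by the mailbox owner are not being written to the audit log, so there is nothing for the collector to pick up.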