Collect Microsoft Exchange logs

This document explains how to ingest Microsoft Exchange logs to Google Security Operations using Bindplane. An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the EXCHANGE_MAIL ingestion label.

Before you begin

Make sure you have the following prerequisites:

• A Google SecOps instance
• A Windows Server 2016 or later with Microsoft Exchange Server installed
• Administrative access to the Exchange Server
• If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows operating system according to the following instructions.

Windows Installation

1. Open the Command Prompt or PowerShell as an administrator.
2. Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Additional Installation Resources

• For additional installation options, consult this installation guide.

Configure the Bindplane agent to collect Windows Event Logs and send to Google SecOps

1. Access the Configuration File:

   • Locate the config.yaml file. Typically, it's in the `C:\Program Files\observIQ OpenTelemetry Collector` directory on Windows.
   • Open the file using a text editor (for example, Notepad or Notepad++).

2. Edit the config.yaml file as follows:

   receivers:
     windowseventlog/exchange_application:
       channel: Application
       raw: true
       max_reads: 100
       poll_interval: 5s
       start_at: end
   
     windowseventlog/exchange_system:
       channel: System
       raw: true
       max_reads: 100
       poll_interval: 5s
       start_at: end
   
     windowseventlog/exchange_management:
       channel: MSExchange Management
       raw: true
       max_reads: 100
       poll_interval: 5s
       start_at: end
   
   processors:
     batch:
   
   exporters:
     chronicle/exchange:
       compression: gzip
       # Adjust the path to the credentials file you downloaded earlier
       creds_file_path: 'C:\path\to\ingestion-authentication-file.json'
       # Replace with your actual customer ID
       customer_id: <PLACEHOLDER_CUSTOMER_ID>
       endpoint: <YOUR_REGIONAL_ENDPOINT>
       # Add ingestion labels for Exchange logs
       log_type: 'EXCHANGE_MAIL'
       raw_log_field: body
       ingestion_labels:
   
   service:
     pipelines:
       logs/exchange:
         receivers:
           - windowseventlog/exchange_application
           - windowseventlog/exchange_system
           - windowseventlog/exchange_management
         processors:
           - batch
         exporters:
           - chronicle/exchange
   

   • Replace <PLACEHOLDER_CUSTOMER_ID> with the actual Customer ID obtained earlier.
   • Replace <YOUR_REGIONAL_ENDPOINT> with the appropriate regional endpoint from the Regional Endpoints documentation.
   • Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Configuration notes

• Application channel: Collects application-level events from Exchange Server, including service startup, errors, and warnings.
• System channel: Collects system-level events that may affect Exchange Server operation.
• MSExchange Management channel: Collects Exchange-specific management events, including PowerShell cmdlet executions and administrative actions.
• raw: true: Sends complete Windows Event Log entries in their original format for comprehensive parsing.
• start_at: end: Begins collecting new events from the current point forward (does not ingest historical logs).

Restart the Bindplane agent to apply the changes

• To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command as an administrator:

  net stop "observIQ OpenTelemetry Collector" && net start "observIQ OpenTelemetry Collector"
  

UDM Mapping

Need more help? Get answers from Community members and Google SecOps professionals.