Skip to main content
Skip table of contents

Flat File - Microsoft Exchange Tracking Logs

The message tracking log is a detailed record of all activity as mail flows through the transport pipeline on Mailbox servers and Edge Transport servers. You can use message tracking for message forensics, mail flow analysis, reporting, and troubleshooting.

  1. On the Exchange server, enable tracking logs.

    You must enable this feature on each server where you want to track messages. To enable message tracking for multiple servers, you can use a server policy. The size of the message tracking logs can increase quickly on bridgehead servers that process many inbound and outbound messages. Ensure that you have adequate disk space for tracking log files.

  2. Start Exchange System Manager and display the properties of the server where you want to enable message tracking.
  3. On the General tab, select the Enable message tracking check box.
  4. To track the subject line for each message, select the Enable subject logging and display check box. This also tracks envelope information, such as To, From, and Date Sent. 
  5. Ensure the default log file directory, C:\Program Files\ExchSrvr\<SERVERNAME> is what you want for your site.
  6. Create a host record for the Exchange server's system. See the Host Records topic in the LogRhythm SIEM Help.
  7. Install and configure a System Monitor Agent on the Exchange server.
  8. Establish a Log Processing (MPE) Policy for the Microsoft Exchange Message Tracking Log Log Source Type, or use the default.

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

The name of the log message source is Flat File - Microsoft Exchange Message Tracking Log. In addition, when configuring this log source:

  • For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
  • On the Flat File Settings tab, enter the following:
    • File Path. <path to log file, including the file name and extension>
    • Date Parsing Format. Defines regular expression (regex) patterns to be used by a System Monitor Agent for parsing date information from log files.
      Example: ExchangeLog where ExchangeLog is a Date Format defined as <UTC><yy>-<M>-<d> <h>:<m>:<s>


Configure LogRhythm for Microsoft Exchange Tracking

Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

  1. In the Client Console on the main toolbar, click Deployment Manager.
  2. Click the System Monitors tab.
  3. Double-click the System Monitor Agent that will collect the information.
    The System Monitor Agent Properties dialog box appears.
  4. Click the Agent Settings tab.
  5. Right-click anywhere in the Log Message Sources Collected by this Agent grid, and then click New.
  6. Click the Basic Configuration tab.
  7. For Log Message Source Type, select Flat File - Microsoft Exchange Message Tracking Log.
  8. For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.

  9. Click the Flat File Settings tab.

  10. Populate the flat file boxes with the following information:

    • File PathDefine the PATH to the log file or directory. If you chose directory, ensure the file extension is specified (for example, \PATH\*.log). Example: C:\Program Files\Exchsrvr\MYSERVER.log\*.log

    • Date Parsing FormatDefines regular expression (regex) patterns to be used by a System Monitor Agent for parsing date information from log files.
      Example: ExchangeLog where ExchangeLog is a Date Format defined as <UTC><yy>-<M>-<d> <h>:<m>:<s>

  11. To save the configuration, click OK, and then click OK again.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close