
NXLog configuration for MS Exchange Server 2016



Overview:

NXLog runs on the Exchange server, reads the collected message tracking log records, and forwards them as syslog to the OTM CCE.

Configuration process:

1. Log in to the MS Exchange server.

2. Download the latest version of NXLog. It is easiest to choose the Windows MSI package, which includes an installer:

   http://nxlog.org/products/nxlog-community-edition/download

3. Open the NXLog configuration file at:

   C:\Program Files (x86)\nxlog\conf\nxlog.conf

4. Replace the entire contents of the configuration file with the configuration below. Replace the placeholder CCE_IP_ADDRESS (the {IP address of Seceon Server}) with the actual Seceon Server IP address:


## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

## Provides to_syslog_bsd() and the $Syslog* fields used in the output below.
<Extension syslog>
    Module xm_syslog
</Extension>

## Message tracking log directory. Exchange 2016 installs under V15
## (V14 is the Exchange 2010 path); adjust if the server uses a
## non-default installation path.
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

<Input in_exchange>
    Module im_file
    File '%BASEDIR%\MSGTRK*-*.LOG'
    ## Remember the read position across restarts so records are not re-sent.
    SavePos TRUE
    ## Drop HealthMailbox probe traffic and the '#' CSV header lines.
    Exec if $raw_event =~ /HealthMailbox/ drop();
    Exec if $raw_event =~ /^#/ drop();
</Input>

<Output out_exchange>
    Module om_udp
    ## Replace CCE_IP_ADDRESS with the Seceon Server (CCE) IP address.
    Host CCE_IP_ADDRESS
    Port 514
    ## Facility 2 = mail; $SourceName becomes the syslog tag.
    Exec $SyslogFacilityValue = 2;
    Exec $SourceName = 'exchange_msgtrk_log';
    Exec to_syslog_bsd();
</Output>

<Route 1>
    Path in_exchange => out_exchange
</Route>
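To see what the route above does to a message tracking record before it leaves the server, here is an added Python emulation of the in_exchange filters and the out_exchange syslog formatting (this is not NXLog code and not part of the original article). The sample MSGTRK lines are constructed and shortened, and NXLog's default severity of info (6) is assumed because the configuration sets only the facility.

```python
import re
from datetime import datetime

FACILITY_MAIL = 2        # $SyslogFacilityValue = 2 in the out_exchange block
SEVERITY_INFO = 6        # assumed: NXLog's default severity when none is set
SOURCE_NAME = "exchange_msgtrk_log"   # $SourceName in the out_exchange block

# Constructed sample records (shortened MSGTRK CSV lines, not real logs):
# two '#' header lines, one HealthMailbox probe, one real SMTP receive.
SAMPLE_LINES = [
    "#Software: Microsoft Exchange Server",
    "#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source,event-id,message-id,recipient-address",
    "2016-01-01T12:00:01.000Z,,,10.0.0.2,EX01,STOREDRIVER,DELIVER,<hm1@example.test>,HealthMailbox1234@example.test",
    "2016-01-01T12:00:02.000Z,10.0.0.5,client.example.test,10.0.0.2,EX01,SMTP,RECEIVE,<m2@example.test>,alice@example.test",
]

def keep(raw_event):
    """Mirror the two 'Exec if $raw_event =~ /.../ drop();' rules of in_exchange."""
    if re.search(r"HealthMailbox", raw_event):
        return False
    if re.match(r"^#", raw_event):
        return False
    return True

def to_syslog_bsd(raw_event, hostname, ts):
    """Build the RFC 3164 line that to_syslog_bsd() emits for a kept record."""
    pri = FACILITY_MAIL * 8 + SEVERITY_INFO          # <22>: facility mail, severity info
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"      # BSD timestamp, day space-padded
    return f"<{pri}>{stamp} {hostname} {SOURCE_NAME}: {raw_event}"

def forward(lines, hostname="EX01", ts=datetime(2016, 1, 1, 12, 0, 2)):
    """Apply the route: filter like in_exchange, format like out_exchange."""
    return [to_syslog_bsd(line, hostname, ts) for line in lines if keep(line)]

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\S{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")

def parse_syslog_bsd(line):
    """What the CCE side sees on UDP/514: return (facility, severity, tag, message)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: " + line[:40])
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(4), m.group(5)

if __name__ == "__main__":
    for out in forward(SAMPLE_LINES):
        print(out)                      # only the alice@example.test record survives
        print(parse_syslog_bsd(out))    # (2, 6, 'exchange_msgtrk_log', '2016-01-01T...')
```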


Verification:

The success of the configuration can be validated either in the UI or on the CCE server.

  • Verification through the UI

1. Open the UI and go to Systems.

2. Expand Systems and open "Logs and flows collection status".

3. The configured device appears under the "Source device IP address" section.

  • Verification through the CCE server

Run the following command on the CCE server to check whether or not logs are arriving (replace <IP address> with the Exchange server's IP address):

sudo tcpdump -i any -A udp port 514 and host <IP address>








Seceon Inc. All rights reserved. https://www.seceon.com