Which Exchange Logs should be collected for central logging solution?

A1opus
Hi,

I am implementing a central logging solution using Elasticsearch, Logstash, and Kibana (ELK Stack). Now, which Exchange 2010 logs should be collected: message tracking, IIS? Any other recommendations?
Steve, Architect/Designer

Commented:
Depends what you are trying to monitor. There are various logs that Exchange can produce, but they all log a different element.
If you want to monitor for general issues, the event log is the best place, as Exchange puts most issues in there by default.
If you want to monitor specific things, consider the individual logging element from each part of Exchange as noted above.

Author

Commented:
Thanks for the replies. Currently, I am collecting message tracking, which is highly recommended. What about IIS logs for OWA? I know Exchange can produce various logs, that's why I asked a question in the first place for recommendation.
Sudeep Sharma, Technical Designer
Commented:
"... IIS logs for OWA ..."
You should, if you have an application which can parse the logs and report anything which could cause trouble.
We use Splunk and monitor the IIS OWA logs, as it would list the IP addresses connecting, users logging into the server, devices (iPhone & Android) connecting, invalid logins, failed attempts, hacking attempts, etc.

sudeep
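
As an added illustration of the parsing described in the comment above (not part of the original thread, and not Splunk's or Exchange's own code): a Python example that reads IIS W3C log lines via the `#Fields:` directive and counts 401 responses per client IP on the OWA and ActiveSync paths. The sample log, the logged field selection, the virtual-directory prefixes, the use of 401 as the failure signal and the threshold of 3 are all assumptions.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2015-03-02 08:01:11 POST /Microsoft-Server-ActiveSync alice 198.51.100.7 Apple-iPhone5C2/1202.466 200
2015-03-02 08:02:40 GET /owa/ - 203.0.113.50 Mozilla/5.0+(Windows+NT+6.1) 401
2015-03-02 08:02:41 GET /owa/ - 203.0.113.50 Mozilla/5.0+(Windows+NT+6.1) 401
2015-03-02 08:02:43 GET /owa/ - 203.0.113.50 Mozilla/5.0+(Windows+NT+6.1) 401
2015-03-02 08:05:02 POST /Microsoft-Server-ActiveSync - 198.51.100.7 Android/4.4 401
2015-03-02 08:06:10 GET /owa/ bob 192.0.2.15 Mozilla/5.0+(Windows+NT+6.1) 200
"""

# Assumption: default virtual directory names, compared case-insensitively.
WATCHED_PREFIXES = ("/owa", "/microsoft-server-activesync")


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def summarize(text, threshold=3):
    """Return (IPs with >= threshold 401s on watched paths, usernames seen per IP)."""
    failures = defaultdict(int)
    users = defaultdict(set)
    for rec in parse_w3c(text):
        if not rec.get("cs-uri-stem", "").lower().startswith(WATCHED_PREFIXES):
            continue
        ip = rec.get("c-ip", "-")
        if rec.get("sc-status") == "401":
            failures[ip] += 1
        elif rec.get("cs-username", "-") != "-":  # "-" means no authenticated user
            users[ip].add(rec["cs-username"])
    flagged = {ip: n for ip, n in failures.items() if n >= threshold}
    return flagged, dict(users)


if __name__ == "__main__":
    flagged, users = summarize(SAMPLE_LOG)
    print("IPs with repeated 401s:", flagged)
    print("Authenticated users by IP:", users)
```
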
Steve, Architect/Designer

Commented:
"I know Exchange can produce various logs, that's why I asked a question in the first place for recommendation."
Yes, but we need to know what your intention is to make appropriate recommendations.
Are you monitoring health, performance, specific issues?
I.e., what are you looking for?

Author

Commented:
"Yes, but we need to know what your intention is to make appropriate recommendations.
Are you monitoring health, performance, specific issues?
I.e., what are you looking for?"

Well, it's not for monitoring health performance but for forensic investigation in case of any event.
Architect/Designer
Commented:
Nice one. In that case, IIS & SMTP logs are definites so you can monitor mailflow & ActiveSync/web access.
Message tracking can be exported via PowerShell, so include those for all internal mailflow too.

Author

Commented:
Thanks Steve,

So, I should ship IIS, SMTP, and message tracking logs, right?
Steve, Architect/Designer
Commented:
Definitely. Would you need a record of the actual messages too? You could use Journaling if you need to, but this can take up a lot of storage, so only do it if you really need it.
