Hey Tamas,

I figured out what the issue was. I was trying to reinstall the Logbinder application without deleting previous traces in C:\ProgramData. (I wanted to configure the input of Logbinder with a different recipient.) After I deleted all traces and reinstalled, I did not get any padding error and everything was fine, and I was able to collect logs too.

I have a doubt: even though I had set the polling interval to 10 min, Logbinder takes too much time (more than 24 hours) to collect admin audit events from MSExchange 2016. The website says this delay occurs only for mailbox audit logs, but I faced it for admin events as well. (I am interested in admin audit events only.) The good thing is I am able to collect admin audit events. Thank you for the help.

Thanks
Chaitanya

Hi Chaitanya,

You should not need to delete the configuration files from the ProgramData folder to install an upgrade. If you simply wanted to change the recipient, that can be done without reinstalling the software. Just open the input properties. The admin audit logs should be available in less than 24 hours. Do you have more than one Exchange server? Have you set the polling interval on all of your Exchange servers?

Hey Tamas,

Adding to my previous mail, I had missed one of the prerequisite checks before installing Logbinder.

- To enable LOGbinder events to be sent to the security log:
- Select Security Settings\Advanced Audit Policy Configuration\Object Access
- Edit “Audit Application Generated,” ensuring that “Success” is enabled. (LOGbinder for Exchange does not require that the “Failure” option be enabled.)
So the above might have caused the padding error. However, I am now able to collect admin logs after checking all the permissions that need to be provided before installing Logbinder. I compared the time the admin event occurred and the time it was logged; there is a difference of 8 hours. So, as you mentioned, they are collected in less than 24 hours. Thank you for all the help.