Bulletin: Exchange Cumulative Update breaks auditing

Team_ICT - 3/6/2019
Hello,
I’m contacting you regarding the issue below:
https://support.logbinder.com/LOGbinderforExchangeKB/50194/Bulletin-Exchange-Cumulative-Update-breaks-auditing
 
We have several POCs for extracting Exchange logs and forwarding them to the customer's SIEM. Can you please advise how we can fix this issue? Screenshots are below:
https://forum.logbinder.com/Uploads/Images/1ee4c785-ad17-4cb8-ad23-ff1f.png

https://forum.logbinder.com/Uploads/Images/04dd2029-cf1a-4eb8-8502-78f5.png


 
I’m guessing that this issue is related to transactions that are not completed and that there is no output to the SIEM, nor to CEF/file.


Thanks.


 


bjvista



The transactions list screenshot shows that LOGbinder is asking for audit data but Exchange has yet to deliver it.  From the PowerShell screenshot I can't see much as the image quality is low, but I can tell that there is an error in your cmdlet due to all the red in the result.

Know that the test cmdlet will not be in the transactions list in LOGbinder.  Only requests that LOGbinder itself has issued are listed there.

Also, the blog post you referenced above was updated.  The updated article is listed at the start of that post and is here:  https://support.logbinder.com/Knowledgebase/50128/Exceeding-the-maximum-number-of-audit-log-search-requests

That is most likely your issue if you have configured all your auditing properly. 
T


The red result is:
"You have exceeded the maximum number of audit log search requests that your organization can submit. Please try again later"

And after executing the cmdlet "(Get-AuditLogSearch).Count" we get a count of 59.

Maybe this info can help?



bjvista




Did you see the link in my previous reply?  It addresses exactly what you are reporting. 
T


OK. Let me ask you differently. At the end of the post: "Where is this limit specified? Can it be changed? We do not know yet. If you do, please let us know." Does this mean that we can't get logs from Exchange because of this limit?

Does this error/limitation cause audit data not to be delivered by Exchange? Do you know whether this only happens with some specific versions of Exchange, or with a cumulative update?
We are doing this on EX2016 and it doesn't work, but a few weeks ago we managed to deliver a successful POC with EX2016 with no problem.



bjvista


As far as we know and have been told by Microsoft, this is by design, unfortunately.  The best thing for you to do is to stop the LOGbinder service until Exchange delivers the results.  As the results come in, the queue will clear.  Then you can start the service again.  What audit poll interval are you using?  This can help speed things up.  If you haven't changed it and are using 2016 it's probably set to 24 hours.  See here:  https://support.logbinder.com/LOGbinderforExchangeKB/50192/Changing-the-Exchange-audit-search-poll-interval
T


We are using the default one (24 hours). I'll check with the customer about changing this to 20-30 minutes. So, to be clear...
We can start the LOGbinder service, then stop it after 30 min and wait for Exchange to deliver the logs (transactions to complete), and then start the service again. And repeat that process over and over again?


bjvista

The queue has probably backed up because of the 24 hour interval. My recommendation would be:
1. Stop LOGbinder service so no new requests are issued. Also don’t issue any other test requests via PowerShell.
2. Follow the steps to reduce the poll interval. You will most likely have to reboot Exchange or restart the Exchange Service host service.
3. Run the (Get-AuditLogSearch).Count until it results in zero.
4. Restart the LOGbinder service.

LOGbinder should then check the service account inbox and process the audit data delivered by Exchange from the previous requests. The queue may again fill up but Exchange should be able to keep up with it once it catches up with the audit requests with the new poll interval setting.
T
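The stop/wait/restart procedure in the two replies above, as an added example that is not part of the thread (and not LOGbinder's or Microsoft's code): it stops the LOGbinder service, polls (Get-AuditLogSearch).Count until Exchange has drained its pending searches, and only then starts the service again. The service name 'LOGbinder EX' is an assumed placeholder; the poll interval change (step 2) is done separately per the linked KB article.

```powershell
# Added example: drain the Exchange audit log search queue before restarting
# LOGbinder. Run from the Exchange Management Shell on the Exchange server.
# Assumption: the LOGbinder Windows service is named 'LOGbinder EX' here;
# check services.msc on your server and adjust.

$ServiceName  = 'LOGbinder EX'   # placeholder, adjust to your installation
$PollSeconds  = 300              # how often to re-check the queue
$MaxWaitHours = 48               # give up waiting after this long

# Step 1: stop LOGbinder so no new audit search requests are issued.
# Do not run New-MailboxAuditLogSearch or similar tests while waiting.
Stop-Service -Name $ServiceName -ErrorAction Stop
Write-Host "Stopped '$ServiceName'; no new audit search requests will be issued."

# Step 3: poll until Exchange has delivered every outstanding search.
# Get-AuditLogSearch only lists pending searches; it does not create one,
# so polling here does not add to the queue.
$deadline = (Get-Date).AddHours($MaxWaitHours)
do {
    $pending = @(Get-AuditLogSearch).Count
    Write-Host ("{0:u}  pending audit log searches: {1}" -f (Get-Date), $pending)
    if ($pending -gt 0) { Start-Sleep -Seconds $PollSeconds }
} while ($pending -gt 0 -and (Get-Date) -lt $deadline)

if ($pending -gt 0) {
    # Leave the service stopped: restarting now would only refill the queue.
    Write-Warning "Still $pending pending requests after $MaxWaitHours hours; leaving '$ServiceName' stopped."
    return
}

# Step 4: queue is empty, so LOGbinder can process the results Exchange
# delivered to the service account inbox without hitting the request limit.
Start-Service -Name $ServiceName
Write-Host "Queue drained; '$ServiceName' started."
```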

OK. We'll try with the time interval change.

Thank you.