My customer wishes to audit their two hybrid Exchange 2016 servers. The servers currently host no user/shared/room mailboxes, in keeping with the use of the free hybrid license key from Microsoft.

The eventual destination for the events collected by LogBinder is the customer's SIEM. Is a user mailbox required by LogBinder for the retrieval of audit events in this scenario? If so, can the user mailbox reside in Exchange Online rather than on-prem Exchange?

Yes, a mailbox is needed. LOGbinder requests the audit data from Exchange. Exchange processes the request and delivers the results to a mailbox, normally and preferably the mailbox of the service account running LOGbinder. Currently On Prem is the only supported environment for LOGbinder for Exchange. We do not currently support Exchange Online.

Question, when you say hybrid what exact setup are you referring to? I ask because I’ve heard different people use hybrid to explain varying types of configurations. I just want to make sure I understand you correctly.

Thanks for the prompt reply. I'm using "hybrid" in the sense that the customer ran Microsoft's Hybrid Configuration Wizard to establish the relationship between the O365 tenant and the on-prem Exchange organization. This customer ran the "full" rather than the "minimal" hybrid configuration.

The primary concern for this customer is the licensing requirement which comes with hosting on-prem mailboxes other than Exchange's defaults. At present, no customer mailboxes are hosted on-prem.

As Barry says, we do not support full Exchange Online environments at the moment because of the additional difficulties when establishing a remote PowerShell session.

On the other hand, all LOGbinder for Exchange needs is to connect to the Exchange environment through a PowerShell session and access mailbox items through Exchange Web Services. We have not tested in hybrid environments, but I would be surprised if it is possible.

I would suggest to try the steps under the Troubleshooting section in our documentation, especially the points under Verifying PowerShell Connectivity and Exchange Authority. For the PowerShell session, use an on-prem Exchange server. If the user account used to establish the PowerShell session can access the mailbox where the results of the New-AdminAuditLogSearch and New-MailboxAuditLogSearch commands are sent, it should work. Please let us know.

Currently, LOGbinder for Exchange doesn't support Exchange Online/O365 installations.  It's possible that the admin log could be collected with LOGbinder but it would be only for administrative actions that are performed against the on-prem servers.  It's highly unlikely that the mailbox auditing would cooperate.  

You could always test LOGbinder for Exchange as it runs fully functional for 30 days.  For a situation like this we would also extend the license since this testing will most likely take more time than 30 days.