
Metalogix Archive Manager for Exchange 8.3 - Auditing Guide

Database and Log Targets Configuration

If the light setup was used at the installation, the auditing database has to be configured after installation in the Configuration tool.

NOTE: If the installation package was used, the database configuration is done automatically. You can use the Configuration tool to specify additional log targets (see the section “Log targets”). If you do not need additional log targets, proceed to the “Enabling auditing” section.

 

To open the Configuration tool, click C:\Program Files (x86)\Common Files\PAM\PAMConfig\PAMConfig.exe. The database Configuration tool opens. This tool administers the database(s) in which your Archive Manager software stores its metadata.

 

In this manual we use auditDB (with the user srv_exchange) as an auditing database.

 

NOTE: The Configuration tool can contain several tabs for other databases used by Archive Manager products. However, you need to configure just the Auditing database.

 


 

You will notice that each tab of the tool has 2 subsections - the Configuration section and the Run Scripts section. Always start with the Configuration subsection, since you first need to set the connection parameters in order to run the SQL scripts.

 

IMPORTANT NOTE: Once configured, you must NOT change the following values in the Configuration tool on any of the tabs:

 

·Initial Catalog: this is the default database that the system writes to and reads from. This name should never be changed, unless you specifically restore all the prior archived data back to Exchange and decide to start all over with a fresh new database for the product. If another database is used by mistake, the old archived data is no longer reachable.

·Table Owner: this is the default table owner used by the product. This SQL Table Owner must always be the same, even if you move the SQL databases from one SQL server to another. If another SQL Table Owner name is created and used for the archiving product, all the tables will be re-created as duplicates and the system will write to the new table set. As a result, the old archived data will no longer be reachable. For SQL, the Table Owner is the SCHEMA NAME of the database.

·Server Name: this is the name of the SQL server where the databases used by the Metalogix product are hosted. This name may be changed only if the database(s) the Metalogix product uses are moved from one SQL server to another.

 

In case of an ORACLE database, do NOT change ORACLE NET name and Schema.

 

To configure the Auditing database:

1.On the database Configuration tool switch to the Auditing tab and then click Configure.


 

2.If you have an MS SQL server as a database provider, select the respective radio button and click Next. If you are using an Oracle database choose the other radio button and click Next.

 


 

3.In the next window you have to fill in the text fields as follows:

 

·If you have selected Microsoft SQL Server:

Server name - the name of the SQL server

Initial catalog - the name of the Auditing database (e.g. MAMAUDIT).

Table owner - the name of the SQL Login that is a Table Owner (or the name of the SQL Schema), e.g. dbo.

Authentication – authentication type used on your SQL server; Windows Authentication is default

User name & Password - database login user (the one you are using as a table owner) for SQL Server authentication type

 

 


 

IMPORTANT NOTE: When updating Archive Manager from one version to another you must NOT change the following values in the Configuration tool on any of the tabs:

·Server Name

·Initial Catalog

·Table Owner

In case of an ORACLE database, do NOT change ORACLE NET name and Schema.

 

·If you have selected ORACLE:

ORACLE NET Name - ORACLE NET name, TNS name

Schema - the name of the schema where Auditing tables will be created

User Name - log-on user for the Auditing database (with read and write rights to the tables)

Password - log-on user’s password

When you have finished, click Next, then Finish.

4.Back on the Auditing tab run the SQL scripts by clicking Run Scripts. The list of the scripts will appear. Click Next.

 


 

5.In case of SQL Authentication, click Next once more to accept the database login user and its password.

 


 

6.Click Next to run the scripts.

 


 

7.On the Connection tab it is possible to change the connection port for auditing. However, changing the port is not recommended, as this value then has to be rewritten in all applications using the MAM Auditing Service.

 


 

8.In the Log targets tab you can configure multiple types of log targets. The default and obligatory logging target is the log database. Other targets are optional, depending on the administrator’s needs.

 

Multiple log targets can be defined, and their use can be made conditional. Logging events of different severity can be logged to different targets, or entries containing a specific string can be omitted (see further).

 

The target selected in the Log targets list can be configured in the lower part of the window. Click the Add button to select a new log target. (The next section deals with log target configuration in detail.)

 

 

Log targets

 

As mentioned above, the log database is the default and mandatory log target. Any additional log targets are configured in the Configuration tool (C:\Program Files\Common Files\PAM\PAMConfig\PAMConfig.exe). Click Auditing / Log targets. Click Add (picture above) to define additional log targets:

·Debug Output - writes log entries into the debug output; it can be used only for debugging purposes, since it does not keep the entries

·Event log - writes log entries into the system event log; it is recommended to use this target for critical errors and events only

·File - writes log entries into the specified file

·Rolling File - writes log entries into files and rolls log files based on size or date or both

·Net Send - sends log entries as network messages; it can be used for notification purposes in case of critical errors

·Email - sends log entries as e-mails; it can be used for notification purposes in case of critical errors

 


 

In the pop-up window enter the name and select the type of the log target. After clicking OK, the log target is added in the Log targets list view. You can configure it in the Log target configuration section. For each log target you can define:

·Threshold level

·Filters

·Layout (not applicable for database)

Additionally, every log target has its specific properties as described further.

 

Threshold Level

Specifies the threshold level for the selected log target. All logging events with a lower level than the threshold level are ignored.

NOTE: If “Off” is selected, nothing will be logged for the selected target.

 

Filters

The user can define a set of filters for each logging target. Filters form a chain that the logging event has to pass through. Any filter along the way can accept the event and stop processing, deny the event and stop processing, or allow the event on to the next filter. If the event gets to the end of the filter chain without being denied, it is implicitly accepted and will be logged.

 

The available filter types are:

·StringMatchFilter – matches a string (or regular expression) in the rendered message

·PropertyMatchFilter – matches a string (or regular expression) in the value for a specific event property

·DenyAllFilter – this filter drops all logging events

 

To define a filter for a log target, select the log target in the Configuration tool list view. In the log target configuration displayed below, in the Filters section click Edit. The Edit filters dialog opens. Double-click the desired filter type. In the filter options specify the filter settings. Finally click Apply.

 

Example:

If you want to allow through only messages that have a specific substring (e.g. 'database') then you need to specify the following filters:

1.StringMatchFilter, String to match: ‘database’, Accept on match: true

2.DenyAllFilter

If you do not want to log events having substring ‘debug’, you need to specify the following filter:

1.StringMatchFilter, String to match: ‘debug’, Accept on match: false
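
The threshold and filter-chain behaviour described above, modelled as an added example (it is not the product's code) so you can check which audit events a given target configuration would keep or silently drop. The level names and their order, case-sensitive substring matching, the `prop` parameter and the sample events are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

LEVELS = ["Debug", "Info", "Warn", "Error", "Fatal"]  # assumed names and order
ACCEPT, DENY, NEUTRAL = "accept", "deny", "neutral"

@dataclass
class StringMatchFilter:
    match: str
    accept_on_match: bool = True
    regex: bool = False
    prop: str = "Message"  # StringMatchFilter looks at the rendered message

    def decide(self, event):
        text = str(event.get(self.prop, ""))
        hit = re.search(self.match, text) if self.regex else self.match in text
        if not hit:
            return NEUTRAL  # no match: hand the event to the next filter
        return ACCEPT if self.accept_on_match else DENY

class PropertyMatchFilter(StringMatchFilter):
    """Same matching, applied to another event property via prop=..."""

class DenyAllFilter:
    def decide(self, event):
        return DENY

def is_logged(event, threshold, filters):
    # Threshold first: "Off" logs nothing, lower levels are ignored.
    if threshold == "Off" or LEVELS.index(event["Level"]) < LEVELS.index(threshold):
        return False
    for f in filters:
        verdict = f.decide(event)
        if verdict != NEUTRAL:
            return verdict == ACCEPT  # first accept or deny stops processing
    return True  # end of chain without a deny: implicitly accepted

def logged_messages(events, threshold, filters):
    return [e["Message"] for e in events if is_logged(e, threshold, filters)]

# Constructed sample events using the guide's layout property names.
SAMPLE = [
    {"Level": "Error", "Message": "database connection lost", "User": "srv_exchange"},
    {"Level": "Info", "Message": "mailbox archived", "User": "srv_exchange"},
    {"Level": "Debug", "Message": "debug trace: database ping", "User": "srv_exchange"},
    {"Level": "Warn", "Message": "retention changed", "User": "admin"},
]
```

Filter order matters: with DenyAllFilter placed before the StringMatchFilter, `logged_messages` returns an empty list because the first filter already denies every event.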

 

Layout

The user can define the layout of a log entry (line) for log targets, except for the Auditing database. The layout is the sequence of property values separated by arbitrary characters. The available properties are:

·Product – product generating the logging event

·Category – category of the logging event

·Level – level of the logging event

·Message – application supplied message associated with the logging event

·Method – method name where the logging request was issued

·Data – data associated with the logging event

·Computer – name of the computer where the logging request was issued

·User – name of the user generating the logging request

·Date – date of the logging event

·Newline – platform dependent line separator character or characters

 

 

Specific Log Target Properties

Auditing database

Intermediate directory

To minimize the logging overhead, this log target operates in asynchronous mode, i.e. the entries are not written into the database directly, but are held in an internal list and continually written into the database. In case of a crash or other unpredictable situation the entries held in memory are lost, so there is an option to persist them to a file. Specifying the intermediate directory activates the creation of intermediate files. For each logging event a file is created, holding the event data. These files are deleted after the log entry has been written to the database.

Flush intermediate files

Determines whether to flush the intermediate files immediately. If this option is set to false, the underlying stream can defer persisting the entry to a later time, so it is likely that the whole log entry will not have been written to the disk when the application exits, making the entry unusable and lost.

 

Event log

Application name

Specifies the Application name. This appears in the event logs when logging.

Log name

Specifies the name of the log where log entries will be stored. This is the name of the log as it appears in the Event Viewer tree. The default is to log into the Application log, which is where most applications write their events. However, if you need a separate log for your application (or applications), then you should specify the log name.

Level mapping

Specifies the mapping between a logging level (severity) and an event log entry type.

 

File

Log file

Specifies the path to the file that logging will be written to.

File creation

Indicates whether the file should be appended to or overwritten.

Locking model

Specifies the locking model used to handle locking of the file. When minimal locking is set, the system locks the file only for the minimal amount of time when logging each message. The exclusive locking locks the file from the start of logging to the end.

Immediate flush

Specifies whether to flush the log file immediately. Avoiding the flush operation at the end of each log write results in a performance gain of 10 to 20 percent. However, there is a safety trade-off involved in skipping flushing: when flushing is skipped, it is likely that the last few log events will not be recorded on disk when the application exits.

 

Rolling File

Log file

Specifies the path to the file that logging will be written to.

Backup file count

Specifies the maximum number of backup files that are kept before the oldest is erased.

Rolling style

Specifies the rolling style; the possible values are the following:

·Once - roll files once per program run

·Size - roll files based only on the size of the file  

·Date - roll files based only on the date  

·Composite - roll files based on both the size and date of the file

Roll log files by size

Specifies the maximum size in bytes that the output file is allowed to reach before being rolled over to backup files.

Roll log files every

Specifies the interval at which a log file is rolled over to backup files.

File creation

Indicates whether the file should be appended to or overwritten.

Locking model

Specifies the locking model used to handle locking of the file. When minimal locking is set, the system locks the file only for the minimal amount of time when logging each message. The exclusive locking locks the file from the start of logging to the end.

Immediate flush

Specifies whether to flush the log file immediately. Avoiding the flush operation at the end of each log write results in a performance gain of 10 to 20 percent. However, there is a safety trade-off involved in skipping flushing: when flushing is skipped, it is likely that the last few log events will not be recorded on disk when the application exits.

 

Net Send

Server

Specifies the DNS or NetBIOS name of the remote server on which Net Send is to run.

Recipient

Specifies the message alias to which the message should be sent.

 

Email

To

Specifies the e-mail address of the message recipient, as a semicolon-separated list of e-mail addresses.

From

Specifies the e-mail address of the sender.

Subject

Specifies the subject line of the e-mail message.

Smtp host

Specifies the name of the SMTP relay mail server to use to send the e-mail messages.

Buffer size

Specifies the size of the cyclic buffer used to hold the logging events. When the specified buffer size is reached, the oldest events are deleted as new events are added to the buffer. The buffer is used to keep the logging context; when a message is sent, the whole content of the buffer is included.

If the buffer size is set to a value less than or equal to 1, then no buffering will occur and the messages are sent immediately.

Enable auditing

 

As a next step, Auditing has to be enabled in the Enterprise Manager.

In the case of Archive Manager for Exchange Enterprise Manager:

-Open Tools / Options / Server settings / Auditing. Check the Enable Auditing check box. In the Server Name field enter the name of the machine where the Auditing feature is installed and specify the Server Port. Click Apply.

 

In the case of Archive Manager for Files Enterprise Manager:

-On the Settings tab check Audit log, enter the name of the machine where Auditing is installed and specify the port; it is 7783 by default.

 

 

 

 

Specifying Audit Users

 

By default, only the super-user has auditing rights, i.e. only the super-user can browse the auditing logs in ArchiveWeb.

If you want other users to have access to auditing logs in ArchiveWeb, they have to be granted specific auditing roles:

1.Log on to ArchiveWeb as the super-user or another powerful user.

2.Click the logged on user name in the upper right corner. From the dropdown menu select Manage settings. Then click Roles on the grey sub-bar.

 

3.In the left pane select the server for which the roles should apply, or select the Global option. ArchiveWeb roles appear in the main pane.

The list of roles is split into sections – Exchange Archive features are listed under Exchange roles, search features under Search roles etc. The Auditing roles are listed at the end.

 

Select the Show auditing logs role. All users with this role are displayed under the list. In case the desired user is not visible, click the Add users and groups icon to add it to the list. Then click the Allow check mark.

 

NOTE: For more information on roles management see the ArchiveWeb manual.

 
