Microsoft Exchange 2016 Edge Transport Server STIG:
(in versions v2 r4 through v1 r1)
The Exchange email Diagnostic log level must be set to the lowest level. (Cat II impact)
Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Diagnostic logging, however, characteristically produces large volumes of data and requires care in managing the logs to prevent risk of disk capacity denial of service conditions. Exchange diagnostic logging is broken up into 29 main "services", each of which has anywhere from 2 to 26 "categories" of events to be monitored. Moreover, each category may be set to one of four levels of logging: Lowest, Low, CAT II, and High, depending on how much detail one desires. The higher the level of detail, the more disk space required to store the audit material. Diagnostic logging is intended to help administrators debug problems with their systems, not as a general-purpose auditing tool. Because the diagnostic logs collect a great deal of information, the log files may grow large very quickly. Diagnostic log levels may be raised for limited periods of time when attempting to debug relevant pieces of Exchange functionality. Once debugging has finished, diagnostic log levels should be reduced again.
Open the Exchange Management Shell and enter the following command: Get-EventLogLevel If any "EventLogLevel" values returned are not set to "Lowest", this is a finding.
Open the Exchange Management Shell and enter the following command: Set-EventLogLevel -Identity <'IdentityName\EventlogName'> -Level Lowest Note: The <IdentityName\EventlogName> value must be in single quotes.
Rule ID: SV-221207r612603_rule
Vulnerability ID: V-221207
Group Title: SRG-APP-000089
The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.