Temporary ban counters for IPs are maintained in memory, and restarting the EvlWatcher service will reset the dictionary (correct me if I am wrong).
For multiple Exchange servers in NLB, they have separate event logs. Even if I write a script to periodically merge (and deduplicate) the Permaban list in the configuration files, it takes a restart of the service to apply the changes, which will impact the permaban mechanism.
Solution:
- Follow the instructions in this article: https://michaelwaterman.nl/2024/06/29/step-by-step-guide-to-windows-event-forwarding-and-ntlmv1-monitoring/ and configure Windows Event Forwarding (from both servers to both servers). Now we have all the event logs we need on the ForwardedEvents channel on both sides.
- Merge and deduplicate the whitelist and banlist in the `config.xml` files, modify the `BlockSMTPAuthExchangeFrontend` rule and set the EventPath value to ForwardedEvents.
- Restart the EvlWatcher service, sit back and watch the Live tab on the UI.