topic Re: Can someone explain how splunk stream can be used to get email headers in All Apps and Add-ons

Can someone explain how splunk stream can be used to get email headers

schandrasekar — Wed, 05 Aug 2020 04:30:56 GMT

The goal is to find the delay between the time sender sents the mail and recipient receive the mail , if the delay is more than 10 mins then alert

Options tried:

Message tracking logs C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking in exchange server2010. But the logs didn provide the actual time when the user sent the email, also the original IP of the sender is replaced with LB/Exchange server/relay server/firewall.

So now I looking for other options. One of them is using Splunk stream.

Please provide your suggestions.

Re: Can someone explain how splunk stream can be used to get email headers

thambisetty — Wed, 05 Aug 2020 04:02:14 GMT

In the message tracking logs, you should see field called event which actually contains SEND,DELIVER,RECEIVE

if you can minus the time of send from time of receive by message_id then you should get what you want.

Re: Can someone explain how splunk stream can be used to get email headers

schandrasekar — Wed, 05 Aug 2020 05:48:29 GMT

@thambisetty date_time doesn't look like the time when the message was sent by the user. Also, I am looking for original IP field to be the actual sender IP

https://docs.microsoft.com/en-us/exchange/mail-flow/transport-logs/message-tracking?view=exchserver-2019