
Exchange 2013 HubTransport Extractions


Downloaded the TA for Microsoft Exchange and noticed that Hub Transport doesn't contain any stanzas for Microsoft Exchange 2013. The stanzas only seem to be valid for Microsoft Exchange 2007 and Exchange 2010. If I deploy the TA to an Exchange 2013 server and then create an inputs.conf file to ingest the data, the extraction doesn't do what it needs to do.

My configured inputs.conf file is

[monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Messagetracking]
time_before_close = 0
disabled = 0

^^ In the above, I don't expect the sourcetype to work, but if I don't have this in inputs.conf the sourcetype will be based on each LOG file.

When I looked at the transforms.conf in the default location I noted that Exchange 2013 is now using a "-" as opposed to a "_" in the log file. I have no experience with rewriting props and transforms files to fix this but it looks like it has been missed for Exchange 2013.

I have done the following to try and make it work (again, no experience with trying to rewrite props and transforms, but from what I have done I am closer to the picture, as extraction is happening but incorrectly :( ). Here is my configuration thus far. Can you please assist with the correction of the HubTransport TA to extract appropriately?

eventtypes.conf added

search = sourcetype=MSExchange:2013:MessageTracking (event-id="BADMAIL" OR event-id="DELIVER" OR event-id="FAIL" OR event-id="RECEIVE" OR event-id="SEND")

props.conf added

[MSExchange:2013:MessageTracking]
# stanza name taken from the sourcetype referenced in eventtypes.conf above
REPORT-fields = msexchange2007msgtrack-fields, msgtrack-extract-psender, msgtrack-psender, msgtrack-sender, msgtrack-recipients, msgtrack-recipient
TRANSFORMS-comments = ignore-comments
FIELDALIAS-server_hostname_as_dest = server-hostname AS dest
FIELDALIAS-host_as_dvc = host AS dvc
# hyphenated field names must be single-quoted inside eval; unquoted,
# original-client-ip is parsed as the subtraction original - client - ip
EVAL-src = coalesce('original-client-ip','client-ip')
EVAL-product = "Exchange"
EVAL-vendor = "Microsoft"
EVAL-sender = coalesce(PurportedSender,sender)
EVAL-src_user = coalesce(PurportedSender,sender)
EVAL-sender_username = coalesce(psender_username,sender_username)
EVAL-sender_domain = coalesce(psender_domain,sender_domain)
# the extracted field is event-id (hyphen), so map the lookup's event_id column onto it
LOOKUP-event_id_to_action = event_id_to_action_lookup event_id AS event-id OUTPUT action

# alias fix for Email DM for ES
FIELDALIAS-user = sender-address AS user
FIELDALIAS-orig_dest = client-ip AS orig_dest
FIELDALIAS-dest_ip = server-ip AS dest_ip
FIELDALIAS-recipient_count = recipient-count AS recipient_count
FIELDALIAS-return_addr = return-path AS return_addr
FIELDALIAS-size = total-bytes AS size
FIELDALIAS-subject = message-subject AS subject
EVAL-orig_src = coalesce('original-client-ip','original-server-ip')
EVAL-protocol = "SMTP"
EVAL-vendor_product = "Microsoft Exchange"

tags.conf added

email = enabled

transforms.conf added

[msexchange2007msgtrack-fields]
# stanza name assumed from the REPORT-fields reference in props.conf above;
# the tracking log is comma-separated, so DELIMS pairs each column with the FIELDS names in order
DELIMS = ","
FIELDS = "date-time","client-ip","client-hostname","server-ip","server-hostname","source-context","connector-id","source","event-id","internal-message-id","message-id","network-message-id","recipient-address","recipient-status","total-bytes","recipient-count","related-recipient-address","reference","message-subject","sender-address","return-path","message-info","directionality","tenant-id","original-client-ip","original-server-ip","custom-data"

When I look at this on my search head I have some values where they shouldn't be

For example

"sender" field shows the "subject"
"recipient" field shows what appears to be the "message id"
"message size" field shows "unknown" or "to" or "to;to" or "failed to process message......."

etc. etc.

I also need to make sure that this works with Enterprise Security.
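As an added illustration (not part of the post or of the Exchange TA), the script below pairs a constructed Exchange 2013 tracking record against both the 27-column FIELDS list posted above and an assumed older 25-column list without network-message-id and custom-data: with the older list the sender slot receives the subject, the recipient slot the network message id and total-bytes the recipient status, the same pattern the post describes. It also reads the log's own '#Fields:' header line, which is the reference a FIELDS setting should be diffed against.

```python
import csv
from io import StringIO

# The FIELDS list from the transforms.conf in the post (Exchange 2013 layout).
FIELDS_2013 = [
    "date-time", "client-ip", "client-hostname", "server-ip", "server-hostname",
    "source-context", "connector-id", "source", "event-id", "internal-message-id",
    "message-id", "network-message-id", "recipient-address", "recipient-status",
    "total-bytes", "recipient-count", "related-recipient-address", "reference",
    "message-subject", "sender-address", "return-path", "message-info",
    "directionality", "tenant-id", "original-client-ip", "original-server-ip",
    "custom-data",
]
# Assumed older (2007/2010) layout: the 2013 list minus the two columns 2013 added.
FIELDS_OLD = [f for f in FIELDS_2013 if f not in ("network-message-id", "custom-data")]

# Constructed sample log, not real data: a '#Fields:' header, then one CSV record per event.
SAMPLE_LOG = (
    "#Log-type: Message Tracking Log\n"
    "#Fields: " + ",".join(FIELDS_2013) + "\n"
    "2014-05-01T10:00:00.000Z,10.0.0.5,MAIL01,10.0.0.9,EDGE01,08D1CTX;250 ok,"
    "Default MAIL01,SMTP,RECEIVE,123,<msg-1@example.test>,aaaa-bbbb-cccc,"
    "alice@example.test,To,4096,1,,,Quarterly report,bob@example.test,"
    "bob@example.test,,Originating,,,,\n"
)

def header_fields(log_text):
    """Return the column names the log itself declares on its '#Fields:' line."""
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            return [f.strip() for f in raw[len("#Fields:"):].split(",")]
    return []

def extract(line, fields):
    """Mimic a DELIMS="," / FIELDS=... transform: pair the i-th column with the
    i-th configured name. Surplus columns are dropped, missing ones come back empty."""
    values = next(csv.reader(StringIO(line)))
    values += [""] * (len(fields) - len(values))
    return dict(zip(fields, values))

def first_mismatch(configured, declared):
    """Index of the first column where the configured FIELDS disagree with the
    log's own header, or -1 if they line up; every field from there on is shifted."""
    for i, (a, b) in enumerate(zip(configured, declared)):
        if a != b:
            return i
    return -1 if len(configured) == len(declared) else min(len(configured), len(declared))

def data_lines(log_text):
    return [l for l in log_text.splitlines() if l and not l.startswith("#")]
```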

1 Solution


As I found out through support and through the doco, the config I needed has moved to the "Exchange-Mailbox" TA which will do what is needed.
