
Exchange 2013 HubTransport Extractions

willadams
Contributor

Downloaded the TA for Microsoft Exchange and noticed that Hub Transport doesn't contain any stanzas for Microsoft Exchange 2013. The stanzas only seem to be valid for Microsoft Exchange 2007 and Exchange 2010. If I deploy the TA to an Exchange 2013 server and then create an inputs.conf file to ingest the data, the extraction doesn't do what it needs to do.

My configured inputs.conf file is

[monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Messagetracking]
whitelist=.log$|.LOG$
time_before_close = 0
queue=parsingQueue
index=messagetrack
sourcetype=MSExchange:2010:MessageTracking
disabled = 0

^^ In the above, the sourcetype I expect not to work, but if I don't have this in inputs.conf the sourcetype will be based on each LOG file.

When I looked at the transforms.conf in the default location I noted that Exchange 2013 is now using a "-" as opposed to a "_" in the log file. I have no experience with rewriting props and transforms files to fix this but it looks like it has been missed for Exchange 2013.

I have done the following to try and get it to work (again, no experience with trying to rewrite props and transforms, but from what I have done I am closer to the picture, as extraction is happening but incorrectly :( ). Here is my configuration thus far. Can you please assist with the correction of the HubTransport TA to extract appropriately.

eventtypes.conf added

[msexchange2013-email-events]
search = sourcetype=MSExchange:2013:MessageTracking (event-id="BADMAIL" OR event-id="DELIVER" OR event-id="FAIL" OR event-id="RECEIVE" OR event-id="SEND")

props.conf added

[MSExchange:2013:MessageTracking]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = msexchange2007msgtrack-fields, msgtrack-extract-psender, msgtrack-psender, msgtrack-sender, msgtrack-recipients, msgtrack-recipient
TRANSFORMS-comments = ignore-comments
FIELDALIAS-server_hostname_as_dest = server-hostname AS dest
FIELDALIAS-host_as_dvc = host AS dvc
EVAL-src = coalesce(original-client-ip,client-ip)
EVAL-product = "Exchange"
EVAL-vendor = "Microsoft"
EVAL-sender = coalesce(PurportedSender,sender)
EVAL-src_user = coalesce(PurportedSender,sender)
EVAL-sender_username = coalesce(psender_username,sender_username)
EVAL-sender_domain = coalesce(psender_domain,sender_domain)
LOOKUP-event_id_to_action = event_id_to_action_lookup event_id OUTPUT action

# alias fix for Email DM for ES
FIELDALIAS-user = sender-address AS user
FIELDALIAS-orig_dest = client-ip AS orig_dest
FIELDALIAS-dest_ip = server-ip AS dest_ip
FIELDALIAS-recipient_count = recipient-count AS recipient_count
FIELDALIAS-return_addr = return-path AS return_addr
FIELDALIAS-size = total-bytes AS size
FIELDALIAS-subject = message-subject AS subject
EVAL-orig_src = coalesce(original-client-ip,original-server-ip)
EVAL-protocol = "SMTP"
EVAL-vendor_product = "Microsoft Exchange"

tags.conf added

[eventtype=msexchange2013-email-events]
email = enabled

transforms.conf added

[msexchange2013msgtrack-fields]
FIELDS = "date-time","client-ip","client-hostname","server-ip","server-hostname","source-context","connector-id","source","event-id","internal-message-id","message-id","network-message-id","recipient-address","recipient-status","total-bytes","recipient-count","related-recipient-address","reference","message-subject","sender-address","return-path","message-info","directionality","tenant-id","original-client-ip","original-server-ip","custom-data"
DELIMS = ,

When I look at this on my search head I have some values where they shouldn't be.

For example

"sender" field shows the "subject"
"recipient" field shows what appears to be the "message id"
"message size" field shows "unknown" or "to" or "to;to" or "failed to process message......."

etc. etc.

I also need to make sure that this works with Enterprise Security.

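The symptoms in the post (sender showing the subject, size showing unrelated text) are what a positional extraction produces when the FIELDS list it applies does not match the column order of the log it is reading. The following Python script is an added example, not part of the original post or of the Splunk TA: it parses a constructed Exchange 2013 message tracking log by the log's own "#Fields:" header line, compares that header with the 2013 FIELDS list from the post, and shows how a differing column order (OLDER_ORDER_HYPOTHETICAL, constructed for the demonstration and not any real version's field list) and a plain split on the delimiter both shift values into the wrong field names. The sample log lines are constructed.

```python
import csv
import io

# The Exchange 2013 column list exactly as given in the poster's transforms.conf FIELDS line.
EXCHANGE_2013_FIELDS = [
    "date-time", "client-ip", "client-hostname", "server-ip", "server-hostname",
    "source-context", "connector-id", "source", "event-id", "internal-message-id",
    "message-id", "network-message-id", "recipient-address", "recipient-status",
    "total-bytes", "recipient-count", "related-recipient-address", "reference",
    "message-subject", "sender-address", "return-path", "message-info",
    "directionality", "tenant-id", "original-client-ip", "original-server-ip",
    "custom-data",
]

# Constructed sample event (not a real log record): one value per 2013 column, in order.
_SAMPLE_VALUES = [
    "2014-02-01T08:15:02.123Z", "10.0.0.5", "MAIL01", "10.0.0.6", "MAIL02",
    "08D0C1F2A3B4C5D6;2014-02-01T08:15:02.001Z;0", "MAIL02\\Default MAIL02",
    "SMTP", "RECEIVE", "12345", "<20140201081502.001@example.com>",
    "2a7f0c1e-0000-0000-0000-000000000001", "bob@example.com", "", "4096", "1",
    "", "", "Invoice, Q1", "alice@example.com", "alice@example.com", "",
    "Originating", "", "", "", "",
]


def _csv_line(values):
    """Render one row the way a comma-delimited log writes it: a value that
    itself contains a comma (the subject above) is written quoted."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow(values)
    return buf.getvalue().rstrip("\n")


# Constructed sample log: comment/header lines, then one data row.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Exchange Server",
    "#Version: 15.0.0.0",
    "#Log-type: Message Tracking Log",
    "#Date: 2014-02-01T00:00:00.000Z",
    "#Fields: " + ",".join(EXCHANGE_2013_FIELDS),
    _csv_line(_SAMPLE_VALUES),
])

# Hypothetical column order (constructed, not a real Exchange version's list):
# the 2013 names with message-subject and sender-address swapped, which is
# enough to reproduce "sender shows the subject".
OLDER_ORDER_HYPOTHETICAL = list(EXCHANGE_2013_FIELDS)
OLDER_ORDER_HYPOTHETICAL[18], OLDER_ORDER_HYPOTHETICAL[19] = (
    OLDER_ORDER_HYPOTHETICAL[19], OLDER_ORDER_HYPOTHETICAL[18])


def parse_tracking_log(text):
    """Parse a tracking log using its own '#Fields:' header as the column list.

    '#'-prefixed lines are header/comment lines (the TA's ignore-comments
    transform drops them at index time); '#Fields:' names the columns.
    Returns (header_fields, list of event dicts keyed by column name).
    """
    header = None
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                header = [f.strip() for f in raw[len("#Fields:"):].split(",")]
            continue
        if header is None:
            raise ValueError("data row encountered before the #Fields: header")
        values = next(csv.reader([raw]))  # csv honours the quoting, a plain split does not
        if len(values) != len(header):
            raise ValueError("row has %d values, header names %d columns" % (len(values), len(header)))
        events.append(dict(zip(header, values)))
    return header, events


def positional_extract(line, fields):
    """Assign values to names purely by position, as a delimiter-based
    extraction with a static FIELDS list does."""
    return dict(zip(fields, next(csv.reader([line]))))


def column_shifts(log_fields, configured_fields):
    """Compare the log's own header with a configured FIELDS list.
    Each tuple is (position, column name in the log, name the config assigns):
    at those positions values land under the wrong field name."""
    return [
        (i, actual, configured)
        for i, (actual, configured) in enumerate(zip(log_fields, configured_fields))
        if actual != configured
    ]


def naive_split_count(line):
    """Number of values a plain split on ',' yields; the quoted subject with an
    embedded comma adds a column and shifts every value after it."""
    return len(line.split(","))


if __name__ == "__main__":
    header, events = parse_tracking_log(SAMPLE_LOG)
    print("header matches 2013 FIELDS:", column_shifts(header, EXCHANGE_2013_FIELDS) == [])
    print("shifts under hypothetical order:", column_shifts(header, OLDER_ORDER_HYPOTHETICAL))
    data_line = SAMPLE_LOG.splitlines()[-1]
    print("sender-address under hypothetical order:",
          positional_extract(data_line, OLDER_ORDER_HYPOTHETICAL)["sender-address"])
    print("naive split columns:", naive_split_count(data_line), "vs", len(header))
```

Running column_shifts against the real "#Fields:" line of a log from the server is a quick way to confirm whether a FIELDS list in transforms.conf still matches the columns the server writes before blaming the search-time configuration.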
1 Solution

willadams
Contributor

As I found out through support and through the doco, the config I needed has moved to the "Exchange-Mailbox" TA which will do what is needed.

