All Apps and Add-ons

MSExchange Protocol Logs

nick405060
Motivator

Has anyone been able to ingest and parse out protocol logs? I see that there's two perfmon stanzas for them in TA-Exchange-Mailbox but I don't want perfmon, and also nothing is ingested when I enable those.

1 Solution

nick405060
Motivator

I asked this question so that I could answer it and post my solution for the community. Here's what I did:

In TA-Exchange-Mailbox's inputs.conf, I added these two stanzas right after my MessageTracking stanza and pushed out from my DS to the EX servers:

[monitor://E:\Exchange Server\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2013:SmtpReceive
queue=parsingQueue
index=msexchange
disabled=false

[monitor://E:\Exchange Server\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpSend]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2013:SmtpSend
queue=parsingQueue
index=msexchange
disabled=false

and then on my SH props.conf:

[MSExchange:2013:SmtpReceive]
EXTRACT-smtpreceive = (?<date_time>[\s\S]*?),(?<connector_id>[\s\S]*?),(?<session_id>[\s\S]*?),(?<sequence_number>[\s\S]*?),(?<local_endpoint>[\s\S]*?),(?<remote_endpoint>[\s\S]*?),(?<event>[\s\S]*?),(\"(?<data1>[\s\S]*?)\",(?<context1>[\s\S]*)|(?<data2>[\s\S]*?),(?<context2>[\s\S]*))
EVAL-data=if(isnull(data1),data2,data1)
EVAL-context=if(isnull(context1),context2,context1)

[MSExchange:2013:SmtpSend]
EXTRACT-smtpsend = (?<date_time>[\s\S]*?),(?<connector_id>[\s\S]*?),(?<session_id>[\s\S]*?),(?<sequence_number>[\s\S]*?),(?<local_endpoint>[\s\S]*?),(?<remote_endpoint>[\s\S]*?),(?<event>[\s\S]*?),(\"(?<data1>[\s\S]*?)\",(?<context1>[\s\S]*)|(?<data2>[\s\S]*?),(?<context2>[\s\S]*))
EVAL-data=if(isnull(data1),data2,data1)
EVAL-context=if(isnull(context1),context2,context1)

You could write the regex better so you don't have to eval, but unfortunately when I tried to use (?J) to extract data and context (conditionally accepting both quotations and no quotations), https://answers.splunk.com/answers/442008/has-anyone-else-come-across-unexpected-behavior-us.html happened.

Cheers,

Nick

View solution in original post

nick405060
Motivator

I asked this question so that I could answer it and post my solution for the community. Here's what I did:

In TA-Exchange-Mailbox's inputs.conf, I added these two stanzas right after my MessageTracking stanza and pushed out from my DS to the EX servers:

[monitor://E:\Exchange Server\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2013:SmtpReceive
queue=parsingQueue
index=msexchange
disabled=false

[monitor://E:\Exchange Server\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpSend]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2013:SmtpSend
queue=parsingQueue
index=msexchange
disabled=false

and then on my SH props.conf:

[MSExchange:2013:SmtpReceive]
EXTRACT-smtpreceive = (?<date_time>[\s\S]*?),(?<connector_id>[\s\S]*?),(?<session_id>[\s\S]*?),(?<sequence_number>[\s\S]*?),(?<local_endpoint>[\s\S]*?),(?<remote_endpoint>[\s\S]*?),(?<event>[\s\S]*?),(\"(?<data1>[\s\S]*?)\",(?<context1>[\s\S]*)|(?<data2>[\s\S]*?),(?<context2>[\s\S]*))
EVAL-data=if(isnull(data1),data2,data1)
EVAL-context=if(isnull(context1),context2,context1)

[MSExchange:2013:SmtpSend]
EXTRACT-smtpsend = (?<date_time>[\s\S]*?),(?<connector_id>[\s\S]*?),(?<session_id>[\s\S]*?),(?<sequence_number>[\s\S]*?),(?<local_endpoint>[\s\S]*?),(?<remote_endpoint>[\s\S]*?),(?<event>[\s\S]*?),(\"(?<data1>[\s\S]*?)\",(?<context1>[\s\S]*)|(?<data2>[\s\S]*?),(?<context2>[\s\S]*))
EVAL-data=if(isnull(data1),data2,data1)
EVAL-context=if(isnull(context1),context2,context1)

You could write the regex better so you don't have to eval, but unfortunately when I tried to use (?J) to extract data and context (conditionally accepting both quotations and no quotations), https://answers.splunk.com/answers/442008/has-anyone-else-come-across-unexpected-behavior-us.html happened.

Cheers,

Nick

itradeclayton
Path Finder

Am wondering if this would be better placed in TA-Exchange-HubTransport...

0 Karma

nick405060
Motivator

It very well might be, yeah.

0 Karma

itradeclayton
Path Finder

Either way, thanks for this. It came in handy!

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...