- Community
- :
- Splunk Answers
- :
- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- MSExchange Protocol Logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has anyone been able to ingest and parse out protocol logs? I see that there's two perfmon stanzas for them in TA-Exchange-Mailbox but I don't want perfmon, and also nothing is ingested when I enable those.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I asked this question so that I could answer it and post my solution for the community. Here's what I did:
In TA-Exchange-Mailbox's inputs.conf, I added these two stanzas right after my MessageTracking stanza and pushed out from my DS to the EX servers:
[monitor://E:\Exchange Server\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2013:SmtpReceive
queue=parsingQueue
index=msexchange
disabled=false
[monitor://E:\Exchange Server\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpSend]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2013:SmtpSend
queue=parsingQueue
index=msexchange
disabled=false
and then on my SH props.conf:
[MSExchange:2013:SmtpReceive]
EXTRACT-smtpreceive = (?<date_time>[\s\S]*?),(?<connector_id>[\s\S]*?),(?<session_id>[\s\S]*?),(?<sequence_number>[\s\S]*?),(?<local_endpoint>[\s\S]*?),(?<remote_endpoint>[\s\S]*?),(?<event>[\s\S]*?),(\"(?<data1>[\s\S]*?)\",(?<context1>[\s\S]*)|(?<data2>[\s\S]*?),(?<context2>[\s\S]*))
EVAL-data=if(isnull(data1),data2,data1)
EVAL-context=if(isnull(context1),context2,context1)
[MSExchange:2013:SmtpSend]
EXTRACT-smtpsend = (?<date_time>[\s\S]*?),(?<connector_id>[\s\S]*?),(?<session_id>[\s\S]*?),(?<sequence_number>[\s\S]*?),(?<local_endpoint>[\s\S]*?),(?<remote_endpoint>[\s\S]*?),(?<event>[\s\S]*?),(\"(?<data1>[\s\S]*?)\",(?<context1>[\s\S]*)|(?<data2>[\s\S]*?),(?<context2>[\s\S]*))
EVAL-data=if(isnull(data1),data2,data1)
EVAL-context=if(isnull(context1),context2,context1)
You could write the regex better so you don't have to eval, but unfortunately when I tried to use (?J) to extract data and context (conditionally accepting both quotations and no quotations), https://answers.splunk.com/answers/442008/has-anyone-else-come-across-unexpected-behavior-us.html happened.
Cheers,
Nick
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I asked this question so that I could answer it and post my solution for the community. Here's what I did:
In TA-Exchange-Mailbox's inputs.conf, I added these two stanzas right after my MessageTracking stanza and pushed out from my DS to the EX servers:
[monitor://E:\Exchange Server\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2013:SmtpReceive
queue=parsingQueue
index=msexchange
disabled=false
[monitor://E:\Exchange Server\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpSend]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2013:SmtpSend
queue=parsingQueue
index=msexchange
disabled=false
and then on my SH props.conf:
[MSExchange:2013:SmtpReceive]
EXTRACT-smtpreceive = (?<date_time>[\s\S]*?),(?<connector_id>[\s\S]*?),(?<session_id>[\s\S]*?),(?<sequence_number>[\s\S]*?),(?<local_endpoint>[\s\S]*?),(?<remote_endpoint>[\s\S]*?),(?<event>[\s\S]*?),(\"(?<data1>[\s\S]*?)\",(?<context1>[\s\S]*)|(?<data2>[\s\S]*?),(?<context2>[\s\S]*))
EVAL-data=if(isnull(data1),data2,data1)
EVAL-context=if(isnull(context1),context2,context1)
[MSExchange:2013:SmtpSend]
EXTRACT-smtpsend = (?<date_time>[\s\S]*?),(?<connector_id>[\s\S]*?),(?<session_id>[\s\S]*?),(?<sequence_number>[\s\S]*?),(?<local_endpoint>[\s\S]*?),(?<remote_endpoint>[\s\S]*?),(?<event>[\s\S]*?),(\"(?<data1>[\s\S]*?)\",(?<context1>[\s\S]*)|(?<data2>[\s\S]*?),(?<context2>[\s\S]*))
EVAL-data=if(isnull(data1),data2,data1)
EVAL-context=if(isnull(context1),context2,context1)
You could write the regex better so you don't have to eval, but unfortunately when I tried to use (?J) to extract data and context (conditionally accepting both quotations and no quotations), https://answers.splunk.com/answers/442008/has-anyone-else-come-across-unexpected-behavior-us.html happened.
Cheers,
Nick
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Am wondering if this would be better placed in TA-Exchange-HubTransport...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It very well might be, yeah.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Either way, thanks for this. It came in handy!
There's No Place Like Chrome and the Splunk Platform
The Great Resilience Quest: 5th Leaderboard Update
Devesh Logendran, Splunk, and the Singapore Cyber Conquest
