i am trying to parse MS-Exchange http_proxy logs with below setup in props & transforms but this doesnt seem to be working
inputs.conf UF-
[monitor://D:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\*\*.LOG]
disabled=0
recusrive=true
index= exchange_index
sourcetype= exchange_httpproxy
ignoreOlderThan = 0d
Props and transforms on SH
[exchange_httpproxy] REPORT-extractfields = extractfields
[extractfields] DELIMS="," FIELDS=DateTime,RequestId,MajorVersion,MinorVersion,BuildVersion,RevisionVersion,ClientRequestId,Protocol,UrlHost,UrlStem,ProtocolAction,AuthenticationType,IsAuthenticated,AuthenticatedUser,Organization,AnchorMailbox,UserAgent,ClientIpAddress,ServerHostName,HttpStatus,BackEndStatus,ErrorCode,Method,ProxyAction,TargetServer,TargetServerVersion,RoutingType,RoutingHint,BackEndCookie,ServerLocatorHost,ServerLocatorLatency,RequestBytes,ResponseBytes,TargetOutstandingRequests,AuthModulePerfContext,HttpPipelineLatency,CalculateTargetBackEndLatency,GlsLatencyBreakup,TotalGlsLatency,AccountForestLatencyBreakup,TotalAccountForestLatency,ResourceForestLatencyBreakup,TotalResourceForestLatency,ADLatency,SharedCacheLatencyBreakup,TotalSharedCacheLatency,ActivityContextLifeTime,ModuleToHandlerSwitchingLatency,ClientReqStreamLatency,BackendReqInitLatency,BackendReqStreamLatency,BackendProcessingLatency,BackendRespInitLatency,BackendRespStreamLatency,ClientRespStreamLatency,KerberosAuthHeaderLatency,HandlerCompletionLatency,RequestHandlerLatency,HandlerToModuleSwitchingLatency,ProxyTime,CoreLatency,RoutingLatency,HttpProxyOverhead,TotalRequestTime,RouteRefresherLatency,UrlQuery,BackEndGenericInfo,GenericInfo,GenericErrors,EdgeTraceId,DatabaseGuid,UserADObjectGuid,PartitionEndpointLookupLatency,RoutingStatus
In props.conf, Do you have the following lines:
SHOULD_LINEMERGE = False
pulldown_type = 1
Also do a soft restart: in search window:
| extract reload=T
the props and transforms are in my SHC and i was following below link
https://www.splunk.com/en_us/blog/security/detecting-microsoft-exchange-vulnerabilities-0-8-days-lat...
Please share some sample logs and also elaborate on "doesn't seem to be working".
2021-09-20T19:00:06.275Z,XXXXXXXXXXXXXXXXXXXXXXX,15,1,2308,14,,Eas,localhost,/Microsoft-Server-ActiveSync/default.eas,,Basic,false,,,,AMProbe/Local/ClientAccess,XXX.X.X.X,XXXX-XXX-XXX,401,,,GET,,,,,,,,,0,,,,,,,,,,,,,,,5,,,,,,,,,,,,,,5,,5,5,,,,BeginRequest=2021-09-20T19:00:06.270Z;CorrelationID=<empty>;SharedCacheGuard=0;EndRequest=2021-09-20T19:00:06.275Z;,,,,,,