Downloaded the TA for Microsoft Exchange and noticed that Hub Transport doesn't contain any stanzas for Microsoft Exchange 2013. The stanzas only seem to be valid for Microsoft Exchange 2007 and Exchange 2010. If I deploy the TA to an Exchange 2013 server and then create an inputs.conf file to ingest the data, the extraction doesn't do what it needs to do.
My configured inputs.conf file is:
[monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Messagetracking]
time_before_close = 0
disabled = 0
^^ In the above, I expect the sourcetype not to work, but if I don't have this in inputs.conf the sourcetype will be based on each LOG file.
When I looked at the transforms.conf in the default location I noted that Exchange 2013 is now using a "-" as opposed to a "_" in the log file. I have no experience with rewriting props and transforms files to fix this but it looks like it has been missed for Exchange 2013.
I have done the following to try and make it work (again, no experience with rewriting props and transforms, but from what I have done I am closer to the picture, as extraction is happening, but incorrectly :( ). Here is my configuration thus far. Can you please assist with the correction of the HubTransport TA to extract appropriately?
# eventtypes.conf
search = sourcetype=MSExchange:2013:MessageTracking (event-id="BADMAIL" OR event-id="DELIVER" OR event-id="FAIL" OR event-id="RECEIVE" OR event-id="SEND")

# props.conf
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = msexchange2007msgtrack-fields, msgtrack-extract-psender, msgtrack-psender, msgtrack-sender, msgtrack-recipients, msgtrack-recipient
TRANSFORMS-comments = ignore-comments
FIELDALIAS-server_hostname_as_dest = server-hostname AS dest
FIELDALIAS-host_as_dvc = host AS dvc
# field names containing "-" must be single-quoted inside eval, otherwise "-" is parsed as subtraction
EVAL-src = coalesce('original-client-ip','client-ip')
EVAL-product = "Exchange"
EVAL-vendor = "Microsoft"
EVAL-sender = coalesce(PurportedSender,sender)
EVAL-src_user = coalesce(PurportedSender,sender)
EVAL-sender_username = coalesce(psender_username,sender_username)
EVAL-sender_domain = coalesce(psender_domain,sender_domain)
LOOKUP-event_id_to_action = event_id_to_action_lookup event_id OUTPUT action
# alias fix for Email DM for ES
FIELDALIAS-user = sender-address AS user
FIELDALIAS-orig_dest = client-ip AS orig_dest
FIELDALIAS-dest_ip = server-ip AS dest_ip
FIELDALIAS-recipient_count = recipient-count AS recipient_count
FIELDALIAS-return_addr = return-path AS return_addr
FIELDALIAS-size = total-bytes AS size
FIELDALIAS-subject = message-subject AS subject
EVAL-orig_src = coalesce('original-client-ip','original-server-ip')
EVAL-protocol = "SMTP"
EVAL-vendor_product = "Microsoft Exchange"

# tags.conf
email = enabled

# transforms.conf (Exchange 2013 message tracking column order, 27 columns)
FIELDS = "date-time","client-ip","client-hostname","server-ip","server-hostname","source-context","connector-id","source","event-id","internal-message-id","message-id","network-message-id","recipient-address","recipient-status","total-bytes","recipient-count","related-recipient-address","reference","message-subject","sender-address","return-path","message-info","directionality","tenant-id","original-client-ip","original-server-ip","custom-data"
DELIMS = ,
When I look at this on my search head I have some values where they shouldn't be:
"sender" field shows the "subject"
"recipient" field shows what appears to be the "message id"
"message size" field shows "unknown" or "to" or "to;to" or "failed to process message..."
I also need to make sure that this works with Enterprise Security.
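As an added example (editor's code, not part of the post and not from the Splunk TA), the script below parses a constructed Exchange 2013 message tracking line twice: once with the 27-column FIELDS list quoted in the post, and once with an assumed 25-column Exchange 2010-style list that has no network-message-id or custom-data column, which is what a transform written for Exchange 2007/2010 applies. The second parse reproduces the symptoms described above: sender-address receives the subject, recipient-address receives the network message id, and total-bytes receives the recipient-status values (To, To;Cc, or failure text). The sample line, its values and the 2010 column list are assumptions; the 2013 list is the one in the post.

```python
import csv

# Column list copied from the FIELDS line in the post (Exchange 2013 message tracking, 27 columns).
EXCHANGE_2013_FIELDS = [
    "date-time", "client-ip", "client-hostname", "server-ip", "server-hostname",
    "source-context", "connector-id", "source", "event-id", "internal-message-id",
    "message-id", "network-message-id", "recipient-address", "recipient-status",
    "total-bytes", "recipient-count", "related-recipient-address", "reference",
    "message-subject", "sender-address", "return-path", "message-info",
    "directionality", "tenant-id", "original-client-ip", "original-server-ip",
    "custom-data",
]

# Assumed older column list (Exchange 2010 style, 25 columns): same order, but without
# network-message-id and custom-data. It models a transform written for 2007/2010 that
# is then applied to 2013 log lines.
EXCHANGE_2010_FIELDS = [
    f for f in EXCHANGE_2013_FIELDS if f not in ("network-message-id", "custom-data")
]

# Constructed sample log line, not taken from a real server. The subject contains a
# comma and is therefore double-quoted, as Exchange writes it.
SAMPLE_2013_LINE = (
    "2013-06-03T09:15:42.123Z,10.0.0.5,client01.corp.example,10.0.0.10,MBX01,"
    "08D0AB12CDEF3456;2013-06-03T09:15:42.000Z;0,MBX01,STOREDRIVER,DELIVER,12345,"
    "<1a2b3c@corp.example>,4f3e2d1c-0000-1111-2222-333344445555,"
    "alice@corp.example;bob@corp.example,To;Cc,48211,2,,,"
    '"Quarterly numbers, draft",carol@corp.example,carol@corp.example,'
    "2013-06-03T09:15:41.900Z;SRV=MBX01:TOTAL=0,Originating,,10.0.0.5,10.0.0.10,"
    "S:MailboxDatabaseName=DB01"
)


def split_tracking_line(line):
    """Split one tracking line into raw cells, honouring the double-quoted cells Exchange emits."""
    return next(csv.reader([line]))


def parse_tracking_line(line, fields):
    """Assign cells to names positionally, as a Splunk DELIMS/FIELDS transform does.

    Cells beyond the declared list are silently dropped, so a too-short list does
    not error; it just mislabels everything after the missing column.
    """
    return dict(zip(fields, split_tracking_line(line)))


def column_count_check(line, fields):
    """Return (declared, actual) column counts.

    A mismatch means the column list in effect was written for another Exchange
    version, regardless of what the local FIELDS line says.
    """
    return len(fields), len(split_tracking_line(line))


def shifted_fields(line, correct_fields, applied_fields):
    """Report every field whose value differs between the applied and the correct header.

    Returns {field_name: (value_under_applied_header, value_under_correct_header)};
    these are the fields that will look wrong on the search head.
    """
    correct = parse_tracking_line(line, correct_fields)
    applied = parse_tracking_line(line, applied_fields)
    return {
        name: (applied[name], correct[name])
        for name in applied
        if applied[name] != correct[name]
    }


if __name__ == "__main__":
    print("declared/actual columns, 2013 header:",
          column_count_check(SAMPLE_2013_LINE, EXCHANGE_2013_FIELDS))
    print("declared/actual columns, 2010 header:",
          column_count_check(SAMPLE_2013_LINE, EXCHANGE_2010_FIELDS))
    wrong = shifted_fields(SAMPLE_2013_LINE, EXCHANGE_2013_FIELDS, EXCHANGE_2010_FIELDS)
    for name, (applied_value, correct_value) in wrong.items():
        print(f"{name:28s} old header gives {applied_value!r:42s} should be {correct_value!r}")
```

Run column_count_check against a real line first: when the declared and actual counts differ, the transform actually being applied is not the 27-column one, and every field from recipient-address onward is shifted by one position. The alignment check is also a cheap guard to keep for future Exchange versions, since a new column inserted mid-line produces exactly the same class of silent mislabelling.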