
Exchange 2013 HubTransport Extractions


Downloaded the TA for Microsoft Exchange and noticed that Hub Transport doesn't contain any stanzas for Microsoft Exchange 2013. The stanzas only seem to be valid for Microsoft Exchange 2007 and Exchange 2010. If I deploy the TA to an Exchange 2013 server and then create an inputs.conf file to ingest the data, the extraction doesn't do what it needs to do.

My configured inputs.conf file is:

[monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Messagetracking]
time_before_close = 0
disabled = 0

^^ In the above, the sourcetype I expect not to work, but if I don't have this in inputs.conf the sourcetype will be based on each LOG file.

When I looked at the transforms.conf in the default location, I noted that Exchange 2013 is now using a "-" as opposed to a "_" in the log file. I have no experience with rewriting props and transforms files to fix this, but it looks like it has been missed for Exchange 2013.

I have done the following to try and make it work (again, no experience with trying to rewrite props and transforms, but from what I have done I am closer to the picture, as extraction is happening, but incorrectly :( ). Here is my configuration thus far. Can you please assist with the correction of the HubTransport TA to extract appropriately?

eventtypes.conf added:

search = sourcetype=MSExchange:2013:MessageTracking (event-id="BADMAIL" OR event-id="DELIVER" OR event-id="FAIL" OR event-id="RECEIVE" OR event-id="SEND")

props.conf added:

REPORT-fields = msexchange2007msgtrack-fields, msgtrack-extract-psender, msgtrack-psender, msgtrack-sender, msgtrack-recipients, msgtrack-recipient
TRANSFORMS-comments = ignore-comments
FIELDALIAS-server_hostname_as_dest = server-hostname AS dest
FIELDALIAS-host_as_dvc = host AS dvc
EVAL-src = coalesce(original-client-ip,client-ip)
EVAL-product = "Exchange"
EVAL-vendor = "Microsoft"
EVAL-sender = coalesce(PurportedSender,sender)
EVAL-src_user = coalesce(PurportedSender,sender)
EVAL-sender_username = coalesce(psender_username,sender_username)
EVAL-sender_domain = coalesce(psender_domain,sender_domain)
LOOKUP-event_id_to_action = event_id_to_action_lookup event_id OUTPUT action

# alias fix for Email DM for ES
FIELDALIAS-user = sender-address AS user
FIELDALIAS-orig_dest = client-ip AS orig_dest
FIELDALIAS-dest_ip = server-ip AS dest_ip
FIELDALIAS-recipient_count = recipient-count AS recipient_count
FIELDALIAS-return_addr = return-path AS return_addr
FIELDALIAS-size = total-bytes AS size
FIELDALIAS-subject = message-subject AS subject
EVAL-orig_src = coalesce(original-client-ip,original-server-ip)
EVAL-protocol = "SMTP"
EVAL-vendor_product = "Microsoft Exchange"

tags.conf added:

email = enabled

transforms.conf added:

FIELDS = "date-time","client-ip","client-hostname","server-ip","server-hostname","source-context","connector-id","source","event-id","internal-message-id","message-id","network-message-id","recipient-address","recipient-status","total-bytes","recipient-count","related-recipient-address","reference","message-subject","sender-address","return-path","message-info","directionality","tenant-id","original-client-ip","original-server-ip","custom-data"

When I look at this on my search head, I have some values where they shouldn't be.

For example:

"sender" field shows the "subject"
"recipient" field shows what appears to be the "message id"
"message size" field shows "unknown" or "to" or "to;to" or "failed to process message......."

etc. etc.

I also need to make sure that this works with Enterprise Security.

0 Karma
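The shifted values described above (sender holding the subject, recipient holding the message id) are what you get when a static FIELDS list in transforms.conf does not line up with the columns the log actually contains. The following is an added example, not part of the original post and not code from the Splunk TA: a small Python parser that reads the column names from the "#Fields:" header Exchange writes at the top of each message tracking log, skips the "#" comment lines (what the ignore-comments transform does), refuses rows whose column count does not match the header, applies the same aliases and coalesce evals as the props.conf in the question, and checks a hard-coded FIELDS list against the header so a mismatch is reported instead of silently misfiling values. The sample log is constructed for the example; its hostnames, addresses, IPs and message IDs are made up.

```python
import csv
from typing import Dict, List

# Column list copied from the transforms.conf FIELDS line in the question
# (Exchange 2013 message tracking log order; the names use hyphens).
EXCHANGE_2013_FIELDS = [
    "date-time", "client-ip", "client-hostname", "server-ip", "server-hostname",
    "source-context", "connector-id", "source", "event-id", "internal-message-id",
    "message-id", "network-message-id", "recipient-address", "recipient-status",
    "total-bytes", "recipient-count", "related-recipient-address", "reference",
    "message-subject", "sender-address", "return-path", "message-info",
    "directionality", "tenant-id", "original-client-ip", "original-server-ip",
    "custom-data",
]

# Event IDs selected by the eventtypes.conf search in the question.
EMAIL_EVENT_IDS = {"BADMAIL", "DELIVER", "FAIL", "RECEIVE", "SEND"}

# Constructed sample log (hostnames, addresses, IPs and message IDs are made up).
# The '#' header lines and the '#Fields:' column declaration follow the layout
# Exchange writes at the top of each message tracking log file.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Message Tracking Log
#Date: 2014-01-15T00:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
2014-01-15T08:01:02.123Z,10.0.0.5,MAIL01.example.test,10.0.0.10,MAIL01.example.test,08CF7C0A1B2C3D4E;2014-01-15T08:01:01.000Z;0,Default Frontend MAIL01,SMTP,RECEIVE,12345,<msg1@example.test>,1a2b3c4d-0000-0000-0000-000000000001,alice@example.test;bob@example.test,,4096,2,,,"Quarterly report, draft",carol@example.test,carol@example.test,,Originating,,10.0.0.5,10.0.0.10,
2014-01-15T08:01:03.456Z,,,,MAIL01.example.test,,,STOREDRIVER,DELIVER,12345,<msg1@example.test>,1a2b3c4d-0000-0000-0000-000000000001,alice@example.test,,4096,1,,,"Quarterly report, draft",carol@example.test,carol@example.test,,Originating,,,,
2014-01-15T08:02:00.000Z,,,,MAIL01.example.test,,,AGENT,AGENTINFO,12346,<msg2@example.test>,1a2b3c4d-0000-0000-0000-000000000002,dave@example.test,,512,1,,,Hello,erin@example.test,erin@example.test,,Originating,,,,
"""


def declared_fields(text: str) -> List[str]:
    """Return the column names the log itself declares on its '#Fields:' line."""
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            return [f.strip() for f in line[len("#Fields:"):].split(",")]
    raise ValueError("no #Fields: header found")


def parse_message_tracking(text: str) -> List[Dict[str, str]]:
    """Parse data rows into dicts keyed by the declared column names.

    Every '#' line is skipped (the equivalent of the ignore-comments transform),
    and a row whose column count differs from the header is rejected rather than
    silently shifting values into neighbouring fields.
    """
    fields = declared_fields(text)
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        values = next(csv.reader([line]))  # csv handles the quoted subject
        if len(values) != len(fields):
            raise ValueError(f"row has {len(values)} columns, header declares {len(fields)}")
        events.append(dict(zip(fields, values)))
    return events


def field_list_mismatches(text: str, configured: List[str]) -> List[str]:
    """Compare a static FIELDS list (what transforms.conf hard-codes) with the
    '#Fields:' header of a real log; any difference means values land under
    the wrong field name, which is the symptom described in the question."""
    declared = declared_fields(text)
    problems = []
    if len(declared) != len(configured):
        problems.append(f"column count: log={len(declared)} config={len(configured)}")
    for i, (d, c) in enumerate(zip(declared, configured)):
        if d != c:
            problems.append(f"position {i}: log={d!r} config={c!r}")
    return problems


def to_cim(event: Dict[str, str]) -> Dict[str, object]:
    """Apply the aliases and evals from the question's props.conf.
    coalesce() mirrors Splunk's: first value that is present and non-empty."""
    def coalesce(*names):
        return next((event[n] for n in names if event.get(n)), None)

    return {
        "dest": coalesce("server-hostname"),
        "dest_ip": coalesce("server-ip"),
        "src": coalesce("original-client-ip", "client-ip"),
        "orig_src": coalesce("original-client-ip", "original-server-ip"),
        "orig_dest": coalesce("client-ip"),
        "user": coalesce("sender-address"),
        "sender": coalesce("sender-address"),
        "recipient": [r for r in event.get("recipient-address", "").split(";") if r],
        "recipient_count": int(event["recipient-count"]) if event.get("recipient-count") else None,
        "size": int(event["total-bytes"]) if event.get("total-bytes") else None,
        "subject": coalesce("message-subject"),
        "return_addr": coalesce("return-path"),
        "event_id": event.get("event-id"),
        "is_email_event": event.get("event-id") in EMAIL_EVENT_IDS,
        "protocol": "SMTP",
        "vendor_product": "Microsoft Exchange",
    }


if __name__ == "__main__":
    print("mismatches:", field_list_mismatches(SAMPLE_LOG, EXCHANGE_2013_FIELDS))
    for ev in parse_message_tracking(SAMPLE_LOG):
        print(to_cim(ev))
```

Run it against a real Messagetracking file (replace SAMPLE_LOG with the file contents) and field_list_mismatches() tells you at which position a TA's FIELDS list first diverges from what that Exchange version writes; an empty list means a REPORT extraction with that list will put every value under the right name.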
1 Solution


As I found out through support and through the doco, the config I needed has moved to the "Exchange-Mailbox" TA which will do what is needed.


0 Karma


As I found out through support and through the doco, the config I needed has moved to the "Exchange-Mailbox" TA which will do what is needed.

0 Karma