Welcome to Cool Solutions
Sentinel Collector for Exchange
Submitted By otoquero on Wed. 04.09.2008
license:
Public"(/\d+)-(/\d+)-(/\d+)/\s+(/\d+):(/\d+):(/\d+)/\s/\w+/\s+(/\d+./\d+./\d+./\d+|-)/\s+(/\w+./\w+./\w+./\w+|-)/\s(/\*+|-|/O.+cn=SERVERNAME|CN.+CN=ADMINISTRATIVE)/\s(/\w+|/O.+SXC_GW_01|-)/\s(/\d+./\d+./\d+./\d+|-)/\s(.+)/\s(10/\d+|0)/\s(.+)/\s(0|1|3)/\s(0)/\s(/\d+)/\s(/\d+)/\s(.+GMT|-)/\s(/\d+|-)/\s(Version: X.X.XXXX.XXXX|-)/\s(c=MX;a= ;p=GRUPO HOST.;l=/\w+-/\w+-/\w+|C=MX;A= ;P=GRUPO HOST.;L=/\w+|-)/\s(.+)/\s(.+@.+|-|<>|.+)/\s-", i_Found, s_Match, s_Year, s_Month, s_Day, s_Hour, s_Min, s_Sec, s_SIP, s_SHN, s_PartnerHN, s_DHN, s_DIP, s_DUN, s_EVT, s_MSGID, s_Priority, s_RRS, s_CV1, s_CV2, s_OT, s_Encryption, s_SV, s_LMSGID, s_Subject, s_SUN)Event Tag Mapping: With little effort modifying a regular expression, it's possible to use this collector. It parses raw data from Microsoft Exchange tracker log. This is the expression that I used.
"(/\d+)-(/\d+)-(/\d+)/\s+(/\d+):(/\d+):(/\d+)/\s/\w+/\s+(/\d+./\d+./\d+./\d+|-)/\s+(/\w+./\w+./\w+./\w+|-)/\s(/\*+|-|/O.+cn=SERVERNAME|CN.+CN=ADMINISTRATIVE)/\s(/\w+|/O.+SXC_GW_01|-)/\s(/\d+./\d+./\d+./\d+|-)/\s(.+)/\s(10/\d+|0)/\s(.+)/\s(0|1|3)/\s(0)/\s(/\d+)/\s(/\d+)/\s(.+GMT|-)/\s(/\d+|-)/\s(Version: X.X.XXXX.XXXX|-)/\s(c=MX;a= ;p=GRUPO HOST.;l=/\w+-/\w+-/\w+|C=MX;A= ;P=GRUPO HOST.;L=/\w+|-)/\s(.+)/\s(.+@.+|-|<>|.+)/\s-", i_Found, s_Match, s_Year, s_Month, s_Day, s_Hour, s_Min, s_Sec, s_SIP, s_SHN, s_PartnerHN, s_DHN, s_DIP, s_DUN, s_EVT, s_MSGID, s_Priority, s_RRS, s_CV1, s_CV2, s_OT, s_Encryption, s_SV, s_LMSGID, s_Subject, s_SUN)Event Tag Mapping:
| Sentinel Display Name | Source Field | Example Data |
| Event Time S_ET |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | 2008-2-24 0:0:4 GMT |
| Source IP S_IP |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | XXX.XXX.XXX.XXX |
| Source Host Name S_IP |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | ironport.server.local |
| Extended Information – Partner Name S_PartnerHN |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | - |
| Destination Hostname S_DHN |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | SERVER |
| Destination IP S_DIP |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | 10.1.1.1 |
| Destination User Name S_DUN |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | usuario@dominio |
| Event Name S_EVT |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | AA8FF26E8E1149EBBD E0ECDD4B5A0DD9@ EPC |
| Extended Information - Message ID S_MSGID |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | 0 |
| Extended Information - Priority S_Priority |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | 0 |
| Extended Information – Recipient Report Status S_RRS |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | 0 |
| TotalBytes S_CV1 |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | 1943 |
| NumberRecipients S_CV2 |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | 1 |
| Extended Information – Encryption S_Encryption |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | 0 |
| Extended information – Service Version S_SV |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | Version: X.X.XXX.XXX |
| Extended information – Linked Message ID S_LMSGID |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | - |
| Extended information – Message Subject S_Subject |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain - | Message Subject |
| Source User Name S_SUN |
2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Sub ject usuario@domain - | usuario@domain |
Print
Email
RSS
Digg
Slashdot| Attachment | Size |
|---|---|
| Microsoft_Exchange_6_LOG_600.zip | 140.58 KB |
- To leave a comment you need to Login or Register
- 827 reads
Search
Act Now!
Who's online
Shameless Plugs
Quick Poll
How quickly do you buy new electronic gadgets?
I like to be the first one to have anything new.
3%
I like to wait until they work out all the kinks.
8%
I like to wait until the price comes down.
26%
I wait until I really need the new functionality.
47%
I wait till someone gives it to me as a gift.
16%
Total votes: 38
- 1 comment
- 409 reads
- Older polls
Recent comments
1 day 4 hours ago
1 day 8 hours ago
46 weeks 2 days ago
46 weeks 2 days ago
46 weeks 4 days ago
46 weeks 5 days ago
47 weeks 1 day ago
1 year 40 weeks ago
1 year 41 weeks ago
1 year 41 weeks ago