License:
Public

Download Microsoft_Exchange_6_LOG_600_0.zip

With a little effort spent adapting the regular expression below, this collector can be reused: it parses raw records from the Microsoft Exchange message tracking log.

This is the expression that I used:

"(/\d+)-(/\d+)-(/\d+)/\s+(/\d+):(/\d+):(/\d+)/\s/\w+/\s+(/\d+./\d+./\d+./\d+|-)/\s+(/\w+./\w+./\w+./\w+|-)/\s(/\*+|-|/O.+cn=SERVERNAME|CN.+CN=ADMINISTRATIVE)/\s(/\w+|/O.+SXC_GW_01|-)/\s(/\d+./\d+./\d+./\d+|-)/\s(.+)/\s(10/\d+|0)/\s(.+)/\s(0|1|3)/\s(0)/\s(/\d+)/\s(/\d+)/\s(.+GMT|-)/\s(/\d+|-)/\s(Version: X.X.XXXX.XXXX|-)/\s(c=MX;a=  ;p=GRUPO HOST.;l=/\w+-/\w+-/\w+|C=MX;A=  ;P=GRUPO HOST.;L=/\w+|-)/\s(.+)/\s(.+@.+|-|<>|.+)/\s-", i_Found, s_Match, s_Year, s_Month, s_Day, s_Hour, s_Min, s_Sec, s_SIP, s_SHN, s_PartnerHN, s_DHN, s_DIP, s_DUN, s_EVT, s_MSGID, s_Priority, s_RRS, s_CV1, s_CV2, s_OT, s_Encryption, s_SV, s_LMSGID, s_Subject, s_SUN)

Event Tag Mapping:

Every row's example data comes from the same raw tracking-log record (addresses and version anonymised by the author):

2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local – SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX – Message Subject usuario@domain –

The last column shows the value each field receives from that record.

| Sentinel Display Name | Source Field | Example Data |
|---|---|---|
| Event Time | S_ET | 2008-2-24 0:0:4 GMT |
| Source IP | S_IP | XXX.XXX.XXX.XXX |
| Source Host Name | S_IP | ironport.server.local |
| Extended Information – Partner Name | S_PartnerHN | – |
| Destination Hostname | S_DHN | SERVER |
| Destination IP | S_DIP | 10.1.1.1 |
| Destination User Name | S_DUN | usuario@domain |
| Event Name | S_EVT | AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC |
| Extended Information – Message ID | S_MSGID | 0 |
| Extended Information – Priority | S_Priority | 0 |
| Extended Information – Recipient Report Status | S_RRS | 0 |
| TotalBytes | S_CV1 | 1943 |
| NumberRecipients | S_CV2 | 1 |
| Extended Information – Encryption | S_Encryption | 0 |
| Extended Information – Service Version | S_SV | Version: X.X.XXXX.XXXX |
| Extended Information – Linked Message ID | S_LMSGID | – |
| Extended Information – Message Subject | S_Subject | Message Subject |
| Source User Name | S_SUN | usuario@domain |
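As an added check, not part of the original collector, the Python script below translates the expression above into a `re` pattern, labels each capture group with the collector variable it feeds (s_Year through s_SUN, in the order of the call), and runs it over a constructed record modelled on the example data. It assumes that the "/" preceding each "\" escape in the collector script is an escaping artefact and drops it, keeps "/O" literal (Exchange legacy DNs begin with "/O="), and replaces the author's anonymised literal "Version: X.X.XXXX.XXXX" with a numeric pattern; the IP 192.0.2.10, the host name and the version number in the sample are made-up values, and the sample uses ASCII "-" separators as the raw log does (the typographic "–" in the page's example would not match the expression). Running it shows which group actually receives the event number and which the message ID, which is worth confirming against the Event Tag Mapping before the collector goes live; the second sample line is truncated to show the no-match case, which a collector would otherwise drop silently.

```python
import re
from typing import Optional

# Collector variables in capture-group order, from the page's collector call
# (i_Found and s_Match are the match-status outputs and have no group).
FIELDS = [
    "s_Year", "s_Month", "s_Day", "s_Hour", "s_Min", "s_Sec",
    "s_SIP", "s_SHN", "s_PartnerHN", "s_DHN", "s_DIP", "s_DUN",
    "s_EVT", "s_MSGID", "s_Priority", "s_RRS", "s_CV1", "s_CV2",
    "s_OT", "s_Encryption", "s_SV", "s_LMSGID", "s_Subject", "s_SUN",
]

# Python translation of the page's expression. Assumptions: the "/" before
# each "\" escape is dropped, "/O" stays literal, and the anonymised
# "Version: X.X.XXXX.XXXX" literal becomes a numeric pattern. The unescaped
# "." inside the IP and host groups is left exactly as the page has it.
TRACKING_RE = re.compile(
    r"(\d+)-(\d+)-(\d+)\s+(\d+):(\d+):(\d+)\s\w+\s+"     # date, time, zone
    r"(\d+.\d+.\d+.\d+|-)\s+"                             # s_SIP
    r"(\w+.\w+.\w+.\w+|-)\s"                              # s_SHN
    r"(\*+|-|/O.+cn=SERVERNAME|CN.+CN=ADMINISTRATIVE)\s"  # s_PartnerHN
    r"(\w+|/O.+SXC_GW_01|-)\s"                            # s_DHN
    r"(\d+.\d+.\d+.\d+|-)\s"                              # s_DIP
    r"(.+)\s"                                             # s_DUN
    r"(10\d+|0)\s"                                        # s_EVT (event number)
    r"(.+)\s"                                             # s_MSGID
    r"(0|1|3)\s"                                          # s_Priority
    r"(0)\s"                                              # s_RRS
    r"(\d+)\s"                                            # s_CV1 (total bytes)
    r"(\d+)\s"                                            # s_CV2 (recipients)
    r"(.+GMT|-)\s"                                        # s_OT (origination time)
    r"(\d+|-)\s"                                          # s_Encryption
    r"(Version: [\d.]+|-)\s"                              # s_SV (service version)
    r"(c=MX;a=  ;p=GRUPO HOST.;l=\w+-\w+-\w+|C=MX;A=  ;P=GRUPO HOST.;L=\w+|-)\s"  # s_LMSGID
    r"(.+)\s"                                             # s_Subject
    r"(.+@.+|-|<>|.+)\s-"                                 # s_SUN, then trailing "-"
)

# Constructed sample records (not from a real server): the first is modelled
# on the page's example, the second is truncated to exercise the no-match path.
SAMPLE_LINES = [
    "2008-2-24 0:0:4 GMT 192.0.2.10 mx01.corp.example.com - SERVER 10.1.1.1 "
    "usuario@example.com 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 "
    "2008-2-24 0:0:4 GMT 0 Version: 6.5.7638.1 - Message Subject usuario@example.com -",
    "2008-2-24 0:0:5 GMT 192.0.2.10 mx01.corp.example.com - SERVER 10.1.1.1 "
    "usuario@example.com 1019 0F3A@EPC 0 0 512",
]


def parse_tracking_line(line: str) -> Optional[dict]:
    """Return a {collector variable: value} dict for one tracking-log record,
    or None when the expression does not match (the collector's i_Found = 0 case)."""
    m = TRACKING_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return dict(zip(FIELDS, m.groups()))


def parse_batch(lines):
    """Split a batch into parsed records and the raw lines the expression
    rejected, so unparsed events are counted instead of vanishing."""
    parsed, rejected = [], []
    for line in lines:
        rec = parse_tracking_line(line)
        if rec is None:
            rejected.append(line)
        else:
            parsed.append(rec)
    return parsed, rejected


if __name__ == "__main__":
    ok, bad = parse_batch(SAMPLE_LINES)
    for rec in ok:
        for name in ("s_EVT", "s_MSGID", "s_CV1", "s_CV2", "s_SV", "s_Subject", "s_SUN"):
            print(f"{name:12} = {rec[name]}")
    print(f"{len(ok)} parsed, {len(bad)} rejected")
```

Keeping the rejected lines (rather than only a count) is what lets you tune the expression when a new Exchange build changes a column, since the unmatched records are exactly the ones to diff against the pattern.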
Categories: Cool Tools, Sentinel

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: otoquero, Apr 9, 2008, 8:19 am