Dear community,

I'm currently working on parsing MS Exchange logs and sending them via GELF to my graylog instance.

I'd like to convert the sender- and recipient-address field to lowercase. Sounds pretty easy, in fact, I need help :(

my current config looks like this (below). Any help is appreciated.

I've tried to work with "Exec       $sender-address = lc($sender-address);" within the input as well as Output backet - neither did work.

define BASEDIR C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking

<Extension csv>
   Module      xm_csv
   Fields      $date-time, $client-ip, $client-hostname, $server-ip, $server-hostname, $source-context, $connector-id, $exchange_source, $event-id, $internal-message-id, $message-id, $recipient-address, $recipient-status, $total-bytes, $recipient-count, $related-recipient-address, $reference, $message-subject, $sender-address, $return-path, $message-info, $directionality, $tenant-id, $original-client-ip, $original-server-ip, $custom-data
   FieldTypes  string, string, string, string, string, string, string, string, string, integer, string, string, string, integer, integer, string, string, string, string, string, string, string, string, string, string, string
   Delimiter   ,
</Extension>

<Input in_exchange>  
   Module     im_file
   File       '%BASEDIR%\MSGTRK????????*-*.LOG'
   SavePos    TRUE
   Exec       if $raw_event =~ /HealthMailbox/ drop();
   Exec       if $raw_event =~ /^#/ drop();
   Exec       csv->parse_csv();
</Input>

<Output out_exchange>  
   Module     om_udp
   Host       graylog.local
   Port       12203
   OutputType GELF
   Exec       $SourceName = 'exchange_msgtrk_log';
</Output>

<Route exchange>  
    Path      in_exchange => out_exchange
</Route>