2 responses

Currently we are sending our Exchange 2013 logs to our Graylog server using the CSV converter built into Graylog. We parse based on the following fields in 2013.

Fields $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data

FieldTypes Datetime,ip4addr,String,ip4addr,String,String,String,String,String,String,String,String,String,String,Integer,String,String,String,String,String,String,String,String,String,ip4addr,ip4addr,String

When I use these strings to parse Exchange 2016 logs I am unable to break up the data within the CSV being sent. It appears that some fields changed, but I don't know what the fields should be labeled or what type of field they are.

Does anyone have a working Exchange 2016 Message Tracking exporter for NXLog-CE?

Asked May 23, 2018 - 4:46pm

Answer (1)

Was able to fix this by adding four fields, all string type. Here are the working configs.

Fields $date_time, $client_ip, $client_hostname, $server_ip, $server_hostname, $source_context, $connector_id, $exchange_source, $event_id, $internal_message_id, $message_id, $network-message-id, $recipient_address, $recipient_status, $total_bytes, $recipient_count, $related_recipient_address, $reference, $message_subject, $sender_address, $return_path, $message_info, $directionality, $tenant_id, $original_client_ip, $original_server_ip, $custom_data, $transport-traffic-type, $log-id, $schema-version


FieldTypes string, string, string, string, string, string, string, string, string, integer, string, string, string, integer, integer, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
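An added example, not part of the question or the answer above: Exchange message tracking logs begin with a `#Fields:` header line listing the columns, so the NXLog `Fields`/`FieldTypes` directives can be generated from that header instead of being typed by hand, and a data line can be checked against the header's column count before it is shipped. The header, the sample record, the hyphen-to-underscore renaming, the `source` -> `exchange_source` rename and the choice of which columns are integers are all assumptions made here (the answer types other columns as integer); the example uses Python's csv module rather than NXLog itself.

```python
import csv
from io import StringIO

# Columns treated as integers; everything else is typed string so the
# parse does not fail on an empty value. Assumed, not taken from the answer.
INTEGER_FIELDS = {"total-bytes", "recipient-count"}

# 'source' clashes with an NXLog field name; the answer renamed it. Assumed.
RENAMES = {"source": "exchange_source"}

# Constructed sample of the '#Fields:' header of an Exchange 2016 tracking log.
SAMPLE_HEADER = (
    "#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,"
    "source-context,connector-id,source,event-id,internal-message-id,message-id,"
    "network-message-id,recipient-address,recipient-status,total-bytes,"
    "recipient-count,related-recipient-address,reference,message-subject,"
    "sender-address,return-path,message-info,directionality,tenant-id,"
    "original-client-ip,original-server-ip,custom-data,transport-traffic-type,"
    "log-id,schema-version")

# Constructed 30-column data line; the quoted subject contains a comma, which a
# naive split(',') would count as an extra column.
SAMPLE_RECORD = ",".join(["2018-05-23T14:46:00.000Z", "10.0.0.5", "MAIL01"]
                         + [""] * 15 + ['"Re: budget, Q2"'] + [""] * 11)

def parse_fields_header(line):
    """Return the column names listed on a '#Fields:' header line."""
    if not line.startswith("#Fields:"):
        raise ValueError("not a #Fields header line")
    return [f.strip() for f in line[len("#Fields:"):].split(",") if f.strip()]

def nxlog_name(field):
    """Map a tracking-log column name to a $-prefixed NXLog field name."""
    return "$" + RENAMES.get(field, field).replace("-", "_")

def build_directives(fields):
    """Return the xm_csv 'Fields' and 'FieldTypes' directive lines."""
    names = [nxlog_name(f) for f in fields]
    types = ["integer" if f in INTEGER_FIELDS else "string" for f in fields]
    return "Fields " + ", ".join(names), "FieldTypes " + ", ".join(types)

def check_record(fields, record_line):
    """True when a data line has exactly as many CSV columns as the header."""
    row = next(csv.reader(StringIO(record_line)))
    return len(row) == len(fields)

if __name__ == "__main__":
    cols = parse_fields_header(SAMPLE_HEADER)
    print(*build_directives(cols), sep="\n")
    print("record matches header:", check_record(cols, SAMPLE_RECORD))
```

Running the 2013-era 27-field list against a 2016 record makes `check_record` return False, which is the mismatch the question describes.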
