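# Copyright (c) 2014 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the Exchange Server 2013 message tracking log
# (comma-separated "#Fields:" layout). Every log field is extracted by the
# parsing filter below; the database fields, filters and report groups at the
# end describe how the extracted values are stored and reported.
microsoft_exchange_2013_csv = {

  plugin_version = "1.0"

  info.1.manufacturer = "Microsoft"
  info.1.device = "Exchange Server 2013"
  info.1.version.1 = "2013"

  # 2014-10-08 - 1.0 - Lew - Based on microsoft_exchange_2007_csv

  # The name of the log format
  log.format.format_label = "Microsoft Exchange Server 2013 Log Format (comma separated)"
  log.miscellaneous.log_data_type = "mail_server"
  log.miscellaneous.log_format_type = "mail_server"

  # Don't treat the "#Fields:" header as a W3C field declaration; the field
  # layout is fixed by the parsing filter instead.
  log.format.ignore_format_lines = true

  # The log is in this format if any of the first ten lines match this regular
  # expression. The header must list exactly these 27 columns in this order;
  # a log with extra, missing or reordered columns is not auto-detected.
  # 2014-10-08 - Lew - Supported new format of 2013 CSV
  #Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
  log.format.autodetect_regular_expression = '^#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data$'

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Log fields (one per column of the "#Fields:" header, plus the split
  # date/time pair). Field names use underscores where the header uses dashes.
  log.fields = {
    date = ""
    time = ""
    client_hostname = ""
    client_ip.type = "host"
    connector_id = ""
    event_id = ""
    internal_message_id = ""
    message_id = ""
    message_info = ""
    message_subject = ""
    network_message_id = ""
    recipient_address = ""
    recipient_count = ""
    recipient_status = ""
    reference = ""
    related_recipient_address = ""
    return_path = ""
    sender_address = ""
    server_hostname = ""
    server_ip = ""
    source = ""
    source_context = ""
    total_bytes.type = "size"
    # Columns that first appeared in the Exchange Server 2010 tracking-log
    # format and are also present in the 2013 header above.
    directionality = ""
    tenant_id = ""
    original_client_ip = ""
    original_server_ip = ""
    custom_data = ""
  } # log.fields

  # Log Parsing Filters
  #
  # The line is consumed in stages, trimming each matched prefix off v.line:
  #   1. date-time         -> date, time
  #   2. columns 2..10     -> client_ip .. internal_message_id
  #   3. message-id        -> message_id (with or without the surrounding < >)
  #   4. columns 12..27    -> network_message_id .. custom_data
  # accept_collected_entry() is only reached when stage 2 matches, so header
  # lines ("#Fields:", "#Software:", ...) and any line whose first ten columns
  # do not match are dropped without being counted.
  log.parsing_filters.parse = `
v.line = current_log_line();

# Get date and time. The fractional seconds and the trailing time-zone
# designator (e.g. ".067Z") are consumed by [^,]+ and discarded.
if (matches_regular_expression(v.line, '([0-9]{4}-[0-9]{2}-[0-9]{2})T([0-9]{2}:[0-9]{2}:[0-9]{2})\\\\.[^,]+,(.*)$')) then (
  set_collected_field('', 'date', $1);
  set_collected_field('', 'time', $2);
  v.line = $3;
);

# Handle Message Tracking Log from Exchange 2013
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
# 2014-09-22T12:00:01.067Z,,,,SERVER-001-11A,ExplicitlyDiscarded,,SMTP,HADISCARD,1692217114783,,57a21281-34b8-4d99-da64-08d1a4739834,HealthMailboxdd212ca59e1140ddac68acf836d6be11@jtest2.mail-test.jp,,1662,1,,,Inbound proxy probe,inboundproxy@contoso.com,inboundproxy@contoso.com,,Incoming,,,,S:DeliveryPriority=None;S:PrioritizationReason=ShadowRedundancy;S:IsProbe=true;S:PersistProbeTrace=False;S:ProbeType=OnPremisesInboundProxy;S:ExternalOrgIdNotSetReason=
# http://regex101.com/r/iW5rS5/5
# Original single-pass expression, kept for reference; it required the
# message-id to be enclosed in < >, which is not always the case.
#if (matches_regular_expression(v.line, '([0-9.]*|[0-9a-f:%]*),([^,]*),([0-9.]*|[0-9a-f:%]*),([^,]*),("[^"]*"|[^,]*),([^,]*),([^,]*),([^,]*),([^,]*),<([^,]*)>,([^,]*),(".*"|[^,]*),([^,]*),([0-9]*),([0-9]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),(.*)$')) then (
# Columns 2..10. The IP groups accept dotted IPv4 or IPv6 written in lowercase
# hex (with an optional %zone); source-context may be a quoted string.
# NOTE(review): an IPv6 address written in uppercase hex does not match either
# alternative and the whole line is dropped - confirm against real logs.
if (matches_regular_expression(v.line, '([0-9.]*|[0-9a-f:%]*),([^,]*),([0-9.]*|[0-9a-f:%]*),([^,]*),("[^"]*"|[^,]*),([^,]*),([^,]*),([^,]*),([^,]*),(.*)$')) then (
  set_collected_field('', 'client_ip', $1);
  set_collected_field('', 'client_hostname', $2);
  set_collected_field('', 'server_ip', $3);
  set_collected_field('', 'server_hostname', $4);
  set_collected_field('', 'source_context', $5);
  set_collected_field('', 'connector_id', $6);
  set_collected_field('', 'source', $7);
  set_collected_field('', 'event_id', $8);
  set_collected_field('', 'internal_message_id', $9);
  v.line = $10;

  # get the message ID, it might be surrounded by < > or not
  # NOTE(review): neither expression is anchored with ^. If message-id is
  # empty and a later column (e.g. message-subject) contains "<...>,", the
  # first branch may capture that text instead and the remaining columns will
  # not line up - confirm how matches_regular_expression() anchors.
  if (matches_regular_expression(v.line, '<([^,]*)>,(.*)$')) then (
    set_collected_field('', 'message_id', $1);
    v.line = $2;
  );
  else if (matches_regular_expression(v.line, '([^,]*),(.*)$')) then (
    set_collected_field('', 'message_id', $1);
    v.line = $2;
  );

  # get the rest of the line (columns 12..27). Only recipient-address accepts
  # a quoted value; message-subject ($8) is matched as [^,]*, so a quoted
  # subject that itself contains a comma shifts every following capture by
  # one (sender-address, return-path, ... end up in the wrong fields).
  # custom-data is the open-ended (.*) tail and can contain commas safely.
  if (matches_regular_expression(v.line, '([^,]*),(".*"|[^,]*),([^,]*),([0-9]*),([0-9]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),(.*)$')) then (
    set_collected_field('', 'network_message_id', $1);
    set_collected_field('', 'recipient_address', $2);
    set_collected_field('', 'recipient_status', $3);
    set_collected_field('', 'total_bytes', $4);
    set_collected_field('', 'recipient_count', $5);
    set_collected_field('', 'related_recipient_address', $6);
    set_collected_field('', 'reference', $7);
    set_collected_field('', 'message_subject', $8);
    set_collected_field('', 'sender_address', $9);
    set_collected_field('', 'return_path', $10);
    set_collected_field('', 'message_info', $11);
    set_collected_field('', 'directionality', $12);
    set_collected_field('', 'tenant_id', $13);
    set_collected_field('', 'original_client_ip', $14);
    set_collected_field('', 'original_server_ip', $15);
    set_collected_field('', 'custom_data', $16);
  );
  # The entry is accepted even if the stage-4 match above failed; in that case
  # only the date/time and columns 2..11 are populated.
  accept_collected_entry('', false);
); # Message Tracking Log (Exchange Server 2013)
`

  # Database fields. date_time / hour_of_day / day_of_week are the standard
  # Sawmill date/time fields; the rest mirror log.fields. total_bytes and
  # recipient_count are numerical fields and are declared further down.
  database.fields = {
    date_time = ""
    hour_of_day = ""
    day_of_week = ""
    client_hostname = ""
    client_ip = ""
    connector_id = ""
    event_id = ""
    internal_message_id = ""
    message_id = ""
    message_info = ""
    message_subject = ""
    network_message_id = ""
    recipient_address = ""
    recipient_status = ""
    reference = ""
    related_recipient_address = ""
    return_path = ""
    sender_address = ""
    server_hostname = ""
    server_ip = ""
    source = ""
    source_context = ""
    # Columns that first appeared in the Exchange Server 2010 tracking-log
    # format. directionality was previously declared twice in this group;
    # it is now listed once, in the same place as in log.fields.
    directionality = ""
    tenant_id = ""
    original_client_ip = ""
    original_server_ip = ""
    custom_data = ""
  } # database.fields

  log.filters = {
    # Every accepted line counts as one event.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    # 64-bit so per-tenant / per-day byte totals do not overflow.
    total_bytes = {
      default = true
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # total_bytes
    recipient_count = ""
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      message_tracking_group = {
        client_ip = true
        client_hostname = true
        server_ip = true
        server_hostname = true
        source_context = true
        connector_id = true
        source = true
        event_id = true
        internal_message_id = true
        message_id = true
        network_message_id = true
        recipient_address = true
        recipient_status = true
        recipient_count = true
        related_recipient_address = true
        reference = true
        message_subject = true
        sender_address = true
        return_path = true
        message_info = true
        directionality = true
        tenant_id = true
        original_client_ip = true
        original_server_ip = true
        custom_data = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # microsoft_exchange_2013_csv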