Sentinel Collector for Exchange

With a little effort spent adapting one regular expression, this collector can be used against a Microsoft Exchange message tracking log. It parses the raw, one-event-per-line log records; the parts of the pattern that need changing for another environment are the site-specific values it hard-codes (server and organization names, the Exchange build string).

This is the expression I used. Only the pattern and the output arguments of the call are shown: i_Found receives whether the line matched, s_Match the whole matched text, and the s_* variables after it receive the 24 capture groups in order. The pattern below is the posted one with the extraction damage undone (every `\d+`, `\s+`, `\w+` and `.+` had lost its quantifier); the only deliberate changes are literal dots in the two IP groups and a hostname group that accepts any number of labels instead of exactly four.

"(\d+)-(\d+)-(\d+)\s+(\d+):(\d+):(\d+)\s+\w+\s+(\d+\.\d+\.\d+\.\d+|-)\s+([\w.-]+|-)\s(\*+|-|/O.+cn=SERVERNAME|CN.+CN=ADMINISTRATIVE)\s(\w+|/O.+SXC_GW_01|-)\s(\d+\.\d+\.\d+\.\d+|-)\s(.+)\s(10\d+|0)\s(.+)\s(0|1|3)\s(0)\s(\d+)\s(\d+)\s(.+GMT|-)\s(\d+|-)\s(Version: X.X.XXXX.XXXX|-)\s(c=MX;a= +;p=GRUPO HOST.;l=\w+-\w+-\w+|C=MX;A= +;P=GRUPO HOST.;L=\w+|-)\s(.+)\s(.+@.+|-||.+)\s-", i_Found, s_Match, s_Year, s_Month, s_Day, s_Hour, s_Min, s_Sec, s_SIP, s_SHN, s_PartnerHN, s_DHN, s_DIP, s_DUN, s_EVT, s_MSGID, s_Priority, s_RRS, s_CV1, s_CV2, s_OT, s_Encryption, s_SV, s_LMSGID, s_Subject, s_SUN)

Two caveats before reusing it. First, SERVERNAME, SXC_GW_01, GRUPO HOST, the X.400 address forms, the allowed priorities (0|1|3), the report status (0) and the masked build string X.X.XXXX.XXXX are this site's values; a line whose field falls outside these alternatives does not match at all and the event is silently lost, so test i_Found and count unmatched lines while tuning. Second, the fields are tab-delimited and some values (X.400 addresses, the subject) contain spaces, which is why the pattern has to enumerate those values explicitly rather than rely on \s as a separator.



Event Tag Mapping:

Example log line (one event; the client IP, users, domain and Exchange build are masked):

2008-2-24 0:0:4 GMT XXX.XXX.XXX.XXX ironport.server.local - SERVER 10.1.1.1 usuario@domain 1019 AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC 0 0 1943 1 2008-2-24 0:0:4 GMT 0 Version: X.X.XXXX.XXXX - Message Subject usuario@domain -

Sentinel Display Name                           Source Field   Example Data
Event Time                                      s_ET           2008-2-24 0:0:4 GMT
Source IP                                       s_SIP          XXX.XXX.XXX.XXX
Source Host Name                                s_SHN          ironport.server.local
Extended Information - Partner Name             s_PartnerHN    -
Destination Hostname                            s_DHN          SERVER
Destination IP                                  s_DIP          10.1.1.1
Destination User Name                           s_DUN          usuario@domain
Event Name                                      s_EVT          1019
Extended Information - Message ID               s_MSGID        AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC
Extended Information - Priority                 s_Priority     0
Extended Information - Recipient Report Status  s_RRS          0
TotalBytes                                      s_CV1          1943
NumberRecipients                                s_CV2          1
Extended Information - Encryption               s_Encryption   0
Extended Information - Service Version          s_SV           Version: X.X.XXXX.XXXX
Extended Information - Linked Message ID        s_LMSGID       -
Extended Information - Message Subject          s_Subject      Message Subject
Source User Name                                s_SUN          usuario@domain

s_ET is assembled from the six date and time groups (s_Year, s_Month, s_Day, s_Hour, s_Min, s_Sec); the Origination-Time group s_OT is captured by the expression but not mapped to a display field. A "-" in the log is Exchange's marker for an empty field and is shown as-is.
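The same parse done without a site-specific pattern, as an added example that is not the collector's own code or part of the original post. It is written in Python (the Sentinel collector scripting language is not runnable here) and treats the log as what it is: a tab-delimited W3C file whose "# Fields:" header names the columns. It fills the same s_* variables as the table above plus s_ET. The header layout is the Exchange 2000/2003 message tracking log format as I know it, embedded in a constructed sample (masked users, 192.0.2.10 as a documentation address); the function names, the integer coercion and the handling of "-" as empty are my choices, not the page's.

```python
from datetime import datetime, timezone

# Log column -> Sentinel variable the page's collector fills.  Column names are
# those of the "# Fields:" header of an Exchange 2000/2003 message tracking log
# (assumed layout); the parser reads the header from the log itself, so only
# the columns a given log declares are mapped.
SENTINEL_FIELD = {
    "client-ip": "s_SIP",
    "Client-hostname": "s_SHN",
    "Partner-Name": "s_PartnerHN",
    "Server-hostname": "s_DHN",
    "server-IP": "s_DIP",
    "Recipient-Address": "s_DUN",
    "Event-ID": "s_EVT",
    "MSGID": "s_MSGID",
    "Priority": "s_Priority",
    "Recipient-Report-Status": "s_RRS",
    "total-bytes": "s_CV1",
    "Number-Recipients": "s_CV2",
    "Origination-Time": "s_OT",
    "Encryption": "s_Encryption",
    "service-Version": "s_SV",
    "Linked-MSGID": "s_LMSGID",
    "Message-Subject": "s_Subject",
    "Sender-Address": "s_SUN",
}
# Counters and the Event-ID are numeric in Sentinel; everything else stays text.
INT_FIELDS = {"s_EVT", "s_Priority", "s_RRS", "s_CV1", "s_CV2", "s_Encryption"}

# Constructed sample, not a real log: header, two events, one damaged line.
# The second event has an X.400 Linked-MSGID and a subject that contain spaces.
SAMPLE_LINES = [
    "# Fields: Date\tTime\tclient-ip\tClient-hostname\tPartner-Name\tServer-hostname"
    "\tserver-IP\tRecipient-Address\tEvent-ID\tMSGID\tPriority\tRecipient-Report-Status"
    "\ttotal-bytes\tNumber-Recipients\tOrigination-Time\tEncryption\tservice-Version"
    "\tLinked-MSGID\tMessage-Subject\tSender-Address",
    "2008-2-24\t0:0:4 GMT\t192.0.2.10\tironport.server.local\t-\tSERVER\t10.1.1.1"
    "\tusuario@domain\t1019\tAA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC\t0\t0\t1943\t1"
    "\t2008-2-24 0:0:4 GMT\t0\tVersion: X.X.XXXX.XXXX\t-\tMessage Subject\tusuario@domain",
    "2008-2-24\t0:0:5 GMT\t-\t-\t-\tSERVER\t10.1.1.1\totro@domain\t1020"
    "\t<AA8FF26E8E1149EBBDE0ECDD4B5A0DD9@EPC>\t0\t0\t1943\t2\t2008-2-24 0:0:4 GMT\t0"
    "\tVersion: X.X.XXXX.XXXX\tc=MX;a= ;p=GRUPO HOST.;l=SERVER-080224000004Z-1"
    "\tRe: Message Subject\tusuario@domain",
    "2008-2-24\t0:0:6 GMT\ttruncated line",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def _timestamp(date: str, time: str):
    """'2008-2-24' + '0:0:4 GMT' -> ISO 8601 UTC string.  Exchange writes
    unpadded month/day/hour fields, which strptime accepts.  None if malformed."""
    try:
        stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S GMT")
    except ValueError:
        return None
    return stamp.replace(tzinfo=timezone.utc).isoformat()


def parse_tracking_log(text: str):
    """Return one dict per well-formed data line, keyed by Sentinel variable.
    '-' (Exchange's empty marker) becomes None, numeric fields become int, and
    a line with fewer columns than the header is dropped rather than mis-mapped."""
    columns, events = [], []
    for line in text.splitlines():
        if line.startswith("#"):
            if "Fields:" in line:
                columns = line.split("Fields:", 1)[1].split()
            continue
        parts = line.split("\t")  # tab is the only delimiter that cannot occur in a value
        if not columns or len(parts) < len(columns):
            continue
        row = dict(zip(columns, parts))  # any extra trailing column is ignored
        event = {}
        for column, name in SENTINEL_FIELD.items():
            value = row.get(column)
            if value in (None, "-"):
                event[name] = None
            elif name in INT_FIELDS:
                event[name] = int(value) if value.isdigit() else None
            else:
                event[name] = value
        event["s_ET"] = _timestamp(row.get("Date", ""), row.get("Time", ""))
        events.append(event)
    return events


def whitespace_field_count(line: str) -> int:
    """How many fields a \\s+ split sees.  More than 20 on a 20-column line means
    a value contained a space, the case the regex approach must enumerate."""
    return len(line.split())


if __name__ == "__main__":
    for ev in parse_tracking_log(SAMPLE_LOG):
        print(ev["s_ET"], ev["s_EVT"], ev["s_SUN"], "->", ev["s_DUN"], repr(ev["s_Subject"]))
```

Splitting on tabs instead of \s means Partner-Name, Linked-MSGID and Message-Subject may contain spaces without the pattern having to list every X.400 form or server name for the site, so the same code ports between environments; the damaged third line is dropped instead of shifting every later field by one position.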
