ELK Exchange logging
# Listeners for the three streams the nxlog agent ships.  All three are
# plain TCP: no TLS (`ssl_enable`) and no client authentication, so any
# host that can reach 192.168.168.168 on these ports can read the traffic
# in transit or inject forged events.  The Exchange and IIS streams carry
# sender/recipient addresses, message subjects and usernames, so this is
# only acceptable on a trusted segment.  NOTE(review): enabling
# ssl_enable/ssl_cert/ssl_key here must land together with a switch to
# om_ssl on the nxlog side, otherwise the agent can no longer connect.
input {
  # Windows event log: one JSON object per line, produced by nxlog's
  # xm_json (to_json()).  `line` is the tcp input's default codec; it is
  # spelled out on every listener so the three stanzas read alike.
  tcp {
    host  => "192.168.168.168"
    port  => 3515
    type  => "WindowsEventLog"
    codec => "line"
  }
  # Exchange message-tracking CSV lines.
  tcp {
    host  => "192.168.168.168"
    port  => 3516
    type  => "Exchange"
    codec => "line"
  }
  # IIS W3C access-log lines (type EXIIS).
  tcp {
    host  => "192.168.168.168"
    port  => 3517
    type  => "EXIIS"
    codec => "line"
  }
}
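# Per-stream parsing.  Each branch is selected by the `type` the tcp
# listener attached to the event.
filter {

  # ---- Windows event log: one nxlog JSON object per line ------------------
  if [type] == "WindowsEventLog" {
    # Unpack the JSON into top-level fields, then put the event's own text
    # (the Message field) back into [message].
    json {
      source => "message"
    }
    mutate {
      replace => [ "message", "%{Message}" ]
    }
    mutate {
      lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
    }
    mutate {
      rename => [ "Hostname", "logsource" ]
    }
    # No `timezone` is given, so EventTime (a wall-clock string from the
    # Windows host) is read in the Logstash host's local zone.  If the
    # Windows hosts live in a different zone every event time in the SIEM
    # is offset by that difference -- set `timezone` to the hosts' zone.
    date {
      match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ]
    }
    # Collapse the "who" of the event into AccountName.  Both blocks use
    # `replace` and TargetUserName is applied last, so when an event carries
    # both SubjectUserName (the actor) and TargetUserName (the account acted
    # upon) the target wins.  Detections that need the actor must read
    # SubjectUserName directly rather than AccountName.
    if [SubjectUserName] =~ "." {
      mutate {
        replace => [ "AccountName", "%{SubjectUserName}" ]
      }
    }
    if [TargetUserName] =~ "." {
      mutate {
        replace => [ "AccountName", "%{TargetUserName}" ]
      }
    }
    # FileName is the channel name as nxlog reports it.
    if [FileName] =~ "." {
      mutate {
        replace => [ "eventlog_channel", "%{FileName}" ]
      }
    }
    mutate {
      lowercase => [ "AccountName", "eventlog_channel" ]
    }
    # `remove` is mutate's deprecated spelling of `remove_field`.
    mutate {
      remove_field => [ "SourceModuleType", "EventTimeWritten", "EventReceivedTime", "EventType" ]
    }
  }

  # ---- Exchange message tracking (CSV) ------------------------------------
  if [type] == "Exchange" {
    # Columns are mapped by position; the list must match the column order
    # the Exchange version on the host writes.  message-subject and the
    # address columns are personal data -- keep retention for this index
    # in mind.
    csv {
      add_tag => [ 'exh_msg_trk' ]
      columns => [ 'date-time', 'client-ip', 'client-hostname', 'server-ip', 'server-hostname', 'source-context', 'connector-id', 'source', 'event-id', 'internal-message-id', 'message-id', 'recipient-address', 'recipient-status', 'total-bytes', 'recipient-count', 'related-recipient-address', 'reference', 'message-subject', 'sender-address', 'return-path', 'message-info', 'directionality', 'tenant-id', 'original-client-ip', 'original-server-ip', 'custom-data' ]
      remove_field => [ "date-time" ]
    }
    # The event time is pulled from the raw line rather than the date-time
    # column; a line with no ISO-8601 stamp gets _grokparsefailure.
    grok {
      match => [ "message", "%{TIMESTAMP_ISO8601:timestamp}" ]
    }
    mutate {
      convert => [ "total-bytes", "integer" ]
      convert => [ "recipient-count", "integer" ]
      # Multi-valued columns are ';'-separated in the log.
      split => [ "recipient-address", ";" ]
      split => [ "source-context", ";" ]
      split => [ "custom-data", ";" ]
    }
    # `timezone` is only consulted when the parsed string carries no
    # offset; check the actual log to see whether the stamps end in "Z",
    # in which case this setting has no effect.
    date {
      match => [ "timestamp", "ISO8601" ]
      timezone => "America/Los_Angeles"
      remove_field => [ "timestamp" ]
    }
    # Lines with no parsable timestamp are discarded outright.  That is
    # deliberate (they are not events), but it is a silent loss: a change in
    # the log format would make the whole stream vanish without any error,
    # so alert on the volume of this index.  _csvparsefailure is not
    # dropped; such events keep their raw [message] and carry that tag.
    if "_grokparsefailure" in [tags] {
      drop { }
    }
  }

  # ---- IIS W3C access log --------------------------------------------------
  if [type] == "EXIIS" {
    # The csv filter maps columns by position, so this list must match the
    # W3C fields selected on the IIS site.  If the logging fields are ever
    # changed (e.g. X-Forwarded-For or Referer added) every later column
    # shifts silently -- keep the list in step with the server settings.
    # `separator` takes a string; the original passed a one-element array,
    # which only worked through Logstash's coercion.
    csv {
      separator => " "
      add_tag => [ 'exh_iis' ]
      columns => [ 'date', 'time', 's-ip', 'cs-method', 'cs-uri-stem', 'cs-uri-query', 's-port', 'cs-username', 'c-ip', 'csUser-Agent', 'sc-status', 'sc-substatus', 'sc-win32-status', 'time-taken' ]
    }
    # The original never set @timestamp for IIS lines, so each event was
    # stamped with its ingestion time rather than the request time -- a
    # problem for any timeline reconstruction.  W3C logs record UTC; adjust
    # `timezone` if this server is configured otherwise.  On a parse
    # failure the event keeps the ingest time and gets _dateparsefailure.
    mutate {
      add_field => { "iis_timestamp" => "%{date} %{time}" }
    }
    date {
      match => [ "iis_timestamp", "yyyy-MM-dd HH:mm:ss" ]
      timezone => "UTC"
      remove_field => [ "iis_timestamp" ]
    }
  }
}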
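# Hand every parsed event to RabbitMQ for the next stage.
#
# Two fixes.  First, `host = "..."` is not valid Logstash syntax (attributes
# take `=>`), so the pipeline as published could not start.  Second, the
# original carried a broker login (user "billy" and its password) in clear
# text in a public gist; those credentials must be treated as compromised
# and rotated.  They are now read from the environment via `${VAR}`
# substitution (RABBITMQ_USER / RABBITMQ_PASSWORD), so the file itself
# holds no secret and Logstash refuses to start if they are unset.
#
# NOTE(review): the connection is still unencrypted.  If the broker is not
# on the same host as Logstash, add `ssl => true` together with a TLS
# listener on the broker so neither the log stream nor the login crosses
# the network in plain text.
output {
  rabbitmq {
    host          => "192.168.168.168"
    exchange      => "logstash"
    exchange_type => "direct"
    key           => "logstash"
    durable       => true
    persistent    => true
    user          => "${RABBITMQ_USER}"
    password      => "${RABBITMQ_PASSWORD}"
  }
}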
# nxlog agent configuration for the Exchange / IIS host.  Everything below
# is rooted under the 32-bit Program Files install directory; change ROOT
# if the agent is installed elsewhere.
define ROOT c:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
# CacheDir presumably holds the SavePos offsets of the im_file inputs, so it
# must persist across restarts or files are re-read -- verify against the
# nxlog version in use.
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Provides to_json(), used by the event-log input to serialise each record
# as one JSON line for Logstash.
<Extension json>
    Module xm_json
</Extension>
# Loaded but unused: nothing in this file calls a to_syslog_*/parse_syslog
# procedure.  It can be removed to keep the agent's loaded-module set to the
# minimum actually needed.
<Extension syslog>
    Module xm_syslog
</Extension>
# Tail the IIS W3C access logs of site id 1 (usually the Default Web Site).
define IISDIR C:\inetpub\logs\LogFiles\W3SVC1
<Input IIS_IN>
    Module im_file
    # NOTE(review): the path is single-quoted, so the "\\" is presumably kept
    # literally and the glob becomes "...\W3SVC1\\*.log".  Windows tolerates
    # the doubled separator, but '%IISDIR%\*.log' is the intended spelling.
    File '%IISDIR%\\*.log'
    # Remember the read offset across restarts so a restart neither replays
    # nor skips log lines.
    SavePos TRUE
</Input>
# Message-tracking log directory of the V14 (presumably Exchange 2010)
# transport role; consumed by the in_exchange input.
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking
# Windows event log.  No Query directive is given, so im_msvistalog's
# default channel set is collected.  NOTE(review): confirm that default
# covers every channel the detections rely on; operational channels such as
# PowerShell or Sysmon are typically not part of it and need an explicit
# Query.
<Input in>
    Module im_msvistalog
    # $EventReceivedTime is a datetime; integer() presumably yields
    # microseconds since the epoch, so /1000000 turns it into seconds.  The
    # whole record is then serialised as a single JSON line.  (The Logstash
    # side discards EventReceivedTime anyway.)
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>
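# Tail every message-tracking log in BASEDIR.  Two lines are filtered at
# the source:
#  - lines mentioning the journaling mailbox (presumably to avoid counting
#    the journal copy of every message);
#  - lines starting with '#', which are the header block, not events.
# Dropping here means the SIEM never sees these lines at all, so the first
# pattern must be tight.  The '.' in the address was unescaped and matched
# any character; it is now a literal dot.  "journaling@tld.com" is clearly a
# placeholder -- substitute the real journaling address, or delete the line
# if journaling is not configured, otherwise a mis-typed address silently
# drops nothing (or, worse, too much).
<Input in_exchange>
    Module im_file
    # Exports all logs in the directory.
    File '%BASEDIR%\\*.LOG'
    SavePos TRUE
    Exec if $raw_event =~ /journaling\@tld\.com/ drop();
    Exec if $raw_event =~ /^#/ drop();
</Input>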
# Ship each stream to Logstash on its own TCP port, output and route kept
# together per stream.  All three are plain om_tcp: no encryption and no
# server authentication, so event-log, mail-tracking and IIS data
# (usernames, addresses, subjects) crosses the network readable and
# spoofable.  NOTE(review): move to om_ssl (CertFile/CertKeyFile/CAFile,
# AllowUntrusted FALSE) once the Logstash listeners have TLS enabled; the
# two changes must land together.

# --- Windows event log -> 3515 ---
<Output out>
    Module om_tcp
    Host   192.168.168.168
    Port   3515
</Output>
<Route 1>
    Path in => out
</Route>

# --- Exchange message tracking -> 3516 ---
<Output out_exchange>
    Module om_tcp
    Host   192.168.168.168
    Port   3516
</Output>
<Route exchange>
    Path in_exchange => out_exchange
</Route>

# --- IIS access log -> 3517 ---
<Output out_iis>
    Module om_tcp
    Host   192.168.168.168
    Port   3517
</Output>
<Route iis>
    Path IIS_IN => out_iis
</Route>
thank you a lot!)