ELK Exchange logging
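# Logstash pipeline for the nxlog feeds below: Windows event log (JSON),
# Exchange message-tracking CSV and Exchange IIS W3C logs, each arriving on
# its own TCP port and tagged with a distinct `type`.  Fixes versus the
# original: `host = ...` (assignment) and an unquoted `exchange_type` in the
# rabbitmq output, which are syntax errors; `remove` in mutate is the
# deprecated spelling of `remove_field`; hash-valued options use hash syntax.
input {
  # All three listeners are plain TCP: nothing on the wire is authenticated
  # or encrypted, so anyone who can reach the port can inject or read events.
  # The tcp input has `ssl_enable`/`ssl_cert`/`ssl_key` (pair with om_ssl on
  # the nxlog side) for any path that leaves the host or crosses a network.
  tcp {
    port  => 3515
    host  => "192.168.168.168"
    type  => "WindowsEventLog"
    codec => "line"
  }
  tcp {
    port => 3516
    host => "192.168.168.168"
    type => "Exchange"
  }
  tcp {
    port => 3517
    host => "192.168.168.168"
    type => "EXIIS"
  }
}

filter {
  # --- Windows event log, serialised by nxlog's to_json() ------------------
  if [type] == "WindowsEventLog" {
    # The whole nxlog record is one JSON document in `message`; expand it so
    # the event's own fields (Message, Hostname, EventTime, ...) are top level.
    json {
      source => "message"
    }
    # Keep the human-readable event text as `message` rather than the JSON.
    mutate {
      replace => { "message" => "%{Message}" }
    }
    # Kept as separate mutate blocks on purpose: inside one mutate, rename
    # runs before lowercase, so merging them would rename Hostname before it
    # is lowercased and `logsource` would keep its original case.
    mutate {
      lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
    }
    mutate {
      rename => { "Hostname" => "logsource" }
    }
    # No `timezone` is given, so EventTime is read in the Logstash host's
    # local zone; set it explicitly if the Windows hosts live elsewhere.
    date {
      match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ]
    }
    # AccountName: SubjectUserName first, then TargetUserName overrides it
    # when present, so TargetUserName wins whenever an event carries both.
    if [SubjectUserName] =~ /./ {
      mutate {
        replace => { "AccountName" => "%{SubjectUserName}" }
      }
    }
    if [TargetUserName] =~ /./ {
      mutate {
        replace => { "AccountName" => "%{TargetUserName}" }
      }
    }
    # nxlog's FileName is used as the channel name here (presumably the
    # event log the record came from).
    if [FileName] =~ /./ {
      mutate {
        replace => { "eventlog_channel" => "%{FileName}" }
      }
    }
    mutate {
      lowercase => [ "AccountName", "eventlog_channel" ]
    }
    # Drop nxlog bookkeeping fields that add nothing to the indexed event.
    mutate {
      remove_field => [ "SourceModuleType", "EventTimeWritten", "EventReceivedTime", "EventType" ]
    }
  }

  # --- Exchange message tracking ------------------------------------------
  if [type] == "Exchange" {
    # Column order must match the #Fields header of the MessageTracking logs
    # (nxlog drops those header lines before forwarding).  The raw date-time
    # column is removed because grok re-reads the timestamp from `message`.
    csv {
      add_tag => [ 'exh_msg_trk' ]
      columns => [ 'date-time', 'client-ip', 'client-hostname', 'server-ip', 'server-hostname', 'source-context', 'connector-id', 'source', 'event-id', 'internal-message-id', 'message-id', 'recipient-address', 'recipient-status', 'total-bytes', 'recipient-count', 'related-recipient-address', 'reference', 'message-subject', 'sender-address', 'return-path', 'message-info', 'directionality', 'tenant-id', 'original-client-ip', 'original-server-ip', 'custom-data' ]
      remove_field => [ "date-time" ]
    }
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}" }
    }
    # Numeric columns become integers; multi-valued columns are ';'-separated.
    mutate {
      convert => {
        "total-bytes"     => "integer"
        "recipient-count" => "integer"
      }
      split => {
        "recipient-address" => ";"
        "source-context"    => ";"
        "custom-data"       => ";"
      }
    }
    # `timezone` only applies when the parsed timestamp carries no offset.
    date {
      match        => [ "timestamp", "ISO8601" ]
      timezone     => "America/Los_Angeles"
      remove_field => [ "timestamp" ]
    }
    # Lines without a recognisable timestamp are discarded outright.  For an
    # audit trail that is silent data loss; routing them to a separate index
    # on the `_grokparsefailure` tag keeps the evidence and makes the
    # failures visible.
    if "_grokparsefailure" in [tags] {
      drop { }
    }
  }

  # --- Exchange IIS (W3C extended log format, space separated) -------------
  if [type] == "EXIIS" {
    csv {
      separator => " "
      add_tag   => [ 'exh_iis' ]
      columns   => [ 'date', 'time', 's-ip', 'cs-method', 'cs-uri-stem', 'cs-uri-query', 's-port', 'cs-username', 'c-ip', 'csUser-Agent', 'sc-status', 'sc-substatus', 'sc-win32-status', 'time-taken' ]
    }
  }
}

output {
  # Credentials are stored in clear text in this file (and published with
  # it).  Keep the config's permissions tight, rotate these, and prefer the
  # Logstash keystore or `${VAR}` environment interpolation where the
  # installed version supports them.  The output also has an `ssl` option;
  # without it the broker connection is unencrypted.
  rabbitmq {
    host          => "192.168.168.168"
    exchange_type => "direct"
    exchange      => "logstash"
    key           => "logstash"
    durable       => true
    persistent    => true
    user          => "billy"
    password      => "badass"
  }
}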
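# nxlog agent config for an Exchange 2010 (V14) server: ships Windows event
# log as JSON, message-tracking logs and IIS logs to the Logstash listeners
# on 3515/3516/3517.  Change versus the original: the journaling filter now
# escapes the dot in `tld\.com` so it only matches that literal address.
define ROOT c:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module xm_json
</Extension>

# Loaded but not referenced by any Exec below.
<Extension syslog>
    Module xm_syslog
</Extension>

# IIS site 1 log directory; SavePos resumes from the last read offset after
# a restart instead of re-sending the files.
define IISDIR C:\inetpub\logs\LogFiles\W3SVC1
<Input IIS_IN>
    Module  im_file
    File    '%IISDIR%\\*.log'
    SavePos TRUE
</Input>

define BASEDIR C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking

# Windows event log.  No Query is set, so the module's default channel set is
# collected.  integer() on the nxlog datetime yields microseconds since the
# epoch (assumed from the /1000000); the division makes it a Unix timestamp
# before to_json() serialises the record into $raw_event.
<Input in>
    Module im_msvistalog
    Exec   $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>

# Exchange message-tracking logs: every .LOG in the directory.  Journaling
# traffic is dropped as noise, and the '#Software/#Fields' header lines are
# dropped so they never reach the Logstash csv filter as bogus rows.
<Input in_exchange>
    Module  im_file
    File    '%BASEDIR%\\*.LOG'
    SavePos TRUE
    Exec    if $raw_event =~ /journaling\@tld\.com/ drop();
    Exec    if $raw_event =~ /^#/ drop();
</Input>

# All three outputs are om_tcp: clear-text, unauthenticated transport.  Use
# om_ssl (with ssl_enable on the Logstash tcp input) wherever the collector
# is reached over a network rather than on the same host.
<Output out>
    Module om_tcp
    Host   192.168.168.168
    Port   3515
</Output>

<Route 1>
    Path in => out
</Route>

<Output out_exchange>
    Module om_tcp
    Host   192.168.168.168
    Port   3516
</Output>

<Output out_iis>
    Module om_tcp
    Host   192.168.168.168
    Port   3517
</Output>

<Route exchange>
    Path in_exchange => out_exchange
</Route>

<Route iis>
    Path IIS_IN => out_iis
</Route>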