Hi graylog community,
since there isn’t an extractor for the Exchange message tracking log, I thought I’d have a go at it.
Please consider that I’m new to regex and it may be too complicated or total nonsense.
An exchange message tracking log usually looks like this:
2016-04-02T16:06:58.552Z,18.104.22.168,client.fqdn.net,22.214.171.124,server-fqdn,08D31F74F20E83B8;2016-04-02T16:06:58.334Z;0,client-fqdn\Client Proxy client-fqdn,SMTP,RECEIVE,70132520976434,<firstname.lastname@example.org>,5478464c-b318-4880-66a6-08d35b10d1a3,,,1487,1,,,Client submission probe,HealthMailbox36b8315e56974a65af058f1f72987168@domain.com,HealthMailbox36b8315e56974a65af058f1f72987168@domain.com,00I: ,Originating,,127.0.0.1,126.96.36.199,S:FirstForestHop=client.fqdn.net;S:ProxiedClientIPAddress=127.0.0.1;S:ProxiedClientHostname=SmtpClientSubmissionProbe;S:DeliveryPriority=Normal;S:AccountForest=fqdn.net;S:IsProbe=true;S:PersistProbeTrace=False;S:ProbeType=OnPremisesSmtpClientSubmission;S:Mailbox=d9f070e0-eda9-4c5c-ab42-722cf42f4b62
This is what I’ve come up with so far:
Windows events are so horrible to parse…
Does what I came up with even make any sense?
I haven’t extracted all fields so far, just wanted to make sure I’m not running in the wrong direction…
Does something like “*?” as a wildcard work?
If I come up with a working solution I will put it online on GitHub, because it could be useful to someone else as well.
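As an added example (not part of the post, and not a Graylog extractor), here is a Python parser for the line format shown above. It is built on the column order Exchange writes in the header of each tracking log file, which the post's sample omits and which is therefore assumed here. The point it makes for anyone writing a regex: the log is CSV, so a subject or display name that contains a comma is wrapped in double quotes by Exchange, and a pattern that simply splits on commas (or a non-greedy `.*?` walked field by field) lands in the wrong column from that point on. The second sample line, the `is_probe` helper and the `domain.com` addresses are constructed for the demonstration.

```python
import csv
import io
from datetime import datetime, timezone

# Column order from the header line at the top of an Exchange MSGTRK*.LOG
# file (assumed here; the post only shows a data line, not the header).
FIELDS = [
    "date-time", "client-ip", "client-hostname", "server-ip", "server-hostname",
    "source-context", "connector-id", "source", "event-id", "internal-message-id",
    "message-id", "network-message-id", "recipient-address", "recipient-status",
    "total-bytes", "recipient-count", "related-recipient-address", "reference",
    "message-subject", "sender-address", "return-path", "message-info",
    "directionality", "tenant-id", "original-client-ip", "original-server-ip",
    "custom-data",
]

# Fields that hold a semicolon-separated list (one entry per recipient).
LIST_FIELDS = {"recipient-address", "recipient-status",
               "related-recipient-address", "reference"}

# The line from the post (raw string, because connector-id contains a backslash).
SAMPLE = r"2016-04-02T16:06:58.552Z,18.104.22.168,client.fqdn.net,22.214.171.124,server-fqdn,08D31F74F20E83B8;2016-04-02T16:06:58.334Z;0,client-fqdn\Client Proxy client-fqdn,SMTP,RECEIVE,70132520976434,<firstname.lastname@example.org>,5478464c-b318-4880-66a6-08d35b10d1a3,,,1487,1,,,Client submission probe,HealthMailbox36b8315e56974a65af058f1f72987168@domain.com,HealthMailbox36b8315e56974a65af058f1f72987168@domain.com,00I: ,Originating,,127.0.0.1,126.96.36.199,S:FirstForestHop=client.fqdn.net;S:ProxiedClientIPAddress=127.0.0.1;S:ProxiedClientHostname=SmtpClientSubmissionProbe;S:DeliveryPriority=Normal;S:AccountForest=fqdn.net;S:IsProbe=true;S:PersistProbeTrace=False;S:ProbeType=OnPremisesSmtpClientSubmission;S:Mailbox=d9f070e0-eda9-4c5c-ab42-722cf42f4b62"


def parse_custom_data(value):
    """Turn 'S:Key=Val;S:Key2=Val2' into {'Key': 'Val', 'Key2': 'Val2'}."""
    out = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if not sep:
            continue  # skip empty or malformed entries
        if key.startswith("S:"):  # Exchange prefixes every custom-data key
            key = key[2:]
        out[key] = val
    return out


def parse_line(line):
    """Parse one tracking-log line into a dict keyed by the header names."""
    # csv handles the double-quoted fields Exchange emits when a value
    # (typically the subject) contains a comma; str.split(",") does not.
    row = next(csv.reader(io.StringIO(line)))
    if len(row) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}")
    rec = dict(zip(FIELDS, row))
    rec["timestamp"] = datetime.strptime(
        rec["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    for name in LIST_FIELDS:
        rec[name] = [x for x in rec[name].split(";") if x]
    for name in ("total-bytes", "recipient-count"):
        rec[name] = int(rec[name]) if rec[name] else None
    rec["custom-data"] = parse_custom_data(rec["custom-data"])
    return rec


def is_probe(rec):
    """True for Exchange's own health-mailbox probe traffic (S:IsProbe=true),
    which is noise in most alerting and can be filtered before indexing."""
    return rec["custom-data"].get("IsProbe", "").lower() == "true"


def sample_with_comma_subject():
    """Constructed line: same record, but the subject contains a comma, so
    Exchange's CSV writer quotes it. Shows why a plain comma split fails."""
    row = next(csv.reader(io.StringIO(SAMPLE)))
    row[FIELDS.index("message-subject")] = "Re: invoice, overdue"
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    rec = parse_line(SAMPLE)
    print(rec["event-id"], rec["sender-address"], rec["custom-data"]["ProbeType"])
    quoted = sample_with_comma_subject()
    print(len(quoted.split(",")), "tokens from a naive split, vs", len(FIELDS), "fields")
    print(parse_line(quoted)["message-subject"])
```

When feeding this into Graylog, the dict maps directly onto message fields; `custom-data` is worth flattening into its own keys (`IsProbe`, `ProxiedClientIPAddress`, and so on) because those are the values you end up searching on.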