Exchange 2010/2013 Message Tracking Logs

This dashboard monitors the Message Tracking Logs in Exchange 2010 onwards. I can't take credit for developing this, I just adapted it for NLS. Original creator as follows: https://elijahpaul.co.uk/analysing-exchange-2013-message-tracking-logs-using-elk-elasticsearch-logstash-kibana/ _________________________________________ Setup an Input Filter on NLS with the following; tcp { type => 'exchange' port => 5141 } ______________________________________________________ Install NXLog on Exchange CAS and add the following to conf file; define BASEDIR C:Program FilesMicrosoftExchange ServerV14TransportRolesLogsMessageTracking Module im_file File '%BASEDIR%MSGTRK????????*-*.LOG' SavePos TRUE Exec if $raw_event =~ /HealthMailbox/ drop(); Exec if $raw_event =~ /^#/ drop(); Exec $type = 'Exchange';

Module om_tcp Host host.ip.address.here Port 5141 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'Exchange';

Path in_exchange => out_exchange ________________________________________________ Setup a filter on NLS with the following; if [type] == 'exchange' { csv { add_tag => [ 'exh_msg_trk' ] columns => [ 'date-time', 'client-ip', 'client-hostname', 'server-ip', 'server-hostname', 'source-context', 'connector-id', 'source', 'event-id', 'internal-message-id', 'message-id', 'recipient-address', 'recipient-status', 'total-bytes', 'recipient-count', 'related-recipient-address', 'reference', 'message-subject', 'sender-address', 'return-path', 'message-info', 'directionality', 'tenant-id', 'original-client-ip', 'original-server-ip', 'custom-data' ] separator => ',' remove_field => [ 'date-time' ] } grok { match => [ 'message', '%{TIMESTAMP_ISO8601:timestamp}' ] } mutate { convert => [ 'total-bytes', 'integer' ] convert => [ 'recipient-count', 'integer' ] split => [ 'recipient-address', ';'] split => [ 'source-context', ';' ] split => [ 'custom-data', ';' ] } if '_csvparsefailure' in [tags] { drop { } } if '_grokparsefailure' in [tags] { drop { } } } _____________________________________________________ NOTES: You will need to modify the "host" section in the nxlog file. You will need to modify the query strings in the JSON file attached to match your "server/client hostnames" and also your "connector-id" to make your Exchange config. You will need to make sure Message Tracking Logging is turned on in Exchange, just google if unsure on how to do. You will need to open up the ports on the firewall on the NLS to connect into port 5141. You can use UDP if you prefer.

You must be logged in to submit a review.

Your review has been submitted and is pending approval.

Your recommendation has been sent.

Project Overview Project Files Project Photos Project Notes Reviews