Build precise queries to find exactly what you need
Press ESC to close
Your review has been submitted and is pending approval.
This dashboard monitors the Message Tracking Logs in Exchange 2010 onwards. I can't take credit for developing this, I just adapted it for NLS - Original creator here: https://elijahpaul.co.uk/analysing-exchange-2013-message-tracking-logs-using-elk-elasticsearch-logstash-kibana/
Current Version
Last Release Date
October 19, 2017
Owner
Ben
License
GPL
Compatible With
This dashboard monitors the Message Tracking Logs in Exchange 2010 onwards.
I can't take credit for developing this, I just adapted it for NLS.
Original creator as follows: https://elijahpaul.co.uk/analysing-exchange-2013-message-tracking-logs-using-elk-elasticsearch-logstash-kibana/
_________________________________________ Setup an Input Filter on NLS with the following;
tcp { type => 'exchange' port => 5141 }
______________________________________________________ Install NXLog on Exchange CAS and add the following to conf file;
define BASEDIR C:Program FilesMicrosoftExchange ServerV14TransportRolesLogsMessageTracking
<Input in_exchange> Module im_file File '%BASEDIR%MSGTRK????????*-*.LOG' SavePos TRUE Exec if $raw_event =~ /HealthMailbox/ drop(); Exec if $raw_event =~ /^#/ drop(); Exec $type = 'Exchange'; </Input>
<Output out_exchange> Module om_tcp Host host.ip.address.here Port 5141 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'Exchange'; </Output>
<Route exchange> Path in_exchange => out_exchange </Route>
________________________________________________ Setup a filter on NLS with the following;
if [type] == 'exchange' { csv { add_tag => [ 'exh_msg_trk' ] columns => [ 'date-time', 'client-ip', 'client-hostname', 'server-ip', 'server-hostname', 'source-context', 'connector-id', 'source', 'event-id', 'internal-message-id', 'message-id', 'recipient-address', 'recipient-status', 'total-bytes', 'recipient-count', 'related-recipient-address', 'reference', 'message-subject', 'sender-address', 'return-path', 'message-info', 'directionality', 'tenant-id', 'original-client-ip', 'original-server-ip', 'custom-data' ] separator => ',' remove_field => [ 'date-time' ] } grok { match => [ 'message', '%{TIMESTAMP_ISO8601:timestamp}' ] } mutate { convert => [ 'total-bytes', 'integer' ] convert => [ 'recipient-count', 'integer' ] split => [ 'recipient-address', ';'] split => [ 'source-context', ';' ] split => [ 'custom-data', ';' ] } if '_csvparsefailure' in [tags] { drop { } } if '_grokparsefailure' in [tags] { drop { } } }
_____________________________________________________ NOTES: You will need to modify the "host" section in the nxlog file. You will need to modify the query strings in the JSON file attached to match your "server/client hostnames" and also your "connector-id" to make your Exchange config. You will need to make sure Message Tracking Logging is turned on in Exchange, just google if unsure on how to do. You will need to open up the ports on the firewall on the NLS to connect into port 5141. You can use UDP if you prefer.
You must be logged in to submit a review.
To:
From: