Home Directory Addons Nagios Log Server Dashboards Exchange 2010/2013 Message Tracking Logs

Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me

Exchange 2010/2013 Message Tracking Logs

Rating
0 votes
Favoured:
0
Compatible With
  • Nagios Log Server
License
GPL
Hits
1877
Files:
FileDescription
Exchange Message Tracking Logs-1508391614806Exchange Message Tracking Logs-1508391614806
Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download
Exchange 2010/2013 Message Tracking Logs
This dashboard monitors the Message Tracking Logs in Exchange 2010 onwards.

I can't take credit for developing this, I just adapted it for NLS - Original creator here: https://elijahpaul.co.uk/analysing-exchange-2013-message-tracking-logs-using-elk-elasticsearch-logstash-kibana/
This dashboard monitors the Message Tracking Logs in Exchange 2010 onwards.

I can't take credit for developing this, I just adapted it for NLS.

Original creator as follows:
https://elijahpaul.co.uk/analysing-exchange-2013-message-tracking-logs-using-elk-elasticsearch-logstash-kibana/


_________________________________________
Setup an Input Filter on NLS with the following;

tcp {
type => 'exchange'
port => 5141
}

______________________________________________________
Install NXLog on Exchange CAS and add the following to conf file;

define BASEDIR C:Program FilesMicrosoftExchange ServerV14TransportRolesLogsMessageTracking


Module im_file
File '%BASEDIR%MSGTRK????????*-*.LOG'
SavePos TRUE
Exec if $raw_event =~ /HealthMailbox/ drop();
Exec if $raw_event =~ /^#/ drop();
Exec $type = 'Exchange';



Module om_tcp
Host host.ip.address.here
Port 5141
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'Exchange';



Path in_exchange => out_exchange



________________________________________________
Setup a filter on NLS with the following;


if [type] == 'exchange' {
csv {
add_tag => [ 'exh_msg_trk' ]
columns => [ 'date-time', 'client-ip', 'client-hostname', 'server-ip', 'server-hostname', 'source-context', 'connector-id', 'source', 'event-id', 'internal-message-id', 'message-id', 'recipient-address', 'recipient-status', 'total-bytes', 'recipient-count', 'related-recipient-address', 'reference', 'message-subject', 'sender-address', 'return-path', 'message-info', 'directionality', 'tenant-id', 'original-client-ip', 'original-server-ip', 'custom-data' ]
separator => ','
remove_field => [ 'date-time' ]
}
grok {
match => [ 'message', '%{TIMESTAMP_ISO8601:timestamp}' ]
}
mutate {
convert => [ 'total-bytes', 'integer' ]
convert => [ 'recipient-count', 'integer' ]
split => [ 'recipient-address', ';']
split => [ 'source-context', ';' ]
split => [ 'custom-data', ';' ]
}
if '_csvparsefailure' in [tags] {
drop { }
}
if '_grokparsefailure' in [tags] {
drop { }
}
}


_____________________________________________________
NOTES:
You will need to modify the "host" section in the nxlog file.
You will need to modify the query strings in the JSON file attached to match your "server/client hostnames" and also your "connector-id" to make your Exchange config.
You will need to make sure Message Tracking Logging is turned on in Exchange, just google if unsure on how to do.
You will need to open up the ports on the firewall on the NLS to connect into port 5141.
You can use UDP if you prefer.