Exchange Message Tracking Logs - localfile/location wildcard


James Glaves

Feb 20, 2018, 7:22:46 AM
to Wazuh mailing list
Hi,
We need to collect Exchange Message Tracking logs (2013), which are logged to flat files similar to IIS. The challenge I have is that the filename convention is:

MSGTRKyyyymmdd-nnnn.log

I understand from the reference documentation that wildcards cannot be used on Windows systems, but strftime parameters are supported. How can I collect these logs via the agent.conf centralised configuration? The below results in an error from bin/verify-agent-conf, I suppose due to the wildcard (although it can't know if this source is Windows/Linux at this stage!)

<agent_config name="exsrv1|exsrv2|exsrv3">
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\Program Files/Microsoft/Exchange Server/V15/TransportRoles/Logs/MessageTracking/MSGTRK%Y%m%d-*.log</location>
  </localfile>
</agent_config>

https://technet.microsoft.com/en-us/library/bb124375(v=exchg.150).aspx

I don't believe the filename can be defined from within Exchange. So other than a local Scheduled Task script to rename them, I am at a loss.

Any suggestions?

Thanks,
James

alberto....@wazuh.com

Feb 21, 2018, 10:41:38 AM
to Wazuh mailing list
Hello James

There is no immediate solution to this. As you know, wildcards can't be used in Windows. There are some workarounds that could be applied here:

  • Using environment variables: if you define an environment variable with the number of files created at the moment, this could be used as follows:
<location>C:\Program Files/Microsoft/Exchange Server/V15/TransportRoles/Logs/MessageTracking/MSGTRK%Y%m%d-%mylocalvariable%.log</location>
This method has inconveniences: it's necessary to update the environment variable every time with the total of files created in the desired folder. Maybe a script could be written for that (count files and save the value into the environment variable). And it's necessary to restart the agent every time that the environment variable is updated.
  • Using an external script: if an agent configuration has a <location> with a "general file" (i.e. MSGTRK%Y%m%d-total.log), it could be possible to create a script that updates this file with the contents of the other files.
This workaround and the one you mentioned (script for renaming) could be the possibilities. We have wildcard use in Windows included in our roadmap. Anyway, if you need assistance with some of those workarounds, don't hesitate to ask for help here.

Best regards, 
Alberto R. 
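The "external script" workaround above, written out as an added example (this is not code from the thread or from the Wazuh project). It consolidates every MSGTRKyyyymmdd-nnnn.log file for the current day into a single MSGTRKyyyymmdd-total.log in the same folder, which one strftime <location> entry can then follow without wildcards or agent restarts. The log directory, the state-file path under C:\ProgramData and the idea of running it from a Scheduled Task every minute are assumptions; per-file byte offsets are kept in a JSON state file so each line is appended exactly once, and only complete lines (up to the last newline) are copied, so a record Exchange is still writing is never split across runs.

```powershell
# Added example, not from the thread or the Wazuh project.
# Merge today's MSGTRK<yyyymmdd>-<nnnn>.log files into MSGTRK<yyyymmdd>-total.log.
# Assumed paths: Exchange 2013 default log directory and a state file under ProgramData.
$LogDir    = 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking'
$StateFile = 'C:\ProgramData\wazuh-msgtrk\offsets.json'   # assumed location for per-file offsets
$Today     = (Get-Date).ToString('yyyyMMdd')
$TotalFile = Join-Path $LogDir ("MSGTRK{0}-total.log" -f $Today)

# Load the per-file byte offsets written by the previous run (empty on first run).
$offsets = @{}
if (Test-Path $StateFile) {
    $json = Get-Content $StateFile -Raw | ConvertFrom-Json
    foreach ($p in $json.PSObject.Properties) { $offsets[$p.Name] = [int64]$p.Value }
} else {
    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
}

# Only the numbered files for today; the merged -total.log file is excluded by the regex.
$sources = Get-ChildItem -Path $LogDir -Filter ("MSGTRK{0}-*.log" -f $Today) |
    Where-Object { $_.Name -match '^MSGTRK\d{8}-\d+\.log$' } |
    Sort-Object Name

# Open the merged file for appending; ReadWrite sharing lets the Wazuh agent keep reading it.
$out = [System.IO.File]::Open($TotalFile, 'Append', 'Write', 'ReadWrite')
try {
    foreach ($f in $sources) {
        $start = if ($offsets.ContainsKey($f.Name)) { $offsets[$f.Name] } else { [int64]0 }
        if ($f.Length -le $start) { continue }   # nothing new in this file since last run

        # Open with ReadWrite sharing so Exchange can keep writing to the source file.
        $in = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'ReadWrite')
        try {
            $in.Seek($start, 'Begin') | Out-Null
            $size = [int]($f.Length - $start)
            $buf  = New-Object byte[] $size
            $n    = $in.Read($buf, 0, $size)
        } finally { $in.Close() }
        if ($n -le 0) { continue }

        # Commit only through the last newline (0x0A); the tail may be a half-written line.
        $last = [Array]::LastIndexOf($buf, [byte]10, $n - 1)
        if ($last -lt 0) { continue }
        $out.Write($buf, 0, $last + 1)
        $offsets[$f.Name] = $start + $last + 1
    }
} finally { $out.Close() }

# Persist offsets so each line is appended exactly once across runs.
$offsets | ConvertTo-Json | Set-Content -Path $StateFile -Encoding UTF8
```

With this in place the agent.conf entry becomes a single <location> ending in MSGTRK%Y%m%d-total.log; the strftime expansion handles the daily rollover, and no agent restart is needed when Exchange opens a new -nnnn file. Exchange writes its "#Software"/"#Fields" header lines into every tracking file, so those are copied too; a decoder for the log_format you choose should ignore lines beginning with "#".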

James Glaves

Feb 22, 2018, 4:36:35 AM
to Wazuh mailing list
Hi Alberto,
Thanks for your reply and suggested workarounds. It turns out the logs rarely rotate more than twice. As such, can you tell me, will this work? I appreciate this isn't the best solution!

<location>C:\Program Files/Microsoft/Exchange Server/V15/TransportRoles/Logs/MessageTracking/MSGTRK%Y%m%d%h-1.log</location>
<location>C:\Program Files/Microsoft/Exchange Server/V15/TransportRoles/Logs/MessageTracking/MSGTRK%Y%m%d%h-2.log</location>
<location>C:\Program Files/Microsoft/Exchange Server/V15/TransportRoles/Logs/MessageTracking/MSGTRK%Y%m%d%h-3.log</location>

James

alberto....@wazuh.com

Feb 22, 2018, 10:54:40 AM
to Wazuh mailing list
Hello James

This configuration is not enough because the agent will not recognize dynamically if a new file to monitor is added. But we could configure an active response so that, if a new file is created in our folder, the agent will be restarted. This way allows the agent to take the newly created files and monitor them.

This configuration must be placed on Manager ossec.conf:

<active-response>
  <command>restart-ossec</command>
  <location>defined-agent</location>
  <agent_id>003</agent_id>
  <rules_id>100005</rules_id>
</active-response>

As you can see in the configuration, the command to restart the agent will be executed on agent 003 (replace with your ID) if an alert 100005 (file added) is raised, on the agent that triggered the alert (defined-agent). Normally the rule_id could be 554, which is the official one. But I recommend you to create a custom rule like this:

<group name="customexchange,">
  <rule id="100005" level="5">
    <if_sid>554</if_sid>
    <match>Users\alber\test</match>
    <description>A new Exchange log file has been added</description>
  </rule>
</group>

This custom rule will be triggered when the path of the file matches the path in which I have configured Syscheck for Exchange. This custom rule allows you to have 554 alerts (file added) in other places of your system, and the agent will be restarted only in cases of a new Exchange log file being added.

Please, let us know if you need further assistance. 

Best regards, 
Alberto R. 
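The piece the reply above leaves implicit is the Syscheck configuration that makes rule 554 fire for the Exchange folder in the first place. The following agent.conf fragment is an added example, not from the thread or the Wazuh project: it monitors the MessageTracking directory in realtime so a new MSGTRK file is reported within seconds rather than at the next scheduled scan, and keeps the per-file <location> entries from James's message. The group name and the use of alert_new_files are assumptions; the <match> in the custom rule above would then need to contain a piece of this path (for example MessageTracking) instead of Users\alber\test.

```xml
<!-- Added example (not from the thread): agent.conf on the manager for the Exchange agents -->
<agent_config name="exsrv1|exsrv2|exsrv3">
  <syscheck>
    <!-- realtime: report the new MSGTRK file as it appears, so rule 554 -> 100005 -> restart happens promptly -->
    <directories realtime="yes" check_all="yes">C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking</directories>
    <!-- make sure "file added" (554) events are alerted at all -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>

  <!-- the files the agent follows after each restart (same entries as in the thread) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK%Y%m%d-1.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK%Y%m%d-2.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK%Y%m%d-3.log</location>
  </localfile>
</agent_config>
```

Two things to check after deploying it: that the 554 alert for a test file created in that folder actually shows the full path in the alert text (that is what the custom rule's <match> is tested against), and that the restart-ossec active response is allowed on the Windows agents, since every restart briefly stops log collection for all of that agent's localfile entries, not just the Exchange ones.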