exchange-smtp-logs Log Parser

« exchange-smtp-logs »
v0.2 by crowdsecurity
Log parser

Parse exchange SMTP logs

Installation

cscli parsers install crowdsecurity/exchange-smtp-logs

Description

A parser for exchange SMTP protocol logs.

YAML Configuration

1filter: "evt.Parsed.program == 'exchange-smtp'"
2onsuccess: next_stage
3#debug: true
4name: crowdsecurity/exchange-smtp-logs
5description: "Parse exchange SMTP logs"
6#date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
7#2022-04-28T13:24:50.200Z,EXCHANGE-1\Default Frontend EXCHANGE-1,08DA28A9AF671267,15,192.168.9.241:25,192.168.9.212:28657,>,535 5.7.3 Authentication unsuccessful,
8grok:
9  pattern: "%{TIMESTAMP_ISO8601:date},%{DATA:connector_id},%{DATA:session_id},%{INT:sequence_number},%{IPORHOST:server_ip}:%{INT:server_port},%{IPORHOST:client_ip}:%{INT:client_port},%{DATA:event},%{INT:smtp_code} [^ ]+ %{DATA:smtp_message},"
10  apply_on: message
11statics:
12  - target: evt.StrTime
13    expression: evt.Parsed.date
14  - meta: source_ip
15    expression: evt.Parsed.client_ip
16  - meta: smtp_message
17    expression: evt.Parsed.smtp_message
18  - meta: service
19    value: exchange
20  - meta: log_type
21    value: smtp
22  - meta: sub_type
23    value: auth_fail

Hub configuration

« exchange-smtp-logs »v0.2 by crowdsecurityLog parser

« exchange-smtp-logs »
v0.2 by crowdsecurity
Log parser