

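[exchange-client-access-server-status(5)]
# Rolls one CPU / memory sample up into a per-host status for Client Access servers.
# CPUNow > 95 -> Critical, > 89 -> Warning; MemoryNow < 2000 -> Critical, < 5000 -> Warning
# (MemoryNow is presumably MB, matching the "Available MBytes" counter in core-counters -- confirm).
# A missing sample gives "unknown" for that component. NetworkNow, RPCRequestsNow and
# OWAUserCountNow are accepted for interface compatibility but are not used here.
# The trailing 1==1 branch is the explicit default: case() returns null when nothing matches,
# which previously dropped cpustatus/memorystatus entirely for healthy hosts.
# NOTE: an "unknown" component still yields status="OK" (no data reads as healthy); consumers
# that must tell the two apart need to look at cpustatus/memorystatus themselves.
args = CPUNow, MemoryNow, NetworkNow, RPCRequestsNow, OWAUserCountNow
definition = eval cpustatus=case(CPUNow > 95, "Critical", CPUNow > 89, "Warning", isnull(CPUNow), "unknown", 1==1, "OK") | eval memorystatus=case(MemoryNow < 2000, "Critical", MemoryNow < 5000, "Warning", isnull(MemoryNow), "unknown", 1==1, "OK") | eval status=case(cpustatus=="Critical" OR memorystatus=="Critical", "Critical", cpustatus=="Warning" OR memorystatus=="Warning", "Warning", 1==1, "OK")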
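[exchange-hub-transport-status(4)]
# Rolls one CPU / memory sample up into a per-host status for Hub Transport servers.
# CPUNow > 95 -> Critical, > 89 -> Warning; MemoryNow < 2000 -> Critical, < 5000 -> Warning
# (MemoryNow is presumably MB, matching the "Available MBytes" counter in core-counters -- confirm).
# A missing sample gives "unknown" for that component. NetworkNow and MessagesNow are accepted
# for interface compatibility but are not used here.
# The trailing 1==1 branch is the explicit default: case() returns null when nothing matches,
# which previously dropped cpustatus/memorystatus entirely for healthy hosts.
# NOTE: an "unknown" component still yields status="OK" (no data reads as healthy).
args = CPUNow, MemoryNow, NetworkNow, MessagesNow
definition = eval cpustatus=case(CPUNow > 95, "Critical", CPUNow > 89, "Warning", isnull(CPUNow), "unknown", 1==1, "OK") | eval memorystatus=case(MemoryNow < 2000, "Critical", MemoryNow < 5000, "Warning", isnull(MemoryNow), "unknown", 1==1, "OK") | eval status=case(cpustatus=="Critical" OR memorystatus=="Critical", "Critical", cpustatus=="Warning" OR memorystatus=="Warning", "Warning", 1==1, "OK")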
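[exchange-mail-server-status(4)]
# Rolls one CPU / memory sample up into a per-host status for Mailbox servers.
# CPUNow > 95 -> Critical, > 89 -> Warning; MemoryNow < 2000 -> Critical, < 5000 -> Warning
# (MemoryNow is presumably MB, matching the "Available MBytes" counter in core-counters -- confirm).
# A missing sample gives "unknown" for that component. NetworkNow and RPCRequestsNow are accepted
# for interface compatibility but are not used here.
# The trailing 1==1 branch is the explicit default: case() returns null when nothing matches,
# which previously dropped cpustatus/memorystatus entirely for healthy hosts.
# NOTE: an "unknown" component still yields status="OK" (no data reads as healthy).
args = CPUNow, MemoryNow, NetworkNow, RPCRequestsNow
definition = eval cpustatus=case(CPUNow > 95, "Critical", CPUNow > 89, "Warning", isnull(CPUNow), "unknown", 1==1, "OK") | eval memorystatus=case(MemoryNow < 2000, "Critical", MemoryNow < 5000, "Warning", isnull(MemoryNow), "unknown", 1==1, "OK") | eval status=case(cpustatus=="Critical" OR memorystatus=="Critical", "Critical", cpustatus=="Warning" OR memorystatus=="Warning", "Warning", 1==1, "OK")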
[core-counters]
# Perfmon filter for the host-level counters the status macros consume: available memory (MB),
# total processor time, and total NIC throughput with the isatap/Teredo tunnel adapters excluded.
definition = (object="Memory" counter="Available MBytes") OR (object="Processor" counter="% Processor Time" instance="_Total") OR (object="Network Interface" counter="Bytes Total/sec" NOT (instance="isatap.*" OR instance="Teredo*"))
[pop-imap-counters]
# Perfmon filter selecting every counter of the Exchange POP3 and IMAP4 objects.
definition = (object="MSExchangePop3" OR object="MSExchangeImap4")
[cas-counters]
# Perfmon filter for Client Access load: store RPC client backoff plus, for any "MSExchange *"
# object, the response-time and request/operation-rate counters.
definition = (object="MSExchangeIS" counter="RPC Client Backoff/sec") OR (object="MSExchange *" (counter="Average Response Time" OR counter="Requests/sec" OR counter="*Requests per Second" OR counter="*Operations/sec"))
[hub-qlen-counters]
# Perfmon filter for the aggregate ("_total" instance) transport queue counters.
definition = (object="MSExchangeTransport Queues" instance="_total")
[store-calendar-counters]
# Perfmon filter for the calendaring objects (Resource Booking, Calendar Attendant).
definition = (object="MSExchange Resource Booking" OR object="MSExchange Calendar Attendant")
[fix-unlimited-value(1)]
# Rewrites an empty-string value of field $var$ to the literal "Unlimited" in place.
# NOTE(review): a field that is absent (null) is left untouched, because null=="" is not true;
# confirm that callers only ever see "" rather than a missing field for unlimited quotas.
args = var
definition = eval $var$=if($var$=="","Unlimited",$var$)
[msperfmon-windows-index]
# Index scoping: union of the perfmon and Windows event index eventtypes.
definition = eventtype=msperfmon-index OR eventtype=windows-index
[fix-sender-case]
# Lower-cases the sender address fields so that later grouping / stats on sender are
# case-insensitive (address case varies between message-tracking events).
definition = eval sender=lower(sender)|eval sender_domain=lower(sender_domain)|eval sender_username=lower(sender_username)
[msgtrack-inbound-messages]
# Exchange ONLY system
# Inbound SMTP messages with normalised sender/recipient case, reduced to the tracking columns.
# Identical to msgtrack-inbound-senderip; keep the two in step if either changes.
definition = eventtype=smtp-inbound|`fix-sender-case`|`fix-recipient-case`|table _time,message_id,cs_ip,sender,sender_domain,recipient_count,recipients,total_bytes
[fix-recipient-case]
# Lower-cases the recipient address fields; companion of fix-sender-case.
definition = eval recipients=lower(recipients)|eval recipient=lower(recipient)|eval recipient_domain=lower(recipient_domain)|eval recipient_username=lower(recipient_username)
[msgtrack-inbound-senderip]
# Inbound SMTP messages keyed for per-sender-IP (cs_ip) views.
# Definition is identical to msgtrack-inbound-messages; kept as a separate name for the callers.
definition = eventtype=smtp-inbound|`fix-sender-case`|`fix-recipient-case`|table _time,message_id,cs_ip,sender,sender_domain,recipient_count,recipients,total_bytes
[msgtrack-outbound-messages]
# Exchange ONLY system
# Outbound SMTP messages; the sender is recovered from the matching storedriver-receive event
# via a join on message_id (joins are bounded by subsearch limits -- verify on busy systems).
# sc_ip (the next-hop server) is reported, unlike the inbound macros which report cs_ip.
definition = eventtype=smtp-outbound|join message_id [search eventtype=storedriver-receive|fields message_id,sender]|`fix-sender-case`|`fix-recipient-case`|table _time,message_id,sc_ip,sender,recipient_count,recipients,total_bytes
[msgtrack-outbound-clientip]
# Outbound SMTP messages keyed by the submitting client address (cs_ip), no sender join.
definition = eventtype=smtp-outbound|`fix-sender-case`|`fix-recipient-case`|table _time,message_id,cs_ip,sender,sender_domain,recipient_count,recipients,total_bytes
[msgtrack-internal-messages]
# Internal (store-to-store) deliveries, with the sender recovered from the storedriver-receive
# event via a join on message_id (subject to subsearch limits -- verify on busy systems).
definition = eventtype=storedriver-deliver|join message_id [search eventtype=storedriver-receive|fields message_id,sender]|`fix-sender-case`|`fix-recipient-case`|table _time,message_id,cs_ip,sender,recipient_count,recipients,total_bytes
[track-message-by-username(1)]
# Message-tracking transactions where $user$ is the sender or a recipient, tagged with Direction.
# total_kb uses the last total_bytes value of the transaction; msgcount=1 supports later sums.
args = user
definition = `all-messages-as-transactions`|search (sender="$user$" OR recipient="$user$")|`find-msg-direction`|eval total_kb=tonumber(mvindex(total_bytes,-1))/1024|eval msgcount=1|`fix-sender-case`|`fix-recipient-case`
[all-messages-as-transactions]
# Groups message-tracking events into one transaction per message_id (15 minute span cap);
# keepevicted=t retains incomplete groups so partial message histories are not lost.
definition = eventtype=msexchange-msgtrack|transaction message_id keepevicted=t maxspan=15m
[find-msg-direction]
# Derives Direction from which store-driver events a message transaction contains:
# deliver + receive -> Internal, deliver only -> Inbound, receive only -> Outbound, neither -> Failed.
definition = eval inbound=if(eventtype=="storedriver-deliver",1,0)|eval outbound=if(eventtype=="storedriver-receive",1,0)|eval inout=inbound+outbound|eval Direction=case(inout==2,"Internal",inbound==1,"Inbound",outbound==1,"Outbound",isnotnull(inout),"Failed")
[track-message-by-ipaddress(1)]
# Message-tracking transactions that touched $ip$ as client (cs_ip) or server (ss_ip) address.
args = ip
definition = `all-messages-as-transactions`|search (cs_ip="$ip$" OR ss_ip="$ip$")|`find-msg-direction`|eval total_kb=tonumber(mvindex(total_bytes,-1))/1024|eval msgcount=1|`fix-sender-case`|`fix-recipient-case`
[track-message-by-domain(1)]
# Message-tracking transactions where $domain$ is the sender's or a recipient's domain.
args = domain
definition = `all-messages-as-transactions`|search (sender_domain="$domain$" OR recipient_domain="$domain$")|`find-msg-direction`|eval total_kb=tonumber(mvindex(total_bytes,-1))/1024|eval msgcount=1|`fix-sender-case`|`fix-recipient-case`
[msgtrack-onemessage(1)]
# All tracking events for a single message_id.
args=msgid
definition = eventtype=msexchange-msgtrack message_id="$msgid$"
[next-hop-view]
# Builds a human-readable "nexthop" label per tracking event from source_id-event_id
# (deliver -> recipient on server, receive -> client:sender, SMTP send/receive/transfer -> peer IPs).
# Blank cs_ip/sc_ip are shown as "-"; any other source/event pair maps to "-" as well.
definition = eval srcevt=source_id."-".event_id|eval cs_ip=if(length(cs_ip)>0,cs_ip,"-")|eval sc_ip=if(length(sc_ip)>0,sc_ip,"-")|eval nexthop=case(srcevt=="DUPLICATE-DELIVER","To: ".recipient." on ".server_hostname,srcevt=="STOREDRIVER-DELIVER","To: ".recipient." on ".server_hostname,srcevt=="STOREDRIVER-RECEIVE",cs_ip.":".sender,srcevt=="SMTP-RECEIVE","From:".cs_ip,srcevt=="SMTP-SEND","To:".ss_ip,srcevt=="SMTP-TRANSFER",cs_ip." to ".sc_ip,srcevt!="","-")
[mailbox-info-for-user(1)]
# Mailbox-usage events for one user: the User field is normalised through `normalize_user`
# and then matched against $username$ as user_subject.
args = username
definition = eventtype=msexchange-mailbox-usage| eval cs_username = User | `normalize_user` | search user_subject="$username$"
[normalize_user]
# Canonicalises cs_username into user_subject (local@domain) so every client/mailbox macro
# groups on the same identity. Steps: map cs_username via the ad_username lookup; split the
# domain alias off user_subject; resolve the alias through the domain_alias lookup; if that
# misses, fall back to the reserved "unqualifiedDomain-Reserved" entry only when the alias is
# literally "unknown", else keep the alias as the domain; finally rebuild user_subject.
# Both lookups run with local=t. Lines below use backslash continuation; keep comments above.
definition = lookup local=t ad_username cs_username output user_subject \
| eval user_subject_parts = split(user_subject, "@") \
| eval domainAlias = lower(mvindex(user_subject_parts, 1)) \
| lookup local=t domain_alias _key as domainAlias output domain \
| eval unqualifiedDomainAlias = "unqualifiedDomain-Reserved" \
| lookup local=t domain_alias _key as unqualifiedDomainAlias output domain as unqualifiedDomain \
| eval domain = if (isnull(domain), \
if(isnotnull(unqualifiedDomain) AND domainAlias == "unknown", \
unqualifiedDomain, \
domainAlias \
), \
domain) \
| eval user_subject = if (\
isnotnull(domain), \
mvindex(user_subject_parts, 0) . "@" . domain, \
user_subject \
)
[single-client-events-for-user(2)]
# Client usage events of one access type (eventtype client-$type$-usage) for $username$;
# RemoteUser is preferred over cs_username when present before normalisation.
args = type,username
definition = eventtype=client-$type$-usage|eval cs_username=if(length(RemoteUser)>0,RemoteUser,cs_username)| `normalize_user` |search user_subject="$username$"
[msexchange-user-stats(1)]
# Property/Value table for a user: mailbox stats followed (via append) by inbox-rule stats.
args = username
definition = `msexchange-mailbox-user-stats("$username$")`|append [search `msexchange-mailbox-rules-stats("$username$")`]
[msexchange-mailbox-rules-stats(1)]
# Inbox-rule summary for $username$: distinct rule count, total rule size and the rule quota,
# deduplicated on InternalRuleID and transposed into Properties/Values rows.
args = username
definition = eventtype="msexchange-inbox-rules"|rename Mailbox as cs_username| `normalize_user` |search user_subject="$username$"|dedup InternalRuleID|stats dc(InternalRuleID) as RuleCount,sum(Length) as RuleSize, max(Quota) as RuleQuota | transpose | rename column as Properties, "row 1" as Values
[msexchange-mailbox-user-stats(1)]
# Latest mailbox properties for $username$ (database, litigation hold, throttling policy, size)
# transposed into Properties/Values rows.
# NOTE(review): MailboxSize divides TotalItemSize by 1024^3, which assumes bytes -- confirm;
# the "Gb" suffix reads as gigabits where gigabytes ("GB") is presumably meant.
args = username
definition = eventtype="msexchange-mailbox-usage"|rename User as cs_username| `normalize_user` |search user_subject="$username$"|stats latest(Database) as Database,latest(LitigationHoldEnabled) as LitigationHold,latest(ThrottlingPolicy) as ThrottlingPolicy,latest(TotalItemSize) as MailboxSize|eval MailboxSize=round(MailboxSize/(1024*1024*1024), 3)."Gb" | transpose | rename column as Properties, "row 1" as Values
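[is-internal-ip(1)]
# Evaluates to 1 when $ip$ is RFC 1918 private (10/8, 172.16/12, 192.168/16) or IPv6
# link-local (fe80:...), else 0 (the isint(1) branch is the default).
# Presumably behind the internal/external event split in the client summaries -- confirm;
# a miss here shows up as traffic misattributed as external.
# The IPv6 test is a case-insensitive regex: eval's == is an exact string comparison and does
# not expand "*", so the former $ip$=="FE80:*" could never match.
# Loopback (127/8) and IPv4 link-local (169.254/16) are deliberately not classed as internal.
args = ip
definition = case(cidrmatch("10.0.0.0/8",$ip$),1,cidrmatch("172.16.0.0/12",$ip$),1,cidrmatch("192.168.0.0/16",$ip$),1,match($ip$,"^(?i)fe80:"),1,isint(1),0)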
[client-outlook-events]
# Outlook client events: native outlook usage plus EWS requests whose user agent names Outlook.
# Machine accounts (names containing "$") and the "-" placeholder user are excluded; User and
# Address override cs_username / c_ip when present; RpcC defaults to 1; browser fields come
# from the useragent lookup.
definition = (eventtype=client-outlook-usage OR (eventtype=client-ews-usage cs_user_agent="*+Outlook+*")) NOT (cs_username="*\$*" OR cs_username="-")|eval cs_username=if(length(User)>0,User,cs_username)|eval RpcC=if(RpcC>0,RpcC,1)|eval c_ip=if(length(Address)>0,Address,c_ip)| `normalize_user` | lookup useragent cs_user_agent OUTPUT browser, browserversion | table _time,cs_username,user_subject,c_ip,browser,browserversion,RpcC
[client-outlook-webaccess-events]
# Successful (sc_status=200) OWA requests, excluding machine accounts and the "-" user.
definition = eventtype=client-owa-usage sc_status=200 NOT (cs_username="*\$*" OR cs_username="-")| `normalize_user` |table _time,c_ip,cs_username,user_subject,cs_user_agent
[client-activesync-events]
# Successful ActiveSync Sync commands with device identity, excluding machine accounts and "-".
definition = eventtype=client-activesync-usage sc_status=200 Cmd="Sync" NOT (cs_username="*\$*" OR cs_username="-")| `normalize_user` |table _time,c_ip,cs_username,user_subject,cs_user_agent,DeviceId,DeviceType,cs_uri_query
[client-outlook-anywhere-events]
# Successful Outlook Anywhere (RPC over HTTP) requests, excluding machine accounts and "-".
definition = eventtype=client-outlookanywhere-usage sc_status=200 NOT (cs_username="*\$*" OR cs_username="-")| `normalize_user` |table _time,cs_username,user_subject,c_ip
[client-ews-events]
# EWS requests, excluding machine accounts and "-". client is raw_client with "+" unescaped to
# spaces; RpcC is replaced by MailboxRPCRequests when that is positive. The lookup and evals run
# after `table`, so only the listed fields survive into them.
definition = eventtype=client-ews-usage NOT (cs_username="*\$*" OR cs_username="-") | `normalize_user` | table _time,cs_username,user_subject,cs_user_agent,c_ip,MailboxRPCRequests,RpcC,raw_client | eval client=replace(raw_client,"\+"," ") | lookup useragent cs_user_agent OUTPUT browser,browserversion | eval RpcC=if(MailboxRPCRequests>0,MailboxRPCRequests,RpcC)
[client-pop-imap-events]
# POP/IMAP events; cs_username is assembled as DOMAIN\user from the last Account_Domain and
# Account_Name values before normalisation.
definition = eventtype=client-popimap-usage|eval cs_username=mvindex(Account_Domain,-1)."\\".mvindex(Account_Name,-1)| `normalize_user` |table _time,cs_username,user_subject,ProtocolServiceName
[client-pop-imap-events(1)]
# One-argument variant of client-pop-imap-events restricted to ProtocolServiceName=$protocol$.
args=protocol
definition = eventtype=client-popimap-usage ProtocolServiceName="$protocol$"|eval cs_username=mvindex(Account_Domain,-1)."\\".mvindex(Account_Name,-1)| `normalize_user` |table _time,ProtocolServiceName,cs_username,user_subject
[clients-environment-report]
# Rolls the summary-client-users events up to total/internal/external event counts per
# user_subject and AccessMethod.
definition = eventtype=summary-client-users|stats sum(totalevents) as totalevents,sum(internalevents) as internalevents,sum(externalevents) as externalevents by user_subject,AccessMethod
[all-client-events-for-user(1)]
# Every client-*-usage event for $username$, with POP/IMAP usernames rebuilt as DOMAIN\user
# before normalisation and AccessMethod attached by `eval-access-method`.
args = username
definition = eventtype="client-*-usage"|eval PopImapUser=mvindex(Account_Domain,-1)."\\".mvindex(Account_Name,-1)|eval cs_username=if(eventtype=="client-popimap-usage",PopImapUser,cs_username)| `normalize_user` |search user_subject="$username$"|`eval-access-method`
[eval-access-method]
# Maps eventtype to a display AccessMethod. For EWS and Autodiscover the method is the user-agent
# text before the first "(" (with "+" unescaped); POP/IMAP use ProtocolServiceName. Events of
# any other eventtype get no AccessMethod.
definition = rex field=cs_user_agent "(?<OutlookMethod>[^\(]+)\("|eval OutlookMethod=replace(OutlookMethod,"\+"," ")|eval AccessMethod=case(eventtype=="client-popimap-usage",ProtocolServiceName,eventtype=="client-activesync-usage","ActiveSync",eventtype=="client-owa-usage","Outlook Web Access",eventtype=="client-outlookanywhere-usage","Outlook Anywhere",eventtype=="client-outlook-usage","Outlook",eventtype=="client-ews-usage",OutlookMethod,eventtype=="client-autodiscover-usage",OutlookMethod)
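[internal-spammer(2)]
# Flags internal senders whose submissions exceed both an absolute recipient count ($msgs$)
# and an hourly recipient rate ($rate$), from storedriver-receive events.
# n = recipients summed per sender; e / l = first / last submission time in the search window;
# rate = recipients per hour (the "Message Rate" column is therefore recipients, not messages).
# The window is floored to one second so a sender whose messages all carry the same timestamp
# (l-e == 0) is not dropped: a division by zero yields null, which the where clause discards.
args = msgs,rate
definition = eventtype=storedriver-receive|stats earliest(_time) as e,latest(_time) as l,sum(recipient_count) as n by sender|eval rate=(n/max(l-e,1))*3600|where n>$msgs$ and rate>$rate$|table sender,n,rate|rename sender as Sender,n as "Recipients",rate as "Message Rate"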
[multimailboxsearch]
# Admin-audit trail for multi-mailbox search activity: additions to the Discovery Management
# role group, Search-Mailbox, and any *-MailboxSearch cmdlet. Review-worthy because these grant
# or exercise read access to other users' mail. Multi-line Error text is split into values.
definition = eventtype=msexchange-admin-audit ((Cmdlet="Add-RoleGroupMember" CmdletParam="-Identity 'Discovery Management'") OR Cmdlet="Search-Mailbox" OR Cmdlet="*-MailboxSearch")|eval Error=split(Error,"\n")|table _time,host,User,Cmdlet,CmdletParam,Success,Error|rename host as "Server",CmdletParam as "Parameters"
[noma-report]
# Non-owner mailbox access: mailbox-audit events whose LogonType is anything but Owner
# (delegate / admin access), deduplicated per timestamp, folder and identity, with the
# accessing user, process and IP exposed as "Actor" columns.
definition = eventtype=msexchange-mailbox-audit NOT LogonType="Owner"|dedup _time,FolderId,Identity|table _time,MailboxOwnerUPN,LogonType,Operation,FolderPathName,ClientIPAddress,ClientProcessName,LogonUserDisplayName|rename MailboxOwnerUPN as MailboxOwner,FolderPathName as Folder,ClientIPAddress as "Actor IP Address",ClientProcessName as "Actor Process",LogonUserDisplayName as "Actor Name"
[store-counters]
# Perfmon filter for mailbox-store health: database I/O read/write rates, RPC averaged latency
# and RPC operation rate, messages/sec and the store user count.
definition = (object="MSExchange Database" (counter="I/O * Writes/sec" OR counter="I/O * Reads/sec")) OR (object="MSExchangeIS" counter="RPC Averaged Latency" instance="_Total") OR (object="MSExchangeIS Mailbox" counter="Messages */sec" instance="_Total") OR (object="MSExchangeIS" counter="User Count") OR (object="MSExchangeIS" counter="RPC Operations/sec")
[unused-mailboxes-report]
# Mailboxes that only received mail in the search window: each deliver/receive event is
# expanded per user (recipient for deliveries, sender for receives), normalised, and kept when
# the only message type seen is "Inbound". Reports the last received time in "%c" format.
definition = eventtype=storedriver-deliver OR eventtype=storedriver-receive|fields _time,sender,recipient,eventtype|eval user=if(eventtype=="storedriver-deliver",recipient,sender)|eval msgtype=if(eventtype=="storedriver-deliver","Inbound","Outbound")|mvexpand user| eval cs_username = user | `normalize_user` |stats latest(_time) as ll,dc(msgtype) as dc,values(msgtype) as msgtypes by user_subject|eval ll=strftime(ll,"%c")|where dc==1 AND msgtypes=="Inbound"|rename ll as "Last Received Message",user_subject as "Username"
[msgs-per-hr-gauge]
# Gauge visualisation of count with range boundaries 0 / 1000 / 3500 / 5000 (messages per hour).
definition = gauge count 0 1000 3500 5000