
###### Add Host value for Standard Windows Performance Counter Information ######
## Perfmon and WMI:Perfmon sources: expose the event's host as "Host".
[source::(Perfmon|WMI:Perfmon)...]
FIELDALIAS-Host_for_windows_perfmon = host as Host
## Any source whose name contains "Perfmon": build the component* fields from
## object/counter/instance/Value and resolve the Exchange host through a lookup.
[source::...Perfmon...]
# componentId is the literal "Perfmon-" joined with object and counter ("Perfmon-<object>-<counter>")
EVAL-componentId = "Perfmon-" . object . "-" . counter
EVAL-componentInstance = instance
EVAL-componentValue = Value
# hostInformation lookup keyed on host; OUTPUT (not OUTPUTNEW) overwrites any existing ms_exchange_host
LOOKUP-exc_host = hostInformation host OUTPUT ms_exchange_host
## Same host lookup for sources whose name contains "service" or "process".
[source::...(service|process)...]
LOOKUP-exc_host = hostInformation host OUTPUT ms_exchange_host
## WinHostMon sourcetype: map host-monitor records onto the same component* fields.
[WinHostMon]
EVAL-componentId = "WinHostMon-" . Name
EVAL-componentInstance = Path
# 1 when a Process row carries no State, or a Service row reports State "Running"; otherwise 0
EVAL-componentValue = if((isnull(State) AND Type == "Process") OR (State == "Running" AND Type == "Service"), 1, 0)
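## Exchange topology exports (one stanza per Exchange version). Each line is an
## event (no line merging) and no header row is detected. MajorVersion is the
## leading "major.minor" of the quoted ProductVersion value.
## Spacing around "=" normalised to the "key = value" form used elsewhere in
## this file; Splunk trims the surrounding whitespace either way.
[MSExchange:2007:Topology]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
EXTRACT-mv = ProductVersion="(?<MajorVersion>\d+\.\d+)
[MSExchange:2010:Topology]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
EXTRACT-mv = ProductVersion="(?<MajorVersion>\d+\.\d+)
[MSExchange:2013:Topology]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
EXTRACT-mv = ProductVersion="(?<MajorVersion>\d+\.\d+)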
## Exchange mailbox-usage exports (one stanza per Exchange version). Each line
## is an event, no header row is detected, and the User field is also exposed
## as Username.
[MSExchange:2007:Mailbox-Usage]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
FIELDALIAS-Username = User as Username
[MSExchange:2010:Mailbox-Usage]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
FIELDALIAS-Username = User as Username
[MSExchange:2013:Mailbox-Usage]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
FIELDALIAS-Username = User as Username
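## Exchange database statistics (one stanza per Exchange version) plus the
## reputation feed. Each line is an event; no header row is detected.
## Spacing around "=" normalised to the "key = value" form used elsewhere in
## this file; Splunk trims the surrounding whitespace either way.
[MSExchange:2007:Database-Stats]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
## 2010/2013: ISO 8601 timestamp with a colon-separated UTC offset (%:z) at the
## start of each line; lookahead is capped at 26 characters so nothing later in
## the line is mistaken for a timestamp. NO_BINARY_CHECK indexes files the
## binary-content heuristic would otherwise skip.
## NOTE(review): the 2007 stanza has no TIME_* settings, so its timestamps are
## auto-detected - confirm the 2007 export really uses a different format.
[MSExchange:2010:Database-Stats]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%:z
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 26
NO_BINARY_CHECK = true
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
[MSExchange:2013:Database-Stats]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%:z
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 26
NO_BINARY_CHECK = true
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
## Reputation data: no CHARSET override, so the default character set applies.
[MSExchange:Reputation]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false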
## XML-format Application event log: Status is exposed as Error_Code, a missing
## Error_Code becomes "-" (FIELDALIAS runs before EVAL, EVAL before LOOKUP), and
## EventCode + Error_Code are mapped to action/status through a lookup.
[source::XmlWinEventLog:Application]
FIELDALIAS-Status_as_Error_Code = Status AS Error_Code
EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code)
## The two disabled lookups below appear to be earlier single-input and
## multi-input variants of the EventCode/Error_Code lookup that follows them;
## kept disabled for reference only.
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
FIELDALIAS-dest_for_xmlwineventlog_application = Computer AS dest
###### All Windows Event Log ######
###### Windows Application Event Log ######
## All Windows Application
[source::WinEventLog:Application]
# dest is ComputerName when present, otherwise Computer
EVAL-dest = coalesce('ComputerName','Computer')
## Below Extractions are for XmlWinEventLog:Application and have been kept for backward compatibility
## (same Status -> Error_Code alias, "-" default and EventCode/Error_Code lookup as the
## [source::XmlWinEventLog:Application] stanza; the disabled lines appear to be earlier variants)
FIELDALIAS-Status_as_Error_Code = Status AS Error_Code
EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code)
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
## Below field extractions have been moved from [source::*:Security] and [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
## WMI-collected Application event log: CIM-style aliases and lookups.
[WMI:WinEventLog:Application]
# signature_id -> CategoryString/action/result (OUTPUTNEW: values already present are kept)
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
# severity is looked up by EventCode first and by Type second: the 0/1 prefix fixes
# that order (Splunk applies LOOKUP- entries in ASCII order) and OUTPUTNEW keeps the first hit
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStatus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
## (EVAL runs after FIELDALIAS and before LOOKUP, so the lookups above see this value)
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
FIELDALIAS-dest_for_wmi = ComputerName AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
###### Backward Compatibility ######
## Perfmon Disk Space
# "Perfmon:FreeDiskSpace" sourcetype is created from perfmon.conf.
## Exchange 2007 message-tracking logs. Version-specific parsing comes from the
## msexchange2007msgtrack-fields transform; the remaining lines map the result
## onto CIM email fields and are identical across the 2007/2010/2013 stanzas.
[MSExchange:2007:MessageTracking]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = msexchange2007msgtrack-fields,msgtrack-extract-psender,msgtrack-psender,msgtrack-sender,msgtrack-recipients,msgtrack-recipient
# index-time transform; the name suggests it discards comment lines
TRANSFORMS-comments = ignore_comments
FIELDALIAS-server_hostname_as_dest = server_hostname AS dest
FIELDALIAS-host_as_dvc = host AS dvc
# src and orig_src are both the original client IP, falling back to cs_ip
EVAL-src = coalesce(original_client_ip,cs_ip)
EVAL-product = "Exchange"
EVAL-vendor = "Microsoft"
# OUTPUT (not OUTPUTNEW): an existing action field is overwritten
LOOKUP-event_id_to_action = event_id_to_action_lookup event_id OUTPUT action
# NOTE(review): FIELDALIAS runs before EVAL, so user is the raw sender_username,
# not the psender-coalesced value assigned to sender_username below - confirm intended
FIELDALIAS-user = sender_username AS user
FIELDALIAS-orig_dest = ss_ip AS orig_dest
FIELDALIAS-dest_ip = ss_ip AS dest_ip
FIELDALIAS-return_addr = return_path AS return_addr
FIELDALIAS-size = message_size AS size
FIELDALIAS-subject = message_subject AS subject
EVAL-orig_src = coalesce(original_client_ip,cs_ip)
EVAL-protocol = "SMTP"
EVAL-vendor_product = "Microsoft Exchange"
# sender/src_user and the sender_* fields prefer the purported (p*) values when extracted
EVAL-sender = coalesce(PurportedSender,sender)
EVAL-src_user = coalesce(PurportedSender,sender)
EVAL-sender_username = coalesce(psender_username,sender_username)
EVAL-sender_domain = coalesce(psender_domain,sender_domain)
## Exchange 2010 message-tracking logs. Version-specific parsing comes from the
## msexchange2010msgtrack-fields transform; the remaining lines map the result
## onto CIM email fields and are identical across the 2007/2010/2013 stanzas.
[MSExchange:2010:MessageTracking]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = msexchange2010msgtrack-fields,msgtrack-extract-psender,msgtrack-psender,msgtrack-sender,msgtrack-recipients,msgtrack-recipient
# index-time transform; the name suggests it discards comment lines
TRANSFORMS-comments = ignore_comments
FIELDALIAS-server_hostname_as_dest = server_hostname AS dest
FIELDALIAS-host_as_dvc = host AS dvc
# src and orig_src are both the original client IP, falling back to cs_ip
EVAL-src = coalesce(original_client_ip,cs_ip)
EVAL-product = "Exchange"
EVAL-vendor = "Microsoft"
# OUTPUT (not OUTPUTNEW): an existing action field is overwritten
LOOKUP-event_id_to_action = event_id_to_action_lookup event_id OUTPUT action
# NOTE(review): FIELDALIAS runs before EVAL, so user is the raw sender_username,
# not the psender-coalesced value assigned to sender_username below - confirm intended
FIELDALIAS-user = sender_username AS user
FIELDALIAS-orig_dest = ss_ip AS orig_dest
FIELDALIAS-dest_ip = ss_ip AS dest_ip
FIELDALIAS-return_addr = return_path AS return_addr
FIELDALIAS-size = message_size AS size
FIELDALIAS-subject = message_subject AS subject
EVAL-orig_src = coalesce(original_client_ip,cs_ip)
EVAL-protocol = "SMTP"
EVAL-vendor_product = "Microsoft Exchange"
# sender/src_user and the sender_* fields prefer the purported (p*) values when extracted
EVAL-sender = coalesce(PurportedSender,sender)
EVAL-src_user = coalesce(PurportedSender,sender)
EVAL-sender_username = coalesce(psender_username,sender_username)
EVAL-sender_domain = coalesce(psender_domain,sender_domain)
## Exchange 2013 message-tracking logs. Version-specific parsing comes from the
## msexchange2013msgtrack-fields transform; the remaining lines map the result
## onto CIM email fields and are identical across the 2007/2010/2013 stanzas.
[MSExchange:2013:MessageTracking]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = msexchange2013msgtrack-fields,msgtrack-extract-psender,msgtrack-psender,msgtrack-sender,msgtrack-recipients,msgtrack-recipient
# index-time transform; the name suggests it discards comment lines
TRANSFORMS-comments = ignore_comments
FIELDALIAS-server_hostname_as_dest = server_hostname AS dest
FIELDALIAS-host_as_dvc = host AS dvc
# src and orig_src are both the original client IP, falling back to cs_ip
EVAL-src = coalesce(original_client_ip,cs_ip)
EVAL-product = "Exchange"
EVAL-vendor = "Microsoft"
# OUTPUT (not OUTPUTNEW): an existing action field is overwritten
LOOKUP-event_id_to_action = event_id_to_action_lookup event_id OUTPUT action
# NOTE(review): FIELDALIAS runs before EVAL, so user is the raw sender_username,
# not the psender-coalesced value assigned to sender_username below - confirm intended
FIELDALIAS-user = sender_username AS user
FIELDALIAS-orig_dest = ss_ip AS orig_dest
FIELDALIAS-dest_ip = ss_ip AS dest_ip
FIELDALIAS-return_addr = return_path AS return_addr
FIELDALIAS-size = message_size AS size
FIELDALIAS-subject = message_subject AS subject
EVAL-orig_src = coalesce(original_client_ip,cs_ip)
EVAL-protocol = "SMTP"
EVAL-vendor_product = "Microsoft Exchange"
# sender/src_user and the sender_* fields prefer the purported (p*) values when extracted
EVAL-sender = coalesce(PurportedSender,sender)
EVAL-src_user = coalesce(PurportedSender,sender)
EVAL-sender_username = coalesce(psender_username,sender_username)
EVAL-sender_domain = coalesce(psender_domain,sender_domain)
## IIS W3C logs, one stanza per Windows version. TZ = GMT because IIS writes
## W3C log timestamps in UTC by default; the per-version *_iis_fields transform
## does the column parsing and the aliases expose lower-case CIM-style names.
[MSWindows:2003:IIS]
TZ = GMT
REPORT-fields = mswin_2003_iis_fields, extract_webapp, extract_client
TRANSFORMS-comments = ignore_comments
FIELDALIAS-ipaddress = c_ip as IPAddress
FIELDALIAS-cs_user_agent = cs_User_Agent as cs_user_agent
[MSWindows:2008R2:IIS]
TZ = GMT
REPORT-fields = mswin_2008r2_iis_fields, extract_webapp, extract_client
TRANSFORMS-comments = ignore_comments
FIELDALIAS-ipaddress = c_ip as IPAddress
FIELDALIAS-cs_user_agent = cs_User_Agent as cs_user_agent
## NOTE(review): only the 2012 stanza aliases cs_Referer -> cs_referer; confirm whether
## the 2003/2008R2 transforms expose cs_Referer and the alias was simply omitted there.
[MSWindows:2012:IIS]
TZ = GMT
REPORT-fields = mswin_2012_iis_fields, extract_webapp, extract_client
TRANSFORMS-comments = ignore_comments
FIELDALIAS-ipaddress = c_ip as IPAddress
FIELDALIAS-cs_user_agent = cs_User_Agent as cs_user_agent
FIELDALIAS-cs_referer = cs_Referer as cs_referer
## Exchange Web Services (EWS) IIS logs for Exchange 2013 and 2010. Both stanzas
## are identical apart from the version-specific fields transform: header and
## comment lines are dropped at index time, user_subject/cs_user_agent are
## exposed as cs_username/raw_client, and cs_uri_stem is fixed to "/EWS/".
[MSWindows:2013EWS:IIS]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = mswindows2013ews_fields
FIELDALIAS-csusername_usersubject = user_subject AS cs_username
FIELDALIAS-rawclient_csuseragent = cs_user_agent AS raw_client
EVAL-cs_uri_stem = "/EWS/"
TRANSFORMS-comments = ignore_comments
TRANSFORMS-header = ignore_header
# RpcC is the RPC count when positive; non-positive counts fall through to 0
# (a missing ServiceTaskMetadata_RpcCount presumably also yields 0 - confirm)
EVAL-RpcC = if(ServiceTaskMetadata_RpcCount>0,ServiceTaskMetadata_RpcCount,0)
[MSWindows:2010EWS:IIS]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = mswindows2010ews_fields
FIELDALIAS-csusername_usersubject = user_subject AS cs_username
FIELDALIAS-rawclient_csuseragent = cs_user_agent AS raw_client
EVAL-cs_uri_stem = "/EWS/"
TRANSFORMS-comments = ignore_comments
TRANSFORMS-header = ignore_header
# RpcC is the RPC count when positive; non-positive counts fall through to 0
EVAL-RpcC = if(ServiceTaskMetadata_RpcCount>0,ServiceTaskMetadata_RpcCount,0)
## Exchange distribution-list, admin-audit and mailbox-audit exports. All are
## UTF-8, one event per line, no header-row detection; the AdminAudit stanzas
## additionally run the AdminAudit_ExtractParam/AdminAudit_ExtractError transforms.
[MSExchange:2010:DistributionLists]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
[MSExchange:2013:DistributionLists]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
[MSExchange:2010:AdminAudit]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = AdminAudit_ExtractParam,AdminAudit_ExtractError
[MSExchange:2013:AdminAudit]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = AdminAudit_ExtractParam,AdminAudit_ExtractError
## NOTE(review): no REPORT-fields here, unlike AdminAudit - confirm mailbox-audit
## field extraction is handled elsewhere (e.g. automatic key=value extraction).
[MSExchange:2013:MailboxAudit]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
## "Exchange Auditing" Windows event log (source name contains a space):
## user extraction via transform, Address exposed as IPAddress.
[source::WinEventLog:Exchange Auditing]
REPORT-fields = exch_audit_user_extraction
FIELDALIAS-ipaddress = Address as IPAddress
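## Search-time extractions for classic (non-XML) Windows Security event text.
## Field names are kept as-is because downstream searches and lookups reference
## them (note the mixed dst_/dest_ prefixes: dst_nt_domain in the 4625/4624
## extractions, dest_nt_domain elsewhere) - renaming would silently break them.
## Fix: several negated character classes were written as [^(\n|\r|\s)] or
## [^(\s+|\n+|\r+)]. Inside a class ( | ) + are literal characters, so an
## account or group name containing one of them was truncated or the whole
## extraction failed to match (and the event lost its user/src_user fields).
## Those classes are now \S+ / [^\r\n]+ / [^.\s]+, which is what was intended;
## for names without those characters the captured values are unchanged.
[source::WinEventLog:Security]
## 4625 (failed logon): Subject block -> dst_user/dst_nt_domain/session_id,
## "Account For Which Logon Failed" block -> user_sid/user/src_nt_domain.
EXTRACT-4625-fields = (?ms)EventCode=4625.*?Message=.*?\n.*?Subject\s*:.*?Account Name:\s*(?<dst_user>.*?)\n.*?Account Domain:\s*(?<dst_nt_domain>.*?)\n.*?Logon ID:\s*(?<session_id>.*?)\n.*?\nLogon Type:.*?\n.*?Account For Which Logon Failed.*?\n.*?Security ID:(?<user_sid>.*?)\n.*?Account Name:(?<user>.*?)\n.*?Account Domain:(?<src_nt_domain>.*?)\n
## 4624 (successful logon): src_ip is whatever follows "Source Network Address:"
## up to end of line (a "-" placeholder, if present, is captured verbatim).
EXTRACT-4624-srcip = (?ms)EventCode=4624\n.*?Source Network Address:\s+?(?<src_ip>[^\n]+)
## 4624 New Logon block. NOTE(review): src_host receives the part of the
## Security ID after the backslash, not a host name - confirm with consumers.
EXTRACT-4624-user = (?ms)New Logon:\n*?.*?Security ID:\s*?(?<dest_nt_domain>[^\\]+)\\(?<src_host>.*?)\n.*?Account Name:(?<user>.*?)\s*\n.*?Account Domain:\s+(?<dst_nt_domain>[^\n]+).*?Logon ID:\s+(?<session_id>[^\n]+)
## Group create/change/delete events: group class/type/action, acting user and
## the group's SID and domain.
EXTRACT-group_changes = (?ms)EventCode=(4727|4730|4731|4734|4735|4737|4744|4745|4748|4749|4750|4753|4754|4755|4758|4759|4760|4763|4764).*Message=A (?<MSADGroupClass>.*)\-(?<MSADGroupClassID>(enabled|disabled))\s(?<MSADGroupType>.*)\sgroup\swas\s(?<msad_action>[^\.]+).*Subject:.*Security ID:\s*(?<src_nt_domain>.*)\\(?<src_user>.*)\s*\n.*Account Name:.*Group:.*Security ID:\s*(?<member_id>.*)\s*\n.*Group Name:.*Group Domain:(?<dest_nt_domain>[^\r\n]+).*Attributes:
EXTRACT-group_change_4764 = (?ms)EventCode=(4764)(\n|\r).*Message\=A groups type was (?<msad_action>[^\.]+)
## Group membership add/remove events: action, group class/type, acting user
## and the member's account name.
EXTRACT-groupmembership_changes = (?ms)EventCode=(4728|4729|4732|4733|4746|4747|4751|4752|4756|4757|4761|4762).*Message=A member was (?<msad_action>.*) (to|from) a (?<MSADGroupClass>.*)\-(?<MSADGroupClassID>(enabled|disabled)) (?<MSADGroupType>.*) group.*Subject:.*Security ID:\s*(?<src_nt_domain>.*)\\(?<src_user>.*)\n.*Account Name:.*Account Domain:.*Member:.*Security ID:\s*.*\\(?<member>.*)\n.*Account Name:.*Group:.*
## 4756: dest_nt_domain is the last "Account Domain:" value on its line
## (the former class [a-zA-Z0-9._[\S\-\S] is equivalent to \S).
EXTRACT-dest_nt_domain_for_4756 = (?msi)EventCode=4756.*(?:Account Domain.*Account Domain|Account Domain(?!(Account Domain)))\:\s+(?<dest_nt_domain>\S+)$
EXTRACT-group_changes_event_4756 = (?ms)EventCode\=4756\s*\n.*Member\:.*CN\=(?<member_id>[^\,]+),CN.*Group\:.*Account\sName\:\s+(?<user_group>\S+).*Account\sDomain\:\s+(?<member_nt_domain>\S+).*
EXTRACT-group_change_groupname = (?ms)EventCode=(4756)(\n|\r).*Group:(\n|\r).*Security ID:(?<Group_Domain>.*)\\(?<Group_Name>[^\r\n]+)(\r|\n).*Account Name:
## 4662 (object access): acting user and session; Object_Name_Guid is the GUID
## in the Object Name, with any leading CN=/%/{ stripped.
EXTRACT-4662-fields = (?ms)EventCode=4662\s*\n.*Message=.*?\n.*?Subject\s*:.*?Account Name:\s*(?<src_user>.*?)\s*\n.*?Account Domain:\s*(?<src_nt_domain>.*?)\s*\n.*?Logon ID:\s*(?<session_id>.*?)\s*\n
EXTRACT-ObjectNameGuid = (?ms)EventCode=4662\s*\n.*Message=.*?Object\s*:.*?Object\sName:\s*(CN=|%)*{*(?<Object_Name_Guid>[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})}*.*
LOOKUP-msadgroupclass = GroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
## Group Policy object changes: the GPO GUID from the groupPolicyContainer name.
EXTRACT-gpo_changes = (?ms)Object Type\:\s+groupPolicyContainer(\n|\r).*Object\sName\:\s+CN(=|=\")(?<Object_Name_Guid>\{.*\})
## Legacy (pre-Vista) event IDs 624/628/642.
EXTRACT-msad_changes_oldevents = (?ms)EventCode=(624|628)(\n|\r).*Message\=(?<MSADChanges>[^\:]+)
EXTRACT-msad_action_oldevents = (?ms)EventCode=(624|628|642)(\n|\r).*Message\=User\sAccount\s(?<msad_action>[^\:]+)
## Account unlock / lockout: action, acting user and session, target account.
EXTRACT-unlocked_accounts = (?msi)Message\=A\suser\saccount\swas\s(?<msad_action>[^\.]+)\.(\s+|\n+|\r+).*Subject\:(\s+|\n+|\r+).*Account\sName\:\s+(?<src_user>\S+)(\s+|\n+|\r+).*Logon\sID\:\s+(?<session_id>\S+)(\s+|\n+|\r+).*Target\sAccount\:(\s+|\n+|\r+).*?Account Name\:\s+(?<user>\S+)
EXTRACT-locked_accounts = (?msi)Message\=A\suser\saccount\swas\s(?<msad_action>[^.\s]+)(\.|\s+|\n+|\r+).*Subject\:(\s+|\n+|\r+).*Account\sName\:\s+(?<src_user>\S+)(\s+|\n+|\r+).*Logon\sID\:\s+(?<session_id>\S+)(\s+|\n+|\r+).*(Account\sThat\sWas\sLocked\sOut|Target\sAccount)\:(\s+|\n+|\r+).*?Account Name\:\s+(?<user>\S+)
## Acting user, domain and session for any event whose Subject block precedes a "Group:" block.
EXTRACT-group_changes_srcuser = (?ms)Account Name\:\s+(?<src_user>\S+)(\r|\n|\s).*Account\sDomain\:\s+(?<src_nt_domain>\S+)(\r|\n|\s).*Logon\sID\:\s+(?<session_id>\S+)(\r|\n|\s).*Group\:
## Exchange service/process name from "Process Name: ...Microsoft.Exchange.<name>.exe".
EXTRACT-PSN = Process Name:.*Microsoft\.Exchange\.(?<ProtocolServiceName>[^\.]+)\.exe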
## Any source ending in ":System" (wildcard source stanza): dest/src and user
## come from transforms, Windows Update status from an EventCode lookup.
[source::*:System]
REPORT-bestmatch_for_windows_system = ComputerName_as_dest,ComputerName_as_src
REPORT-package_for_windows_system_update = package_title_for_windows_system_update,package_for_windowsupdatelog
# EventCode -> status (OUTPUTNEW: an existing status is kept)
LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
REPORT-user_for_windows_system = user_for_windows_system_ias
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
## WindowsUpdateLog sourcetype: package/title/message extraction via transforms
## and vendor_status -> status through the same lookup used for the System log.
[WindowsUpdateLog]
FIELDALIAS-dest_for_windowsupdatelog = host as dest
# 0/1 prefixes order the two REPORT- entries (Splunk applies them in ASCII order)
REPORT-0package_message_for_windowsupdatelog = package_message_for_windowsupdatelog
REPORT-1package_title_for_windowsupdatelog = package_title_for_windowsupdatelog,package_title_for_windowsupdatelog_restartrequired,package_title_for_windowsupdatelog_package_message
REPORT-package_for_windowsupdatelog = package_for_windowsupdatelog
REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
# vendor_status -> status (OUTPUTNEW: an existing status is kept)
LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status