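# Logstash filter for Microsoft Exchange 2013/2016 logs.
#
# Events are selected by tag ("exchange2016" / "exchange2013") and then by the
# source file path in [log][file][path]:
#   MessageTracking -> message tracking log columns
#   Imap4 | Pop3    -> IMAP4/POP3 protocol log columns
#   Smtp            -> SMTP protocol log columns
# The raw CSV row is read from "message". When ex_logdatetime is present it is
# parsed into @timestamp as UTC.
#
# NOTE(review): Exchange log files normally begin with '#'-prefixed header
# lines (#Software, #Fields, ...). Nothing here drops them; confirm the shipper
# excludes them, otherwise they are parsed as data rows and fail the date match.
#
# NOTE(review): ex_message_subject, ex_sender_address, ex_data and
# ex_parameters carry sender/client-controlled text. Rows the csv filter cannot
# parse are tagged _csvparsefailure by default; monitor that tag so malformed
# rows do not silently fall out of detections.
#
# Endpoint fields ("ip:port") are split with grok rather than a ':'-separated
# csv: an IPv6 address contains ':' itself (typically logged bracketed, e.g.
# "[::1]:25" - constructed example), so a ':' split would truncate the address
# and put an address fragment in the port field. The pattern strips optional
# brackets and treats the port as optional; anything else is tagged
# _ex_endpoint_parse_failure.
filter {

  # ------------------------------------------------------------------
  # Exchange 2016
  # ------------------------------------------------------------------
  if "exchange2016" in [tags] {

    # Message tracking log
    if [log][file][path] =~ /MessageTracking/ {
      csv {
        columns => [
          "ex_logdatetime", "ex_client_ip", "ex_client_hostname",
          "ex_server_ip", "ex_server_hostname", "ex_source_context",
          "ex_connector_id", "ex_source", "ex_event_id",
          "ex_internal_message_id", "ex_message_id", "ex_network_message_id",
          "ex_recipient_address", "ex_recipient_status", "ex_total_bytes",
          "ex_recipient_count", "ex_related_recipient_address", "ex_reference",
          "ex_message_subject", "ex_sender_address", "ex_return_path",
          "ex_message_info", "ex_directionality", "ex_tenant_id",
          "ex_original_client_ip", "ex_original_server_ip", "ex_custom_data",
          "ex_transport_traffic_type", "ex_log_id", "ex_schema_version"
        ]
        separator => ","
        source => "message"
      }
    }

    # IMAP4 / POP3 protocol log
    if [log][file][path] =~ /(Imap4|Pop3)/ {
      csv {
        columns => [
          "ex_logdatetime", "ex_sessionId", "ex_seqNumber", "ex_sIpPort",
          "ex_cIpPort", "ex_user", "ex_duration", "ex_rqsize", "ex_rpsize",
          "ex_command", "ex_parameters", "ex_context", "ex_puid"
        ]
        separator => ","
        source => "message"
      }

      # Server endpoint -> ex_sIp / ex_sPort
      if [ex_sIpPort] {
        grok {
          match => { "ex_sIpPort" => "^\[?(?<ex_sIp>[^\]]+?)\]?(?::(?<ex_sPort>\d+))?$" }
          tag_on_failure => [ "_ex_endpoint_parse_failure" ]
        }
      }

      # Client endpoint -> ex_cIp / ex_cPort
      if [ex_cIpPort] {
        grok {
          match => { "ex_cIpPort" => "^\[?(?<ex_cIp>[^\]]+?)\]?(?::(?<ex_cPort>\d+))?$" }
          tag_on_failure => [ "_ex_endpoint_parse_failure" ]
        }
      }
    }

    # SMTP protocol log
    if [log][file][path] =~ /(Smtp)/ {
      csv {
        columns => [
          "ex_logdatetime", "ex_connector_id", "ex_session_id",
          "ex_sequence_number", "ex_local_endpoint", "ex_remote_endpoint",
          "ex_event", "ex_data", "ex_context"
        ]
        separator => ","
        source => "message"
      }

      if [ex_local_endpoint] {
        grok {
          match => { "ex_local_endpoint" => "^\[?(?<ex_local_endpoint_ip>[^\]]+?)\]?(?::(?<ex_local_endpoint_port>\d+))?$" }
          tag_on_failure => [ "_ex_endpoint_parse_failure" ]
        }
      }

      if [ex_remote_endpoint] {
        grok {
          match => { "ex_remote_endpoint" => "^\[?(?<ex_remote_endpoint_ip>[^\]]+?)\]?(?::(?<ex_remote_endpoint_port>\d+))?$" }
          tag_on_failure => [ "_ex_endpoint_parse_failure" ]
        }
      }
    }

    # Use the log's own timestamp as the event time; a failed match is tagged
    # _dateparsefailure by the date filter and @timestamp is left unchanged.
    if [ex_logdatetime] {
      date {
        locale => "en"
        match => [ "ex_logdatetime", "YYYY-MM-dd'T'HH:mm:ss'.'SSS'Z'", "ISO8601" ]
        timezone => "UTC"
        target => "@timestamp"
      }
    }
  }

  # ------------------------------------------------------------------
  # Exchange 2013 (same layout; fewer trailing columns in the
  # message tracking and IMAP4/POP3 lists)
  # ------------------------------------------------------------------
  if "exchange2013" in [tags] {

    # Message tracking log
    if [log][file][path] =~ /MessageTracking/ {
      csv {
        columns => [
          "ex_logdatetime", "ex_client_ip", "ex_client_hostname",
          "ex_server_ip", "ex_server_hostname", "ex_source_context",
          "ex_connector_id", "ex_source", "ex_event_id",
          "ex_internal_message_id", "ex_message_id", "ex_network_message_id",
          "ex_recipient_address", "ex_recipient_status", "ex_total_bytes",
          "ex_recipient_count", "ex_related_recipient_address", "ex_reference",
          "ex_message_subject", "ex_sender_address", "ex_return_path",
          "ex_message_info", "ex_directionality", "ex_tenant_id",
          "ex_original_client_ip", "ex_original_server_ip", "ex_custom_data"
        ]
        separator => ","
        source => "message"
      }
    }

    # IMAP4 / POP3 protocol log
    if [log][file][path] =~ /(Imap4|Pop3)/ {
      csv {
        columns => [
          "ex_logdatetime", "ex_sessionId", "ex_seqNumber", "ex_sIpPort",
          "ex_cIpPort", "ex_user", "ex_duration", "ex_rqsize", "ex_rpsize",
          "ex_command", "ex_parameters", "ex_context"
        ]
        separator => ","
        source => "message"
      }

      # Server endpoint -> ex_sIp / ex_sPort
      if [ex_sIpPort] {
        grok {
          match => { "ex_sIpPort" => "^\[?(?<ex_sIp>[^\]]+?)\]?(?::(?<ex_sPort>\d+))?$" }
          tag_on_failure => [ "_ex_endpoint_parse_failure" ]
        }
      }

      # Client endpoint -> ex_cIp / ex_cPort
      if [ex_cIpPort] {
        grok {
          match => { "ex_cIpPort" => "^\[?(?<ex_cIp>[^\]]+?)\]?(?::(?<ex_cPort>\d+))?$" }
          tag_on_failure => [ "_ex_endpoint_parse_failure" ]
        }
      }
    }

    # SMTP protocol log
    if [log][file][path] =~ /(Smtp)/ {
      csv {
        columns => [
          "ex_logdatetime", "ex_connector_id", "ex_session_id",
          "ex_sequence_number", "ex_local_endpoint", "ex_remote_endpoint",
          "ex_event", "ex_data", "ex_context"
        ]
        separator => ","
        source => "message"
      }

      if [ex_local_endpoint] {
        grok {
          match => { "ex_local_endpoint" => "^\[?(?<ex_local_endpoint_ip>[^\]]+?)\]?(?::(?<ex_local_endpoint_port>\d+))?$" }
          tag_on_failure => [ "_ex_endpoint_parse_failure" ]
        }
      }

      if [ex_remote_endpoint] {
        grok {
          match => { "ex_remote_endpoint" => "^\[?(?<ex_remote_endpoint_ip>[^\]]+?)\]?(?::(?<ex_remote_endpoint_port>\d+))?$" }
          tag_on_failure => [ "_ex_endpoint_parse_failure" ]
        }
      }
    }

    # Use the log's own timestamp as the event time; a failed match is tagged
    # _dateparsefailure by the date filter and @timestamp is left unchanged.
    if [ex_logdatetime] {
      date {
        locale => "en"
        match => [ "ex_logdatetime", "YYYY-MM-dd'T'HH:mm:ss'.'SSS'Z'", "ISO8601" ]
        timezone => "UTC"
        target => "@timestamp"
      }
    }
  }
}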