I am trying to decode the "Exchange 2003 Message Tracking" log. The format looks like this:

# Message Tracking Log File
# Exchange System Attendant Version 6.5.6944.0
# Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP Recipient-Address Event-ID MSGID Priority Recipient-Report-Status total-bytes Number-Recipients Origination-Time Encryption service-Version Linked-MSGID Message-Subject Sender-Address
2008-6-19 23:6:36 GMT 192.168.2.200 notify.ossec.net - 2K3R2 192.168.2.110 [EMAIL PROTECTED] 1019 [EMAIL PROTECTED] 0 0 393 1 2008-6-19 23:6:35 GMT 0 Version: 6.0.3790.3959 - OSSEC Notification - ossec - Alert level 3 [EMAIL PROTECTED] -
2008-6-19 23:6:45 GMT 192.168.2.200 notify.ossec.net - 2K3R2 192.168.2.110 [EMAIL PROTECTED] 1033 [EMAIL PROTECTED] 0 0 393 1 2008-6-19 23:6:35 GMT 0 Version: 6.0.3790.3959 - OSSEC Notification - ossec - Alert level 3 [EMAIL PROTECTED] -

#######################################################################################

But I have some problems:

1) The Message-Subject: I cannot define it. It contains some spaces, and the number of spaces varies.
2) Can I use <TAB> to separate the columns (instead of \s+)?
3) On the client side, which <log_format> should I select?

Thank you,
Yongyoot
