Hi, Daniel
 
Thank you for your reply.
But I still have a problem with the "Message-Subject" field, because that field
does not have a fixed number of spaces or words. So I cannot use \s+.
Thank you,
Yongyoot



> Date: Tue, 24 Jun 2008 15:20:37 -0300
> From: [EMAIL PROTECTED]
> To: [email protected]
> Subject: [ossec-list] Re: Exchange 2003 Message Tracking
>
> Hi Yongyoot,
>
> You can use \t for tabs or \s+ for multiple spaces. In this case it
> looks like a tab. Also, since it
> is one log per line, you can just set the <log_format> to syslog,
> which supports any log that
> is stored as one entry per line.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Thu, Jun 19, 2008 at 6:37 AM, rMing <[EMAIL PROTECTED]> wrote:
> >
> > I try to decode "Exchange 2003 Message Tracking "
> > the format like this:
> > # Message Tracking Log File
> > # Exchange System Attendant Version 6.5.6944.0
> > # Date Time client-ip Client-hostname Partner-Name Server-hostname
> > server-IP Recipient-Address Event-ID MSGID Priority
> > Recipient-Report-Status total-bytes Number-Recipients
> > Origination-Time Encryption service-Version Linked-MSGID
> > Message-Subject Sender-Address
> >
> >
> > 2008-6-19 23:6:36 GMT 192.168.2.200 notify.ossec.net - 2K3R2
> > 192.168.2.110 [EMAIL PROTECTED] 1019
> > [EMAIL PROTECTED] 0 0 393 1 2008-6-19
> > 23:6:35 GMT 0 Version: 6.0.3790.3959 - OSSEC Notification - ossec -
> > Alert level 3 [EMAIL PROTECTED] -
> >
> > 2008-6-19 23:6:45 GMT 192.168.2.200 notify.ossec.net - 2K3R2
> > 192.168.2.110 [EMAIL PROTECTED] 1033
> > [EMAIL PROTECTED] 0 0 393 1 2008-6-19
> > 23:6:35 GMT 0 Version: 6.0.3790.3959 - OSSEC Notification - ossec -
> > Alert level 3 [EMAIL PROTECTED] -
> >
> > #######################################################################################
> >
> > But I have some problems:
> > 1) The Message-Subject: I cannot define it. It has some spaces,
> > and the number of spaces varies.
> > 2) Can I use <TAB> to separate the columns (instead of \s+)?
> > 3) On the client side, which <log_format> should I select?
> >
> > Thank you,
> > Yongyoot
> >
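
Added example, not part of the thread and not OSSEC code: a small Python parser that splits a tracking-log record on tabs only, so a Message-Subject with any number of words or spaces stays in one field. It assumes the file is tab-delimited, as Daniel's reply suggests; the sample rows, the placeholder addresses and the function names are constructed for illustration.

```python
# Column names copied from the "# Date Time client-ip ..." header quoted above.
# Assumption: fields are TAB-delimited (the list archive has flattened the tabs).
COLUMNS = [
    "Date", "Time", "client-ip", "Client-hostname", "Partner-Name",
    "Server-hostname", "server-IP", "Recipient-Address", "Event-ID", "MSGID",
    "Priority", "Recipient-Report-Status", "total-bytes", "Number-Recipients",
    "Origination-Time", "Encryption", "service-Version", "Linked-MSGID",
    "Message-Subject", "Sender-Address",
]


def parse_tracking_line(line):
    """Return {column: value} for one record, or None if the line is not one."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None  # blank line or "# ..." header comment
    fields = line.split("\t")  # TAB only: spaces inside a field are kept
    if len(fields) < len(COLUMNS):
        return None  # truncated, or tabs were converted to spaces in transit
    record = dict(zip(COLUMNS, fields))
    record["_extra"] = fields[len(COLUMNS):]  # trailing columns the header does not name
    return record


def parse_tracking_log(text):
    """Parse a whole log, skipping comments and malformed lines."""
    parsed = (parse_tracking_line(line) for line in text.splitlines())
    return [record for record in parsed if record is not None]


def make_row(event_id, subject):
    """Build one constructed, tab-delimited record (addresses are placeholders)."""
    return "\t".join([
        "2008-6-19", "23:6:36 GMT", "192.168.2.200", "notify.ossec.net", "-",
        "2K3R2", "192.168.2.110", "rcpt@example.com", event_id,
        "msgid@example.com", "0", "0", "393", "1", "2008-6-19 23:6:35 GMT", "0",
        "Version: 6.0.3790.3959", "-", subject, "sender@example.com", "-",
    ])


# Constructed sample: two records whose subjects differ in word and space count.
SAMPLE_LOG = "\n".join([
    "# Message Tracking Log File",
    make_row("1019", "OSSEC Notification - ossec - Alert level 3"),
    make_row("1033", "Re:  weekly   report"),
])

if __name__ == "__main__":
    for rec in parse_tracking_log(SAMPLE_LOG):
        print(rec["Event-ID"], repr(rec["Message-Subject"]), rec["Sender-Address"])
```

A line whose tabs were replaced by spaces yields fewer than 20 fields and is rejected, which is a quick way to confirm the delimiter on a real log before writing the decoder.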