Exchange Message Tracking

Hi,
I've been following this tutorial to get Exchange Message Tracking logs into an ELK stack on Windows (https://elijahpaul.co.uk/analysing-exchange-2013-message-tracking-logs-using-elk-elasticsearch-logstash-kibana/). The ELK stack is working, but is not getting the logs into logstash.

Looking at nxlog.log, I am getting this, so I guess nxlog is working:

2017-06-13 09:40:00 INFO nxlog-ce-2.9.1716 started
2017-06-13 10:00:02 WARNING input file was deleted: F:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK2017051409-1.LOG

How can I check that logstash is receiving the logs?

Thanks
Tony

Just restarted the logstash service and checked the logs and saw:

[2017-06-13T10:52:03,029][INFO ][logstash.inputs.beats ] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[2017-06-13T10:52:03,108][INFO ][logstash.pipeline ] Pipeline main started
[2017-06-13T10:52:03,342][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

Further investigation shows my logstash.json is the culprit:

input {
  beats {
    port => 5044
    type => "log"
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

I am not using Beats, so I guess that logstash is expecting Beats input. I have used multiple sources to build my ELK stack; I guess that this is why I can't see any data.

Is there some documentation on how to create logstash.json to get input from nxLog?

Thanks
Tony

To check if Logstash is processing some events, you can use the stats API. For example, visit (or curl) this endpoint: localhost:9600/_stats?pretty=true

To manually check what the output of your config is, you can let Logstash write events to the console using this output:

output {
  stdout { codec => rubydebug }
}

First, you will need to set up the input according to how Exchange is configured. Do you want to read lines from a file? On the same computer where Logstash resides, or a different one? Or do you need to listen on a TCP/UDP port instead?
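Tony's question above was how to write a Logstash config that takes input from nxlog, and Oozza's reply turns on where that input comes from. The pair of configs below is an added example, not code from this thread, from the linked tutorial, or from the nxlog or Logstash projects: nxlog on the Exchange server tails the message tracking directory, parses each CSV row with the Exchange 2013 column list, and sends one JSON line per event over TCP; Logstash listens on that port with the json_lines codec in place of the beats input that was never going to receive anything. Everything site-specific is an assumption: the nxlog install path, the Logstash host 192.0.2.10, port 5140, the index name, and the column list itself (compare it with the "#Fields:" header of your own MSGTRK*.LOG files, since newer Exchange versions may add columns).

```conf
## --- nxlog.conf (nxlog CE on the Exchange server) ---
## ROOT is the assumed nxlog install path; adjust for your system.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module  xm_json
</Extension>

# Exchange 2013 message-tracking columns, in the order of the "#Fields:" header.
# Assumed to match your logs; verify against the header line before relying on it.
<Extension msgtrk_csv>
    Module      xm_csv
    Fields      $date_time, $client_ip, $client_hostname, $server_ip, $server_hostname, $source_context, $connector_id, $source, $event_id, $internal_message_id, $message_id, $network_message_id, $recipient_address, $recipient_status, $total_bytes, $recipient_count, $related_recipient_address, $reference, $message_subject, $sender_address, $return_path, $message_info, $directionality, $tenant_id, $original_client_ip, $original_server_ip, $custom_data
    Delimiter   ,
    QuoteChar   "
    EscapeChar  "
</Extension>

<Input msgtrk>
    Module       im_file
    # Wildcard follows Exchange's hourly rotation and also picks up the
    # MSGTRKMA/MSGTRKMD/MSGTRKMS files, which share the same column layout.
    # Single quotes keep the backslashes literal.
    File         'F:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
    SavePos      TRUE
    ReadFromLast TRUE
    # Skip the "#Software:", "#Version:", "#Date:" and "#Fields:" header lines.
    Exec         if $raw_event =~ /^#/ drop();
    # Split the CSV row into named fields, take the event time from the
    # ISO 8601 date-time column, and serialise the record as one JSON line.
    Exec         msgtrk_csv->parse_csv(); $EventTime = parsedate($date_time); to_json();
</Input>

# Assumed Logstash host and port; om_tcp sends one newline-terminated line per event.
<Output logstash>
    Module  om_tcp
    Host    192.0.2.10
    Port    5140
</Output>

<Route msgtrk_to_logstash>
    Path    msgtrk => logstash
</Route>

## --- logstash.conf (on the ELK host) ---
input {
  tcp {
    port  => 5140
    codec => json_lines
    type  => "exchange-msgtrk"
  }
}

filter {
  # Exchange writes date-time as e.g. 2017-06-13T09:40:00.123Z; use it as @timestamp
  # so events are indexed by when Exchange logged them, not when Logstash saw them.
  date {
    match  => [ "date_time", "ISO8601" ]
    target => "@timestamp"
  }
}

output {
  # Keep stdout while testing: every parsed event is printed to the console.
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => "localhost:9200"
    index => "exchange-msgtrk-%{+YYYY.MM.dd}"
  }
}
```

While testing, the stdout output shows each parsed event as it arrives. On Logstash 5.x (the version Tony's log indicates, with the API on port 9600) the node stats also live at localhost:9600/_node/stats/events, whose events.in, events.filtered and events.out counters should climb as Exchange writes new rows. If they stay at zero, check the nxlog side first: nxlog.log will report whether the File pattern matched anything, and the wildcard avoids pinning nxlog to one hourly file that Exchange has already rotated away.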

Thanks, Oozza.

I've sorted it. Logstash should have been looking at a different file (one that I'd created later).

Cheers
Tony
