Exchange Message Tracking

teejayuu · June 13, 2017, 9:39am

Hi,
I've been following this tutorial to get Exchange Message Tracking logs into an ELK stack on Windows (https://elijahpaul.co.uk/analysing-exchange-2013-message-tracking-logs-using-elk-elasticsearch-logstash-kibana/). The ELK stack is working, but is not getting the logs into logstash.

Looking at the nxlog.log I am getting this, so I guess nxlog is working:

2017-06-13 09:40:00 INFO nxlog-ce-2.9.1716 started
2017-06-13 10:00:02 WARNING input file was deleted: F:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK2017051409-1.LOG

How can I check that logstash is receiving the logs?

Thanks
Tony

teejayuu · June 13, 2017, 10:18am

Just restarted the logstash service and checked the logs and saw:

[2017-06-13T10:52:03,029][INFO ][logstash.inputs.beats ] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[2017-06-13T10:52:03,108][INFO ][logstash.pipeline ] Pipeline main started
[2017-06-13T10:52:03,342][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

Further investigation shows my logstash.json is the culprit:

input {
beats {
port => 5044
type => "log"
}
}

output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

I am not using Beats, so I guess that logstash is expecting Beats input. I have used multiple sources to build my ELK stack I guess that this is why I can't see any data.

Is there some documentation on how to create logstash.json to get input from nxLog?

Thanks
Tony

Oozza · June 13, 2017, 10:48am

To check if Logstash is processing some events you can use stats API. For example visit (or curl) this endpoint localhost:9600/_stats?pretty=true

To manually check what is the output of your config, you can let Logstash write events to console using this output:

output {
  stdout { codec => rubydebug }
}

At first you will need to setup input according to how is Exchange configured. Do you want to read lines from file ? On same computer where logstash resides or different one ? Or do you need to listen on tcp/udp port instead?

teejayuu · June 13, 2017, 11:04am

Thanks Oozza.

I've sorted it - The logstash should have been looking at a different file (one that I'd created later).

Cheers
Tony

system · July 11, 2017, 11:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.