Monitor Microsoft Exchange Server 2013 logs


#1

Hello,
I have installed ELK 6.4.0 in a Windows environment, I configured winlogbeat for Windows logs and it works fine.
Now I'd like to collect Exchange logs, so I have used filebeat, but it is a little bit difficult to search some data because all data are in one field, message. I found something like this http://robwillis.info/2017/05/elk-5-setting-up-a-grok-filter-for-iis-logs/ and I'd like to do the same with Exchange logs. Is it possible, and if yes, how do I do this?


(Alexander Reelsen) #2

Are you sending your data to logstash or to elasticsearch directly? If the latter, you could take a look at the ingest node functionality of Elasticsearch.

--Alex


#3

I am sending my data to elasticsearch directly. I opened the link that you mentioned and tried to understand how to use it.
In what file do I configure / define a pipeline and processors?
Could you give an example of how to do this?


(Alexander Reelsen) #4

It's not a file, but rather an API call. The documentation includes a few examples. You might be interested in the grok processor in particular.

Also, in order to easily debug things, I suggest you take a look at the Simulate Pipeline API.

If you have further questions, please provide your full pipeline or better yet the full simulate pipeline API call.
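A concrete version of the pipeline definition and simulate call described above, as an added example (not code from the thread or from Elastic): the pipeline id, the cluster URL, the sample log line and the message tracking log column order are all assumptions to check against your own Exchange logs.

```python
"""Ingest pipeline for Exchange 2013 message tracking logs (added example).
Column order is ASSUMED from the log's '#Fields:' header; verify it first."""
import json
import urllib.request

PIPELINE_ID = "exchange-tracking"  # assumed pipeline name
ES_URL = "http://localhost:9200"   # assumed; point at your cluster
# One grok pattern per CSV column of interest; the tail is kept whole.
# %{DATA} also matches an empty column, %{IP} does not: use DATA for
# any column that can be blank in your logs.
GROK_PATTERN = (
    "%{TIMESTAMP_ISO8601:exchange_timestamp},%{IP:client_ip},"
    "%{DATA:client_hostname},%{IP:server_ip},%{DATA:server_hostname},"
    "%{DATA:source_context},%{DATA:connector_id},%{DATA:source},"
    "%{DATA:event_id},%{GREEDYDATA:remaining_columns}"
)

def build_pipeline() -> dict:
    """Body for PUT _ingest/pipeline/<id>: grok 'message' into fields,
    then set @timestamp from the extracted Exchange timestamp."""
    return {
        "description": "Parse Exchange 2013 message tracking log lines",
        "processors": [
            {"grok": {"field": "message", "patterns": [GROK_PATTERN]}},
            {"date": {"field": "exchange_timestamp", "formats": ["ISO8601"]}},
        ],
    }

def build_simulate_request(line: str) -> dict:
    """Body for POST _ingest/pipeline/_simulate: runs the pipeline on a
    sample document and returns the result without indexing anything."""
    return {"pipeline": build_pipeline(),
            "docs": [{"_source": {"message": line}}]}

def es_call(method: str, path: str, body: dict) -> dict:
    req = urllib.request.Request(
        ES_URL + path, method=method, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample line in message tracking log column order.
SAMPLE_LINE = ("2018-09-10T08:15:30.123Z,192.0.2.10,CLIENT01,192.0.2.20,"
               "EXCH01,08D5F1A2B3C4D5E6;2018-09-10T08:15:30.120Z;0,"
               "Default Frontend EXCH01,SMTP,RECEIVE,12345,<id@example.com>")

if __name__ == "__main__":  # simulate first, then store the pipeline
    print(json.dumps(es_call("POST", "/_ingest/pipeline/_simulate",
                             build_simulate_request(SAMPLE_LINE)), indent=2))
    es_call("PUT", f"/_ingest/pipeline/{PIPELINE_ID}", build_pipeline())
```

Once the pipeline is stored, point filebeat at it with `output.elasticsearch.pipeline: exchange-tracking`, and add `exclude_lines: ['^#']` to the filebeat input so the `#Fields:` header lines never reach the grok processor.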


#5

That is the problem: I don't understand how to use that API. I'm not a programmer; I'd prefer to configure a file with a filter that "decomposes" the log file from Exchange to be more readable.
I have read about the grok processor and it could be a solution for my data.
What should I do if I'd like to send data to logstash?


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.