Dear all,

A customer has a requirement for correlation rules that monitor Exchange
configuration violations. The detailed description is as follows:
When an Exchange administrator or an unauthorized person stealthily
configures a mailbox transport rule in the Exchange transport rule
console, for example: he builds a rule named "tran-f-ceo-muser", and all
CEO outgoing mails are stealthily BCC'd to stevezeng@soclab.novell and
admin@soclab.novell, but the CEO and everyone else don't know about the
hidden action. So I use Sentinel to collect the MSExchange CmdletLogs,
but I encountered an issue. In this case Exchange logs that the
administrator exadmin did this configuration and set up that when the
CEO (from=ceo@soclab.novell) sends out any mail, Exchange will BCC the
mail to stevezeng and
admin (BlindCopyTo={stevezeng@soclab.novell,admin@soclab.novell}).
The Exchange administrator can set up from={A user,B user,C user......},
and can also set up BlindCopyTo={A,B,C,D....} with multiple mailbox users.
Management and the IT manager need to know in real time which
configurations are compliant and which configuration actions are
unauthorized. For example, the CEO had approved that his assistant
(cathy@soclab.novell) can receive and open the CEO's email, but others
(stevezeng@soclab.novell and admin@soclab.novell) cannot receive his
email via BCC.

I have some troublesome issues, as follows:
1. If BlindCopyTo or From have multiple users, { ,, ,.....}, which Sentinel fields can map to
these usernames and domains?
2. If we use two fields named sun and dun, I assumed we would not use
multiple fields to map these usernames; then the sun field value is perhaps:
{admin@soclab.novell, stevezeng@soclab.novell, huchang@soclab.novell,
......}, and the dun field value is ceo@soclab.novell. How can I write the
correlation rule?

The s_RXBufferString field message (after some processing) in my dump file
looks like the following:

"Index:81EntryType:InformationInstanceId:1073741825Message:Cmdlet
suceeded. Cmdlet New-TransportRule, parameters
{Name=tran-f-ceo-bcc-muser, Comments=, Priority=0, Enabled=True,
From={ceo@soclab.novell}, BlindCopyTo={stevezeng@soclab.novell,
admin@soclab.novell}}, soclab.novell/Users/exadmin,
S-1-5-21-3874457998-3291786455-3773857442-1104, ServerRemoteHost-EMC,
7780, , 171, 00:00:00.1718728, View Entire Forest: 'True', Configuration
Domain Controller: 'ADServer.soclab.novell', Preferred Global Catalog:
'ADServer.soclab.novell', Preferred Domain Controllers: '{
ADServer.soclab.novell }', , , }Source:MSExchange
CmdletLogsTimeGenerated:8/16/2013 9:45:07 AMTimeWritten:8/16/2013
9:45:07 AMUserName:"

My portion of the collector development in release.js is as follows:

Record.prototype.preParse = function(e) {
    if (this.CONNECTION_ERROR != null) {
        return false;
    }
    this.msg = this.s_RXBufferString.trim();
    return true;
};

Record.prototype.parse = function(e) {
    if (this.s_RXBufferString == "" || this.s_RXBufferString.length == 0) {
        return false;
    }

    // Join the wrapped event text into one line and normalise whitespace, so
    // the expressions below always see "Key:value" regardless of the padding
    // the original record had around the colon.
    this.msg = this.msg.replace(/\r?\n/g, '');
    this.msg = this.msg.replace(/\s+/g, ' ');
    this.msg = this.msg.replace(/\s*:\s*/g, ':');

    // New-TransportRule: rule name, Enabled flag, From list, BlindCopyTo list,
    // the administrator who ran the cmdlet, the configuration DC and the
    // generation time. The tail (TimeGenerated) is reconstructed from the dump
    // above, because the posted expression was cut off after "Preferred Global".
    var reNew = /Cmdlet New-TransportRule, parameters \{Name=(.*?), Comments=.*?Enabled=(.*?), From=\{(.*?)\}, BlindCopyTo=\{(.*?)\}\}, (.*?), S-[\d-]+, .*?Configuration Domain Controller:'([^']*)', Preferred Global.*?TimeGenerated:(.*?)TimeWritten/;
    var reSet = /^Index.*Set-TransportRule.*ReplacementStrings:\{(.*)\.\.\.\}Source:.*UserName.*$/;
    // Mailbox audit record for delegate access; the ":\s" of the posted
    // expression became ":" because the colon padding is stripped above.
    var reDelegate = /^Operation.*LogonType.*Delegate.*ClientIPAddress.*?:(\d+\.\d+\.\d+\.\d+)ClientMachineName.*MailboxOwnerUPN.*?:(\S+).*MailboxOwnerSid.*LogonUserDisplayName.*?:(\S+).*LogonUserSid.*MailboxResolvedOwnerName.*?:(\S+).*LastAccessed.*$/;
    var m;

    if ((m = reNew.exec(this.msg)) !== null) {
        this.evt = "New-TransportRule";
        this.cv21 = m[1];                       // rule name
        this.cv22 = m[2];                       // Enabled
        var dmails = m[3];                      // From={...}: monitored senders
        if (dmails !== "") {
            var dmail = dmails.split(/\s*,\s*/);
            if (dmail.length == 1) {
                this.temail = dmail[0];
                var tmptemail = dmail[0].split("@");
                this.dun = tmptemail[0];
                this.rv45 = tmptemail[1];
            } else if (dmail.length > 1) {
                this.dun = dmails;              // several senders: keep the raw list
            }
        }
        var smails = m[4];                      // BlindCopyTo={...}: hidden recipients
        if (smails !== "") {
            var smail = smails.split(/\s*,\s*/);
            if (smail.length == 1) {
                this.iemail = smail[0];
                var tmpiemail = smail[0].split("@");
                this.sun = tmpiemail[0];
                this.rv35 = tmpiemail[1];
            } else if (smail.length > 1) {
                this.sun = smails;              // several recipients: keep the raw list
            }
        }
        this.euname = m[5];                     // administrator who ran the cmdlet
        this.dhn = m[6];                        // configuration domain controller
        var dt1 = m[7];                         // TimeGenerated
        var devEvtTime = new Date(dt1);         // device time, not mapped yet
        return true;
    } else if ((m = reSet.exec(this.msg)) !== null) {
        this.evt = "Set-TransportRule";
        var tmpstr = m[1];                      // ReplacementStrings, not mapped yet
        return true;
    } else if ((m = reDelegate.exec(this.msg)) !== null) {
        this.evt = "Delegate";
        this.sip = m[1];
        this.temail = m[2];
        this.sun = m[3];
        this.dun = m[4];
        return true;
    } else {
        return false;
    }
};

Record.prototype.normalize = function(e) {
    instance.SEND_EVENT = true;
    return true;
};

Record.prototype.postParse = function(e) {
    return true;
};

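As an added example (not steve_zeng's collector code), the following stand-alone script parses the New-TransportRule message quoted above and checks every BlindCopyTo recipient against an approval table keyed by the From sender, which is the decision question 2 wants a correlation rule to make. The approval table and the sample message (the posted BlindCopyTo list with cathy@soclab.novell added so an approved recipient appears) are constructed here; it also handles a rule whose From condition is empty, which applies to every sender.

```javascript
// Added example, not the poster's collector: parse the New-TransportRule cmdlet
// log message and flag BlindCopyTo recipients not approved for the From sender.
// Constructed sample in the shape of the posted dump (lines joined; cathy added).
var SAMPLE = "Index:81EntryType:InformationInstanceId:1073741825Message:Cmdlet succeeded. " +
  "Cmdlet New-TransportRule, parameters {Name=tran-f-ceo-bcc-muser, Comments=, Priority=0, " +
  "Enabled=True, From={ceo@soclab.novell}, BlindCopyTo={stevezeng@soclab.novell, " +
  "cathy@soclab.novell, admin@soclab.novell}}, soclab.novell/Users/exadmin, " +
  "S-1-5-21-3874457998-3291786455-3773857442-1104, ServerRemoteHost-EMC, 7780, , 171, " +
  "00:00:00.1718728, View Entire Forest: 'True', Configuration Domain Controller: " +
  "'ADServer.soclab.novell', Preferred Global Catalog: 'ADServer.soclab.novell', " +
  "Preferred Domain Controllers: '{ ADServer.soclab.novell }', , , }Source:MSExchange " +
  "CmdletLogsTimeGenerated:8/16/2013 9:45:07 AMTimeWritten:8/16/2013 9:45:07 AMUserName:";

// Constructed policy: sender -> recipients approved to receive hidden copies.
var APPROVED_BCC = { "ceo@soclab.novell": ["cathy@soclab.novell"] };

// Turn the inside of a "{a, b, c}" list into trimmed, lower-cased addresses.
function splitList(s) {
  return s.split(",").map(function (x) { return x.trim().toLowerCase(); })
          .filter(function (x) { return x.length > 0; });
}

// Extract the fields the compliance decision needs; null if not a transport rule.
function parseTransportRule(msg) {
  var re = /Cmdlet (New|Set)-TransportRule, parameters \{Name=(.*?), .*?From=\{(.*?)\}, BlindCopyTo=\{(.*?)\}\}, (\S+), (S-[\d-]+)/;
  var m = re.exec(msg.replace(/\s+/g, " "));
  if (!m) { return null; }
  return { cmdlet: m[1] + "-TransportRule", name: m[2], from: splitList(m[3]),
           bcc: splitList(m[4]), admin: m[5], adminSid: m[6] };
}

// For each sender the rule covers, report every BCC recipient that is not approved.
function findUnauthorizedBcc(rule, approved) {
  // A rule with an empty From condition applies to every sender: flag all copies.
  var senders = rule.from.length > 0 ? rule.from : ["<any sender>"];
  var findings = [];
  senders.forEach(function (sender) {
    var allowed = approved[sender] || [];
    rule.bcc.forEach(function (rcpt) {
      if (allowed.indexOf(rcpt) === -1) {
        findings.push({ rule: rule.name, from: sender, bcc: rcpt, by: rule.admin });
      }
    });
  });
  return findings;
}

var rule = parseTransportRule(SAMPLE);
var violations = findUnauthorizedBcc(rule, APPROVED_BCC);
violations.forEach(function (v) { console.log("UNAUTHORIZED BCC", JSON.stringify(v)); });
```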