Dear All,

I am delivering a Sentinel project for our customer. The customer needs to
collect Exchange POP3 connection logs. They focus on sensitive-account
logon successes and failures from invalid client IPs, but I found that the
POP3 user logon failure event is spread across multiple log records with the
same sessionId. I don't know how to write the session collector. Can anyone
help me? Thanks!

The POP3 user logon failure log records are as follows:

#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: POP3 Log
#Date: 2013-06-28T00:00:00.587Z
#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
2013-06-28T00:04:00.067Z,000000000000BC6B,0,10.108.248.26:110,218.17.164.20:26039,,-2147483648,0,51,OpenSession,,
2013-06-28T00:04:00.083Z,000000000000BC6B,1,10.108.248.26:110,218.17.164.20:26039,,0,23,5,user,zouminghua@tcl.com,R=ok
2013-06-28T00:04:00.114Z,000000000000BC6B,2,10.108.248.26:110,218.17.164.20:26039,,15,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LoginDenied"
2013-06-28T00:04:00.114Z,000000000000BC6B,3,10.108.248.26:110,218.17.164.20:26039,,0,4,61,quit,,R=ok

These records have the same sessionId, but the "-ERR Logon failure" record
doesn't include the username, and the second record (user,zouminghua@tcl.com)
doesn't include the logon failure information, only the user information.

How do I write the session collector? Thanks!

BR
Steve zeng


--
steve_zeng
------------------------------------------------------------------------
steve_zeng's Profile: https://forums.netiq.com/member.php?userid=3875
View this thread: https://forums.netiq.com/showthread.php?t=48087
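The correlation the post is asking for, as an added example that is not part of the original thread and not Sentinel Collector SDK code: plain Node.js that keeps per-sessionId state, remembers the account name from the `user` command, and emits one logon event (with user, client IP and outcome) when the `pass` command's context arrives. The sample log is constructed from the records quoted above plus a second, interleaved, successful session; the sensitive-account list and the allowed client network are assumptions for the filter, not anything from the post.

```javascript
"use strict";
// Added example: stitch Exchange 2010 POP3 protocol-log records together by sessionId.
// The "user" command carries the account name, the "pass" command carries the result,
// so a per-session state table is needed to report both on one event.
// Plain JavaScript; it does not use the NetIQ Sentinel Collector SDK API.

// Constructed sample, modelled on the post (second session BC6C is invented).
const SAMPLE_LOG = [
  "#Software: Microsoft Exchange Server",
  "#Version: 14.0.0.0",
  "#Log-type: POP3 Log",
  "#Date: 2013-06-28T00:00:00.587Z",
  "#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context",
  "2013-06-28T00:04:00.067Z,000000000000BC6B,0,10.108.248.26:110,218.17.164.20:26039,,-2147483648,0,51,OpenSession,,",
  "2013-06-28T00:04:01.000Z,000000000000BC6C,0,10.108.248.26:110,10.20.30.40:51000,,-2147483648,0,51,OpenSession,,",
  "2013-06-28T00:04:00.083Z,000000000000BC6B,1,10.108.248.26:110,218.17.164.20:26039,,0,23,5,user,zouminghua@tcl.com,R=ok",
  "2013-06-28T00:04:01.010Z,000000000000BC6C,1,10.108.248.26:110,10.20.30.40:51000,,0,20,5,user,alice@tcl.com,R=ok",
  '2013-06-28T00:04:00.114Z,000000000000BC6B,2,10.108.248.26:110,218.17.164.20:26039,,15,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LoginDenied"',
  "2013-06-28T00:04:00.114Z,000000000000BC6B,3,10.108.248.26:110,218.17.164.20:26039,,0,4,61,quit,,R=ok",
  "2013-06-28T00:04:01.050Z,000000000000BC6C,2,10.108.248.26:110,10.20.30.40:51000,,30,10,20,pass,*****,R=ok",
  "2013-06-28T00:04:02.000Z,000000000000BC6C,3,10.108.248.26:110,10.20.30.40:51000,,0,4,61,quit,,R=ok",
].join("\n");

// Minimal CSV field splitter: handles quoted fields and doubled quotes ("") inside them,
// which is how the context field wraps the -ERR response.
function splitCsv(line) {
  const fields = [];
  let cur = "", inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"') {
        if (line[i + 1] === '"') { cur += '"'; i++; } else inQuotes = false;
      } else cur += ch;
    } else if (ch === '"') inQuotes = true;
    else if (ch === ",") { fields.push(cur); cur = ""; }
    else cur += ch;
  }
  fields.push(cur);
  return fields;
}

// Walk the log once, keep state per sessionId, emit a logon event at the "pass" command.
function correlateLogons(logText) {
  let fieldNames = null, expectFieldNames = false;
  const sessions = new Map();   // sessionId -> { user, cIp, sIp }
  const events = [];
  for (const raw of logText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    if (line.startsWith("#")) {
      if (line.startsWith("#Fields:")) {
        const names = line.slice("#Fields:".length).trim();
        // "#Fields:" with the names wrapped onto the next line (as in the pasted log)
        if (names) fieldNames = names.split(",").map(s => s.trim()); else expectFieldNames = true;
      }
      continue;
    }
    if (expectFieldNames) { fieldNames = line.split(",").map(s => s.trim()); expectFieldNames = false; continue; }
    if (!fieldNames) continue;
    const values = splitCsv(line);
    const rec = {};
    fieldNames.forEach((n, i) => { rec[n] = values[i] === undefined ? "" : values[i]; });
    const sid = rec.sessionId;
    if (!sessions.has(sid)) {
      sessions.set(sid, { user: "", cIp: rec.cIp.split(":")[0], sIp: rec.sIp.split(":")[0] });
    }
    const s = sessions.get(sid);
    const cmd = rec.command.toLowerCase();
    if (cmd === "user") {
      s.user = rec.parameters;                       // account name lives here
    } else if (cmd === "pass") {
      const failed = /LogonFailed|^R="?-ERR/i.test(rec.context);
      events.push({ time: rec.dateTime, sessionId: sid, user: s.user, clientIp: s.cIp,
                    serverIp: s.sIp, outcome: failed ? "failure" : "success", detail: rec.context });
    } else if (cmd === "quit" || cmd === "closesession") {
      sessions.delete(sid);                          // session ended, drop its state
    }
  }
  return events;
}

// IPv4-only CIDR test for the "invalid client IP" part of the requirement.
function ipToInt(ip) { return ip.split(".").reduce((a, o) => ((a << 8) | parseInt(o, 10)) >>> 0, 0); }
function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Keep only logons (any outcome) by sensitive accounts from outside the allowed networks.
function flagSuspicious(events, sensitiveAccounts, allowedNets) {
  const sensitive = new Set(sensitiveAccounts.map(a => a.toLowerCase()));
  return events.filter(e => sensitive.has(e.user.toLowerCase()) && !allowedNets.some(n => inCidr(e.clientIp, n)));
}

if (typeof require !== "undefined" && require.main === module) {
  const events = correlateLogons(SAMPLE_LOG);
  events.forEach(e => console.log(JSON.stringify(e)));
  // Assumed policy: both accounts are sensitive, only 10.0.0.0/8 is an allowed client range.
  console.log(flagSuspicious(events, ["zouminghua@tcl.com", "alice@tcl.com"], ["10.0.0.0/8"]));
}
```

Two points a collector author should carry over: the state table must be keyed by sessionId because sessions interleave in the file (the `seqNumber` only orders records within one session), and the state must be dropped on `quit`/`CloseSession` or a long-running collector leaks memory for sessions that never authenticate. A session that issues `pass` without a preceding `user` (or one split across two log files) will correctly surface with an empty `user`, which is worth alerting on rather than silently dropping.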