Dear All,

I am delivering a Sentinel project for our customer. The customer needs to
collect Exchange POP3 connection logs. They focus on sensitive account
logon success and failure from invalid client IPs, but I found that POP3 user
logon failure events are included in multiple logs with the same sessionID.
I don't know how to write a session collector. Can anyone help me? Thanks!

The POP3 user logon failure logs are as follows:

dateTime,sessionId,seqNumber,sIp,cIp,user,duration ,rqsize,rpsize,command,parameters,context
#Software: Microsoft Exchange Server
#Log-type: POP3 Log
#Date: 2013-06-28T00:00:00.587Z
dateTime,sessionId,seqNumber,sIp,cIp,user,duration ,rqsize,rpsize,command,parameters,context
2013-06-28T00:04:00.067Z,000000000000BC6B,0, 110,,,-2147483648,0,51,OpenSession,,
2013-06-28T00:04:00.083Z,000000000000BC6B,1, 110,,,0,23,5,user,zouminghua@tc,R=ok
2013-06-28T00:04:00.114Z,000000000000BC6B,2, 110,,,15,10,56,pass,*****,"R=""-ERR
Logon failure: unknown user name or bad
2013-06-28T00:04:00.114Z,000000000000BC6B,3, 110,,,0,4,61,quit,,R=ok

These logs have the same sessionId, but the "-ERR Logon failure" logs don't
include the username, and the second log (user, does not
include logon failure information but only includes user information.

How do I write the session collector? Thanks!

Steve zeng
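
The correlation asked about above, as an added example that is not part of the original post and uses no Sentinel SDK calls: plain JavaScript that keeps state per sessionId, so the `pass` line carrying "-ERR" is joined to the username from the earlier `user` line. The function names and the sample IPs, session IDs and users are constructed for illustration.

```javascript
// Helper names are this example's own. Split one CSV line, honouring
// quoted fields that contain doubled "" quotes (as the context column does).
function splitCsv(line) {
  const out = [];
  let cur = '', inQ = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQ && ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
    else if (ch === '"') inQ = !inQ;
    else if (ch === ',' && !inQ) { out.push(cur); cur = ''; }
    else cur += ch;
  }
  out.push(cur);
  return out;
}

// Return one event per "pass" line, joined to the "user" line of the same session.
function correlate(lines) {
  const sessions = new Map(); // sessionId -> { user, cIp }
  const events = [];
  for (const line of lines) {
    if (!line || line.startsWith('#') || line.startsWith('dateTime,')) continue;
    const f = splitCsv(line).map((v) => v.trim());
    if (f.length < 12) continue; // continuation of a wrapped line: skip
    const [dateTime, sessionId, , , cIp, , , , , command, parameters, context] = f;
    const cmd = command.toLowerCase();
    const s = sessions.get(sessionId) || { user: null, cIp: null };
    if (cIp) s.cIp = cIp;
    if (cmd === 'user') s.user = parameters;
    if (cmd === 'pass') {
      const outcome = context.includes('-ERR') ? 'failure' : context === 'R=ok' ? 'success' : 'unknown';
      events.push({ dateTime, sessionId, user: s.user, cIp: s.cIp, outcome });
    }
    if (cmd === 'quit') sessions.delete(sessionId); // session over: free its state
    else sessions.set(sessionId, s);
  }
  return events;
}

// Constructed sample: two interleaved sessions, documentation-range IPs, made-up users.
const SAMPLE = [
  '2013-06-28T00:04:00.067Z,00000000000000A1,0,192.0.2.10:110,198.51.100.7:50123,,0,0,51,OpenSession,,',
  '2013-06-28T00:04:00.070Z,00000000000000A2,0,192.0.2.10:110,198.51.100.9:50200,,0,0,51,OpenSession,,',
  '2013-06-28T00:04:00.083Z,00000000000000A1,1,192.0.2.10:110,198.51.100.7:50123,,0,23,5,user,alice@example,R=ok',
  '2013-06-28T00:04:00.090Z,00000000000000A2,1,192.0.2.10:110,198.51.100.9:50200,,0,21,5,user,bob@example,R=ok',
  '2013-06-28T00:04:00.114Z,00000000000000A1,2,192.0.2.10:110,198.51.100.7:50123,,15,10,56,pass,*****,"R=""-ERR Logon failure"""',
  '2013-06-28T00:04:00.120Z,00000000000000A2,2,192.0.2.10:110,198.51.100.9:50200,,15,10,20,pass,*****,R=ok',
  '2013-06-28T00:04:00.130Z,00000000000000A1,3,192.0.2.10:110,198.51.100.7:50123,,0,4,61,quit,,R=ok',
];
```

Each object returned by `correlate(SAMPLE)` carries the user, client IP and outcome together, so a sensitive-account list or an allowed-IP check can be applied to it afterwards.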

