knorkator
May 26, 2014, updated at 08:19:01 (UTC)
view5692
view3
1
Goto Top

Analyse der SMTP Traffic Log Dateien per Powershell

GermanTipExchange ServerMicrosoft
Hallo,

habe mir eine kleine Powershell Funktion geschrieben mit der ich die Exchange SMTP Logdateien Filtern kann.
Ist nichts besonderes und es gibt bestimmt auch andere Wege, aber ich wollte es einfach mal teilen um zu schauen, ob noch jemand was dazu beitragen kann / möchte.


Nach Eingabe einer Email Adresse werden die letzten 3 Logdateien nach Einträgen durchsucht, die diese Adresse betreffen.
Die Ausgabe wird in die Zwischenablage kopiert und kann dann z.b. in Notepad++ importiert werden.


function Exchangelog ()
{
$EmailAddr = Read-host "Nach welcher Email Adresse soll gesucht werden?"  
	$Exchfiles=gci "C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend" | sort creationtime | select -last 3  
	$exlog = "$env:temp\exlog.txt"  
	if (test-path $env:temp\exlog.txt) {remove-item $env:temp\exlog.txt}

	foreach ($ExLogFile in $Exchfiles) {
		$liste = select-string -Path $ExLogfile -pattern $EmailAddr | select line
			If ($Liste) {
				foreach ( $arr in $liste) {
				$arr = $arr.line -split ","  
				$ht =@{}
				$ht["Time"] = $arr  
				$ht["Connector"] = $arr[1]  
				$ht["ExchangeID"] = $arr[2]  
				$ht["MailFrom"] = $arr[7]   
				$ht | out-file $exlog -append
					foreach ($ExchangeID in $HT.ExchangeID) {
					$Treffer= select-string -path $ExLogFile -pattern $ExchangeID | select line | foreach-object { 
						$_.line.remove(0,56)					
						}					
					$Treffer | out-file $exlog -append        
					}
				}
			}
	}
	get-content $exlog | clip.exe
}
comment-contentCommentShareShare
Share on Facebook Share on Twitter Share on Reddit Share on Linkedin

Content-Key: 239155

Url: https://administrator.de/contentid/239155

Printed on: April 26, 2024 at 19:04 o'clock

3 Comments
Latest comment
Goto Top
Member: Knorkator
Knorkator May 26, 2014 updated at 08:21:16 (UTC)
Goto Top
Die Ausgabe sieht übrigens so aus:

Name                           Value                                                                                                                                                                                                                     
----                           -----                                                                                                                                                                                                                     
ExchangeID                     08D1437A9AEFF85E                                                                                                                                                                                                          
MailFrom                       RCPT TO:<echo@tu-berlin.de>                                                                                                                                                                                               
Connector                      SMTP über DNS                                                                                                                                                                                                             
Time                           2014-05-26T05:41:32.270Z                                                                                                                                                                                                  


0,,130.149.7.33:25,*,,attempting to connect
1,192.168.100.211:14329,130.149.7.33:25,+,,
2,192.168.100.211:14329,130.149.7.33:25,<,"220 mail.tu-berlin.de - ESMTP (exim-4.72/mailfrontend-8) ready at Mon, 26 May 2014 07:41:32 +0200",
3,192.168.100.211:14329,130.149.7.33:25,>,EHLO Mailserver.Domain.com,
4,192.168.100.211:14329,130.149.7.33:25,<,250-mail.tu-berlin.de Hello Mailserver.Domain.com [123.123.123.123],
5,192.168.100.211:14329,130.149.7.33:25,<,250-SIZE 157286400,
6,192.168.100.211:14329,130.149.7.33:25,<,250-8BITMIME,
7,192.168.100.211:14329,130.149.7.33:25,<,250-PIPELINING,
8,192.168.100.211:14329,130.149.7.33:25,<,250-STARTTLS,
9,192.168.100.211:14329,130.149.7.33:25,<,250 HELP,
10,192.168.100.211:14329,130.149.7.33:25,>,STARTTLS,
11,192.168.100.211:14329,130.149.7.33:25,<,220 TLS go ahead,
12,192.168.100.211:14329,130.149.7.33:25,*,,Sending certificate
13,192.168.100.211:14329,130.149.7.33:25,*,"CN=Domain.com, OU=Multi-Domain SSL, OU=IT, O=Firma, STREET=Straße, L=Ort, S=NRW, PostalCode=12345, C=DE",Certificate subject
14,192.168.100.211:14329,130.149.7.33:25,*,"CN=COMODO High-Assurance Secure Server CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",Certificate issuer name
15,192.168.100.211:14329,130.149.7.33:25,*,4711,Certificate serial number
16,192.168.100.211:14329,130.149.7.33:25,*,4711,Certificate thumbprint
17,192.168.100.211:14329,130.149.7.33:25,*,Domain.com;autodiscover.Domain.com;Mailserver.Domain.com,Certificate alternate names
18,192.168.100.211:14329,130.149.7.33:25,*,,Received certificate
19,192.168.100.211:14329,130.149.7.33:25,*,FA5E6159F9C3AEFD62AC114BD45A2C4957A93053,Certificate thumbprint
20,192.168.100.211:14329,130.149.7.33:25,>,EHLO Mailserver.Domain.com,
21,192.168.100.211:14329,130.149.7.33:25,<,250-mail.tu-berlin.de Hello Mailserver.Domain.com [123.123.123.123],
22,192.168.100.211:14329,130.149.7.33:25,<,250-SIZE 157286400,
23,192.168.100.211:14329,130.149.7.33:25,<,250-8BITMIME,
24,192.168.100.211:14329,130.149.7.33:25,<,250-PIPELINING,
25,192.168.100.211:14329,130.149.7.33:25,<,250-AUTH PLAIN LOGIN GSSAPI,
26,192.168.100.211:14329,130.149.7.33:25,<,250 HELP,
27,192.168.100.211:14329,130.149.7.33:25,*,214540,sending message
28,192.168.100.211:14329,130.149.7.33:25,>,MAIL FROM:<Absender@domain.com> SIZE=4391,
29,192.168.100.211:14329,130.149.7.33:25,>,RCPT TO:<echo@tu-berlin.de>,
30,192.168.100.211:14329,130.149.7.33:25,<,250 OK,
31,192.168.100.211:14329,130.149.7.33:25,<,250 Accepted,
32,192.168.100.211:14329,130.149.7.33:25,>,DATA,
33,192.168.100.211:14329,130.149.7.33:25,<,"354 Enter message, ending with ""."" on a line by itself",
34,192.168.100.211:14329,130.149.7.33:25,<,250 OK id=1WonfA-0005j0-lN,
35,192.168.100.211:14329,130.149.7.33:25,>,QUIT,
36,192.168.100.211:14329,130.149.7.33:25,<,221 mail.tu-berlin.de closing connection,
37,192.168.100.211:14329,130.149.7.33:25,-,,Local
Member: colinardo
colinardo May 26, 2014 updated at 09:16:00 (UTC)
Goto Top
Moin Knorkator,
zur Info: Dafür gibts das schöne CMDLet Get-MessageTrackingLog face-smile in der EMC:
get-messagetrackinglog -resultsize unlimited -Sender "user@sender.com" | Select Sender,{$_.Recipients},{$_.RecipientStatus},MessageSubject,TimeStamp, EventId, Source, SourceContext,MessageId,InternalMessageId,ClientIP,ClientHostName,ServerIP,ServerHostName,ConnectorId,TotalBytes,RecipientCount,RelatedRecipientAddress,Reference,ReturnPath,MessageInfo | Export-Csv "C:\Nachrichtenlog.csv"
Grüße Uwe
heart1
Member: Knorkator
Knorkator May 26, 2014 at 09:16:22 (UTC)
Goto Top
Get-Messagetrackinglog zeigt mir aber nicht die SMTP Verbindungsdaten an.

Das o.a Script dient ja eher dazu, den genauen Gesprächsverlauf der beteiligten Server aufzulisten.

Ob man das jetzt braucht ist was anderes... face-smile
GermanTipExchange ServerMicrosoft