Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
936 Views 5 Replies Latest reply: Mar 22, 2013 12:08 PM by Chris Boldiston RSS
pervan Newcomer 3 posts since
Feb 26, 2013
Currently Being Moderated

Mar 7, 2013 3:07 AM

Message Tracking/TMG/Oracle Logs parsing

Hi,

 

Thnx to Artur, I have succeded in collecting message tracking logs from Exchange 2010. However, although collected, the logs are not parsed (or normalized?) enough.

To be precise, almost all usefull information from message tracking logs, as log type (RECEIVE STORE), message subject, sender or receiver info, are showed in Packet tab where you can see original log message but cannot search for its parameters, for example: to search for all messages where sender or receiver is xx@mail.com.

 

By the way, I have noticed this also in logs comming from Microsoft Forefront TMG, and from Oracle DB

 

Any suggestions?

  • Chris Boldiston McAfee SME 79 posts since
    Oct 19, 2012
    Currently Being Moderated
    1. Mar 21, 2013 3:25 PM (in response to pervan)
    Re: Message Tracking/TMG/Oracle Logs parsing

    Hi Pervan

     


    From what I see in the Policy Editor there is one ASP rule for MS_Exchange Events. If that is not parsing correctly there are a couple of ways to resolve this.

     

    First you could make a copy of the current ASP rule and then edit the copy so the fields are parsed as needed.  Make sure you disable the original ASP rule and enable your new one at the correct scope in the Editor for your Data Source.

     

    Secondly, you could submitt a PER for an updated ASP rule at https://mcafee.acceptondemand.com/index.jsp

     

     

     

    Chris

  • artek Apprentice 76 posts since
    Sep 11, 2012
    Currently Being Moderated
    2. Mar 21, 2013 5:52 PM (in response to Chris Boldiston)
    Re: Message Tracking/TMG/Oracle Logs parsing

    Hi Chris,

     

    The Exchange Server (ASP) device source is a little bit curious. When you configure that data source and go to the policy editor you can see one ASP default rule (first on the picture):

     

    ESM23.PNG

     

    But, when you switch from the ASP to the Data Source rules, you can see more rules for this device. It is not possible to see, how exactly that rules are configured, and it is not possible to edit them! I did a lot of tests with my colleagues, and we did not find ANY way to add WORKING custom parsing rule for the Exchange Server ASP data source. AND - all events are parsing by the rules from the Data Source tab.

     

    ESM24.PNG

     

    So - is it ASP data source definition or not? How we can add a CUSTOM rules to this data source?

     

    Regards,

    Artur Sadownik

  • Chris Boldiston McAfee SME 79 posts since
    Oct 19, 2012
    Currently Being Moderated
    3. Mar 22, 2013 9:35 AM (in response to artek)
    Re: Message Tracking/TMG/Oracle Logs parsing

    Hi Artur

     

     

     

    When I check on my system which has not had any Exchange Server Events I see only the ASP rule with no Data Source Rules. So the ones that you are seeing have been learned by the ASP rule. Some ASP rules, which have been written in a certain way, will generate those DS Rules. This makes the parsing of events and generating of alerts more efficient.

     

    What you should be able to do is select one of those DS Rules and then go to Edit > Purge Autolearned Rules and Purge all auto learnined rules for this DS. That may have been the problem with testing your new ASP rule - those DS rules were getting triggered and not the new ASP rule.

     

     

     

    Regards

     

     


    Chris

  • artek Apprentice 76 posts since
    Sep 11, 2012
    Currently Being Moderated
    4. Mar 22, 2013 11:21 AM (in response to Chris Boldiston)
    Re: Message Tracking/TMG/Oracle Logs parsing

    Hi Chris,

     

    I checked that more than two times, and I have to say, that for Exchange ASP data source type are available one ASP rule and a lot of Data Source rules. I confirmed it in a few ours testing environments and in the our customer's production environments... Of course from time to time ESM creates anotler (autolearned) rules, but in this case we have Data Source rules out of the box.

     

    ESM25.PNG

     

    That rules can't be removed, because for them "purge autolearned rules" option is unavailable:

     

     

    2013-03-22 16_41_58-https___172.30.1.16_Application.html.png

     

    An again - below I show, that rules aren't autolearned, but just downloaded from the update server:

     

    2013-03-22 17_00_57-https___172.30.1.16_Application.html.png

     

     

    Chris - could you explain me how exactly the parsing mechanism work? Is it possible to create more than one ESM events from the one data source event, when event data fits to more than one rule? Which rule will be chosen first? We did some tests for the Exchange Message Tracking logs, and we can't to add our working ASP rule - always ESM choses the Data Source rules - so the ASP rules did not work.

     

    Regards,

    Artur Sadownik

  • Chris Boldiston McAfee SME 79 posts since
    Oct 19, 2012
    Currently Being Moderated
    5. Mar 22, 2013 12:08 PM (in response to artek)
    Re: Message Tracking/TMG/Oracle Logs parsing

    Hi Artur

     

     

     

    Yes you are correct that those have been added by McAfee Rules. I had only looked at the Rules for Device Type 348 and had not assigned a DS as Exchange Server (ASP). Once it is assigned then those are also part of the 348 rules. Some ASP Rules also include DS Rules and that varies on the DS that you are using.

     

    As you point out those DS Rules cannot be purged but can you try disabling those DS Rules and then the ASP Rule should be triggered.

     

     


    Chris

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points