Microsoft Exchange Server sample event message
Use this sample event message to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage returns or line feed characters.
Microsoft Exchange Server sample message when you use the Microsoft Exchange protocol
The following sample shows a send external event.
SourceIp=10.91.5.110 AgentDevice=WindowsExchange AgentLogFile=MSGTRK2018112722-1.LOG AgentLogFormat=MSGTRK date-time=2018-11-27T22:40:02.966Z client-ip=10.4.11.100 client-hostname=testHostName server-ip=192.168.25.195 server-hostname=qradar.example.test source-context=;250 2.0.0 OK b139-v6si456977itb.104 - gsmtp;ClientSubmitTime: connector-id=Outbound Mail source=SMTP event-id=SENDEXTERNAL internal-message-id=64441689310559 message-id=<admin4@qradar.domain.test> network-message-id=0fd591fe-1cc4-47f0-0bbc-08d654b944f3 recipient-address=admin3@qradar.domain.test recipient-status=250 2.1.5 OK b139-v6si456977itb.104 - gsmtp total-bytes=7249 recipient-count=1 related-recipient-address= reference= message-subject=Receipt sender-address=admin1@qradar.domain.test return-path=admin2@qradar.domain.test message-info=2018-11-27T22:40:02.194Z;SRV=testHostName.BLAH.BLAH.BLAH:TOTAL-FE=0.006|SMR=0.004(SMRPI=0.002(SMRPI-FrontendProxyAgent=0.002))|SMS=0.001;SRV=testHostName.BLAH.BLAH.BLAH:TOTAL-HUB=0.765|SMR=0.103(SMRDE=0.001|SMRC=0.101(SMRCL=0.101))|CAT=0.030(CATOS=0.005(CATSM=0.005(CATSM-Unified Group Post Sent Item Routing Agent=0.004))|CATRESL=0.002|CATORES=0.020(CATRS=0020(CATRS-Transport Rule Agent=0.001(X-ETREX=0.001)|CATRS-Index Routing Agent=0.017)))|QDE=0.120|SMSC=0.127(X-SMSDR=0.120)|SMS=0.382 directionality=Originating tenant-id= original-client-ip= original-server-ip= custom-data=S:E2ELatency=0.771;S:ExternalSendLatency=0.141;S:ToEntity=Internet;S:FromEntity=Internet;S:MsgRecipCount=1;S:IncludeInSla=True;S:Microsoft.Exchange.Transport.MailRecipient.RequiredTlsAuthLevel=Opportunistic;S:Microsoft.Exchange.Transport.MailRecipient.EffectiveTlsAuthLevel=EncryptionOnly;S:IsSmtpResponseFromExternalServer=True;S:DeliveryPriority=Normal;S:OriginalFromAddress=admin1@qradar.domain.test;S:AccountForest=BLAH.BLAH.BLAH transport-traffic-type=Email log-id=755ab09c-9c04-44aa-8b07-08d654b94568 schema-version=15.01.1261.039| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | AgentLogFormat + event-id |
| Username | sender-address |
| Source IP | client-ip |
| Destination IP | server-ip |