« Previous Next »

Thread: Exchange Message Tracking to Syslog - Can it be done?

Last post 03-07-2006 9:06 AM by LogParser User : montm. 10 replies.

Average Rating Rate It (5)

RSS

Page 1 of 1 (11 items)

Sort Posts:

Shortcuts

Search | Active Posts | Unanswered Posts | View all users

  • 06-08-2005, 8:01 AM

    Exchange Message Tracking to Syslog - Can it be done?

    Reply Contact
    Hello all,

    I have a need to send the Exchange 2000/2003 Message Tracking logs to a syslog server. I know that you can do this with the log parser command and output to syslog, or so it seems thru my reading. Does anyone have any advice on how to do this? Some considerations are:

    1) Done ever hour or so for backup purposes to a remote syslog server
    2) Only parse what has happend in the last hour, not all files.


    I am not for sure if you can do the last option. Is there a way to make it look at only the newest file and then archive it when done so it will not get re-parsed?

    Thanks for the advice and help.

    Nick
    Tags:

  • 06-08-2005, 10:04 AM In reply to

    RE: Exchange Message Tracking to Syslog - Can it be done?

    Mark as Answer
    Reply Contact

    Sure you can do all of this!

    First off, it's up to you to figure out how to 'map' an exchange log entry to a syslog message. To see how mappings can be done, checkout the SYSLOG output format help in the online docs.

    Second, to parse only new data, checkout the "Incremental Parsing" feature, aka "checkpointing" under "Advanced Features" in the online docs. It's exactly what you're looking for.

    Finally, a hint: you can parse Exchange Tracking log files with the W3C input format.
    Tags:

  • 06-08-2005, 11:12 AM In reply to

    RE: Exchange Message Tracking to Syslog - Can it be done?

    Mark as Answer
    Reply Contact
    Gabriele,

    Thanks for you assitance. That is what I was looking for.

    On another question, is there any large test data for Message Tracking that I could run the command against?

    THanks again.

    Nick
    Tags:

  • 06-09-2005, 9:04 AM In reply to

    RE: Exchange Message Tracking to Syslog - Can it be done?

    Mark as Answer
    Reply Contact
    I don't have any, sorry...may be some other forum user might have a large file for you....
    Tags:

  • 03-04-2006, 9:58 PM In reply to

    RE: Exchange Message Tracking to Syslog - Can it be done?

    Mark as Answer
    Reply Contact

    I too am looking to strean the message tracking log to syslog.  I am still working on the basic sript, then willl look at the syslog part.  I am hoping someone can give me a hand and expedite the sollution.

    Here is what I currently have:

    logparser "SELECT TO_TIME( TO_LOCALTIME( TO_TIMESTAMP (REPLACE_STR(STRCAT(STRCAT(date,' '), time),' GMT',''),'yyyy-M-d h:m:s') ) ) as DateTime, [client-ip], [Client-hostname], [Partner-name], [Server-hostname], [server-IP], [Recipient-Address], [Event-ID], [MSGID], [Priority], [Recipient-Report-Status], [total-bytes], [Number-Recipients], TO_Timestamp(REPLACE_STR([Origination-time], ' GMT',''),'yyyy-M-d h:m:s') as [Origination Time], Encryption, [service-Version], [Linked-MSGID], [Message-Subject], [Sender-Address] from D:\MEX_LOG\TITAN.LOG\20060305.log" -i:w3c

    This is only returning the time though.  I am a newbie on this, but did pick up the Log Parser Toolkit book today.  This actually work beautifully short of not returning the date.

     

    Any help would be appreciated.

     

    TIA

     

    Mont 
    Tags:

  • 03-05-2006, 9:27 AM In reply to

    RE: Exchange Message Tracking to Syslog - Can it be done?

    Mark as Answer
    Reply Contact
    The TO_TIME function strips the date off of DateTime.

    Also I would think the date and time fields of W3C shouldn't require any string manipulation..
    Instead of this:
    TO_LOCALTIME( TO_TIMESTAMP (REPLACE_STR(STRCAT(STRCAT(date,' '), time),' GMT',''),'yyyy-M-d h:m:s') ) as DateTime

    You should be able to do just this:
    TO_LOCALTIME( TO_TIMESTAMP(date,time) ) AS DateTime
    Tags:

  • 03-05-2006, 4:52 PM In reply to

    RE: Exchange Message Tracking to Syslog - Can it be done?

    Mark as Answer
    Reply Contact

    Daniel,

     

    Thanks for the reply.  I tried what you suggest and I got nulls for the datetime.  Perhaps I am not picking up on something I should be assuming.  I am trying to transform the 2 GMT timestamps in the message tracking logs to UTC formatted localtime ( i.e. 2006-03-04 17:44:40 ).  I do wonder if there is not a much simpler way of getting there.  That being said, I know I am close.  I realized after my initial post that I could simply change the expression from TO_TIME to TO_DATE to get the date and vice versa.  From there I tried to concatenate the 2, but that would seem to require string formatting (?).  I was able to reduce both to string format.  So from here it would seem a small step to STRCAT the 2.  Been at it for an hour or so and no joy.

    Here's the date piece:

    logparser "SELECT TO_STRING (TO_DATE( TO_LOCALTIME( TO_TIMESTAMP (REPLACE_STR(STRCAT(STRCAT(date,' '), time),' GMT',''),'yyyy-M-d h:m:s') ) ),'yyyy-MM-dd hh:mm:ss') as DateTime,  TO_Timestamp(REPLACE_STR([Origination-time], ' GMT',''),'yyyy-M-d h:m:s') as [Origination Time] from D:\MEX_LOG\TITAN.LOG\20060305.log" -i:w3c

    ... and the time piece:

    logparser "SELECT TO_STRING (TO_TIME( TO_LOCALTIME( TO_TIMESTAMP (REPLACE_STR(STRCAT(STRCAT(date,' '), time),' GMT',''),'yyyy-M-d h:m:s') ) ),'yyyy-MM-dd hh:mm:ss') as DateTime,  TO_Timestamp(REPLACE_STR([Origination-time], ' GMT',''),'yyyy-M-d h:m:s') as [Origination Time] from D:\MEX_LOG\TITAN.LOG\20060305.log" -i:w3c
     

     
    Tags:

  • 03-05-2006, 7:53 PM In reply to

    RE: Exchange Message Tracking to Syslog - Can it be done?

    Mark as Answer
    Reply Contact
    Could you give me an excerpt of your log file that I could play around with? I don't have any w3c files so it hampers my ability to test ideas.
    Tags:

  • 03-05-2006, 8:05 PM In reply to

    RE: Exchange Message Tracking to Syslog - Can it be done?

    Mark as Answer
    Reply Contact

    Daniel,

     

    Thanks for engaging.  Here's a bit of the file...  Am hoping I have not mangled the format in presenting/anoymizing this scrap.
    Tags:

  • 03-06-2006, 10:59 AM In reply to

    RE: Exchange Message Tracking to Syslog - Can it be done?

    Mark as Answer
    Reply Contact
    That was exactly what I needed.

    The ultimate issue here is that LogParser's Timestamp data type has no support for timezone identifiers or offsets. Something I sincerely think should be fixed in the next version.

    The -i:W3C format example shows that it recognizes the Date and Time fields as Timestamp fields, but apparently the format that is being used for your log files isn't understood so they are coming in as regular strings. This means that you do have to do some string processing. :/

    Here is my attempt at making the transformation to localtime timestamps as concise and simple as possible. HTH

    SELECT
          DateTime
        , [Origination Time]
    USING
          TO_TIMESTAMP(date, 'yyyy-M-d') AS RealDate
        , TO_TIMESTAMP(time, 'h:m:s G\MT') AS RealTime
        , TO_LOCALTIME(TO_TIMESTAMP(RealDate,RealTime)) as DateTime
        , TO_LOCALTIME(TO_TIMESTAMP([Origination-time], 'yyyy-M-d h:m:s G\MT')) as [Origination Time]
    FROM message.log
    Tags:

  • 03-07-2006, 9:06 AM In reply to

    RE: Exchange Message Tracking to Syslog - Can it be done?

    Mark as Answer
    Reply Contact

    Daniel,

    IO.  This is great !!  Much cleaner... and works.

    TY TY TY

    Regards,

    Mont
    Tags:
Page 1 of 1 (11 items)
Microsoft Communities