# Parse-SMTPReceiveLog
#
# Exchange receive connectors can write every byte exchanged with the remote host to a
# protocol log. Those logs are complete but hard to read by eye: one line per SMTP event,
# many sessions interleaved. This script reads the log files passed to it and emits one
# summary object per SMTP session (endpoints, HELO/EHLO, STARTTLS, AUTH, MAIL FROM,
# disconnect and total duration).
#
# Two lines from such a log (the first is the log's own column header):
#
# #Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
# 2024-09-06T18:00:44.736Z,NAWEX19\Default Frontend NAWEX19,08DCC21699BAA536,9,192.168.100.33:25,40.93.77.2:45301,<,EHLO BEUP281CU002.outbound.protection.outlook.com,
#
# session-id      identifies one connection; every line of that connection carries the same value
# sequence-number numbers the events within a connection and counts upwards
# event           gives the direction or kind of the line:
#                   <  received from the remote host      >  sent to the remote host
#                   +  new connection                      -  connection closed
#                   *  informational (TLS, authentication, session permissions)
# data            the SMTP command or response, context additional details (e.g. the authenticated user)
#
# Usage: .\Parse-SMTPReceiveLog.ps1 -Path <logfile>[,<logfile>...]   (paths may also come from the pipeline)

[CmdletBinding()]
param (
    [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
    [string[]]$Path
)

begin {
    Write-Verbose "BEGIN: init variables"
    # Column names of the receive log. They are passed explicitly because the log's own
    # "#Fields:" line is a comment and Import-Csv would otherwise take the first data line as header.
    $fields = "date-time", "connector-id", "session-id", "sequence-number",
              "local-endpoint", "remote-endpoint", "event", "data", "context"
    # One summary object per session, keyed by session-id
    [hashtable]$connections = @{}
}

process {
    foreach ($file in $Path) {
        Write-Verbose "Process: file $file"
        Import-Csv -Path $file -Header $fields -Delimiter "," | ForEach-Object {
            if ($_.'date-time' -like '#*') {
                # Header lines of the log (#Software, #Version, #Log-type, #Date, #Fields)
                Write-Verbose "Skip comment line"
                return
            }
            if ([string]::IsNullOrEmpty($_.'session-id')) {
                Write-Verbose "Skip line without session-id"
                return
            }

            $sessionID = $_.'session-id'
            # ISO 8601 timestamp such as 2024-09-06T18:00:44.736Z; the cast parses with the invariant culture
            $timestamp = [datetime]$_.'date-time'

            if (-not $connections.ContainsKey($sessionID)) {
                Write-Verbose "New session: $sessionID"
                $connections[$sessionID] = [PSCustomObject]@{
                    SessionId      = $sessionID
                    LocalEndpoint  = $_.'local-endpoint'
                    RemoteEndpoint = $_.'remote-endpoint'
                    ConnectionTime = $timestamp   # first line seen; replaced by the "+" event when present
                    HeloTime       = $null
                    TlsTime        = $null
                    AuthTime       = $null
                    AuthUser       = $null
                    MailStartTime  = $null
                    DisconnectTime = $null
                    TotalTimeSec   = $null
                }
            }
            $session = $connections[$sessionID]

            # Client commands arrive in the "data" column; -like is case-insensitive and tolerates empty data
            if ($_.data -like 'EHLO*' -or $_.data -like 'HELO*') { $session.HeloTime = $timestamp }
            # STARTTLS is the command that begins TLS negotiation; the "*" lines that follow carry certificate details
            if ($_.data -like 'STARTTLS*')                         { $session.TlsTime = $timestamp }
            if ($_.data -like 'AUTH*')                             { $session.AuthTime = $timestamp }
            # After a successful AUTH the log notes "... authenticated" with the user name in the context column
            if ($_.data -like '*authenticated')                    { $session.AuthUser = $_.context }
            # MAIL FROM starts the mail transaction
            if ($_.data -like 'MAIL FROM*')                        { $session.MailStartTime = $timestamp }

            switch ($_.event) {
                '+' { $session.ConnectionTime = $timestamp }
                '-' {
                    $session.DisconnectTime = $timestamp
                    $session.TotalTimeSec   = ($session.DisconnectTime - $session.ConnectionTime).TotalSeconds
                }
            }
        }
    }
}

end {
    Write-Verbose "Export data: start"
    # Emit the per-session summaries, oldest connection first
    $connections.Values | Sort-Object ConnectionTime
    Write-Verbose "Export data: done"
}
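A worked usage example for the script above, added here and not part of the original script: it writes a small constructed receive log (two sessions; the connector name is the one from the header comment, the second session ID, the remote addresses and the user name are invented) to a temporary file, runs the parser on it, and then applies two defender-side checks to the per-session summary objects: an AUTH with no STARTTLS before it (credentials crossed the network in clear text) and an EHLO/HELO that never reached MAIL FROM (a probe or a dropped connection). It assumes the script is saved as `.\Parse-SMTPReceiveLog.ps1` in the current directory.

```powershell
# Added usage example; not part of Parse-SMTPReceiveLog.ps1 itself.
# Assumptions: the script is saved as .\Parse-SMTPReceiveLog.ps1, and the log below is
# constructed for this example in the layout of an Exchange receive protocol log.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2024-09-06T18:00:44.100Z,NAWEX19\Default Frontend NAWEX19,08DCC21699BAA536,0,192.168.100.33:25,40.93.77.2:45301,+,,
2024-09-06T18:00:44.736Z,NAWEX19\Default Frontend NAWEX19,08DCC21699BAA536,1,192.168.100.33:25,40.93.77.2:45301,<,EHLO BEUP281CU002.outbound.protection.outlook.com,
2024-09-06T18:00:44.900Z,NAWEX19\Default Frontend NAWEX19,08DCC21699BAA536,2,192.168.100.33:25,40.93.77.2:45301,<,STARTTLS,
2024-09-06T18:00:45.300Z,NAWEX19\Default Frontend NAWEX19,08DCC21699BAA536,3,192.168.100.33:25,40.93.77.2:45301,<,MAIL FROM:<sender@example.com>,
2024-09-06T18:00:46.000Z,NAWEX19\Default Frontend NAWEX19,08DCC21699BAA536,4,192.168.100.33:25,40.93.77.2:45301,-,,
2024-09-06T18:05:10.000Z,NAWEX19\Default Frontend NAWEX19,08DCC21699BAA537,0,192.168.100.33:25,203.0.113.7:51000,+,,
2024-09-06T18:05:10.200Z,NAWEX19\Default Frontend NAWEX19,08DCC21699BAA537,1,192.168.100.33:25,203.0.113.7:51000,<,EHLO client.example.net,
2024-09-06T18:05:10.400Z,NAWEX19\Default Frontend NAWEX19,08DCC21699BAA537,2,192.168.100.33:25,203.0.113.7:51000,<,AUTH LOGIN,
2024-09-06T18:05:10.900Z,NAWEX19\Default Frontend NAWEX19,08DCC21699BAA537,3,192.168.100.33:25,203.0.113.7:51000,*,authenticated,alice@example.com
2024-09-06T18:05:12.000Z,NAWEX19\Default Frontend NAWEX19,08DCC21699BAA537,4,192.168.100.33:25,203.0.113.7:51000,-,,
'@

$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'receive-sample.log'
Set-Content -Path $tmp -Value $sampleLog -Encoding ascii

# One summary object per session, as produced by the script
$sessions = .\Parse-SMTPReceiveLog.ps1 -Path $tmp
$sessions | Format-Table SessionId, RemoteEndpoint, HeloTime, TlsTime, AuthTime, AuthUser, MailStartTime, TotalTimeSec

# Check 1: credentials submitted without a preceding STARTTLS, i.e. in clear text on the wire.
# With the sample above this flags session 08DCC21699BAA537 (AUTH LOGIN, no STARTTLS).
$sessions | Where-Object { $_.AuthTime -and -not $_.TlsTime } | ForEach-Object {
    Write-Warning "Session $($_.SessionId) from $($_.RemoteEndpoint): AUTH as $($_.AuthUser) without STARTTLS"
}

# Check 2: sessions that sent EHLO/HELO but never started a mail transaction
# (typical for scanners, banner grabs and dropped connections). Also flags the second session.
$sessions | Where-Object { $_.HeloTime -and -not $_.MailStartTime } | ForEach-Object {
    Write-Warning "Session $($_.SessionId) from $($_.RemoteEndpoint): EHLO but no MAIL FROM"
}

Remove-Item $tmp
```

Both checks work only on the summary fields the script records, so they are heuristics: a session in which STARTTLS was logged but the negotiation failed afterwards still shows a TlsTime, and the log itself is the place to look when a warning fires.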