Microsoft Exchange Server produces a range of mail-related log data.

Exchange servers prior to Exchange 2008, and Exchange 2008 and newer, use slightly different log formats.

The Snare Central collection subsystem is able to collect both versions. For Exchange 2008 and newer, logs are injected into the Exch2008MTLog table.

Sample Events

COXXXXXXX02.corp.local    Exch2008MT    1    2015-01-14T05:58:10.906Z,172.xx.xx.xx, COXXXXXXX02.corp.local,172.27.50.82,COXXXXXXX02,08D1FCE6D4FBD9DA,,STOREDRIVER,RECEIVE,0,<f7c8217d13494738a4e840a9a7c29cb7@CORPPVEX02.corp.local>,c58fdeeb-cdd2-4e3f-5df9-08d1fdd63623, User1@issues.gov.au; User2@issues.gov.au; user3@issues.gov.au,To;To;To,13909,3,,,RE: Meeting with Ross to provide hime with an ERF Update [SEC=UNOFFICIAL],User4@issues.gov.au,User5@ issues.gov.au,04I:,Originating,,158.xx.xxx.xx,172.xx.xx.xx,S:MailboxDatabaseGuid=142410dc-d24b-41bd-8472-7624f2ed4672;S:ItemEntryId=00-00-00-00-49-E0-E1-9D-A4-07-51-42-99-6F-BF-2A-E4-7E-11-F2-07-00-2E-3B-F2-6E-E8-8D-7A-44-95-78-CE-20-07-F2-A4-78-00-00-00-00-01-0C-00-00-2E-3B-F2-6E-E8-8D-7A-44-95-78-CE-20-07-F2-A4-78-00-00-35-7C-1B-7E-00-00;S:DeliveryPriority=Normal;S:ExternalOrgIdNotSetReason=

mailserver.myorg.com    Exch2013MT    0    2015-06-09T07:42:05.663Z,::1,new_server.domain.name,::1,new_server,08D2709EE9F931CB,,STOREDRIVER,RECEIVE,1 <3241C2F7C7B8274186CC2371685316E2B5E2@new_server.domain.name>,test@i.ua,To,7671,1,,,test,user1@domain.name,user1@domain.name,04I:,Originating,,192.168.1.57,::1,S:MailboxDatabaseGuid=75874d96-7520-46fe-b99a-22197b911fb6;S:ItemEntryId=00-00-00-00-22-D6-75-A0-45-43-F1-48-9F-CC-D9-3C-E7-A4-B9-97-07-00-32-41-C2-F7-C7-B8-27-41-86-CC-23-71-68-53-16-E2-00-00-00-00-00-09-00-00-32-41-C2-F7-C7-B8-27-41-86-CC-23-71-68-53-16-E2-00-00-00-00-B5-E5-00-00

mailserver.myorg.com    Exch2013MT    0    2015-06-09T07:42:06.460Z,,,,new_server,ContentConversion,,ROUTING,TRANSFER,2,<3241C2F7C7B8274186CC2371685316E2B5E2@new_server.domain.name>,test@i.ua,,6272,1,,1,test,user1@domain.name,user1@domain.name,,Originating,