Hello Bruno,
Your sample event is missing some fields necessary for the Exchange DSM to properly set the Event ID. For the W3C format, it's looking for a "cs-version" field and if not found it falls back to "s-sitename". The value taken from one of these fields is then paired with the "cs-method" field to form a compound Event ID like so:
<cs-version or s-sitename>::<cs-method>
Because your sample event has neither cs-version nor s-sitename, the DSM cannot produce a complete Event ID and is rejecting the event. I'm not sure why they aren't there; presumably they are not included in the actual log file being monitored, which may require a change to logging configuration.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
------------------------------
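To make the Event ID rule above concrete, here is an added example (not the QRadar DSM's own code) that splits a WinCollect key=value payload and applies the cs-version / s-sitename fallback paired with cs-method. The rejected line is the one from the original post; the second line is constructed by adding a cs-version field (the "HTTP/1.1" value is an assumed example), and only the W3C rule Colin describes is modelled.

```python
from typing import Dict, List, Optional

# Sample from the original post: no cs-version and no s-sitename present.
MISSING_VERSION = (
    "<13>Feb 15 23:21:50 ExchangeXYZ AgentDevice=MicrosoftExchange AgentLogFile=file.log "
    "PluginVersion=7.3.0.41 AgentLogFormat=W3C AgentLogProtocol=OWA date=2021-02-15 "
    "time=22:21:46 s-ip=y.y.y..y cs-method=POST cs-uri-stem=/EWS/Exchange.asmx "
    "cs-uri-query=&CorrelationID=<empty>;&cafeReqId=cbe38615-7d78-47a5-8017-1bc6fc860753; "
    "s-port=443 cs-username=blahblha c-ip=x.x.x.x "
    "cs(User-Agent)=AppleExchangeWebServices/814+Mail/3654.60.0.2.21 cs(Referer)=- "
    "sc-status=200 sc-substatus=0 sc-win32-status=0 time-taken=14"
)

# Constructed variant: same event with a cs-version field logged (assumed value).
WITH_VERSION = MISSING_VERSION.replace("cs-method=POST", "cs-version=HTTP/1.1 cs-method=POST")


def parse_fields(event: str) -> Dict[str, str]:
    """Split the payload on whitespace and each token on its FIRST '=' only,
    so values that themselves contain '=' (e.g. cs-uri-query) survive intact.
    Tokens without '=' (syslog priority, timestamp, hostname) are skipped."""
    fields: Dict[str, str] = {}
    for token in event.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def exchange_event_id(fields: Dict[str, str]) -> Optional[str]:
    """Apply the W3C rule from the reply: cs-version, else s-sitename, paired
    with cs-method as '<prefix>::<method>'. Returns None when the DSM would
    have no complete Event ID (the 'Unknown Exchange Message' case).
    Assumption: only AgentLogFormat=W3C is modelled here."""
    if fields.get("AgentLogFormat") != "W3C":
        return None
    prefix = fields.get("cs-version") or fields.get("s-sitename")
    method = fields.get("cs-method")
    if not prefix or not method:
        return None
    return f"{prefix}::{method}"


def missing_fields(fields: Dict[str, str]) -> List[str]:
    """Report which Event ID inputs are absent, to compare against the
    Exchange/IIS logging configuration on the monitored server."""
    missing = []
    if not (fields.get("cs-version") or fields.get("s-sitename")):
        missing.append("cs-version or s-sitename")
    if not fields.get("cs-method"):
        missing.append("cs-method")
    return missing
```

Running `exchange_event_id(parse_fields(MISSING_VERSION))` yields None while the constructed line yields "HTTP/1.1::POST", which is the difference between an event parsed by the DSM and one shown as Unknown Exchange Message.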
Original Message:
Sent: Mon February 15, 2021 06:32 PM
From: BrunoMarX
Subject: MS Exchange Logs and Wincollect - Unknown message
Hi Community,
I configured Wincollect to retrieve OWA logs from MS Exchange and send them to QRadar. It works fine and I get them in my QRadar. However, it displays all messages as Unknown Exchange Message after I created a Log Source of type Exchange. DSM and Custom Properties Package are updated.
Here is an example:
<13>Feb 15 23:21:50 ExchangeXYZ AgentDevice=MicrosoftExchange AgentLogFile=file.log PluginVersion=7.3.0.41 AgentLogFormat=W3C AgentLogProtocol=OWA date=2021-02-15 time=22:21:46 s-ip=y.y.y..y cs-method=POST cs-uri-stem=/EWS/Exchange.asmx cs-uri-query=&CorrelationID=<empty>;&cafeReqId=cbe38615-7d78-47a5-8017-1bc6fc860753; s-port=443 cs-username=blahblha c-ip=x.x.x.x cs(User-Agent)=AppleExchangeWebServices/814+Mail/3654.60.0.2.21 cs(Referer)=- sc-status=200 sc-substatus=0 sc-win32-status=0 time-taken=14
Thank you!
Regards,
Bruno
------------------------------
BrunoMarX
------------------------------