question

CurrencyExchange-1588 asked:

RPC Client access logs (MAPIhttp)

Hello,

Would anyone be able to provide the documentation that describes the log format for these logs? I believe they are RPC Access logs, but I've also seen them referred to as MAPI HTTP logs.

2017-01-02T12:29:47.946Z,45360,0,/o=domainco/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=f01996703bbf4d0a9fb073ebb71a154f-user name,,OUTLOOK.EXE,14.0.7172.5000,Cached,172.22.26.44,"Connection Info[GUID:074f8e3f-ab7e-4171-b212-c8f4f5b73a1b, Attempts:4, Flags:0, Ctx:]",::1,MapiHttp,,R:{E3840B23-6CE0-4FE3-9F34-54A1167A9EEA}:4|A:08ec51b8-fa1e-4943-b37f-1534ede81013|FE:CO-EXSRV4.domainCO.LOCAL,C:MAPIAAAAAOaphMGZypjO+tnr2+rc8cDy3+3e/s//xfDD+cr/pYawgrODs4C0gS+xAAAAAAAA,Connect,1010 (rpc::LoginPerm),00:00:00.0150000,"SID=S-1-5-21-3914747541-1987656476-2091229219-1465, Flags=None","RpcDispatch: [LoginPermException] 'User SID: S-1-5-21-3914747541-1987656476-2091229219-1465' can't act as owner of a UserMailbox object '/o=domainco/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=f01996703bbf4d0a9fb073ebb71a154f-user name' with SID S-1-5-21-3914747541-1987656476-2091229219-17161 and MasterAccountSid (StoreError=LoginPerm) at M.E.R.Server.UserManager.User.CorrelateIdentityWithLegacyDN(ClientSecurityContext clientSecurityContext) at M.E.R.Server.RpcDispatch.<>c_DisplayClasse.<EcDoConnectEx>b_a() at M.E.R.Server.RpcDispatch.Execute(Func`1 getExecuteParameters, Func`1 executeDelegate, Action`1 exceptionSerializationDelegate)",,S:ActivityStandardMetadata.UserId=ADGuid:4cb12591-1146-42a3-a1fd-c0d269e55105;S:ActivityStandardMetadata.Puid=;S:ActivityStandardMetadata.UserEmail=user@domain.net;S:ActivityStandardMetadata.TenantId=domain.net;S:ActivityStandardMetadata.Component=RCA/Mailbox;S:WLM.BT=Rca;S:ActivityStandardMetadata.Protocol=RPC/MapiHttp;S:ActivityStandardMetadata.ClientInfo=OUTLOOK.EXE/14.0.7172.5000;S:ActivityStandardMetadata.TenantGuid=;I32:ADS.C[PDC]=2;F:ADS.AL[PDC]=2.3256;I32:ATE.C[PDC.domainco.local]=1;F:ATE.AL[PDC.domainco.local]=0;I32:ADS.C[DC]=2;F:ADS.AL[DC]=2.2548;I32:ATE.C[BDC.domainco.local]=2;F:ATE.AL[BDC.domainco.local]=0,user@domain.net,,


Basically, each field is delimited by commas, but I'd like to know precisely what each field is for, although I understand that some are self-explanatory. I've been looking through multiple documents and I can't find anything regarding this information. Maybe it's the way it is being parsed out, but if there is a guide, that would be extremely helpful.

For example, here is Palo Alto providing a document for the format of their Traffic logs, which are also typically comma-delimited.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields.html

If you would rather not click the link, here is the format they provide:

Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, SCTP Association ID, SCTP Chunks, SCTP Chunks Sent, SCTP Chunks Received


Then they provide a bit of documentation as to what each of these fields is for.


had to clean it up a bit, should look better now.


1 Answer

ZhengqiLou-MSFT answered:

Hi @CurrencyExchange-1588 ,

I've checked these logs, and I think they are RPC Client Access logs ($ExInstallPath\Logging\RPC Client Access).

Fields: date-time,session-id,seq-number,client-name,organization-info,client-software,client-software-version,client-mode,client-ip,client-connection-info,server-ip,protocol,application-id,request-ids,session-cookie,operation,rpc-status,processing-time,operation-specific,failures,performance-data,activity-context-data,user-email,passport-unique-id

Regards,
Lou


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
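As an added example (not code from the question or the answer), here is a small Python parser that splits one line of this log in the field order Lou lists, unpacks the activity-context-data field, and summarizes lines whose rpc-status is non-zero. The sample line is constructed, modeled on the one in the question with the long fields shortened; treating a non-zero status code as a failure, and keeping columns past the known header under "extra", are assumptions.

```python
import csv, io, re

# Header order as given in the answer (Exchange RPC Client Access log).
RCA_FIELDS = ("date-time,session-id,seq-number,client-name,organization-info,client-software,"
              "client-software-version,client-mode,client-ip,client-connection-info,server-ip,"
              "protocol,application-id,request-ids,session-cookie,operation,rpc-status,"
              "processing-time,operation-specific,failures,performance-data,"
              "activity-context-data,user-email,passport-unique-id").split(",")

SAMPLE_LINE = (  # constructed, modeled on the question's line with long fields shortened
    '2017-01-02T12:29:47.946Z,45360,0,/o=domainco/ou=Exchange Administrative Group '
    '(FYDIBOHF23SPDLT)/cn=Recipients/cn=f019-user name,,OUTLOOK.EXE,14.0.7172.5000,Cached,'
    '172.22.26.44,"Connection Info[GUID:074f8e3f, Attempts:4, Flags:0, Ctx:]",::1,MapiHttp,,'
    'R:{E3840B23}:4|FE:CO-EXSRV4.domainCO.LOCAL,C:MAPIAAAA,Connect,1010 (rpc::LoginPerm),'
    '00:00:00.0150000,"SID=S-1-5-21-3914747541-1465, Flags=None","RpcDispatch: '
    "[LoginPermException] 'User SID' can't act as owner (StoreError=LoginPerm) at "
    'M.E.R.Server.RpcDispatch.Execute(Func`1 a, Func`1 b)",,S:ActivityStandardMetadata.'
    'UserEmail=user@domain.net;S:ActivityStandardMetadata.Protocol=RPC/MapiHttp;'
    'I32:ADS.C[PDC]=2;F:ADS.AL[PDC]=2.3256,user@domain.net,,'
)

def parse_rca_line(line):
    """Split one log line into a dict keyed by the header names above. csv handles the
    quoted fields (connection info, failures) that carry embedded commas; any columns
    past the known header are kept under 'extra' (assumption) rather than dropped."""
    cols = next(csv.reader(io.StringIO(line)))
    rec = {n: (cols[i] if i < len(cols) else "") for i, n in enumerate(RCA_FIELDS)}
    rec["extra"] = cols[len(RCA_FIELDS):]
    return rec

def parse_activity_context(value):
    """activity-context-data is ';'-separated 'prefix:key=value' entries; strip the prefix."""
    ctx = {}
    for item in filter(None, value.split(";")):
        key, _, val = item.partition("=")
        ctx[key.partition(":")[2] or key] = val
    return ctx

def triage_failures(lines):
    """Summarize lines whose rpc-status code is non-zero (assumed to mean failure),
    pulling the exception class out of the bracketed tag in the failures field."""
    out = []
    for rec in map(parse_rca_line, lines):
        m = re.match(r"(\d+)(?:\s*\((.*?)\))?", rec["rpc-status"])
        if not m or m.group(1) == "0":
            continue
        exc = re.search(r"\[(\w+)\]", rec["failures"])
        out.append({"time": rec["date-time"], "client-ip": rec["client-ip"],
                    "user": rec["user-email"], "operation": rec["operation"],
                    "status": int(m.group(1)), "status-name": m.group(2) or "",
                    "exception": exc.group(1) if exc else ""})
    return out
```

Feeding a whole log file through triage_failures gives a quick list of which client IP and mailbox produced each LoginPerm or similar error, which is the usual starting point when chasing a permission failure in these logs.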


Hi @CurrencyExchange-1588 ,

Do the suggestions above help? If the issue has been resolved, please click "Accept as answer" to mark the helpful reply as an answer; this will make answer searching in the forum easier and be beneficial to other community members as well.

Regards,
Lou




Hi @CurrencyExchange-1588 ,

It has been a long time since the last reply; did these suggestions help you? If the above suggestion helps, please click "Accept as answer" to mark the helpful reply as an answer. Your action would be helpful to other users who encounter the same issue and read this thread.

Regards,
Lou

