Finding users who use outdated TLS for SMTP communication



Before upgrading from Exchange 2016 to Exchange 2019, I am trying to gather information from the Exchange protocol logs to identify systems that are using the outdated TLS 1.0. I can use Get-ChildItem and Select-String to search the SmtpReceive log files for the string SP_PROT_TLS1_0_SERVER, but what I ultimately want to do is search the Exchange SmtpReceive transport logs for the string SP_PROT_TLS1_0_SERVER. Based on the hits for SP_PROT_TLS1_0_SERVER, I want to use the session ID to collect the EHLO and MAIL FROM information and record all three values in a CSV file, so that I can verify their accuracy against the transport logs. So far I have tried loading all the fields of the SmtpReceive file into a variable, but something is wrong and I am not getting any output.

You need to go through the Exchange protocol logs to scan the sending and receiving traffic (the mail flow recorded by SMTP logging).

Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and identifying clients not using it https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and/ba-p/607761

Exchange Server: Search message tracking logs https://learn.microsoft.com/en-us/Exchange/mail-flow/transport-logs/search-message-tracking-logs?view=exchserver-2019

Analyzing the protocol logs and message tracking logs in Exchange 2013 https://social.technet.microsoft.com/wiki/contents/articles/23182.analyzing-the-protocol-logs-and-message-tracking-logs-in-exchange-2013.aspx

Sample entries from Exchange Server 2010

Server using TLS 1.2: sending mail to another system

2018-02-22T13:53:10.494Z,<CONNECTORNAME>,08D578EB9C3F6C39,28,10.0.0.240:15443,192.168.1.42:25,*,,"TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 384 bits"

Server using TLS 1.2: receiving mail from another system

2018-02-22T13:50:37.681Z,SERVERNAMECONNECTORNAME Internet,07C578BB0E912319,22,10.0.0.241:25,192.168.1.102:63767,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 256 bits"

SMTP log parsing script sites

https://scriptolog.blogspot.com/2007/08/smtp-log-parsing.html

https://www.axigen.com/community/t/made-a-powershell-script-to-parse-smtp-receiving-log/512
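The correlation the question asks for, as an added example (not code from the original post or from the linked articles): parse the SmtpReceive protocol logs using the standard Exchange header fields, find every session whose context column contains SP_PROT_TLS1_0_SERVER (the same column shown in the sample entries above), and pull the EHLO name and MAIL FROM address received in that session into a CSV. The log folder path, the output file name and the column names are assumptions taken from the default Exchange 2016/2019 layout.

```powershell
# Added example, not part of the original post. Assumes the default Exchange
# SmtpReceive log location and the standard "#Fields:" column order:
# date-time,connector-id,session-id,sequence-number,local-endpoint,
# remote-endpoint,event,data,context
param(
    [string]$LogPath = 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive',
    [string]$OutFile = '.\Tls10Sessions.csv',
    [string]$Pattern = 'SP_PROT_TLS1_0_SERVER'   # protocol string to hunt for
)

$fields = @('date-time','connector-id','session-id','sequence-number',
            'local-endpoint','remote-endpoint','event','data','context')

$results = foreach ($file in Get-ChildItem -Path $LogPath -Filter '*.LOG') {
    # Skip the '#' header lines, then parse the remaining rows as CSV.
    # ConvertFrom-Csv handles the quoted context column that contains commas.
    $rows = Get-Content -Path $file.FullName |
            Where-Object { $_ -notmatch '^#' } |
            ConvertFrom-Csv -Header $fields

    # Session IDs whose TLS negotiation line mentions the legacy protocol.
    $legacy = $rows | Where-Object { $_.context -match $Pattern } |
              ForEach-Object { $_.'session-id' } | Sort-Object -Unique

    foreach ($id in $legacy) {
        $session = $rows | Where-Object { $_.'session-id' -eq $id }
        # EHLO and MAIL FROM are commands received from the client (event '<').
        $ehlo = ($session | Where-Object { $_.event -eq '<' -and $_.data -match '^EHLO ' } |
                 Select-Object -First 1).data -replace '^EHLO\s+', ''
        $mailFrom = ($session | Where-Object { $_.event -eq '<' -and $_.data -match '^MAIL FROM:' } |
                     Select-Object -First 1).data -replace '^MAIL FROM:\s*', ''
        [pscustomobject]@{
            LogFile        = $file.Name
            SessionId      = $id
            RemoteEndpoint = ($session | Select-Object -First 1).'remote-endpoint'
            Ehlo           = $ehlo
            MailFrom       = $mailFrom
        }
    }
}

# One row per legacy-TLS session; open in Excel or feed the addresses to
# Get-MessageTrackingLog to confirm the senders before disabling TLS 1.0.
$results | Export-Csv -Path $OutFile -NoTypeInformation
$results | Format-Table -AutoSize
```

Sessions that dropped before sending EHLO or MAIL FROM still appear in the output with those columns empty, so the remote endpoint can be followed up separately.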
