xml/ExchangeLogs.Types.ps1xml
|
<?xml version="1.0" encoding="utf-8"?>
<Types> <Type> <Name>ExchangeLog.IMAP4Log.Record</Name> <Members> <AliasProperty> <Name>DateLogFile</Name> <ReferencedMemberName>Date</ReferencedMemberName> </AliasProperty> <CodeProperty IsHidden="true"> <Name>SerializationData</Name> <GetCodeReference> <TypeName>PSFramework.Serialization.SerializationTypeConverter</TypeName> <MethodName>GetSerializationData</MethodName> </GetCodeReference> </CodeProperty> </Members> <TypeConverter> <TypeName>PSFramework.Serialization.SerializationTypeConverter</TypeName> </TypeConverter> </Type> <Type> <Name>ExchangeLog.POP3Log.Record</Name> <Members> <AliasProperty> <Name>DateLogFile</Name> <ReferencedMemberName>Date</ReferencedMemberName> </AliasProperty> <CodeProperty IsHidden="true"> <Name>SerializationData</Name> <GetCodeReference> <TypeName>PSFramework.Serialization.SerializationTypeConverter</TypeName> <MethodName>GetSerializationData</MethodName> </GetCodeReference> </CodeProperty> </Members> <TypeConverter> <TypeName>PSFramework.Serialization.SerializationTypeConverter</TypeName> </TypeConverter> </Type> <Type> <Name>ExchangeLog.SMTPReceiveProtocolLog.TypedRecord</Name> <Members> <ScriptProperty> <Name>DateLogFile</Name> <GetScriptBlock> $this.Date -as [datetime] </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>DateStart</Name> <GetScriptBlock> ($this.Group | Sort-Object 'date-time')[0].'date-time' -as [datetime] </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>DateEnd</Name> <GetScriptBlock> ($this.Group | Sort-Object 'date-time')[-1].'date-time' -as [datetime] </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>SequenceCount</Name> <GetScriptBlock> $this.Group.count </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>ConnectorID</Name> <GetScriptBlock> $this.Group.'connector-id'[0] </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>ServerName</Name> <GetScriptBlock> $this.Group.'connector-id'[0].split("\")[0] </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>ConnectorName</Name> <GetScriptBlock> $this.Group.'connector-id'[0].split("\")[1] </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>ConnectorNameWithoutServerName</Name> <GetScriptBlock> $this.Group.'connector-id'[0].split("\")[1].replace($this.ServerName, "").trim() </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>LocalIP</Name> <GetScriptBlock> $this.Group.'local-endpoint'[0].split(":")[0] </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>LocalPort</Name> <GetScriptBlock> $this.Group.'local-endpoint'[0].split(":")[1] </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>RemoteIP</Name> <GetScriptBlock> $this.Group.'remote-endpoint'[0].split(":")[0] </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>RemotePort</Name> <GetScriptBlock> $this.Group.'remote-endpoint'[0].split(":")[1] </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>ServerNameHELO</Name> <GetScriptBlock> $null = $this.Group | where data -Match "^220\s(?'ServerName'\S+)\sMicrosoft" $Matches['ServerName'] </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>ServerOptions</Name> <GetScriptBlock> [string]::Join(",", ($this.Group.data | ForEach-Object { if($_ -match "^250\s\s(?'ServerName'\S+)\sHello\s\[\S+]\s(?'ServerOptions'(\S|\s)+)") { $Matches['ServerOptions'] }}) ) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>ClientNameHELO</Name> <GetScriptBlock> [string]::Join(",", (($this.Group | where data -like "EHLO *").data.trim("EHLO ") | Select-Object -Unique) ) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>TlsEnabled</Name> <GetScriptBlock> if($this.Group | Where-Object data -CLike "STARTTLS") { $true } else { $false } </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>AuthenticationEnabled</Name> <GetScriptBlock> if($this.Group.data -clike "AUTH *") { $true } else { $false} </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>AuthenticationType</Name> <GetScriptBlock> if($this.AuthenticationEnabled) { $null = $this.Group | where data -Match "^AUTH\s(?'Method'\S+)" $Matches['Method'] } </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>AuthenticationUser</Name> <GetScriptBlock> if($this.AuthenticationEnabled) { ($this.Group | Where-Object context -like "authenticated").data } </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>AuthenticationMessage</Name> <GetScriptBlock> if($this.AuthenticationEnabled) { $text = @( "235 2.7.0 Authentication successful","504 5.7.4 Unrecognized authentication type","535 5.7.3 Authentication unsuccessful" ) [array]$authMsg = $this.Group | Where-Object data -in $text | select-Object -Last 1 if($authMsg) { $authMsg.data } } </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>TarpitDetect</Name> <GetScriptBlock> if($this.Group | where data -like "Tarpit*") { $true } else { $false} </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>TarpitDuration</Name> <GetScriptBlock> if($this.IsTarpit) { [timespan]::FromSeconds( (($this.Group | where-Object data -like "Tarpit*").data.replace("Tarpit for '","") | ForEach-Object { $_.split("'")[0] -as [timespan] } | Measure-Object Seconds -Sum).Sum ) } </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>TarpitMessage</Name> <GetScriptBlock> if($this.IsTarpit) { (($this.Group | Where-Object data -like "Tarpit*").data -split "(due\sto\s')")[-1].trim("'") } </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>MailFrom</Name> <GetScriptBlock> [string]::Join(",", (($this.Group.data | ForEach-Object { if($_ -match "^MAIL FROM:<(?'mailadress'\S+)>") { $Matches['mailadress'] } }).trim()) ) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>RcptTo</Name> <GetScriptBlock> [string]::Join(",", (($this.Group.data | ForEach-Object { if($_ -match "^RCPT TO:<(?'mailadress'\S+)>") { $Matches['mailadress'] } }).trim()) ) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>XOOrg</Name> <GetScriptBlock> [string]::Join(",", (($this.Group.data | ForEach-Object { if($_ -match "XOORG=(?'xoorg'\S+)") { $Matches['xoorg'] } }).trim()) ) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>SmtpId</Name> <GetScriptBlock> [string]::Join(",", (($this.Group.data | ForEach-Object { if($_ -match "^250\s2.6.0\s(?'SmtpId'\S+)") { $Matches['SmtpId'] } }).trim(">").trim("<") ) ) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>RemoteServerHostName</Name> <GetScriptBlock> [string]::Join(",", (($this.Group.data | ForEach-Object { if($_ -match "^250\s2.6.0\s(?'SmtpId'\S+)") { $Matches['SmtpId'].split("@")[1] } }).trim(">") ) ) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>InternalId</Name> <GetScriptBlock> [string]::Join(",", (($this.Group.data | ForEach-Object { if($_ -match "^250\s2\.6\.0\s.*InternalId=(?'InternalId'\w+)") { $Matches['InternalId'] } })) ) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>MailSize</Name> <GetScriptBlock> [string]::Join(",", (($this.Group.data | ForEach-Object { if($_ -match "\w+(?=\sbytes\sin\s)") { $Matches[0] } })) ) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>DeliveryDuration</Name> <GetScriptBlock> $duration = [timespan]::new(0) $this.Group.data | ForEach-Object { if($_ -match "(?<=\sbytes\sin\s)(\d|\.)+") { $duration = $duration + [timespan]::FromSeconds( [System.Convert]::ToDouble($Matches[0], [cultureinfo]::GetCultureInfo('en-us') )) }} $duration </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>DeliveryBandwidth</Name> <GetScriptBlock> $bandwidth = 0 $this.Group.data | ForEach-Object { if($_ -match "(?'duration'(\d*|,)+)(?=\sKB\/sec\sQueued\smail\sfor\sdelivery)") { $bandwidth = $bandwidth + [double]::Parse($Matches['duration']) }} $bandwidth </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>FinalizeMessage</Name> <GetScriptBlock> ($this.Group | Where-Object event -NotLike "-")[-1].data </GetScriptBlock> </ScriptProperty> <ScriptProperty IsHidden="true"> <Name>TlsRecords</Name> <GetScriptBlock> [int]$start = [int](($this.Group | Where-Object data -like "220 2.0.0 SMTP server ready").'sequence-number') | Select-Object -First 1 [int]$stop = ($this.Group | Where-Object data -like "250 * Hello *").'sequence-number' | ForEach-Object { [int]$_ } | Where-Object { $_ -ge $start } | Select-Object -First 1 $this.Group | Where-Object event -eq '*' | where { $_.'sequence-number' -gt $start -or $_.'sequence-number' -lt $stop } | Where-Object { $_.data -like "" -or $_.data -like " CN=" -or $_.context -like "* certificate *"} | where { $_.context -like "tls*" -or $_.context -like "* certificate *" -or $_.context -like "Validated*" } | Select-Object 'sequence-number', data, context </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>TlsCrypto</Name> <GetScriptBlock> ($this.TlsRecords | Where-Object context -like "TLS *").context </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>TlsProtocol</Name> <GetScriptBlock> [string]::Join(",", ($this.TlsRecords | ForEach-Object { if($_ -match "(?<=\sprotocol\s)\S+") { $Matches[0] }}) ) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>TlsAlgorithmEncryption</Name> <GetScriptBlock> [string]::Join(",", ($this.TlsRecords | ForEach-Object { if($_ -match "(?<=\sencryption\salgorithm\s)\S+") { $Matches[0] }}) ) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>TlsAlgorithmMacHash</Name> <GetScriptBlock> [string]::Join(",", ($this.TlsRecords | ForEach-Object { if($_ -match "(?<=\shash\salgorithm\s)\S+") { $Matches[0] }}) ) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>TlsAlgorithmKeyExchange</Name> <GetScriptBlock> [string]::Join(",", ($this.TlsRecords | ForEach-Object { if($_ -match "(?<=\sexchange\salgorithm\s)\S+") { $Matches[0] }}) ) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>TlsCertificateServer</Name> <GetScriptBlock> ($this.TlsRecords | where-Object context -Like "Sending certificat*").data.trim() </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>TlsCertificateClient</Name> <GetScriptBlock> ($this.TlsRecords | where-Object context -Like "Remote certificat*").data.trim() </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>TlsDomainCapabilities</Name> <GetScriptBlock> [string]::Join(",", ( (((($this.TlsRecords | Where-Object context -Like "*; Status='*").context -Split "; ") | Where-Object { $_ -like "TlsDomainCapabilities=*" }) -split "=").trim("'") )) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>TlsStatus</Name> <GetScriptBlock> [string]::Join(",", ( (((($this.TlsRecords | Where-Object context -Like "*; Status='*").context -Split "; ") | Where-Object { $_ -like "Status=*" }) -split "=").trim("'") )) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>TlsDomain</Name> <GetScriptBlock> [string]::Join(",", ( (((($this.TlsRecords | Where-Object context -Like "*; Status='*").context -Split "; ") | Where-Object { $_ -like "Domain=*" }) -split "=").trim("'") )) </GetScriptBlock> </ScriptProperty> <ScriptProperty> <Name>LogText</Name> <GetScriptBlock> $logtext = "" foreach($item in $this.Group) { if($item.data.Length -gt 0) { $logtext = $logtext + "$(if($logtext){"`n"})" + $item.event + " " + $item.data if($item.context.Length -gt 0) { $logtext = $logtext + "$(if($logtext){"`n"})" + $item.event + " " + $item.context } } else { $logtext = $logtext + "$(if($logtext){"`n"})" + $item.event + " " + $item.context } } $logtext </GetScriptBlock> </ScriptProperty> <CodeProperty IsHidden="true"> <Name>SerializationData</Name> <GetCodeReference> <TypeName>PSFramework.Serialization.SerializationTypeConverter</TypeName> <MethodName>GetSerializationData</MethodName> </GetCodeReference> </CodeProperty> </Members> <TypeConverter> <TypeName>PSFramework.Serialization.SerializationTypeConverter</TypeName> </TypeConverter> </Type> </Types> |