RPC Client access logs (MAPIhttp)

CurrencyExchange 1 Reputation point
2021-03-08T08:16:00.36+00:00

Hello,

Would anyone be able to provide the documentation that describes the log format for these logs? I believe they are RPC Access logs but I've also seen them referred to as MAPI http logs.

2017-01-02T12:29:47.946Z,45360,0,/o=domainco/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=f01996703bbf4d0a9fb073ebb71a154f-user name,,OUTLOOK.EXE,14.0.7172.5000,Cached,172.22.26.44,"Connection Info[GUID:074f8e3f-ab7e-4171-b212-c8f4f5b73a1b, Attempts:4, Flags:0, Ctx:]",::1,MapiHttp,,R:{E3840B23-6CE0-4FE3-9F34-54A1167A9EEA}:4|A:08ec51b8-fa1e-4943-b37f-1534ede81013|FE:CO-EXSRV4.domainCO.LOCAL,C:MAPIAAAAAOaphMGZypjO+tnr2+rc8cDy3+3e/s//xfDD+cr/pYawgrODs4C0gS+xAAAAAAAA,Connect,1010 (rpc::LoginPerm),00:00:00.0150000,"SID=S-1-5-21-3914747541-1987656476-2091229219-1465, Flags=None","RpcDispatch: [LoginPermException] 'User SID: S-1-5-21-3914747541-1987656476-2091229219-1465' can't act as owner of a UserMailbox object '/o=domainco/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=f01996703bbf4d0a9fb073ebb71a154f-user name' with SID S-1-5-21-3914747541-1987656476-2091229219-17161 and MasterAccountSid (StoreError=LoginPerm) at M.E.R.Server.UserManager.User.CorrelateIdentityWithLegacyDN(ClientSecurityContext clientSecurityContext) at M.E.R.Server.RpcDispatch.<>c__DisplayClasse.<EcDoConnectEx>b__a() at M.E.R.Server.RpcDispatch.Execute(Func1 getExecuteParameters, Func1 executeDelegate, Action`1 exceptionSerializationDelegate)",,S:ActivityStandardMetadata.UserId=ADGuid:4cb12591-1146-42a3-a1fd-c0d269e55105;S:ActivityStandardMetadata.Puid=;S:ActivityStandardMetadata.UserEmail=user@keyman .net;S:ActivityStandardMetadata.TenantId=domain.net;S:ActivityStandardMetadata.Component=RCA/Mailbox;S:WLM.BT=Rca;S:ActivityStandardMetadata.Protocol=RPC/MapiHttp;S:ActivityStandardMetadata.ClientInfo=OUTLOOK.EXE/14.0.7172.5000;S:ActivityStandardMetadata.TenantGuid=;I32:ADS.C[PDC]=2;F:ADS.AL[PDC]=2.3256;I32:ATE.C[PDC.domainco.local]=1;F:ATE.AL[PDC.domainco.local]=0;I32:ADS.C[DC]=2;F:ADS.AL[DC]=2.2548;I32:ATE.C[BDC.domainco.local]=2;F:ATE.AL[BDC.domainco.local]=0,user@keyman .net,,

Basically, each field is delimited by commas, but I'd like to know precisely what each field is for, although I understand that some are self-explanatory. I've been looking through multiple documents and I can't find anything regarding this information. Maybe it's the way it is being parsed out, but if there is a guide, that would be extremely helpful.

For example, here is Palo Alto providing a document for the format of their Traffic logs which are also typically comma-delimited.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields.html

If you would rather not click the link, here is the format they provide:

Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, SCTP Association ID, SCTP Chunks, SCTP Chunks Sent, SCTP Chunks Received

Then they provide a bit of documentation as to what each of these fields is for.

Exchange | Exchange Server | Management

1 answer

  1. Anonymous
    2021-03-09T02:28:28.58+00:00

    Hi @CurrencyExchange ,

    I've checked these logs, and I think they are RPC Client Access logs ($ExInstallPath\Logging\RPC Client Access).

    Fields: date-time,session-id,seq-number,client-name,organization-info,client-software,client-software-version,client-mode,client-ip,client-connection-info,server-ip,protocol,application-id,request-ids,session-cookie,operation,rpc-status,processing-time,operation-specific,failures,performance-data,activity-context-data,user-email,passport-unique-id

    Regards,
    Lou


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
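A parser for the field layout given in the answer above, added for this thread and not code from the question, the answer or Microsoft: it splits a line with the csv module (the client-connection-info, operation-specific and failures fields are double-quoted because they contain commas), maps the columns onto the 24 names, breaks the typed activity-context-data pairs into a dict, and flags a refused mailbox logon from rpc-status and failures. The question's own sample line is the input; it splits into 25 columns against the 24 names, so surplus columns are kept under an "extra" key instead of being dropped. The S/I32/F type prefixes are read as string, int and float, which is an assumption drawn from the sample, not documented behaviour.

```python
import csv
import io
import re

# Field order as listed in the answer above (24 columns).
FIELDS = ("date-time session-id seq-number client-name organization-info client-software "
          "client-software-version client-mode client-ip client-connection-info server-ip "
          "protocol application-id request-ids session-cookie operation rpc-status "
          "processing-time operation-specific failures performance-data "
          "activity-context-data user-email passport-unique-id").split()

# The sample line quoted in the question, verbatim (one physical line).
SAMPLE = """2017-01-02T12:29:47.946Z,45360,0,/o=domainco/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=f01996703bbf4d0a9fb073ebb71a154f-user name,,OUTLOOK.EXE,14.0.7172.5000,Cached,172.22.26.44,"Connection Info[GUID:074f8e3f-ab7e-4171-b212-c8f4f5b73a1b, Attempts:4, Flags:0, Ctx:]",::1,MapiHttp,,R:{E3840B23-6CE0-4FE3-9F34-54A1167A9EEA}:4|A:08ec51b8-fa1e-4943-b37f-1534ede81013|FE:CO-EXSRV4.domainCO.LOCAL,C:MAPIAAAAAOaphMGZypjO+tnr2+rc8cDy3+3e/s//xfDD+cr/pYawgrODs4C0gS+xAAAAAAAA,Connect,1010 (rpc::LoginPerm),00:00:00.0150000,"SID=S-1-5-21-3914747541-1987656476-2091229219-1465, Flags=None","RpcDispatch: [LoginPermException] 'User SID: S-1-5-21-3914747541-1987656476-2091229219-1465' can't act as owner of a UserMailbox object '/o=domainco/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=f01996703bbf4d0a9fb073ebb71a154f-user name' with SID S-1-5-21-3914747541-1987656476-2091229219-17161 and MasterAccountSid (StoreError=LoginPerm) at M.E.R.Server.UserManager.User.CorrelateIdentityWithLegacyDN(ClientSecurityContext clientSecurityContext) at M.E.R.Server.RpcDispatch.<>c__DisplayClasse.<EcDoConnectEx>b__a() at M.E.R.Server.RpcDispatch.Execute(Func1 getExecuteParameters, Func1 executeDelegate, Action`1 exceptionSerializationDelegate)",,S:ActivityStandardMetadata.UserId=ADGuid:4cb12591-1146-42a3-a1fd-c0d269e55105;S:ActivityStandardMetadata.Puid=;S:ActivityStandardMetadata.UserEmail=user@keyman .net;S:ActivityStandardMetadata.TenantId=domain.net;S:ActivityStandardMetadata.Component=RCA/Mailbox;S:WLM.BT=Rca;S:ActivityStandardMetadata.Protocol=RPC/MapiHttp;S:ActivityStandardMetadata.ClientInfo=OUTLOOK.EXE/14.0.7172.5000;S:ActivityStandardMetadata.TenantGuid=;I32:ADS.C[PDC]=2;F:ADS.AL[PDC]=2.3256;I32:ATE.C[PDC.domainco.local]=1;F:ATE.AL[PDC.domainco.local]=0;I32:ADS.C[DC]=2;F:ADS.AL[DC]=2.2548;I32:ATE.C[BDC.domainco.local]=2;F:ATE.AL[BDC.domainco.local]=0,user@keyman .net,,"""


def parse_line(line):
    """Map one RPC Client Access log line onto the field names from the answer."""
    values = next(csv.reader(io.StringIO(line)))  # honours the double-quoted fields
    rec = dict(zip(FIELDS, values + [""] * (len(FIELDS) - len(values))))  # pad short lines
    rec["extra"] = values[len(FIELDS):]  # surplus columns are kept, never silently dropped
    return rec


def parse_activity_context(data):
    """'S:key=value;I32:key=value;F:key=value' -> dict; S/I32/F typing is an assumption."""
    out = {}
    for item in filter(None, data.split(";")):
        kind, sep, rest = item.partition(":")
        if not sep or "=" in kind:          # no type prefix: treat the whole item as a string pair
            kind, rest = "S", item
        key, _, val = rest.partition("=")   # values may themselves contain ':' (ADGuid:...)
        out[key] = int(val) if kind == "I32" else float(val) if kind == "F" else val
    return out


def rpc_status(rec):
    """'1010 (rpc::LoginPerm)' -> (1010, 'rpc::LoginPerm'); a bare '0' -> (0, '')."""
    m = re.match(r"(\d+)(?:\s*\((.*)\))?$", rec["rpc-status"])
    return (int(m.group(1)), m.group(2) or "") if m else (None, rec["rpc-status"])


def failed_logon(rec):
    """(True, exception name) when the store refused the operation, else (False, '')."""
    code, _ = rpc_status(rec)
    m = re.search(r"\[(\w+)\]", rec["failures"])  # e.g. '[LoginPermException]'
    return (code not in (0, None) and m is not None, m.group(1) if m else "")


if __name__ == "__main__":
    r = parse_line(SAMPLE)
    print(r["client-ip"], r["operation"], rpc_status(r), failed_logon(r), r["extra"])
```

The failures field carries both SIDs involved, so a filter on failed_logon() over these logs is a cheap way to spot repeated attempts to open mailboxes the caller does not own.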

