RPC Client access logs (MAPIhttp)

CurrencyExchange 1 Reputation point
2021-03-08T08:16:00.36+00:00

Hello,

Would anyone be able to provide the documentation that describes the log format for these logs? I believe they are RPC Access logs but I've also seen them referring to as MAPI http logs.

2017-01-02T12:29:47.946Z,45360,0,/o=domainco/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=f01996703bbf4d0a9fb073ebb71a154f-user name,,OUTLOOK.EXE,14.0.7172.5000,Cached,172.22.26.44,"Connection Info[GUID:074f8e3f-ab7e-4171-b212-c8f4f5b73a1b, Attempts:4, Flags:0, Ctx:]",::1,MapiHttp,,R:{E3840B23-6CE0-4FE3-9F34-54A1167A9EEA}:4|A:08ec51b8-fa1e-4943-b37f-1534ede81013|FE:CO-EXSRV4.domainCO.LOCAL,C:MAPIAAAAAOaphMGZypjO+tnr2+rc8cDy3+3e/s//xfDD+cr/pYawgrODs4C0gS+xAAAAAAAA,Connect,1010 (rpc::LoginPerm),00:00:00.0150000,"SID=S-1-5-21-3914747541-1987656476-2091229219-1465, Flags=None","RpcDispatch: [LoginPermException] 'User SID: S-1-5-21-3914747541-1987656476-2091229219-1465' can't act as owner of a UserMailbox object '/o=domainco/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=f01996703bbf4d0a9fb073ebb71a154f-user name' with SID S-1-5-21-3914747541-1987656476-2091229219-17161 and MasterAccountSid (StoreError=LoginPerm) at M.E.R.Server.UserManager.User.CorrelateIdentityWithLegacyDN(ClientSecurityContext clientSecurityContext) at M.E.R.Server.RpcDispatch.<>c__DisplayClasse.<EcDoConnectEx>b__a() at M.E.R.Server.RpcDispatch.Execute(Func1 getExecuteParameters, Func1 executeDelegate, Action`1 exceptionSerializationDelegate)",,S:ActivityStandardMetadata.UserId=ADGuid:4cb12591-1146-42a3-a1fd-c0d269e55105;S:ActivityStandardMetadata.Puid=;S:ActivityStandardMetadata.UserEmail=user@keyman .net;S:ActivityStandardMetadata.TenantId=domain.net;S:ActivityStandardMetadata.Component=RCA/Mailbox;S:WLM.BT=Rca;S:ActivityStandardMetadata.Protocol=RPC/MapiHttp;S:ActivityStandardMetadata.ClientInfo=OUTLOOK.EXE/14.0.7172.5000;S:ActivityStandardMetadata.TenantGuid=;I32:ADS.C[PDC]=2;F:ADS.AL[PDC]=2.3256;I32:ATE.C[PDC.domainco.local]=1;F:ATE.AL[PDC.domainco.local]=0;I32:ADS.C[DC]=2;F:ADS.AL[DC]=2.2548;I32:ATE.C[BDC.domainco.local]=2;F:ATE.AL[BDC.domainco.local]=0,user@keyman .net,,

Basically, each field is delimited by commas but I'd like to know precisely what each field is for although I understand that some are self-explanatory. I've been looking through multiple documents and I can't find anything regarding this information. Maybe its the way it is being parsed out but if there is a guide, that would be extremely helpful.

For example, here is Palo Alto providing a document for the format of their Traffic logs which are also typically comma-delimited.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields.html

If you would rather not click the link, here is the format they provide:

Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, SCTP Association ID, SCTP Chunks, SCTP Chunks Sent, SCTP Chunks Received

Then they provide a bit of documentation as to what each of these fields are for.

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,494 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Xzsssss 8,861 Reputation points Microsoft Vendor
    2021-03-09T02:28:28.58+00:00

    Hi @CurrencyExchange ,

    I've checked these logs, and I think they are RPC Client Access logs($ExInstallPath\Logging\RPC Client Access).

    Fields: date-time,session-id,seq-number,client-name,organization-info,client-software,client-software-version,client-mode,client-ip,client-connection-info,server-ip,protocol,application-id,request-ids,session-cookie,operation,rpc-status,processing-time,operation-specific,failures,performance-data,activity-context-data,user-email,passport-unique-id

    Regards,
    Lou


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.