Monday, August 10, 2015

Exchange 2010 UM Old Voicemails

I ran into an issue in applying Exchange 2010 Service Pack 3 on a Unified Messaging server - the Prerequisite Check came back with the following error:

Unified Messaging Role Prerequisites
Failed


Error:
The Unified Messaging voice mail folder 'C:\Program Files\Microsoft\Exchange Server\V14\unifiedmessaging\voicemail' isn't empty. This folder must be empty before upgrade can proceed.
Click here for help...
http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.3.123.3&e=ms.exch.err.Ex28883C&l=0&cl=cp

I went and looked, and indeed this folder was not empty. Looking at the dates on the voicemails, it was obvious that they were all old, and had been there for some time (the most recent was 6 months old). I believe there had been some previous delivery issues that had prevented them from being delivered to the proper mailbox. Since they were all old, I merely made a copy of them, and then removed them from this folder. Once the voicemail folder was empty, SP3 was able to continue installing without issue.

------
Dustin Shaw
VCP

Thursday, July 23, 2015

Dump SMTP Relay and Connection Info from IIS on 2003 via VBS

I had the need to pull all the SMTP related information from an old 2003 IIS server set up to do relaying. The specific information I was looking for was:
  • IPs allowed to Relay
  • IPs allowed to Connect
  • Domains and if they had any SmartHost setup
Obviously, pulling this information via the GUI was not practical - you can only view 5 Relay IPs at a time, 2 Connection IPs at a time, and you have to manually check each domain's properties to verify SmartHost information.

I was also unable to pull the information straight out of the Metabase Explorer, as I would still have to go to each domain separately, and then convert the Relay and Connection IPs from Hex.

I looked around, but was unable to locate a ready-to-use VBScript that gave me what I wanted. I did find a script here that dumped the IIS SMTP Relay IPs, so I started there and adapted to also get the Connection IPs (listed as IPSecurity). Then I found this site that detailed how to get the Domains and their settings. I added this to the script, and voila, I had what I wanted in a nice CSV file.

To run the script, copy the code below into Notepad, save it as ExportIISSMTPSettings.vbs and run it with the following command (//NoLogo keeps the cscript banner out of the output file):
cscript //NoLogo ExportIISSMTPSettings.vbs > IISSMTPServerSettings.csv

Note that the domain section of the output includes the smart-host authentication fields (Route User Name and Route Password), so treat the resulting file as sensitive and delete it once you have pulled what you need from it.

'#####================================================================================
'## Title:   ExportIISSMTPSettings.vbs
'## Purpose: Dump the relay restrictions, connection control list and per-domain
'##          routing (smart host) settings of an IIS 6 SMTP virtual server.
'## Usage:   cscript //NoLogo ExportIISSMTPSettings.vbs > IISSMTPServerSettings.csv
'#####================================================================================
Option Explicit

Dim objSMTP, objRelayIpList, objIPSecurity
Dim strComputer, objWMIService, colItems, objItem, strTurn

' Connect to the SMTP virtual server through the IIS ADSI provider.
' Change "smtpsvc/1" if the relay is not the first virtual server instance.
Set objSMTP = GetObject("IIS://localhost/smtpsvc/1")
Set objRelayIpList = objSMTP.Get("RelayIpList") ' Relay Restrictions (IIsIPSecurity object)
Set objIPSecurity = objSMTP.Get("IPSecurity")   ' Connection Control (IIsIPSecurity object)

' *** Get Relay List
' GrantByDefault is False (0) when "Only the list below" is selected, in which
' case IPGrant holds the hosts allowed to relay; it is True (-1) when "All except
' the list below" is selected, in which case IPDeny holds the hosts that may not.
Wscript.Echo "Results are displayed based on the Relay Restrictions radio button selection"
Wscript.Echo "  o Only the list below"
Wscript.Echo "  o All except the list below"
Wscript.Echo "-------------"
DumpIPList objRelayIpList

' *** Get Connection Control List - same object type and same GrantByDefault logic
Wscript.Echo "Results are displayed based on the Connection Control radio button selection"
Wscript.Echo "  o Only the list below"
Wscript.Echo "  o All except the list below"
Wscript.Echo "-------------"
DumpIPList objIPSecurity
Wscript.Echo ""

' *** Get Domains and settings (via the IIS WMI provider)
Wscript.Echo "Displaying list of Domains and settings"
Wscript.Echo "-------------"
Wscript.Echo "Route Actions:"
Wscript.Echo "2: Use DNS to route to this domain"
Wscript.Echo "4098: Forward all mail to smart host"
strComputer = "."
Set objWMIService = GetObject _
    ("winmgmts:{authenticationLevel=pktPrivacy}\\" _
        & strComputer & "\root\microsoftiisv2")

Set colItems = objWMIService.ExecQuery _
    ("Select * from IIsSmtpDomainSetting")

For Each objItem In colItems
    Wscript.Echo ""
    If IsArray(objItem.AuthTurnList) Then
        For Each strTurn In objItem.AuthTurnList
            Wscript.Echo "Authentication Turn List: " & strTurn
        Next
    End If
    Wscript.Echo "CSide Etrn Domains: " & ToText(objItem.CSideEtrnDomains)
    Wscript.Echo "Name: " & ToText(objItem.Name)
    Wscript.Echo "Relay For Authentication: " & ToText(objItem.RelayForAuth)
    Wscript.Echo "Relay IP List: " & ToText(objItem.RelayIpList)
    Wscript.Echo "Route Action: " & ToText(objItem.RouteAction)
    Wscript.Echo "Route Action String: " & ToText(objItem.RouteActionString)
    ' Smart host credentials - these are what make the output file sensitive
    Wscript.Echo "Route Password: " & ToText(objItem.RoutePassword)
    Wscript.Echo "Route User Name: " & ToText(objItem.RouteUserName)
Next

' Print the IP list of an IIsIPSecurity object, choosing IPGrant or IPDeny
' according to GrantByDefault, and say so when the list is empty.
Sub DumpIPList(objSec)
    Dim arrList, strIP, count
    If objSec.GrantByDefault = True Then
        Wscript.Echo "All except the list below :"
        Wscript.Echo "-------------"
        arrList = objSec.IPDeny
    Else
        Wscript.Echo "Only the list below :"
        Wscript.Echo "-------------"
        arrList = objSec.IPGrant
    End If
    count = 0
    If IsArray(arrList) Then
        For Each strIP In arrList
            Wscript.Echo strIP
            count = count + 1
        Next
    End If
    If count = 0 Then
        Wscript.Echo "There were no IP Addresses Found"
    End If
End Sub

' Render a WMI property value for output: Null/Empty becomes "", arrays are joined.
Function ToText(varValue)
    If IsNull(varValue) Or IsEmpty(varValue) Then
        ToText = ""
    ElseIf IsArray(varValue) Then
        ToText = Join(varValue, ";")
    Else
        ToText = CStr(varValue)
    End If
End Function
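Once the two lists are dumped, the question a reviewer actually wants answered is "who can relay through this box?". The Python below is an added example, not part of the original post or of the VBScript above: it evaluates a client address against a relay (or connection control) list using the same GrantByDefault / IPGrant / IPDeny semantics the script prints, and flags the configurations worth worrying about, in particular the open-relay case of "All except the list below" with an empty deny list. The sample lists are constructed, the "address, subnet mask" entry format is an assumption about what the IIsIPSecurity properties return, and the check covers only the IP lists, not the separate "allow authenticated computers to relay" option.

```python
import ipaddress

# Constructed sample lists in the "address, subnet mask" form assumed for the
# IIsIPSecurity IPGrant/IPDeny entries (adjust parse_entries() if your dump
# looks different).
GRANT_LIST = ["10.0.0.25, 255.255.255.255", "10.1.0.0, 255.255.255.0"]
DENY_LIST = ["203.0.113.0, 255.255.255.0"]


def parse_entries(entries):
    """Turn 'ip, mask' strings into ip_network objects.

    A single host is listed with a 255.255.255.255 mask; an entry that carries
    no mask at all is treated as a single host as well.
    """
    nets = []
    for entry in entries:
        ip, _, mask = (part.strip() for part in entry.partition(","))
        nets.append(ipaddress.ip_network(f"{ip}/{mask or '255.255.255.255'}", strict=False))
    return nets


def relay_allowed(grant_by_default, entries, client_ip):
    """Decide whether client_ip may relay (or, for the Connection Control list,
    which is the same object type with the same logic, may connect).

    grant_by_default False ("Only the list below"):       entries is IPGrant,
        the client is allowed only if it is listed.
    grant_by_default True  ("All except the list below"): entries is IPDeny,
        the client is allowed unless it is listed.
    """
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in net for net in parse_entries(entries))
    return (not listed) if grant_by_default else listed


def audit(grant_by_default, entries):
    """Return the findings a reviewer would raise about a dumped IP list,
    independent of any single client address."""
    findings = []
    nets = parse_entries(entries)
    if grant_by_default:
        findings.append("deny-list model: every host not listed may relay")
        if not nets:
            findings.append("OPEN RELAY: 'All except the list below' with an empty list")
    else:
        if not nets:
            findings.append("no IP-based relay: only authenticated senders, if that option is on")
        for net in nets:
            if net.prefixlen < 24:
                findings.append(f"broad grant: {net} allows {net.num_addresses} addresses")
    return findings


if __name__ == "__main__":
    print(relay_allowed(False, GRANT_LIST, "10.1.0.77"))   # host inside a granted /24
    print(relay_allowed(True, [], "203.0.113.9"))          # empty deny list: anyone relays
    for finding in audit(True, []):
        print(finding)
```

Feed it the lines from the "Only the list below" / "All except the list below" section of the script's output and the client addresses you care about (the internal application servers, and one address that should never be allowed) and you have a repeatable relay check rather than a screen full of IPs.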

------
Dustin Shaw
VCP

Tuesday, June 2, 2015

EventID 9385 on Exchange 2010 After Demoting DC

I recently demoted an old Domain Controller in an effort to move forward in my domain - it was a 32-bit 2008 Server, and all the rest of the DCs are 2008R2 or 2012R2. I don't have any need to move up AD functionality today (we are already on 2008 Forest and Domain Functionality), but it never hurts to be ready.

After demoting an old Domain Controller, I recently started receiving Error 9385 on one of my Exchange 2010 Mailbox servers:

Log Name:      Application
Source:        MSExchangeSA
Date:          6/2/2015 8:43:34 AM
Event ID:      9385
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      MailboxSVR.internal.domain
Description:
Microsoft Exchange System Attendant failed to read the membership of the universal security group '/dc=domain/dc=internal/ou=Microsoft Exchange Security Groups/cn=Exchange Servers'; the error code was '8007203a'. The problem might be that the Microsoft Exchange System Attendant does not have permission to read the membership of the group. 

If this computer is not a member of the group '/dc=domain/dc=internal/ou=Microsoft Exchange Security Groups/cn=Exchange Servers', you should manually stop all Microsoft Exchange services, run the task 'add-ExchangeServerGroupMember,' and then restart all Microsoft Exchange services. 
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeSA" />
    <EventID Qualifiers="49152">9385</EventID>
    <Level>2</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-06-02T13:43:34.000000000Z" />
    <EventRecordID>2199039</EventRecordID>
    <Channel>Application</Channel>
    <Computer>MailboxSVR.internal.domain</Computer>
    <Security />
  </System>
  <EventData>
    <Data>/dc=com/dc=wmfingrp/dc=internal/ou=Microsoft Exchange Security Groups/cn=Exchange Servers</Data>
    <Data>8007203a</Data>
  </EventData>
</Event>

After doing some research, most articles said that you need to make sure that it's a member of the group, etc, but all of that was correct. There weren't any references to the old DC in anything I checked (DNS was pointed elsewhere, Domain controllers and Global catalog servers that this Exchange server used were pointed elsewhere, etc). But, I knew it had to do with my demoted DC. For some reason this particular Exchange server was really hoping that the DC would answer his requests. I didn't notice any other performance or user issues during this time, so it looks like the Exchange server was able to get his answer elsewhere after checking here.

Once I was able to take a maintenance window, I rebooted the affected Exchange server, and all was well. It just needed to clear its head after losing its good friend.

------
Dustin Shaw
VCP

Wednesday, May 6, 2015

FortiGate Extractors for Graylog 1.0

Graylog is a nice open-source alternative to Splunk and other SIEM tools. I've been using it for several years, and continue to make tweaks to improve its usefulness in my environment. I'm excited now that it is on version 1.0 (and was renamed Graylog instead of Graylog2), and is a lot more stable.

One of the tweaks I made a while back on a previous version was to create a DRL extractor for FortiGate (a firewall made by Fortinet). I've now updated this extractor so that you can import it using the new JSON format directly into the web interface (instead of having to create the DRL file, etc).

To apply the extractors on Graylog, go to your FortiGate Input, and Import Extractors. The details on how to do that can be found on Graylog's site here.

Here's the JSON definition for the extractors:

{
  "extractors": [
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sdevname=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "source",
      "title": "FGTsource"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\saction=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "action",
      "title": "FGTaction"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sapp=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "app",
      "title": "FGTapp"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sappact=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "appact",
      "title": "FGTappact"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sappcat=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "appcat",
      "title": "FGTappcat"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sapplist=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "applist",
      "title": "FGTapplist"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sattack=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "attack",
      "title": "FGTattack"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sdevid=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "devid",
      "title": "FGTdevid"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sdir=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "dir",
      "title": "FGTdir"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sdstcountry=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "dstcountry",
      "title": "FGTdstcountry"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sdstintf=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "dstintf",
      "title": "FGTdstintf"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sdstip=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "dstip",
      "title": "FGTdstip"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sdstport=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "dstport",
      "title": "FGTdstport"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sdtype=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "dtype",
      "title": "FGTdtype"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sduration=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "duration",
      "title": "FGTduration"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\serror_reason=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "error_reason",
      "title": "FGTerror_reason"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\seventtype=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "eventtype",
      "title": "FGTeventtype"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sfile=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "file",
      "title": "FGTfile"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sgroup=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "group",
      "title": "FGTgroup"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\shostname=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "hostname",
      "title": "FGThostname"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sidentidx=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "identidx",
      "title": "FGTidentidx"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sinit=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "init",
      "title": "FGTinit"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\slocip=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "locip",
      "title": "FGTlocip"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\slocport=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "locport",
      "title": "FGTlocport"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\slogid=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "logid",
      "title": "FGTlogid"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\smode=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "mode",
      "title": "FGTmode"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\smsg=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "msg",
      "title": "FGTmsg"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\soutintf=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "outintf",
      "title": "FGToutintf"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\speer_notif=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "peer_notif",
      "title": "FGTpeer_notif"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\spolicyid=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "policyid",
      "title": "FGTpolicyid"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sprofile=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "profile",
      "title": "FGTprofile"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sprofiletype=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "profiletype",
      "title": "FGTprofiletype"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sproto=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "proto",
      "title": "FGTproto"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\squarskip=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "quarskip",
      "title": "FGTquarskip"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\srcvdbyte=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "rcvdbyte",
      "title": "FGTrcvdbyte"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\srcvdpkt=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "rcvdpkt",
      "title": "FGTrcvdpkt"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sref=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "ref",
      "title": "FGTref"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sremip=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "remip",
      "title": "FGTremip"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sremport=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "remport",
      "title": "FGTremport"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sresult=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "result",
      "title": "FGTresult"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\srole=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "role",
      "title": "FGTrole"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\ssentbyte=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "sentbyte",
      "title": "FGTsentbyte"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\ssentpkt=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "sentpkt",
      "title": "FGTsentpkt"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sservice=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "service",
      "title": "FGTservice"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sservice=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "service",
      "title": "FGTservice"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\ssrccountry=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "srccountry",
      "title": "FGTsrccountry"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\ssrcintf=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "srcintf",
      "title": "FGTsrcintf"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\ssrcip=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "srcip",
      "title": "FGTsrcip"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\ssrcport=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "srcport",
      "title": "FGTsrcport"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sstage=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "stage",
      "title": "FGTstage"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sstatus=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "status",
      "title": "FGTstatus"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sstatus=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "status",
      "title": "FGTstatus"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\ssubtype=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "subtype",
      "title": "FGTsubtype"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\stransport=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "transport",
      "title": "FGTtransport"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\stype=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "type",
      "title": "FGTtype"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\strandisp=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "trandisp",
      "title": "FGTtrandisp"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\stransip=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "transip",
      "title": "FGTtransip"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\suser=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "user",
      "title": "FGTuser"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sutmaction=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "utmaction",
      "title": "FGTutmaction"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sutmevent=(\\S+)\\s"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "utmevent",
      "title": "FGTutmevent"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\svd=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "vd",
      "title": "FGTvd"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": ".+\\svirus=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "virus",
      "title": "FGTvirus"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\svpntunnel=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "vpntunnel",
      "title": "FGTvpntunnel"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sxauthgroup=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "xauthgroup",
      "title": "FGTxauthgroup"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^.+\\sxauthuser=\\\"(.+?)\\\""
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "xauthuser",
      "title": "FGTxauthuser"
    }
  ],
  "version": "1.0.0"
}
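A quick way to check what these extractors will actually produce before importing them is to run the same regexes over a couple of sample lines. The Python below is an added example (not part of the post, and not Graylog code): it embeds a trimmed copy of the extractor JSON above with the regex strings unchanged, mimics the Graylog regex extractor (capture group 1 of the first match, extractors applied in list order, a later extractor overwriting an earlier one that targets the same field) and runs it over two constructed FortiOS-style lines. Two things it makes visible: the `^.+\s` prefix is greedy, so each extractor captures the last occurrence of its key, and only when whitespace precedes the key; and because `service` (and likewise `status`) has both a quoted and an unquoted extractor writing the same field, the unquoted `(\S+)` variant, when it runs after the quoted one, captures the surrounding quotes on lines where the value is quoted. `SERVICE_UNQUOTED_FIXED` is the one-character-class fix, which is an assumption of this example rather than anything from the post.

```python
import json
import re

# A trimmed copy of the extractor definitions from the JSON above: the same
# regex strings (including both FGTservice extractors), but only the fields the
# constructed sample lines below contain.
EXTRACTORS_JSON = r'''
{
  "extractors": [
    {"title": "FGTsource",  "target_field": "source",
     "extractor_config": {"regex_value": "^.+\\sdevname=(\\S+)\\s"}},
    {"title": "FGTtype",    "target_field": "type",
     "extractor_config": {"regex_value": "^.+\\stype=(\\S+)\\s"}},
    {"title": "FGTaction",  "target_field": "action",
     "extractor_config": {"regex_value": "^.+\\saction=(\\S+)\\s"}},
    {"title": "FGTsrcip",   "target_field": "srcip",
     "extractor_config": {"regex_value": "^.+\\ssrcip=(\\S+)\\s"}},
    {"title": "FGTsrcintf", "target_field": "srcintf",
     "extractor_config": {"regex_value": "^.+\\ssrcintf=\\\"(.+?)\\\""}},
    {"title": "FGTservice", "target_field": "service",
     "extractor_config": {"regex_value": "^.+\\sservice=\\\"(.+?)\\\""}},
    {"title": "FGTservice", "target_field": "service",
     "extractor_config": {"regex_value": "^.+\\sservice=(\\S+)\\s"}}
  ]
}
'''

# Constructed FortiOS-style syslog lines (key=value format), not real captures.
TRAFFIC_LINE = (
    'date=2015-05-06 time=10:15:21 devname=FGT-EDGE devid=FG100D0000000000 '
    'logid=0000000013 type=traffic subtype=forward level=notice vd="root" '
    'srcip=192.0.2.10 srcport=51234 srcintf="port2" dstip=198.51.100.25 '
    'dstport=443 dstintf="port1" proto=6 action=close policyid=7 '
    'service="HTTPS" duration=12 sentbyte=2048 rcvdbyte=9216'
)
EVENT_LINE = (
    'date=2015-05-06 time=10:20:03 devname=FGT-EDGE devid=FG100D0000000000 '
    'logid=0100032001 type=event subtype=system level=information vd=root '
    'action=login status=success service=ssh srcip=192.0.2.50 '
    'user="admin" msg="Administrator admin logged in successfully from ssh(192.0.2.50)"'
)

# Hardened replacement for the unquoted FGTservice regex (assumption of this
# example): the capture may not start at a double quote, so the unquoted
# variant no longer matches, and clobbers, a quoted value.
SERVICE_UNQUOTED_FIXED = r'^.+\sservice=([^"\s]+)\s'


def apply_extractors(extractors, message):
    """Mimic Graylog's regex extractor on one message: run every extractor in
    list order, take capture group 1 of the first match, and store it under
    target_field.  A later extractor with the same target_field overwrites the
    earlier value, which is what makes the duplicate FGTservice and FGTstatus
    definitions order-dependent."""
    fields = {}
    for ex in extractors:
        match = re.search(ex["extractor_config"]["regex_value"], message)
        if match:
            fields[ex["target_field"]] = match.group(1)
    return fields


def run_original(message):
    """Fields the extractors listed above produce for message."""
    return apply_extractors(json.loads(EXTRACTORS_JSON)["extractors"], message)


def run_fixed(message):
    """Same, with the unquoted FGTservice regex replaced by the hardened one."""
    extractors = json.loads(EXTRACTORS_JSON)["extractors"]
    for ex in extractors:
        if ex["extractor_config"]["regex_value"] == r'^.+\sservice=(\S+)\s':
            ex["extractor_config"]["regex_value"] = SERVICE_UNQUOTED_FIXED
    return apply_extractors(extractors, message)


if __name__ == "__main__":
    for name, line in (("traffic", TRAFFIC_LINE), ("event", EVENT_LINE)):
        print(name, "original:", run_original(line))
        print(name, "fixed:   ", run_fixed(line))
```

On the traffic line the original pair leaves `service` as `"HTTPS"` with the quotes included, while the event line (where FortiOS writes `service=ssh` unquoted) comes out as `ssh` either way; the hardened pattern gives `HTTPS` and `ssh`. The same reasoning applies to the two `status` extractors, and it is worth running any further extractors you add through this harness before importing them.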

------
Dustin Shaw
VCP