我们分析下发送量最大的来源IP和地址,我们需要执行两个命令,第一个命令是将用户从日志中读取并写入XML文件,第二个命令是读取XML文件并以图形方式呈现!
我们先执行第一条命令将数据写入XML文件:
"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT TOP 10 EXTRACT_PREFIX(remote-endpoint,0,':') AS RemoteSendingHost, count(*) AS Hits INTO topsenders.xml FROM C:\Progra~1\Microsoft\Exchan~1\TransportRoles\Logs\ProtocolLog\SmtpReceive\RECV*.LOG WHERE event='+' GROUP BY RemoteSendingHost ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -o:XML
我们稍微解析一下这条命令:
logparser.exe" "SELECT TOP 10 EXTRACT_PREFIX(remote-endpoint,0,':') AS RemoteSendingHost, count(*) AS Hits INTO topsenders.xml ‘把数据输出为XML文件 FROM C:\Progra~1\Microsoft\Exchan~1\TransportRoles\Logs\ProtocolLog\SmtpReceive\RECV*.LOG ’这里是数据来源 WHERE event='+' 当event= + GROUP BY RemoteSendingHost ORDER BY Hits DESC" -i:CSV 输入日志格式 -nSkipLines:4 跳过行数,这里是开始的4行,因为开始4行是表头,所以跳过 -o:XML 输出格式是XML
接下来是将XML文件读取出来并以图表方式进行呈现:
"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT TOP 10 REVERSEDNS(RemoteSendinghost), Hits INTO topsenders.gif FROM TopSenders.xml" -i:XML -o:CHART -chartType:PieExploded3D -chartTitle:"TOP 10 Senders" -groupSize:1024x768
一样来解析下这条命令:
"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT TOP 10 REVERSEDNS(RemoteSendinghost), Hits INTO topsenders.gif 数据输出为当前目录下的topsenders.gif 图片 FROM TopSenders.xml 数据来源" -i:XML 输入格式为XML -o:CHART 输出格式为图表 -chartType:PieExploded3D 图标格式为圆形3D图 -chartTitle:"TOP 10 Senders" 表的Title 名称 -groupSize:1024x768
接下来我们要分析出谁对外发出的邮件数量最多,这个就需要靠我们分析Message tracking 的日志了,默认的目录C:\Progra~1\Microsoft\Exchan~1\TransportRoles\Logs\MessageTracking\ 目录。
C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT TOP 20 sender-address, Count(*) AS messagesSent FROM C:\Progra~1\Microsoft\Exchan~1\V14\TransportRoles\Logs\MessageTracking\MSG*.log WHERE recipient-status LIKE '250%%' AND connector-id='TOInterNet' GROUP BY sender-address ORDER BY messagesSent DESC" -rtp:-1 -i:CSV -nSkipLines:4 -o:DATAGRID
以上命令我也稍微解释一下:
C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT TOP 20 sender-address, Count(*) AS messagesSent FROM C:\Progra~1\Microsoft\Exchan~1\V14\TransportRoles\Logs\MessageTracking\MSG*.log 输入日志为此路径下日志 WHERE recipient-status LIKE '250%%' AND connector-id='TOInterNet' connect-id 是我们的发送连接器 GROUP BY sender-address ORDER BY messagesSent DESC" -rtp:-1 -i:CSV 输入日志文件为CSV格式 -nSkipLines:4 跳过的数据行 4 -o:DATAGRID 以数据表展现
下面的图表体现出发送邮件的最多20人:
接下来我们分析了相应的日志,得出在当前组织内发送数据最多的用户:
"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT TOP 10 sender-address, DIV(Sum(total-bytes),1048576) AS TotalBytes(MB) INTO TopVolumeSenders.gif FROM C:\Progra~1\Microsoft\Exchan~1\V14\TransportRoles\Logs\MessageTracking\MSG*.log WHERE recipient-status LIKE '250%%' GROUP BY sender-address ORDER BY TotalBytes(MB) DESC" -chartType:Barclustered3d -i:CSV -nSkipLines:4 -o:CHART
基本上命令的用法请参考上面的解释,结果如下:
如果我们要在一张图上显示这些用户的邮件发送最多的用户和最多邮件,我们需要执行以下的命令:
"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT TOP 10 sender-address, Count(*) AS messagesSent, DIV(Sum(total-bytes),1048576) AS TotalBytes(MB) INTO TopSendersCombined.gif FROM C:\Progra~1\Microsoft\Exchan~1\V14\TransportRoles\Logs\MessageTracking\MSG*.log WHERE recipient-status LIKE '250%%' GROUP BY sender-address ORDER BY messagesSent DESC" -chartType:BarClustered3D -i:CSV -nSkipLines:4 -o:CHART
执行完成后我们看看GIF 结果: