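# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plug-in for the comma-separated IIS SMTP service log.
#
# All field extraction is done by the parsing filter below
# (parse_only_with_filters = "true"). The lines of one SMTP session are
# collected under the client IP and one database entry is emitted per
# MAIL FROM, 2xx-response and 4xx-response event.
#
# Everything copied out of the log line (client_ip, HELO domain, MAIL FROM,
# RCPT TO, response text) is client-supplied and unauthenticated; the plug-in
# records it verbatim and does not validate it.

iis_smtp_comma_separated = {

  plugin_version = "1.0.1"

  # 2007-09-11 - 1.0   - KBB - added version number and changed file name from
  #                            beta_iis_smtp_comma_separated.cfg
  # 2010-12-27 - 1.0.1 - MSG - Edited info lines.
  # (review)   -       -     - 'size' now stores the captured SIZE= value ($1)
  #                            instead of the literal 1.

  info.1.manufacturer = "Microsoft"
  info.1.device = "IIS SMTP (Comma Separated)"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "IIS SMTP Comma Separated Log Format"
  log.miscellaneous.log_data_type = "mail_server"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first ten lines match this
  # regular expression.
  # NOTE(review): the time part admits only a single-digit hour
  # ([0-9]:[0-9][0-9]:[0-9][0-9]) while the parsing filter accepts any
  # width ([0-9:]+); confirm against real samples before widening it.
  log.format.autodetect_expression = "
    matches_regular_expression(volatile.log_data_line, '^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+, [^,]+, [0-9]+/[0-9]+/[0-9][0-9][0-9][0-9], [0-9]:[0-9][0-9]:[0-9][0-9], SMTPSVC')
  "

  # Number of log entries kept in the collected-entry cache per key
  log.format.collected_entry_lifespan = 1000

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    date = ""
    time = ""
    client_ip.type = "host"
    # Envelope sender, split on "@" (domain first)
    from = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # from
    # Envelope recipient, split on "@" (domain first)
    to = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # to
    response_code = ""
    response = ""
    domain = ""
    event_type = ""
    messages_received = ""
    messages_sent = ""
    errors = ""
    size = ""
  } # log.fields

  #
  # Log Parsing Filters
  #
  # Captures of the line regex:
  #   $1 client IP, $2 date, $3 time, $4 SMTP verb / response marker,
  #   $5 message text (everything up to the trailing comma).
  log.parsing_filters.parse = `
if (matches_regular_expression(current_log_line(), '^([0-9.]+), [^,]+, ([0-9/]+), ([0-9:]+), [^,]+, [^,]+, [^,]+, [0-9]+, [0-9]+, [0-9]+, [0-9]+, [0-9]+, ([^,]+), [^,]+, (.*),$')) then (

  # All lines of one session are collected under the client IP
  v.key = $1;
  set_collected_field(v.key, 'client_ip', $1);
  set_collected_field(v.key, 'date', $2);
  set_collected_field(v.key, 'time', $3);
  v.type = $4;
  v.message = $5;

  # Handle HELO/EHLO: the announced domain is whatever the client sent
  if (matches_regular_expression(v.type, '^[HhEe][HhEe][Ll][Oo]$')) then (
    set_collected_field(v.key, 'domain', v.message);
  );

  # Handle MAIL FROM: counts as one received message
  if (matches_regular_expression(v.type, '^[Mm][Aa][Ii][Ll]$') and
      matches_regular_expression(v.message, '^[Ff][Rr][Oo][Mm] *:<([^>]*)>(.*)$')) then (
    set_collected_field(v.key, 'from', $1);
    v.remainder = $2;
    # SIZE= is the size the client declared, not the bytes actually received.
    # $1 is the captured number (the original stored the literal 1 here).
    if (matches_regular_expression(v.remainder, ' [Ss][Ii][Zz][Ee]=([0-9]+)')) then (
      set_collected_field(v.key, 'size', $1);
    );
    set_collected_field(v.key, 'event_type', 'received');
    set_collected_field(v.key, 'messages_received', 1);
    set_collected_field(v.key, 'messages_sent', 0);
    set_collected_field(v.key, 'errors', 0);
    accept_collected_entry(v.key, true);
  );

  # Handle RCPT TO: only remembers the recipient; the entry is emitted on the
  # 2xx/4xx response that follows
  else if (matches_regular_expression(v.type, '^[Rr][Cc][Pp][Tt]$') and
           matches_regular_expression(v.message, '^[Tt][Oo] *:<([^>]+)>')) then (
    set_collected_field(v.key, 'to', $1);
    # set_collected_field(v.key, 'messages_received', 0);
    # set_collected_field(v.key, 'messages_sent', 1);
    # set_collected_field(v.key, 'errors', 0);
    # accept_collected_entry(v.key, true);
  );

  # Handle 2xx responses
  else if (matches_regular_expression(v.message, '^(2[0-9][0-9]) (.*)$')) then (
    # If we have both sender and recipient, then this is a successful send
    if ((get_collected_field(v.key, 'to') ne '') and
        (get_collected_field(v.key, 'from') ne '')) then (
      set_collected_field(v.key, 'response_code', $1);
      set_collected_field(v.key, 'response', $2);
      set_collected_field(v.key, 'messages_received', 0);
      set_collected_field(v.key, 'messages_sent', 1);
      set_collected_field(v.key, 'errors', 0);
      set_collected_field(v.key, 'event_type', 'sent');
      accept_collected_entry(v.key, true);
    )
  ) # if 2xx

  # Handle 4xx responses; mark them as errors
  else if (matches_regular_expression(v.message, '^(4[0-9][0-9]) (.*)$')) then (
    set_collected_field(v.key, 'response_code', $1);
    set_collected_field(v.key, 'response', $2);
    set_collected_field(v.key, 'messages_received', 0);
    set_collected_field(v.key, 'messages_sent', 0);
    set_collected_field(v.key, 'errors', 1);
    set_collected_field(v.key, 'event_type', 'error');
    accept_collected_entry(v.key, true);
  ) # if 4xx

) # if matches basic format
`

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    event_type = ""
    client_ip = ""
    location = ""
    from = ""
    to = ""
    response_code = ""
    response = ""
    domain = ""
  } # database.fields

  database.numerical_fields = {
    messages_sent = {
      label = "$lang_stats.field_labels.messages_sent"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages_sent
    messages_received = {
      label = "$lang_stats.field_labels.messages_received"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # messages_received
    errors = {
      label = "$lang_stats.field_labels.errors"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # errors
    # Declared SIZE= from MAIL FROM; off by default
    size = {
      label = "$lang_stats.field_labels.size"
      default = false
      log_field = "size"
      requires_log_field = true
      type = "float"
      display_format_type = "bandwidth"
    } # size
    unique_client_ips = {
      label = "$lang_stats.field_labels.unique_client_ips"
      default = false
      requires_log_field = true
      log_field = "client_ip"
      type = "unique"
      display_format_type = "integer"
    } # unique_client_ips
  } # database.numerical_fields

  create_profile_wizard_options = {
    date_time_tracking = true
    host_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      event_type = true
      client_ip = true
      location = true
      from = true
      to = true
      response_code = true
      response = true
      domain = true
    } # report_groups
  } # create_profile_wizard_options

} # iis_smtp_comma_separated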