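# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the ArGoSoft Mail Server log.
# The file collects SMTP/POP3 session lines by their numeric connection ID
# and emits one database entry per recipient plus one for the sender when
# the connection ends.
argosoft_mail_server = {

  plugin_version = "2.2.1"

  # NOTE(review): key spelled "manfacturer" as shipped; if the host expects
  # "manufacturer" this info line is silently ignored - confirm against a
  # sibling plugin before renaming, since the host reads the key name.
  info.1.manfacturer = "ArGo Software Design"
  info.1.device = "Mail Server"
  info.1.version.1 = ""

  # 2006-09-15 - 2.0.1beta - KBB - added support for additional format
  # 2007-09-11 - 2.0.1 - KBB - renumbered per new beta policy and
  #                            changed file name from beta_argosoft_mail_server.cfg
  # 2008-11-10 - 2.2 - MSG - added a parsing filter for POP3 lines, and changed autodetect lines to 100
  # 2010-10-04 - 2.2.1 - MSG - Edited info lines.
  # 2.2.1 (review) - POP3 "Requested connection" branch joined to the SMTP
  #                  if/else chain so connection start/end lines no longer fall
  #                  through to the keyed-line handler; date/time now set when
  #                  a connection is requested; 'errors' declared as a log field;
  #                  superseded commented-out "END SMTP" block removed.

  # The name of the log format
  log.format.format_label = "Argosoft Mail Server Log Format"
  log.miscellaneous.log_data_type = "mail_server"
  log.miscellaneous.log_format_type = "mail_server"

  log.format.autodetect_lines = "100"

  # The log is in this format if any of the first 100 lines (autodetect_lines)
  # match this regular expression. It is anchored at the start of the line and
  # only accepts a dotted-quad source address, so a stray match on unrelated
  # mail logs is unlikely.
  log.format.autodetect_regular_expression = "^[0-9]+[-/][0-9]+[-/][0-9][0-9][0-9][0-9] [0-9]+:[0-9][0-9]:[0-9][0-9][APM ]* - Requested (SMTP|POP3) connection from [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields. Scratch fields (size, spam_messages) are collected per
  # connection and folded into the numerical fields when the connection ends.
  log.fields = {
    date = ""
    time = ""
    event_type = ""
    sender = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # sender
    recipient = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # recipient
    # HELO/EHLO argument as sent by the remote client - untrusted, stored verbatim
    server_domain = ""
    source_ip.type = "host"
    rejection_reason = ""
    error_message = ""
    size = ""
    spam_messages = ""
    messages_delivered = ""
    messages_queued = ""
    spam_messages_queued = ""
    spam_messages_delivered = ""
    bytes_delivered = ""
    bytes_queued = ""
    connections_rejected = ""
    # Set by the "Error:" branch below and consumed by
    # database.numerical_fields.errors; declared here so the two agree.
    errors = ""
  } # log.fields

  # Log Parsing Filters
  #
  # Every line is "<date> <time> - <message>". Connection start/end lines carry
  # the connection ID in the message; all other lines are "keyed": they start
  # with "(ID)" or "{ID}". Fields are collected under the ID with
  # set_collected_field() and only written to the database by
  # accept_collected_entry() when the connection ends.
  #
  # Everything after HELO/EHLO, MAIL FROM and RCPT TO is supplied by the
  # remote client and is copied into the database without further validation;
  # reports built on server_domain, sender and recipient should treat those
  # values as untrusted text.
  log.parsing_filters.parse = `
if (matches_regular_expression(current_log_line(), '^([0-9/-]+) ([0-9:APM ]+) - (.*)$')) then (

  v.date = $1;
  v.time = $2;
  v.message = $3;
  # Lines whose key cannot be extracted are collected under the empty key,
  # so unrelated un-keyed lines share one bucket.
  v.key = '';

  # Parse "Requested SMTP connection" lines
  if (matches_regular_expression(v.message, '^Requested SMTP connection from ([0-9.]+) \\\\[([^]]*)\\\\], ID=([0-9]+)')) then (
    v.key = $3;
    set_collected_field(v.key, 'source_ip', $1);
    set_collected_field(v.key, 'source_hostname', $2);
    # Stamp the new connection with the request time so a session without
    # any keyed lines still carries a date/time.
    set_collected_field(v.key, 'date', v.date);
    set_collected_field(v.key, 'time', v.time);
  )

  # At the end of the SMTP message, add entries for sender and all recipients
  # Use connection end instead of "END SMTP" because some formats don't have "END SMTP"
  # e.g. SMTP connection with 99.99.99.99 [99.99.99.99] ended. ID=145
  else if (matches_regular_expression(v.message, '^SMTP connection with [0-9.]+ \\\\[[^]]*\\\\] ended. ID=([0-9]+)')) then (
    v.key = $1;
    v.original_event_type = get_collected_field(v.key, 'event_type');

    # Add an entry to the database for each recipient.
    # Only the event_type line is conditional: a connection that was already
    # flagged (rejected/error/spam) keeps that event_type.
    if (v.original_event_type eq '(empty)') then
      set_collected_field(v.key, 'event_type', 'message delivered');
    set_collected_field(v.key, 'messages_queued', 0);
    set_collected_field(v.key, 'messages_delivered', 1);
    set_collected_field(v.key, 'bytes_queued', 0);
    set_collected_field(v.key, 'bytes_delivered', get_collected_field(v.key, 'size'));
    set_collected_field(v.key, 'spam_messages_queued', 0);
    set_collected_field(v.key, 'spam_messages_delivered', get_collected_field(v.key, 'spam_messages'));
#    set_collected_field(v.key, 'connections_rejected', 0);
    # NOTE(review): the recipient list is split with '^([^]*)(.*)$' and built
    # in the RCPT TO branch with an empty-string separator. A delimiter
    # character appears to have been lost from this copy of the file; as
    # written the class "[^]" is empty/unterminated and, if the engine accepts
    # it, an empty v.recipients would match forever. Confirm the separator
    # against the shipped plugin before relying on per-recipient entries.
    v.recipients = get_collected_field(v.key, 'recipient');
    while (matches_regular_expression(v.recipients, '^([^]*)(.*)$')) (
      set_collected_field(v.key, 'recipient', $1);
      accept_collected_entry(v.key, true);
      v.recipients = $2;
    );

    # Add an entry to the database for the sender
    if (v.original_event_type eq '(empty)') then
#    if (v.original_event_type ne 'rejected') then
      set_collected_field(v.key, 'event_type', 'message queued');
    set_collected_field(v.key, 'messages_queued', 1);
    set_collected_field(v.key, 'messages_delivered', 0);
    set_collected_field(v.key, 'bytes_queued', get_collected_field(v.key, 'size'));
    set_collected_field(v.key, 'bytes_delivered', 0);
    set_collected_field(v.key, 'spam_messages_queued', get_collected_field(v.key, 'spam_messages'));
    set_collected_field(v.key, 'spam_messages_delivered', 0);
#    set_collected_field(v.key, 'connections_rejected', 0);
    set_collected_field(v.key, 'recipient', '');
    # false: the entry is final, nothing more is collected under this key
    accept_collected_entry(v.key, false);
  ) # END SMTP

  # Parse "Requested POP3 connection" lines.
  # This is part of the same if/else chain as the SMTP branches above so that
  # connection start/end lines never reach the keyed-line handler below.
  else if (matches_regular_expression(v.message, '^Requested POP3 connection from ([0-9.]+) \\\\[([^]]*)\\\\], ID=([0-9]+)')) then (
    v.key = $3;
    set_collected_field(v.key, 'source_ip', $1);
    set_collected_field(v.key, 'source_hostname', $2);
    set_collected_field(v.key, 'date', v.date);
    set_collected_field(v.key, 'time', v.time);
  )

  # At the end of the POP3 message, add entries for sender and all recipients
  # Use connection end instead of "END POP3" because some formats don't have "END POP3"
  # e.g. POP3 connection with 99.99.99.99 [99.99.99.99] ended. ID=145
  else if (matches_regular_expression(v.message, '^POP3 connection with [0-9.]+ \\\\[[^]]*\\\\] ended. ID=([0-9]+)')) then (
    v.key = $1;
    v.original_event_type = get_collected_field(v.key, 'event_type');

    # Add an entry to the database for each recipient
    if (v.original_event_type eq '(empty)') then
      set_collected_field(v.key, 'event_type', 'message delivered');
    set_collected_field(v.key, 'messages_queued', 0);
    set_collected_field(v.key, 'messages_delivered', 1);
    set_collected_field(v.key, 'bytes_queued', 0);
    set_collected_field(v.key, 'bytes_delivered', get_collected_field(v.key, 'size'));
    set_collected_field(v.key, 'spam_messages_queued', 0);
    set_collected_field(v.key, 'spam_messages_delivered', get_collected_field(v.key, 'spam_messages'));
#    set_collected_field(v.key, 'connections_rejected', 0);
    # Same recipient-list split as the SMTP branch; see the note there.
    v.recipients = get_collected_field(v.key, 'recipient');
    while (matches_regular_expression(v.recipients, '^([^]*)(.*)$')) (
      set_collected_field(v.key, 'recipient', $1);
      accept_collected_entry(v.key, true);
      v.recipients = $2;
    );

    # Add an entry to the database for the sender
    if (v.original_event_type eq '(empty)') then
#    if (v.original_event_type ne 'rejected') then
      set_collected_field(v.key, 'event_type', 'message queued');
    set_collected_field(v.key, 'messages_queued', 1);
    set_collected_field(v.key, 'messages_delivered', 0);
    set_collected_field(v.key, 'bytes_queued', get_collected_field(v.key, 'size'));
    set_collected_field(v.key, 'bytes_delivered', 0);
    set_collected_field(v.key, 'spam_messages_queued', get_collected_field(v.key, 'spam_messages'));
    set_collected_field(v.key, 'spam_messages_delivered', 0);
#    set_collected_field(v.key, 'connections_rejected', 0);
    set_collected_field(v.key, 'recipient', '');
    accept_collected_entry(v.key, false);
  ) # END POP3

  # Handle keyed lines
  else (

    # Extract the key; only a numeric ID in "(...)" or "{...}" is accepted,
    # anything else leaves v.key as the empty key.
    if (matches_regular_expression(v.message, '^[({] *([0-9]+)[)}] (.*)$')) then (
      v.key = $1;
      v.message = $2;
    );

    # Set the date/time (last keyed line wins)
    set_collected_field(v.key, 'date', v.date);
    set_collected_field(v.key, 'time', v.time);

    # Parse HELO/EHLO lines - the argument is whatever the client sent
    if (matches_regular_expression(v.message, '^([Hh][Ee][Ll][Oo]|[Ee][Hh][Ll][Oo]) (.*)$')) then
      set_collected_field(v.key, 'server_domain', $2);

    # Parse MAIL FROM lines
    else if (matches_regular_expression(v.message, '^[Mm][Aa][Ii][Ll] [Ff][Rr][Oo][Mm]:(.*)$')) then (
      v.sender = $1;
      # Trim leading spaces when the argument is a single token
      if (matches_regular_expression(v.sender, '^ *([^ ]*)$')) then
        v.sender = $1;
      # Split off the SIZE= extension, if present, into the scratch 'size' field
      if (matches_regular_expression(v.sender, '^(.*) [Ss][Ii][Zz][Ee]=([0-9]*)')) then (
        set_collected_field(v.key, 'size', $2);
        v.sender = $1;
      );
      # Unwrap <address>; no further validation of the address is done here
      if (matches_regular_expression(v.sender, '<([^>]*)>')) then
        v.sender = $1;
      set_collected_field(v.key, 'sender', v.sender);
    ) # mail from

    # Parse RCPT TO lines
    else if (matches_regular_expression(v.message, '^[Rr][Cc][Pp][Tt] [Tt][Oo]:(.*)$')) then (
      v.recipient = $1;
      if (matches_regular_expression(v.recipient, '^ *([^ ]*)$')) then
        v.recipient = $1;
      if (matches_regular_expression(v.recipient, '<([^>]*)>')) then
        v.recipient = $1;
#      set_collected_field(v.key, 'recipient', v.recipient);
      # Get the list from the collected field
      v.recipients = get_collected_field(v.key, 'recipient');
      if (v.recipients eq '(empty)') then
        v.recipients = '';
      # Build up the list. NOTE(review): the separator appended here is the
      # empty string in this copy; the connection-end branches expect a
      # delimiter they can split on - confirm against the shipped plugin.
      v.recipients .= v.recipient . '';
      # Save the built list back in the collected field
      set_collected_field(v.key, 'recipient', v.recipients);
    ) # RCPT TO

    # Parse Connection Rejected lines (5xx response)
    else if (matches_regular_expression(v.message, '^5[0-9]+ Connection from (.*) rejected')) then (
      # The full server line is kept as the reason
      set_collected_field(v.key, 'rejection_reason', v.message);
      # Add a "rejected connection" event
      set_collected_field(v.key, 'event_type', 'rejected connection');
      set_collected_field(v.key, 'messages_delivered', 0);
      set_collected_field(v.key, 'messages_queued', 0);
      set_collected_field(v.key, 'bytes_delivered', 0);
      set_collected_field(v.key, 'bytes_queued', 0);
      set_collected_field(v.key, 'connections_rejected', 1);
      # The entry is accepted when the connection-ended line arrives
#      accept_collected_entry(v.key, false);
    ) # rejected

    # Parse Error lines
    else if (matches_regular_expression(v.message, '^Error: (.*)$')) then (
      set_collected_field(v.key, 'rejection_reason', v.message);
      # Add an "error" event
      set_collected_field(v.key, 'event_type', 'error');
      set_collected_field(v.key, 'error_message', $1);
      set_collected_field(v.key, 'messages_delivered', 0);
      set_collected_field(v.key, 'messages_queued', 0);
      set_collected_field(v.key, 'bytes_delivered', 0);
      set_collected_field(v.key, 'bytes_queued', 0);
      set_collected_field(v.key, 'connections_rejected', 0);
      set_collected_field(v.key, 'errors', 1);
#      accept_collected_entry(v.key, false);
    ) # error

    # Parse DNSBL rejections
    # e.g. Rejected by DNS based Spam Database: Rejected by spamhaus.org
    else if (matches_regular_expression(v.message, '^Rejected by DNS based Spam Database: Rejected by ')) then (
      set_collected_field(v.key, 'event_type', 'rejected spam');
      set_collected_field(v.key, 'rejection_reason', v.message);
      # Folded into spam_messages_queued/delivered at connection end
      set_collected_field(v.key, 'spam_messages', 1);
    ); # rejected spam

    # (An earlier "END SMTP"-triggered copy of the connection-end handler
    # lived here commented out; it is superseded by the "SMTP connection
    # with ... ended" branch above.)

  ); # if keyed line

); # if header matches
`

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    event_type = ""
    sender = ""
    recipient = ""
    server_domain = ""
    source_ip = ""
    location = ""
    rejection_reason = ""
    error_message = ""
  } # database.fields

  database.numerical_fields = {
    messages_delivered.default = true
    messages_queued.default = true
    connections_rejected = ""
    bytes_delivered = {
      type = "float"
      display_format_type = "bandwidth"
    }
    bytes_queued = {
      type = "float"
      display_format_type = "bandwidth"
    }
    spam_messages_queued = ""
    spam_messages_delivered = ""
    errors = ""
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'messages = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # argosoft_mail_server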