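# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plug-in for the McAfee Email Security Appliance.
# Recognises the syslog-delivered "Application=smtp, Event=..." transport-log
# lines, splits the key=value list into log fields, and declares the database
# fields, numerical fields and report groups built from them.
email_security_appliance = {

  plugin_version = "1.0"

  info.1.manfacturer = "McAfee"
  info.1.device = "Email Security Appliance"
  info.1.version.1 = "5.5"

  # 2010-09-21 - 1.0 - GMF - Created initial plug-in

  # The name of the log format
  log.format.format_label = "McAfee Email Security Appliance Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "mail_server"

  # e.g.
  # 2010-09-15 00:00:04 Mail.Info abc.def.com Sep 15 05:00:04 abcrelay1 Application=smtp, Event='Transport log. Defer, refuse and retry', From=<>, size=2977, source=(12.34.56.78), nrcpts=1, to=, msgid=5118_3b21_9d67c8d2_c022_11df_b1ba_00119b929bbd, relay=(), status='The email is deferred', subject='Delivery Status'

  # The log is in this format if any of the first two lines (autodetect_lines)
  # match this regular expression
  log.format.autodetect_regular_expression = " Application=smtp, Event="
  log.format.autodetect_lines = "2"

  # Log fields
  log.fields = {
    application = ""
    event = ""
    status = ""
    source = ""
    source_ip.type = "host"
    source_hostname = ""
    from = ""
    to = ""
    relay = ""
    subject = ""
    nrcpts = ""
    size = ""
    msgid = ""
    convid = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `
    # Strip off leading "unix syslog" style header
    # ("Mon DD HH:MM:SS host "); the remainder is the appliance's own message.
    if (matches_regular_expression(v.syslog_message, "^[A-Z][a-z][a-z] [0-9 ][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [^ ]+ (.*)$")) then
      v.syslog_message = $1;

    if (matches_regular_expression(v.syslog_message, '^(Application=.*)$')) then (
      # NOTE(review): the key=value list is tokenised only on ', ' and '='.
      # Values taken from the message itself (subject, from) may contain those
      # separators; such a value is then split into extra tokens, and a token
      # that repeats an earlier key presumably overwrites it (e.g. 'status',
      # which precedes 'subject' in the sample line above). Treat event/status
      # as derived from partially untrusted text when building alerts on them.
      collect_listed_fields('', $1, ', ', '=', '');

      # Strip quotes off event and status
      if (matches_regular_expression(get_collected_field('', 'event'), "^'(.*)'$")) then
        set_collected_field('', 'event', $1);
      if (matches_regular_expression(get_collected_field('', 'status'), "^'(.*)'$")) then
        set_collected_field('', 'status', $1);

      # Strip parentheses off source: "hostname(ip)" or "(ip)".
      # The inner class previously excluded ']' instead of ')'; [^)]+ matches
      # the intent and yields the same captures on well-formed input.
      if (matches_regular_expression(get_collected_field('', 'source'), '^([^)]*)[(]([^)]+)[)]$')) then (
        set_collected_field('', 'source_hostname', $1);
        set_collected_field('', 'source_ip', $2);
      );

      # Strip <> from "from"
      if (matches_regular_expression(get_collected_field('', 'from'), '^<([^>]*)>$')) then
        set_collected_field('', 'from', $1);
      if (matches_regular_expression(get_collected_field('', 'to'), '^<([^>]*)>$')) then
        set_collected_field('', 'to', $1);

      # One database entry per transport-log line
      set_collected_field('', 'events', 1);
      accept_collected_entry('', false);
    )
  `

  # Message and conversation ids are not kept in the database by default
  log.filters = {
    clear_msgid = `msgid = "omitted"`
    clear_convid = `convid = "omitted"`
  }

  # Database fields
  database.fields = {
    date_time = ""
    hour_of_day = ""
    day_of_week = ""
    application = ""
    event = ""
    status = ""
    source_ip = ""
    from = ""
    source_hostname = ""
    location = ""
    organization = ""
    isp = ""
    domain = ""
    to = ""
    relay = ""
    subject = ""
    nrcpts = ""
    size = ""
    msgid = ""
    convid = ""
  } # database.fields

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    unique_source_ips = {
      log_field = "source_ip"
      type = "unique"
    } # unique_source_ips
    size = {
      type = "float"
      display_format_type = "bandwidth"
    }
  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      # (the duplicate "from = true" entry that followed source_hostname was dropped)
      source_group = {
        from = true
        source_ip = true
        source_hostname = true
        location = true
        organization = true
        isp = true
        domain = true
      }
      to = ""
      application = ""
      event = ""
      status = ""
      msgid = ""
      convid = ""
      nrcpts = ""
      relay = ""
      subject = ""
    } # report_groups

  } # create_profile_wizard_options

} # email_security_appliance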