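# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Sendmail's non-syslog SMTP transcript log.
# Each log line is "<key> <direction> <text>", where direction is one of
# "<<<", "===" or ">>>". Lines sharing a key belong to one SMTP session; the
# parsing filter below collects the session's fields under that key and
# accepts one entry per delivered message (a "250" reply seen after DATA).
#
# Every text field extracted here (HELO name, MAIL FROM, RCPT TO, Subject)
# is copied verbatim from the client side of the SMTP dialogue and is not
# validated by this plugin; treat those report fields as untrusted input.

sendmail_no_syslog = {

  plugin_version = "1.1"

  info.1.manufacturer = "Sendmail"
  info.1.device = "No Syslog"
  info.1.version.1 = ""

  # Initial creation - 1.0
  # 2010-10-05 - 1.1 - MSG - Edited info lines.
  # 1.1 (review) - MAIL FROM angle brackets are now stripped even when nothing
  #   follows the address; data_found is reset after each accepted message;
  #   "240" comment typo corrected to "250".

  # The name of the log format
  log.format.format_label = "Sendmail (no syslog) Log Format"
  log.miscellaneous.log_data_type = "mail"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first ten lines match this regular expression
  # (a key, a direction marker and a three-digit SMTP reply code).
  log.format.autodetect_regular_expression = "^[0-9]+ (>>>|===|<<<) [0-9][0-9][0-9] "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    # Taken from the CONNECT line.
    source_ip = ""
    # Whatever the client announced in HELO/EHLO; it is not verified.
    domain = ""
    subject = ""
    # Sender address split on "@"; left_to_right = false presumably makes the
    # domain part the top hierarchy level — confirm against the Sawmill docs.
    from = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # from
    # Recipient address, same hierarchy as "from".
    to = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # to
    # Message size from the MAIL FROM SIZE= parameter, when present.
    size = ""
    messages_sent = ""
    messages_received = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `
if (matches_regular_expression(current_log_line(), '^([0-9]+) (<<<|===|>>>) (.*)$')) then (
  v.key = $1;
  v.message = $3;

  # Get the source IP from CONNECT, and start the sent/received at 1/0.
  # data_found gates the accept below: only a 250 reply seen after DATA
  # counts as a delivered message.
  if (matches_regular_expression(v.message, '^CONNECT (.*)$')) then (
    set_collected_field(v.key, 'source_ip', $1);
    set_collected_field(v.key, 'messages_sent', 1);
    set_collected_field(v.key, 'messages_received', 0);
    set_collected_field(v.key, 'data_found', false);
  )

  # Get the domain from HELO/EHLO lines (client-asserted, not verified)
  else if (matches_regular_expression(v.message, '^[EeHh][EeHh][Ll][Oo] (.*)$')) then
    set_collected_field(v.key, 'domain', $1);

  # Get the "from" address (and optional size) from MAIL FROM
  else if (matches_regular_expression(v.message, '^[Mm][Aa][Ii][Ll] [Ff][Rr][Oo][Mm]: *(.*)$')) then (
    v.mailfrom = $1;
    # SIZE= is only recognised when it is the last parameter on the line.
    if (matches_regular_expression(v.mailfrom, '^(.*) [Ss][Ii][Zz][Ee]=([0-9]+)$')) then (
      v.mailfrom = $1;
      set_collected_field(v.key, 'size', $2);
    );
    # Strip the surrounding angle brackets. The trailing space is optional so
    # a bare "<user@host>" (nothing after it) is handled like RCPT TO below;
    # otherwise the brackets would survive into the "from" hierarchy.
    if (matches_regular_expression(v.mailfrom, '^<(.*)> *')) then
      v.mailfrom = $1;
    set_collected_field(v.key, 'from', v.mailfrom);
  )

  # Get the "to" address from RCPT TO, and increment messages_received
  else if (matches_regular_expression(v.message, '^[Rr][Cc][Pp][Tt] [Tt][Oo]: *(.*)$')) then (
    v.rcptto = $1;
    if (matches_regular_expression(v.rcptto, '^<(.*)> *$')) then
      v.rcptto = $1;
    # Only the last RCPT TO of a message is kept in "to"; the count still
    # reflects every recipient.
    set_collected_field(v.key, 'to', v.rcptto);
    set_collected_field(v.key, 'messages_received', get_collected_field(v.key, 'messages_received') + 1);
  )

  # Get the subject from Subject: lines
  else if (matches_regular_expression(v.message, '^[Ss][Uu][Bb][Jj][Ee][Cc][Tt]: *(.*)$')) then (
    set_collected_field(v.key, 'subject', $1);
  )

  # Set data_found to true if we have seen a DATA line now
  else if (matches_regular_expression(v.message, '^[Dd][Aa][Tt][Aa] *$')) then (
    set_collected_field(v.key, 'data_found', true);
  )

  # If we've seen a DATA line and this is a 250 line, it must be a delivery; accept it.
  # 250 replies also follow HELO, MAIL and RCPT, which is why data_found is required.
  else if (matches_regular_expression(v.message, '^250 ')) then (
    if (get_collected_field(v.key, 'data_found')) then (
      accept_collected_entry(v.key, false);
      # Require a fresh DATA before another 250 on this session is counted,
      # so the 250 replies to a second message's MAIL/RCPT commands do not
      # re-accept the entry. (The second argument to accept_collected_entry
      # is read here as "do not clear the collected fields" — confirm against
      # the Sawmill docs; the reset is harmless either way.)
      set_collected_field(v.key, 'data_found', false);
    )
  )
)
`

  # Database fields
  database.fields = {
    source_ip = ""
    domain = ""
    from = ""
    to = ""
    subject = ""
  } # database.fields

  database.numerical_fields = {
    messages_sent = {
      label = "$lang_stats.field_labels.messages_sent"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages_sent
    messages_received = {
      label = "$lang_stats.field_labels.messages_received"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages_received
    # 64-bit so large SIZE= values do not overflow; shown as bandwidth.
    size = {
      label = "$lang_stats.field_labels.size"
      default = false
      requires_log_field = true
      log_field = "size"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # size
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      source_ip = true
      domain = true
      from = true
      to = true
      subject = true
    } # report_groups
  } # create_profile_wizard_options

} # sendmail_no_syslog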