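# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Symantec Brightmail Gateway mail logs relayed
# over syslog. One mail message is spread across several syslog lines that
# share a message key (second "|"-delimited field); the lines are correlated
# into one collected entry keyed on that value and emitted on SENDER and on
# each DELIVER event.
brightmail_gateway = {

  plugin_version = "1.1"

  # 2012-05-01 - GMF - 1.0 - Initial creation (ThreadID:1264833)
  # 2012-05-08 - GMF - 1.1 - Fixed logging_device collection. Fixed messages processed/delivered miscount. Added additional field tracking: orcpts, accept, attach, untested, verdict, trackerid, ircptaction; added log filters to suppress some of these by default.

  # log file format info, latest changes
  info.1.manufacturer = "Symantec"
  info.1.device = "Brightmail Gateway (via syslog)"
  info.1.version.1 = "9" # 9.5.3

  # The name of the log format
  log.format.format_label = "Symantec Brightmail Gateway (via syslog)"
  # Sawmill's syslog layer must run first: it strips the outer syslog header
  # and supplies the logging_device / log_level values read below.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if there is a match this regular expression
  # (an epoch timestamp, the message key, and one of the known event types,
  # all "|"-separated; TRACKERID lines are still parsed even though they are
  # not part of the autodetect alternation).
  log.format.autodetect_regular_expression = "[0-9]+[|][^|]+[|](ORCPTS|ACCEPT|SENDER|SOURCE|MSGID|SUBJECT|ATTACH|UNTESTED|VERDICT|IRCPTACTION|DELIVER)[|]"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # This discards uncollected entries after 10000 lines, so a message whose
  # SENDER/DELIVER lines never arrive does not stay in memory indefinitely.
  log.format.collected_entry_lifespan = "10000"
  log.format.discard_expired_entries = true

  # Log fields
  log.fields = {
    # sender/recipient are split on "@" right-to-left, so the report
    # hierarchy is domain first, then the local part.
    sender = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    }
    recipient = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    }
    source = ""
    subject = ""
    msgid = ""
    orcpts = ""
    accept = ""
    attach = ""
    untested = ""
    verdict = ""
    trackerid = ""
    ircptaction = ""
    messages_delivered = ""
    messages_processed = ""
  } # log.fields

  # Log Parsing Filters

  # Example session:
  #Apr 19 15:39:17 172.25.50.48 Apr 19 15:31:07 mailgateway01 xyz: 1334829667|ac193230-b7f0f6d000007a1f-bf-4f8fe25d9824|ORCPTS|someone@somewhere.com
  #Apr 19 15:39:17 172.25.50.48 Apr 19 15:31:07 mailgateway01 xyz: 1334829661|ac193230-b7f0f6d000007a1f-bf-4f8fe25d9824|ACCEPT|12.34.56.78:56432
  #Apr 19 15:39:17 172.25.50.48 Apr 19 15:31:07 mailgateway01 xyz: 1334829661|ac193230-b7f0f6d000007a1f-bf-4f8fe25d9824|SENDER|someone@somewhere.com
  #Apr 19 15:39:17 172.25.50.48 Apr 19 15:31:08 mailgateway01 abc: 1334829667|ac193230-b7f0f6d000007a1f-bf-4f8fe25d9824|SOURCE|external
  #Apr 19 15:39:17 172.25.50.48 Apr 19 15:31:08 mailgateway01 abc: 1334829667|ac193230-b7f0f6d000007a1f-bf-4f8fe25d9824|MSGID| <734308407@localhost.localdomain>
  #Apr 19 15:39:17 172.25.50.48 Apr 19 15:31:08 mailgateway01 abc: 1334829667|ac193230-b7f0f6d000007a1f-bf-4f8fe25d9824|SUBJECT|My email subject
  #Apr 19 15:39:17 172.25.50.48 Apr 19 15:31:08 mailgateway01 abc: 1334829667|ac193230-b7f0f6d000007a1f-bf-4f8fe25d9824|ATTACH|abc.gif|arrow.gif
  #Apr 19 15:39:17 172.25.50.48 Apr 19 15:31:08 mailgateway01 abc: 1334829668|ac193230-b7f0f6d000007a1f-bf-4f8fe25d9824|UNTESTED|someone@somewhere.com|suspect|content_500|content_100|content_200|content_1327920582337|content_300|content_520|content_521|content_1327920741190|content_400|user_allow|user_deny|freq_va|freq_dha|freq_sa|connection_class_0|connection_class_1|connection_class_2|connection_class_3|connection_class_4|connection_class_5|connection_class_6|connection_class_7|connection_class_8|connection_class_9|blockedlang|knownlang
  #Apr 19 15:39:17 172.25.50.48 Apr 19 15:31:08 mailgateway01 abc: 1334829668|ac193230-b7f0f6d000007a1f-bf-4f8fe25d9824|VERDICT|someone@somewhere.com|none|default|default
  #Apr 19 15:39:17 Apr 19 15:31:08 mailgateway01 xyz: 1334829668|ac193230-b7f0f6d000007a1f-bf-4f8fe25d9824|TRACKERID|someone@somewhere.com|H4sIABCDa7zaslkh73429xSalFhasdF
  #Apr 19 15:39:17 172.25.50.48 Apr 19 15:31:08 mailgateway01 xyz: 1334829668|ac193230-b7f0f6d000007a1f-bf-4f8fe25d9824|IRCPTACTION|someone@somewhere.com|deliver
  #Apr 19 15:39:17 172.25.50.48 Apr 19 15:31:08 mailgateway01 xyz: 1334829668|ac193230-b7f0f6d000007a1f-bf-4f8fe25d9824|DELIVER|172.16.14.41:25|someone@somewhere.com

  log.parsing_filters.parse = `
    # Remove extra syslog header. After Sawmill's own syslog handling the
    # message still carries the gateway's inner "Mon DD HH:MM:SS host prog: "
    # prefix (see the example session); keep only what follows it.
    if (matches_regular_expression(v.syslog_message, '^[A-Z][a-z][a-z] +[0-9]+ +[0-9:]+ [^ ]+ [^:]+: (.*)$')) then
      v.syslog_message = $1;

    # epoch | message key | EVENT | remainder. Everything after the event
    # type is log-supplied text and is stored as-is into the named field.
    if (matches_regular_expression(v.syslog_message, '^([0-9]+)[|]([^|]+)[|]([A-Z]+)[|](.*)$')) then (
      v.key = $2;
      set_collected_field(v.key, 'date', normalize_date($1, "seconds_since_jan1_1970"));
      set_collected_field(v.key, 'time', normalize_time($1, "seconds_since_jan1_1970"));
      v.event_type = $3;
      v.remainder = $4;
      # Carry the syslog-level device/level into the per-message entry so
      # they survive until the entry is accepted.
      set_collected_field(v.key, 'logging_device', get_collected_field('', 'logging_device'));
      set_collected_field(v.key, 'log_level', get_collected_field('', 'log_level'));

      # SENDER is counted once per message as "processed"; each DELIVER is
      # counted once as "delivered" (and resets processed to 0 so the same
      # message is not counted as processed twice).
      if (v.event_type eq "SENDER") then (
        set_collected_field(v.key, 'sender', v.remainder);
        set_collected_field(v.key, 'messages_processed', 1);
        set_collected_field(v.key, 'messages_delivered', 0);
        accept_collected_entry(v.key, true);
      );
      else if (v.event_type eq "SOURCE") then
        set_collected_field(v.key, 'source', v.remainder);
      else if (v.event_type eq "ORCPTS") then
        set_collected_field(v.key, 'orcpts', v.remainder);
      else if (v.event_type eq "ACCEPT") then
        set_collected_field(v.key, 'accept', v.remainder);
      else if (v.event_type eq "ATTACH") then
        set_collected_field(v.key, 'attach', v.remainder);
      else if (v.event_type eq "UNTESTED") then
        set_collected_field(v.key, 'untested', v.remainder);
      else if (v.event_type eq "TRACKERID") then
        set_collected_field(v.key, 'trackerid', v.remainder);
      else if (v.event_type eq "MSGID") then
        set_collected_field(v.key, 'msgid', v.remainder);
      else if (v.event_type eq "VERDICT") then
        set_collected_field(v.key, 'verdict', v.remainder);
      else if (v.event_type eq "IRCPTACTION") then
        set_collected_field(v.key, 'ircptaction', v.remainder);
      else if (v.event_type eq "SUBJECT") then
        set_collected_field(v.key, 'subject', v.remainder);
      else if (v.event_type eq "DELIVER") then (
        # DELIVER remainder is "<delivery-host>:<port>|<recipient>" (see the
        # example session). Store only the captured recipient address so the
        # hierarchical recipient field splits on "@" as intended instead of
        # carrying the host:port prefix in its local part.
        if (matches_regular_expression(v.remainder, '^[^|]+[|](.*)$')) then (
          set_collected_field(v.key, 'recipient', $1);
          set_collected_field(v.key, 'messages_processed', 0);
          set_collected_field(v.key, 'messages_delivered', 1);
          accept_collected_entry(v.key, true);
        );
      ); # DELIVER
    );
  ` # parse

  # Log filters. Each filter replaces a per-message field with a fixed
  # placeholder before it is stored, so these values are not kept in the
  # database by default; disable a filter to retain the field.
  log.filters = {
    suppress_message_id = {
      label = "$lang_admin.log_filters.suppress_message_id_label"
      comment = "$lang_admin.log_filters.suppress_message_id_comment"
      value = `msgid = "[omitted]"`
    } # suppress_message_id
    suppress_attach = {
      label = "Suppress attach"
      value = `attach = "[omitted]"`
    } # suppress_attach
    suppress_untested = {
      label = "Suppress untested"
      value = `untested = "[omitted]"`
    } # suppress_untested
    suppress_trackerid = {
      label = "Suppress trackerid"
      value = `trackerid = "[omitted]"`
    } # suppress_trackerid
    # Additional filters kept for reference but not enabled.
    # suppress_verdict = {
    #   label = "Suppress verdict"
    #   value = `verdict = "[omitted]"`
    # } # suppress_verdict
    # suppress_ircptaction = {
    #   label = "Suppress ircptaction"
    #   value = `ircptaction = "[omitted]"`
    # } # suppress_ircptaction
    # suppress_orcpts = {
    #   label = "Suppress orcpts"
    #   value = `orcpts = "[omitted]"`
    # } # suppress_orcpts
    # suppress_xxx = {
    #   label = "Suppress xxx"
    #   value = `untested = "[omitted]"`
    # } # suppress_xxx
  } # log.filters

  # Database fields
  database.fields = {
    sender = {
      itemnums_hash_function = "rand_sum"
    }
    recipient = {
      itemnums_hash_function = "rand_sum"
    }
    source = ""
    subject = ""
    msgid = ""
    orcpts = ""
    accept = ""
    attach = ""
    untested = ""
    verdict = ""
    trackerid = ""
    ircptaction = ""
  } # database.fields

  database.numerical_fields = {
    messages_delivered = {
      default = true
    }
    messages_processed = {
      default = true
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # brightmail_gateway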