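# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Log-format plugin for Ipswitch IMail (v7/v8) syslog output. The whole file is the
# single `imail` profile: field declarations, the parsing filter that correlates the
# SMTPD / SMTP / POP3D lines of one message into one collected entry, and the report
# layout. Everything extracted below comes from the mail log itself; none of it is
# authenticated input.

imail = {

  plugin_version = "1.3"

  info.1.manufacturer = "Ipswitch"
  info.1.device = "IMail"
  info.1.version.1 = "7"
  info.1.version.2 = "8"

  # Plugin Version
  # 09/May/2006 14:11 - 1.0Beta - Renamed imail7.cfg as this format supports v7 and v8 logs - GAS
  # 14/May/2006 - 1.1 - GMF - Fixed/reenabled rekeying, so source IPs get carried properly from the
  #   connection to the delivery. ("Beta" removed by GMF with version 1.1. Note added by KBB.)
  # 2008-06-04 - 1.2 - GMF - Updated to simplified v7 format. Added error reporting. Split messages and
  #   bytes into forwards/delivered.
  # 2009-02-11 - 1.2.1 - GMF - Renamed "from" and "to" to "sender" and "recipient" and made them hierarchical.
  #   This also fixed a bug, since the log fields had already been renamed, but not the dbfields.
  # 2012-02-07 - 1.3 - GMF - Added "spam source" numerical fields. Added support for variant format. Removed <> from sender.

  # The name of the log format
  log.format.format_label = "IMail Log Format"
  # Lines must carry a syslog header: the parser below copies date/time from the syslog
  # fields (collected under key '') into each message entry.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first ten lines match this regular expression
  log.format.autodetect_regular_expression = "(SMTP|POP3D|SMTPD)[ -]*\\([^)]*\\) "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # An entry in this log is called a "message" in the statistics (not a "hit")
  statistics.miscellaneous.entry_name = "messages"

  # Log fields
  log.fields = {
    operation = ""
    protocol = ""
    # sender/recipient are split on "@" right-to-left so reports can roll up by domain.
    sender = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = "false"
    } # sender
    recipient = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = "false"
    } # recipient
    user = ""
    # Filled from the HELO argument on SMTPD lines and the domain on POP3D logon lines.
    server_domain = ""
    source_ip.type = "host"
    error_message = ""
    relay_host = ""
    relay_ip = ""
    # Raw size taken from the deliver / queue-file lines; copied into bytes_delivered or
    # bytes_forwarded when the entry is accepted.
    bytes = ""
    bytes_forwarded = ""
    bytes_delivered = ""
    messages_forwarded = ""
    messages_delivered = ""
    errors = ""
    connections_dropped_suspected_spam = ""
    connections_dropped_confirmed_spam = ""
  } # log.fields

  #
  # Log Parsing Filters
  log.parsing_filters = {

    #
    # 2006-05-14: GMF suspects that the following comment was written by Graham, except
    # for the paragraph by GMF. See REKEYING ALGORITHM below, which is an attempt to restore
    # the rekeyings and make them work right; so hopefully this comment is now obsolete.
    #
    # Note: lots of rekeys here don't look right -- why rekey from ce6300070104a542 to ce6300070104a542.SMD,
    # as filter 1 would do for this:
    #
    # 20040803 013006 127.0.0.1 SMTP (ce6300070104a542) processing d:\IMail\spool\Qce6300070104a542.SMD
    #
    # I changed these all to rekey from "" (the syslog date/time) to carry date/time over from syslog. Otherwise,
    # We don't get the date/time at all. Is there something fancy going on here? -GMF
    #
    # if (matches_regular_expression(v.message, '^Connect')) then
    #   rekey_collected_entry('', v.key);
    # if (matches_regular_expression(v.message, '^processing [A-Za-z]:.*[Ss]pool.Q(.*)$')) then
    #   rekey_collected_entry($1, v.key);
    #   accept_collected_entry($1, false);
    # if (v.protocol eq 'SMTPD') then (
    #   if (matches_regular_expression(v.message, '^\\\\[[0-9.]*\\\\] [A-Za-z]:.*spool.D([^ ]*) [0-9]*')) then
    #     rekey_collected_entry(v.key, $1);
    # )
    # if (matches_regular_expression(v.message, '^\\\\[[0-9.]*\\\\] connect')) then
    #   rekey_collected_entry('', v.key);
    # rekey_collected_entry('', v.key);

    parse = `
# Every line has the shape "<PROTOCOL>[ -]*(<key>) <message>"; the key is IMail's per-session
# or per-message id and is what the collected entries are keyed on.
if (matches_regular_expression(v.syslog_message, '^(SMTP|SMTPD|POP3D)[- ]*\\\\(([A-Za-z0-9]*)\\\\) (.*)$')) then (
  v.protocol = $1;
  v.key = $2;
  v.message = $3;
  set_collected_field(v.key, 'protocol', v.protocol);

  # REKEYING ALGORITHM:
  #
  # 2006-05-14: GMF restored this; otherwise the information collected by the SMTPD lines
  # never gets copied into the SMTP line keys. E.g.:
  #
  # 1. 20060404 000133 127.0.0.1 SMTPD (0E84015E) [194.164.103.66] connect 194.164.103.113 port 4777
  #    ...
  # 2. 20060404 000133 127.0.0.1 SMTPD (0E84015E) [194.164.103.113] M:\IMail\spool\Da94d0e84015eea03.SMD 23824
  # 3. 20060404 000134 127.0.0.1 SMTP (04F85090) processing M:\IMail\spool\qa94caac30022e550.smd
  #    ...
  # 4. 20060404 000134 127.0.0.1 SMTP (04F85090) >MAIL FROM:<>
  #
  # (1) is the first SMTPD line, and that's where the date/time and other syslog header fields are
  # rekeyed from "" to 04F8508F. We also get the source IP in (1), and put it in the SMTPD key 0E84015E.
  # Then (2) puts that in the queue file M:\IMail\spool\Da94d0e84015eea03.SMD, which contains the queue
  # key, a94d0e84015eea03. Later, (3) takes that out of the queue file, and begins the SMTP work on it.
  # We can associate this with the original SMTPD key because it also contains the queue key,
  # a94caac30022e550. So the sequence of rekeying which has to occur to handle this is:
  #
  # '' -> 0E84015E -> 94d0e84015eea03 -> 04F85090
  #
  # Each arrow is a rekey_collected_entry() call. The first one occurs in line (1) to rekey the syslog
  # fields over to the SMTPD key; the second one occurs on line (2) to rekey the SMTPD fields into
  # the queue key; and the third one occurs on line (3) to rekey the queue fields into the SMTP key.
  #
  # -GMF

  if (v.protocol eq 'SMTP') then (
    # This is the third rekey from the REKEYING ALGORITHM (see comment above),
    # to rekey queue fields into SMTP fields.
    if (matches_regular_expression(v.message, '^processing [A-Za-z]:.*[Ss]pool.[Qq]([^.]+)')) then (
      rekey_collected_entry($1, v.key);
    );

    # 04:28 00:00 SMTP-(59f200002ad89893) Connect somewhere.com [12.34.56.78:25] (1)
    if (matches_regular_expression(v.message, '^Connect ([^ ]+) [[]([^]]+)[]] ')) then (
      set_collected_field(v.key, 'relay_host', $1);
      set_collected_field(v.key, 'relay_ip', $2);
    );
    # ldeliver/rdeliver/gdeliver: "<op> <x> <recipient> (<n>) <sender> <bytes>"; the parenthesised
    # number and the first token are not captured.
    else if (matches_regular_expression(v.message, '^([lrg]deliver) [^ ]* ([^ ]*) \\\\([0-9]\\\\) ([^ ]*) ([0-9]*)')) then (
      set_collected_field(v.key, 'operation', $1);
      set_collected_field(v.key, 'recipient', $2);
      set_collected_field(v.key, 'sender', $3);
      set_collected_field(v.key, 'bytes', $4);
      # Strip <> off sender
      if (matches_regular_expression($3, '^<(.*)>$')) then
        set_collected_field(v.key, 'sender', $1);
    );
    # Handle 5xx errors; if we see one, add an event for this into the database
    else if (matches_regular_expression(v.message, '^(5[0-9][0-9] .*)$')) then (
      set_collected_field(v.key, 'date', get_collected_field('', 'date'));
      set_collected_field(v.key, 'time', get_collected_field('', 'time'));
      set_collected_field(v.key, 'error_message', $1);
      set_collected_field(v.key, 'errors', 1);
      accept_collected_entry(v.key, true);
    );
  ); # if SMTP

  else if (v.protocol eq 'SMTPD') then (
    # This is the first rekey from the REKEYING ALGORITHM (see comment above),
    # to rekey syslog fields into SMTPD fields.
    # NOTE(review): the bracketed address is matched with [0-9.]*, i.e. IPv4 only; a connect line
    # carrying an IPv6 literal would not match here, so its syslog fields would never be rekeyed
    # and source_ip would stay empty. Confirm against the v7/v8 log format before widening it.
    if (matches_regular_expression(v.message, '^\\\\[([0-9.]*)\\\\] connect')) then (
      rekey_collected_entry('', v.key);
      set_collected_field(v.key, 'source_ip', $1);
    );
    # This is the second rekey from the REKEYING ALGORITHM (see comment above),
    # to rekey SMTPD fields into queue fields.
    else if (matches_regular_expression(v.message, '^\\\\[[0-9.]*\\\\] [A-Za-z]:.*[Ss]pool.[Dd]([^.]+)[^ ]+ [0-9]*')) then (
      rekey_collected_entry(v.key, $1);
    );
    else (
      # Extract leading source IP, if any
      if (matches_regular_expression(v.message, '^\\\\[([0-9.]*)\\\\] (.*)$')) then (
        set_collected_field(v.key, 'source_ip', $1);
        v.smtpd_message = $2;
      );
      # But there sometimes isn't a leading source IP:
      # 11:05 00:00 SMTPD(075a000027832319) <<< MAIL FROM:>
      else
        v.smtpd_message = v.message;

      # Strip off direction marker, if any
      if (matches_regular_expression(v.smtpd_message, '^(<<<|>>>) (.*)$')) then
        v.smtpd_message = $2;

      # HELO and MAIL FROM are supplied by the connecting client and are not verified by the
      # server; server_domain and sender are reporting dimensions, not identity.
      if (matches_regular_expression(v.smtpd_message, '^HELO (.*)')) then
        set_collected_field(v.key, 'server_domain', $1);
      else if (matches_regular_expression(v.smtpd_message, '^MAIL FROM: *([^ ].*)$')) then (
        # Strip the <> off the sender when present. Hold the value in a variable instead of
        # relying on what $1 holds after a failed inner match.
        v.sender = $1;
        if (matches_regular_expression(v.sender, '^<(.*)>$')) then
          v.sender = $1;
        set_collected_field(v.key, 'sender', v.sender);
      );
      else if (matches_regular_expression(v.smtpd_message, '^RCPT TO: *([^ ].*)$')) then
        set_collected_field(v.key, 'recipient', $1);
      # Queue-file line: "<drive>:\...\spool\<file> <bytes>"
      else if (matches_regular_expression(v.smtpd_message, '^[A-Za-z]:.*[Ss]pool[^ ]* ([0-9]*)$')) then
        set_collected_field(v.key, 'bytes', $1);
      # Connections IMail rejected at the door; these are accepted as their own entries so the
      # drop counts show up per source IP.
      else if (matches_regular_expression(v.smtpd_message, '^550-Connection dropped because your IP is a confirmed spam source')) then (
        set_collected_field(v.key, 'connections_dropped_confirmed_spam', 1);
        set_collected_field(v.key, 'date', get_collected_field('', 'date'));
        set_collected_field(v.key, 'time', get_collected_field('', 'time'));
        accept_collected_entry(v.key, false);
      );
      else if (matches_regular_expression(v.smtpd_message, '^421-Connection dropped because your IP is a suspected spam source')) then (
        set_collected_field(v.key, 'connections_dropped_suspected_spam', 1);
        set_collected_field(v.key, 'date', get_collected_field('', 'date'));
        set_collected_field(v.key, 'time', get_collected_field('', 'time'));
        accept_collected_entry(v.key, false);
      );
    );
  ); # SMTPD

  else if (v.protocol eq 'POP3D') then (
    if (matches_regular_expression(v.message, '(logon) success for ([^ ]*) ([^ ]*) from ([0-9.]*)')) then (
      set_collected_field(v.key, 'operation', $1);
      set_collected_field(v.key, 'user', $2);
      set_collected_field(v.key, 'server_domain', $3);
      set_collected_field(v.key, 'source_ip', $4);
      # NOTE(review): 'pop_logins' is not declared in log.fields or database.numerical_fields in
      # this file; unless it is declared elsewhere this value is dropped. Declare it if POP3
      # logons should be reported.
      set_collected_field(v.key, 'pop_logins', 1);
      accept_collected_entry(v.key, false);
    );
  );

  # Final accounting for delivered vs. forwarded messages. The two branches are exclusive:
  # a "forwarded" line must NOT also be tested in the first condition, otherwise the
  # "forwarded" branch below is unreachable and every forward is counted as a delivery.
  if (matches_regular_expression(v.message, '^[lrg]deliver ')) then (
    set_collected_field(v.key, 'date', get_collected_field('', 'date'));
    set_collected_field(v.key, 'time', get_collected_field('', 'time'));
    set_collected_field(v.key, 'messages_delivered', 1);
    set_collected_field(v.key, 'bytes_delivered', get_collected_field(v.key, 'bytes'));
    accept_collected_entry(v.key, false);
  );
  else if (matches_regular_expression(v.message, '^forwarded ')) then (
    set_collected_field(v.key, 'date', get_collected_field('', 'date'));
    set_collected_field(v.key, 'time', get_collected_field('', 'time'));
    set_collected_field(v.key, 'messages_forwarded', 1);
    set_collected_field(v.key, 'bytes_forwarded', get_collected_field(v.key, 'bytes'));
    accept_collected_entry(v.key, false);
  );
);
`
  } # log.parsing_filters

  # Database fields
  database.fields = {
    source_ip = ""
    location = ""
    server_domain = ""
    operation = ""
    sender = ""
    recipient = ""
    user = ""
    protocol = ""
    relay_host = ""
    relay_ip = ""
    error_message = ""
  } # database.fields

  database.numerical_fields = {
    messages_forwarded = {
      default = true
    }
    messages_delivered = {
      default = true
    }
    errors = {
      default = true
    }
    # 64-bit so long-running logs do not overflow the byte counters.
    bytes_forwarded = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_forwarded
    bytes_delivered = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_delivered
    connections_dropped_suspected_spam = ""
    connections_dropped_confirmed_spam = ""
  } # database.numerical_fields

  log.filters = {
    # mark_entry = {
    #   label = '$lang_admin.log_filters.mark_entry_label'
    #   comment = '$lang_admin.log_filters.mark_entry_comment'
    #   value = 'messages = 1;'
    # } # mark_entry
  } # log.filters

  create_profile_wizard_options = {

    host_tracking = true

    # This shows which numerical fields are related to which non-numerical fields.
    database_field_associations = {
      error_message = {
        errors = true
      }
    } # database_field_associations

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_ip = true
      server_domain = true
      operation = true
      sender = true
      recipient = true
      user = true
      protocol = true
    } # report_groups

  } # create_profile_wizard_options

  not_supported = {
    visitors = true
    sessions = true
    pageviews = true
  } # not_supported

} # imail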