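# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Log format plugin describing the "TFS MailReport Extended" mail-server log:
# the autodetection pattern, the log fields, the parsing filter that splits
# each line, the database fields, and the report grouping offered by the
# profile wizard.
tfs_mailreport_extended = {

  plugin_version = "1.0.1"

  # 2006-06-30 - 1.0beta - GMF - initial implementation
  # 2007-09-14 - 1.0 - KBB - renumbered per new beta policy
  # 2011-07-20 - 1.0.1 - MSG - Edited info lines.

  info.1.manufacturer = "Microsoft"
  info.1.device = "TFS MailReport Extended"
  info.1.version.1 = ""

  # sessions, hits, bandwidth, pageviews, and visitors.

  # The name of the log format
  log.format.format_label = "TFS MailReport Extended Log Format"
  log.miscellaneous.log_data_type = "mail"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the leading lines match this regular
  # expression. The pattern requires the whole line to be one <...> record with
  # a numeric id, a direction of I or O, a date, a time and the sender,
  # recipient and size fields.
  # NOTE(review): this comment used to say "first ten lines", which does not
  # agree with autodetect_lines = "2" below; presumably autodetect_lines is the
  # number of lines checked - confirm.
  log.format.autodetect_regular_expression = "^<[0-9]+,[IO],[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9],[0-9][0-9]:[0-9][0-9],[^,]+,[^,]+,[0-9]+,[^,]*,[^,]*,.*>$"
  log.format.autodetect_lines = "2"

  # All log field parsing will be done using the parsing filters
  # log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {

    # Fixed header, present on every line
    message_id = ""
    direction = ""
    date = ""
    time = ""

    # Addresses are hierarchical on "@" and read right to left
    # (left_to_right = false).
    sender = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = "false"
    } # sender
    recipient = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = "false"
    } # recipient
    size = ""
    hostname = ""
    host_ip_address = ""

    # Dynamic part - message
    subject = ""
    message_signature = ""
    message_encryption = ""
    virus = ""
    policy = ""

    # Message - sub type Attachment
    attachment_name = ""
    attachment_size = ""
    attachment_signature = ""
    attachment_encryption = ""

    # Message - sub type Virus response
    virus_result = ""
    virus_action = ""

    # Message - sub type Policies
    policy_name = ""
    policy_result = ""
    policy_action = ""

    # Dynamic part - Connection
    connecting_ip_address = ""

    # Connection - sub type SMTP Server
    rbl_domain = ""
    rbl_response = ""
    connection_action = ""

    # Connection - sub type SMTP Sender
    connection_status = ""
    connection_result = ""

  } # log.fields

  # Log Parsing Filters
  #
  # Each line is split into a fixed nine-field header followed by zero or more
  # tagged sections (M, A, V, P, C, R, S), consumed left to right from
  # v.remainder until it is empty.
  #
  # Review notes. Subject, sender, recipient and attachment names originate in
  # mail content, so the values reaching this filter are not trusted:
  # - Escaped commas are rewritten to %2c before splitting and are not
  #   converted back anywhere in this file, so stored values keep the %2c form.
  # - Splitting relies on the log producer escaping every comma inside a value.
  #   A stray comma shifts the following fields or ends in the error() branch.
  # - Every section writes into the same single set of fields, and nothing in
  #   this filter emits an entry between sections. When a line carries the same
  #   section more than once (for example several A or V sections) only the
  #   last one is kept for that entry.
  # - A line that does not match the header pattern gets no fields assigned
  #   here; the header pattern is also not anchored at the start of the line.
  # - NOTE(review): error() presumably stops processing instead of skipping the
  #   line; confirm that a single malformed line cannot halt the whole import.
  # - The S branch used to continue with the third capture, which is a section
  #   field and not the tail. Data after an S section was therefore dropped or
  #   reported as invalid. It now continues with the fourth capture, the tail.
  #   NOTE(review): the S pattern captures three fields but only two log fields
  #   exist for it; confirm the S layout against the log format specification.
  log.parsing_filters.parse = `
    v.current_log_line = replace_all(current_log_line(), '\\\\,', '%2c');
    if (matches_regular_expression(v.current_log_line, '<([0-9]+),([IO]),([0-9-]+),([0-9:]+),([^,]+),([^,]+),([0-9]+),([^,]*),([^,]*),(.*)>$')) then (

      # Fixed header
      message_id = $1;
      direction = $2;
      date = $3;
      time = $4;
      sender = $5;
      recipient = $6;
      size = $7;
      hostname = $8;
      host_ip_address = $9;
      v.remainder = $10;

      # Consume one tagged section per pass
      while (v.remainder ne "") (

        # M - message
        if (matches_regular_expression(v.remainder, '^M,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),(.*)$')) then (
          subject = $1;
          message_signature = $2;
          message_encryption = $3;
          virus = $4;
          policy = $5;
          v.remainder = $6;
        );

        # A - attachment
        else if (matches_regular_expression(v.remainder, '^A,([^,]*),([^,]*),([^,]*),([^,]*),(.*)$')) then (
          attachment_name = $1;
          attachment_size = $2;
          attachment_signature = $3;
          attachment_encryption = $4;
          v.remainder = $5;
        );

        # V - virus response; its first field replaces attachment_name
        else if (matches_regular_expression(v.remainder, '^V,([^,]*),([^,]*),([^,]*),(.*)$')) then (
          attachment_name = $1;
          virus_result = $2;
          virus_action = $3;
          v.remainder = $4;
        );

        # P - policy
        else if (matches_regular_expression(v.remainder, '^P,([^,]*),([^,]*),([^,]*),(.*)$')) then (
          policy_name = $1;
          policy_result = $2;
          policy_action = $3;
          v.remainder = $4;
        );

        # C - connection
        else if (matches_regular_expression(v.remainder, '^C,([^,]*),(.*)$')) then (
          connecting_ip_address = $1;
          v.remainder = $2;
        );

        # R - SMTP server, RBL lookup
        else if (matches_regular_expression(v.remainder, '^R,([^,]*),([^,]*),([^,]*),(.*)$')) then (
          rbl_domain = $1;
          rbl_response = $2;
          connection_action = $3;
          v.remainder = $4;
        );

        # S - SMTP sender; the third captured field has no log field and is skipped
        else if (matches_regular_expression(v.remainder, '^S,([^,]*),([^,]*),([^,]*),(.*)$')) then (
          connection_status = $1;
          connection_result = $2;
          v.remainder = $4;
        );

        # Anything else is reported with the unparsed text
        else (
          error("Invalid or unsupported TFS Extended section in log data: " . v.remainder);
        );

      ); # while remainder

    );
  `

  # Database fields
  database.fields = {

    date_time = ""
    hour_of_day = ""
    day_of_week = ""
    message_id = ""
    direction = ""
    sender = ""
    recipient = ""
    hostname = ""
    host_ip_address = ""

    # Dynamic part - message
    subject = ""
    message_signature = ""
    message_encryption = ""
    virus = ""
    policy = ""

    # Message - sub type Attachment
    attachment_name = ""
    # NOTE(review): attachment_size is also declared in
    # database.numerical_fields below, while size appears only there; confirm
    # that listing it in both places is intended.
    attachment_size = ""
    attachment_signature = ""
    attachment_encryption = ""

    # Message - sub type Virus response
    virus_result = ""
    virus_action = ""

    # Message - sub type Policies
    policy_name = ""
    policy_result = ""
    policy_action = ""

    # Dynamic part - Connection
    connecting_ip_address = ""

    # Connection - sub type SMTP Server
    rbl_domain = ""
    rbl_response = ""
    connection_action = ""

    # Connection - sub type SMTP Sender
    connection_status = ""
    connection_result = ""

  } # database.fields

  database.numerical_fields = {

    # Entry counter; set to 1 per entry by the mark_entry log filter below
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events

    size = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # size

    attachment_size = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # attachment_size

  } # database.numerical_fields

  log.filters = {

    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry

  } # log.filters

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      sender = ""
      recipient = ""
      attachments_group = {
        attachment_name = ""
        attachment_signature = ""
        attachment_encryption = ""
      }
      # NOTE(review): no field named connection_ip_address is defined in this
      # file; connecting_ip_address (already listed in connections_group) is
      # the closest match. Left unchanged - confirm the intended field.
      source_group = {
        connection_ip_address = ""
      }
      server_group = {
        hostname = ""
        host_ip_address = ""
      }
      viruses_group = {
        virus = ""
        virus_result = ""
        virus_action = ""
      }
      policies_group = {
        policy = ""
        policy_name = ""
        policy_result = ""
        policy_action = ""
      }
      connections_group = {
        connecting_ip_address = ""
        rbl_domain = ""
        rbl_response = ""
        connection_action = ""
        connection_status = ""
        connection_result = ""
      }
      messages_group = {
        message_signature = ""
        message_encryption = ""
        message_id = ""
      }
      other_group = {
        direction = ""
        subject = ""
      }
    } # report_groups

  } # create_profile_wizard_options

} # tfs_mailreport_extended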