# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the ArGoSoft Mail Server log.
# Everything here is driven by log lines the mail server wrote: the autodetect
# expression decides whether a file is in this format, and the parse filter
# below turns per-connection lines (keyed by the server's connection ID) into
# one collected entry per recipient plus one per sender.
#
# NOTE(review): several values copied out of the log are supplied by the
# remote peer rather than by the server itself (the HELO/EHLO name stored in
# server_domain, the MAIL FROM / RCPT TO addresses, and the bracketed
# reverse-DNS name stored in source_hostname). Treat them as untrusted text in
# reports; only source_ip is something the server observed directly.

argosoft_mail_server = {

  plugin_version = "2.2.3"

  info.1.manufacturer = "ArGo Software Design"
  info.1.device = "Mail Server"
  info.1.version.1 = ""

  # 2006-09-15 - 2.0.1beta - KBB - added support for additional format
  # 2007-09-11 - 2.0.1 - KBB - renumbered per new beta policy and
  #   changed file name from beta_argosoft_mail_server.cfg
  # 2008-11-10 - 2.2 - MSG - added a parsing filter for POP3 lines, and changed autodetect lines to 100
  # 2010-10-04 - 2.2.1 - MSG - Edited info lines.
  # 2012-08-28 - 2.2.2 - GMF - Added support for variant /pub/logs/Examples/argosoft_mail_server [ThreadID:1275749]
  # 2012-08-29 - 2.2.3 - GMF - Added parsing of POP3 variant lines

  # The name of the log format
  log.format.format_label = "Argosoft Mail Server Log Format"
  log.miscellaneous.log_data_type = "mail_server"
  log.miscellaneous.log_format_type = "mail_server"

  # Number of leading lines examined by autodetect_expression (raised from 10 to 100 in 2.2).
  log.format.autodetect_lines = "100"
  # The log is in this format if any of the first 100 lines match either regular expression:
  # the dated "Requested SMTP/POP3 connection" form, or the bracketed "[SMTP id date time]" form.
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "^[0-9]+[-/][0-9]+[-/][0-9][0-9][0-9][0-9] [0-9]+:[0-9][0-9]:[0-9][0-9][APM ]* - Requested (SMTP|POP3) connection from [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+") or
    # [SMTP 015168 00-26-12 00:00:01] Received SMTP Connection from 192.168.1.150
    matches_regular_expression(volatile.log_data_line, "^[[]SMTP [0-9]+ [0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9][]]")
  `

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  # NOTE(review): the parse filter also writes 'source_hostname' and 'errors',
  # and the mark_entry filter writes 'messages'; none of these are declared
  # here. Confirm whether Sawmill requires collected fields to be declared.
  log.fields = {
    date = ""
    time = ""
    event_type = ""
    sender = {
      # type = "hierarchical"
      # hierarchy_dividers = "@"
      # left_to_right = false
      # leading_divider = false
    } # sender
    recipient = {
      # type = "hierarchical"
      # hierarchy_dividers = "@"
      # left_to_right = false
      # leading_divider = false
    } # recipient
    server_domain = ""
    # "host" type — presumably enables Sawmill's host handling (DNS/geo lookup feeding
    # the 'location' database field); confirm in the Sawmill field-type docs.
    source_ip.type = "host"
    rejection_reason = ""
    error_message = ""
    size = ""
    spam_messages = ""
    messages_delivered = ""
    messages_processed = ""
    spam_messages_processed = ""
    spam_messages_delivered = ""
    bytes_delivered = ""
    bytes_processed = ""
    connections_rejected = ""
  } # log.fields

  # Log Parsing Filters
  #
  # Per-line state: v.key is the server's connection ID and selects the
  # collected entry; v.message is the line with its date/time prefix removed.
  # Each matches_regular_expression() call overwrites $1..$n, so captures are
  # copied into v.* variables before the next match is attempted.
  # get_collected_field() appears to return the string '(empty)' for an unset
  # field (see the '(empty)' comparisons below) — confirm against Sawmill docs.
  log.parsing_filters.parse = `
    v.message = "";
    v.date = '';
    v.time = '';
    v.key = '';

    # Get the date/time from the filename (YYMMDD.log); the line's own date, if present, overrides it below
    if (matches_regular_expression(current_log_pathname(), '([0-9][0-9])([0-9][0-9])([0-9][0-9])[.]log')) then
      v.date = normalize_date('20' . $1 . '-' . $2 . '-' . $3, 'auto');

    # Dated form: "<date> <time> - <message>"
    if (matches_regular_expression(current_log_line(), '^([0-9/-]+) ([0-9:APM ]+) - (.*)$')) then (
      v.date = $1;
      v.time = $2;
      v.message = $3;
    );
    # Bracketed form: "[SMTP <id> <date> <time>] <message>", e.g.
    # [SMTP 015168 00-26-12 00:00:01] EHLO remoteweb1
    # (the date field in this form is not used; v.date keeps the filename-derived value)
    else if (matches_regular_expression(current_log_line(), '^[[][A-Z0-9]+ ([0-9]+) [0-9][0-9]-[0-9][0-9]-[0-9][0-9] ([0-9][0-9]:[0-9][0-9]:[0-9][0-9])[]] (.*)$')) then (
      v.key = $1;
      v.time = $2;
      v.message = $3;
    );

    if (v.message ne '') then (

      # Parse "Requested SMTP connection" lines
      # The bracketed name is whatever reverse DNS returned for the peer — untrusted text.
      if (matches_regular_expression(v.message, '^Requested SMTP connection from ([0-9.]+) \\\\[([^]]*)\\\\], ID=([0-9]+)')) then (
        v.key = $3;
        set_collected_field(v.key, 'source_ip', $1);
        set_collected_field(v.key, 'source_hostname', $2);
      );
      # Received SMTP Connection from 192.168.1.150
      else if (matches_regular_expression(v.message, '^Received SMTP [Cc]onnection from ([^ ]+)')) then (
        set_collected_field(v.key, 'source_ip', $1);
      );

      # At the end of the SMTP message, add entries for sender and all recipients
      # Use connection end instead of "END SMTP" because some formats don't have "END SMTP"
      ##else if (matches_regular_expression(v.message, '^END SMTP')) then (
      # SMTP connection with 99.99.99.99 [99.99.99.99] ended. ID=145
      else if (matches_regular_expression(v.message, '^SMTP connection with [0-9.]+ \\\\[[^]]*\\\\] ended. ID=([0-9]+)') or
      # [SMTP 015168 00-26-12 00:00:02] SMTP Connection with 192.168.1.150 ended
      matches_regular_expression(v.message, '^SMTP [Cc]onnection with [0-9.]+ ended')) then (
        if (matches_regular_expression(v.message, '^SMTP connection with [0-9.]+ \\\\[[^]]*\\\\] ended. ID=([0-9]+)')) then (
          v.key = $1;
        );

        v.original_event_type = get_collected_field(v.key, 'event_type');

        # Add an entry to the database for each recipient
        # Only the event_type assignment is guarded by the 'then' (no parentheses);
        # the counter assignments below run unconditionally, so an event_type set
        # earlier (rejected/error/spam) is preserved while the counters are still filled in.
        if (v.original_event_type eq '(empty)') then
          set_collected_field(v.key, 'event_type', 'message delivered');
        set_collected_field(v.key, 'messages_processed', 0);
        set_collected_field(v.key, 'messages_delivered', 1);
        set_collected_field(v.key, 'bytes_processed', 0);
        set_collected_field(v.key, 'bytes_delivered', get_collected_field(v.key, 'size'));
        set_collected_field(v.key, 'spam_messages_processed', 0);
        set_collected_field(v.key, 'spam_messages_delivered', get_collected_field(v.key, 'spam_messages'));
        # set_collected_field(v.key, 'connections_rejected', 0);
        v.recipients = get_collected_field(v.key, 'recipient');
        # NOTE(review): the list separator between recipients appears to have been lost in
        # this rendering — as printed, '[^]*' is an unterminated character class. Confirm the
        # separator character against the shipped .cfg (it must match the one appended in the
        # RCPT TO branch below).
        while (matches_regular_expression(v.recipients, '^([^]*)(.*)$')) (
          set_collected_field(v.key, 'recipient', $1);
          accept_collected_entry(v.key, true);
          v.recipients = $2;
        );

        # Add an entry to the database for the sender
        # Same guard shape as above: only event_type is conditional.
        if (v.original_event_type eq '(empty)') then
        # if (v.original_event_type ne 'rejected') then
          set_collected_field(v.key, 'event_type', 'message processed');
        set_collected_field(v.key, 'messages_processed', 1);
        set_collected_field(v.key, 'messages_delivered', 0);
        set_collected_field(v.key, 'bytes_processed', get_collected_field(v.key, 'size'));
        set_collected_field(v.key, 'bytes_delivered', 0);
        set_collected_field(v.key, 'spam_messages_processed', get_collected_field(v.key, 'spam_messages'));
        set_collected_field(v.key, 'spam_messages_delivered', 0);
        # set_collected_field(v.key, 'connections_rejected', 0);
        set_collected_field(v.key, 'recipient', '');
        accept_collected_entry(v.key, false);
      ); # END SMTP

      # Parse "Requested POP3 connection" lines
      # NOTE(review): this is a fresh 'if', not 'else if', so the SMTP lines handled above
      # also fall through to the "Handle keyed lines" else-branch of this chain (which
      # re-sets date/time on v.key after accept_collected_entry). If that is unintended,
      # the fix is to make this an 'else if'. The POP3 block below is otherwise a
      # copy of the SMTP block; keep the two in sync when changing either.
      if (matches_regular_expression(v.message, '^Requested POP3 connection from ([0-9.]+) \\\\[([^]]*)\\\\], ID=([0-9]+)')) then (
        v.key = $3;
        set_collected_field(v.key, 'source_ip', $1);
        set_collected_field(v.key, 'source_hostname', $2);
      );
      else if (matches_regular_expression(v.message, '^Received POP3 [Cc]onnection from ([^ ]+)')) then (
        set_collected_field(v.key, 'source_ip', $1);
      );

      # At the end of the POP3 message, add entries for sender and all recipients
      # Use connection end instead of "END POP3" because some formats don't have "END POP3"
      ##else if (matches_regular_expression(v.message, '^END POP3')) then (
      # POP3 connection with 99.99.99.99 [99.99.99.99] ended. ID=145
      else if (matches_regular_expression(v.message, '^POP3 connection with [0-9.]+ \\\\[[^]]*\\\\] ended. ID=([0-9]+)') or
      # bracketed variant, by analogy with the SMTP example above (constructed):
      # [POP3 015168 00-26-12 00:00:02] POP3 Connection with 192.168.1.150 ended
      matches_regular_expression(v.message, '^POP3 [Cc]onnection with [0-9.]+ ended')) then (
        if (matches_regular_expression(v.message, '^POP3 connection with [0-9.]+ \\\\[[^]]*\\\\] ended. ID=([0-9]+)')) then (
          v.key = $1;
        );

        v.original_event_type = get_collected_field(v.key, 'event_type');

        # Add an entry to the database for each recipient
        # (only event_type is guarded by the 'then'; the counters are set unconditionally)
        if (v.original_event_type eq '(empty)') then
          set_collected_field(v.key, 'event_type', 'message delivered');
        set_collected_field(v.key, 'messages_processed', 0);
        set_collected_field(v.key, 'messages_delivered', 1);
        set_collected_field(v.key, 'bytes_processed', 0);
        set_collected_field(v.key, 'bytes_delivered', get_collected_field(v.key, 'size'));
        set_collected_field(v.key, 'spam_messages_processed', 0);
        set_collected_field(v.key, 'spam_messages_delivered', get_collected_field(v.key, 'spam_messages'));
        # set_collected_field(v.key, 'connections_rejected', 0);
        v.recipients = get_collected_field(v.key, 'recipient');
        # See the separator note in the SMTP block: confirm the character inside '[^]*'.
        while (matches_regular_expression(v.recipients, '^([^]*)(.*)$')) (
          set_collected_field(v.key, 'recipient', $1);
          accept_collected_entry(v.key, true);
          v.recipients = $2;
        );

        # Add an entry to the database for the sender
        if (v.original_event_type eq '(empty)') then
        # if (v.original_event_type ne 'rejected') then
          set_collected_field(v.key, 'event_type', 'message processed');
        set_collected_field(v.key, 'messages_processed', 1);
        set_collected_field(v.key, 'messages_delivered', 0);
        set_collected_field(v.key, 'bytes_processed', get_collected_field(v.key, 'size'));
        set_collected_field(v.key, 'bytes_delivered', 0);
        set_collected_field(v.key, 'spam_messages_processed', get_collected_field(v.key, 'spam_messages'));
        set_collected_field(v.key, 'spam_messages_delivered', 0);
        # set_collected_field(v.key, 'connections_rejected', 0);
        set_collected_field(v.key, 'recipient', '');
        accept_collected_entry(v.key, false);
      ); # END POP3

      # Handle keyed lines: "(<id>) <message>" or "{<id>} <message>"
      else (
        # Extract the key
        if (matches_regular_expression(v.message, '^[({] *([0-9]+)[)}] (.*)$')) then (
          v.key = $1;
          v.message = $2;
        );

        # Set the date/time
        set_collected_field(v.key, 'date', v.date);
        set_collected_field(v.key, 'time', v.time);

        # Parse HELO/EHLO lines (the name is chosen by the connecting client)
        if (matches_regular_expression(v.message, '^([Hh][Ee][Ll][Oo]|[Ee][Hh][Ll][Oo]) (.*)$')) then
          set_collected_field(v.key, 'server_domain', $2);

        # Parse MAIL FROM lines: strip surrounding spaces, pull out SIZE=<n>, then unwrap <addr>
        else if (matches_regular_expression(v.message, '^[Mm][Aa][Ii][Ll] [Ff][Rr][Oo][Mm]:(.*)$')) then (
          v.sender = $1;
          if (matches_regular_expression(v.sender, '^ *([^ ]*)$')) then
            v.sender = $1;
          if (matches_regular_expression(v.sender, '^(.*) [Ss][Ii][Zz][Ee]=([0-9]*)')) then (
            set_collected_field(v.key, 'size', $2);
            v.sender = $1;
          );
          if (matches_regular_expression(v.sender, '<([^>]*)>')) then
            v.sender = $1;
          set_collected_field(v.key, 'sender', v.sender);
        ); # mail from

        # Parse RCPT TO lines: accumulate all recipients of this connection into one
        # delimited string in the 'recipient' collected field; it is split again at
        # connection end
        else if (matches_regular_expression(v.message, '^[Rr][Cc][Pp][Tt] [Tt][Oo]:(.*)$')) then (
          v.recipient = $1;
          if (matches_regular_expression(v.recipient, '^ *([^ ]*)$')) then
            v.recipient = $1;
          if (matches_regular_expression(v.recipient, '<([^>]*)>')) then
            v.recipient = $1;
          # set_collected_field(v.key, 'recipient', v.recipient);
          # Get the list from the collected field
          v.recipients = get_collected_field(v.key, 'recipient');
          if (v.recipients eq '(empty)') then
            v.recipients = '';
          # Build up the list
          # NOTE(review): the separator appended here reads as an empty string in this
          # rendering; it must be the same character the connection-end loop splits on.
          v.recipients .= v.recipient . '';
          # Save the built list back in the collected field
          set_collected_field(v.key, 'recipient', v.recipients);
        ); # RCPT TO

        # Parse Connection Rejected lines ("5xx Connection from ... rejected")
        else if (matches_regular_expression(v.message, '^5[0-9]+ Connection from (.*) rejected')) then (
          set_collected_field(v.key, 'rejection_reason', v.message);
          # Mark the entry as a "rejected connection" event; it is accepted at connection end
          set_collected_field(v.key, 'event_type', 'rejected connection');
          set_collected_field(v.key, 'messages_delivered', 0);
          set_collected_field(v.key, 'messages_processed', 0);
          set_collected_field(v.key, 'bytes_delivered', 0);
          set_collected_field(v.key, 'bytes_processed', 0);
          set_collected_field(v.key, 'connections_rejected', 1);
          # accept_collected_entry(v.key, false);
        ); # rejected

        # Parse "Error: ..." lines
        else if (matches_regular_expression(v.message, '^Error: (.*)$')) then (
          set_collected_field(v.key, 'rejection_reason', v.message);
          # Mark the entry as an "error" event; it is accepted at connection end
          set_collected_field(v.key, 'event_type', 'error');
          set_collected_field(v.key, 'error_message', $1);
          set_collected_field(v.key, 'messages_delivered', 0);
          set_collected_field(v.key, 'messages_processed', 0);
          set_collected_field(v.key, 'bytes_delivered', 0);
          set_collected_field(v.key, 'bytes_processed', 0);
          set_collected_field(v.key, 'connections_rejected', 0);
          set_collected_field(v.key, 'errors', 1);
          # accept_collected_entry(v.key, false);
        ); # error

        # Parse DNSBL rejections, e.g.
        # Rejected by DNS based Spam Database: Rejected by spamhaus.org
        else if (matches_regular_expression(v.message, '^Rejected by DNS based Spam Database: Rejected by ')) then (
          set_collected_field(v.key, 'event_type', 'rejected spam');
          set_collected_field(v.key, 'rejection_reason', v.message);
          set_collected_field(v.key, 'spam_messages', 1);
        ); # rejected spam

        ## Superseded by the connection-end handling above; kept for reference.
        ## # At the end of the SMTP message, add entries for sender and all recipients
        ## else if (matches_regular_expression(v.message, '^END SMTP')) then (
        ##
        ##   v.original_event_type = get_collected_field(v.key, 'event_type');
        ##
        ##   # Add an entry to the database for each recipient
        ##   if (v.original_event_type eq '(empty)') then
        ##     set_collected_field(v.key, 'event_type', 'message delivered');
        ##   set_collected_field(v.key, 'messages_processed', 0);
        ##   set_collected_field(v.key, 'messages_delivered', 1);
        ##   set_collected_field(v.key, 'bytes_processed', 0);
        ##   set_collected_field(v.key, 'bytes_delivered', get_collected_field(v.key, 'size'));
        ##   set_collected_field(v.key, 'spam_messages_processed', 0);
        ##   set_collected_field(v.key, 'spam_messages_delivered', get_collected_field(v.key, 'spam_messages'));
        ###  set_collected_field(v.key, 'connections_rejected', 0);
        ##   v.recipients = get_collected_field(v.key, 'recipient');
        ##   while (matches_regular_expression(v.recipients, '^([^]*)(.*)$')) (
        ##     set_collected_field(v.key, 'recipient', $1);
        ##     accept_collected_entry(v.key, true);
        ##     v.recipients = $2;
        ##   );
        ##
        ##   # Add an entry to the database for the sender
        ##   if (v.original_event_type eq '(empty)') then
        ###  if (v.original_event_type ne 'rejected') then
        ##     set_collected_field(v.key, 'event_type', 'message processed');
        ##   set_collected_field(v.key, 'messages_processed', 1);
        ##   set_collected_field(v.key, 'messages_delivered', 0);
        ##   set_collected_field(v.key, 'bytes_processed', get_collected_field(v.key, 'size'));
        ##   set_collected_field(v.key, 'bytes_delivered', 0);
        ##   set_collected_field(v.key, 'spam_messages_processed', get_collected_field(v.key, 'spam_messages'));
        ##   set_collected_field(v.key, 'spam_messages_delivered', 0);
        ###  set_collected_field(v.key, 'connections_rejected', 0);
        ##   set_collected_field(v.key, 'recipient', '');
        ##   accept_collected_entry(v.key, false);
        ##
        ## ); # END SMTP
      ); # if keyed line
    ); # if header matches
  `

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    event_type = ""
    sender = ""
    recipient = ""
    server_domain = ""
    source_ip = ""
    location = ""
    rejection_reason = ""
    error_message = ""
  } # database.fields

  # Numerical (aggregated) fields; byte counters are 64-bit and shown as bandwidth
  database.numerical_fields = {
    messages_delivered.default = true
    messages_processed.default = true
    connections_rejected = ""
    bytes_delivered = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }
    bytes_processed = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }
    spam_messages_processed = ""
    spam_messages_delivered = ""
    errors = ""
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'messages = 1;'
    } # mark_entry
  } # log.filters

} # argosoft_mail_server