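# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.

# Sawmill log format plugin for the text export produced by the McAfee Email
# Gateway (IronMail) "showevents" command. Every field is extracted by the
# parsing filter below (parse_only_with_filters); the log itself is treated as
# untyped lines. Two line shapes are handled in the filter: connection-keyed
# lines (a 14-digit key) and message-keyed lines (a 5-9 digit message id).
email_gateway_showevents_export = {

  plugin_version = "1.0"

  # 2012-07-25 - 1.0 - anonymous - Initial Creation

  # Anonymous creator states:
  #
  # The Log format that it analyzed was a full export from the
  # binary log.
  #
  # Data was exported using the "showevents" command without any
  # filters.
  #
  # Showevents.sh -s cfile=scevents.ini -s ifile="The binary log file name" -d head > "Text log name"
  #
  # This should have all the log data, from the initial connections,
  # virus scanning, spam analysis, to delivery.

  # Vendor / device identification. The same product is listed under both of
  # the names it has been sold under; each entry needs its own index, otherwise
  # the second set of keys silently overwrites the first.
  info.1.manufacturer = "McAfee"
  info.1.device = "Email Gateway (showevents export)"
  info.1.version.1 = "6.7.2"

  info.2.manufacturer = "IronMail"
  info.2.device = "IronMail (showevents export)"
  info.2.version.1 = "6.7.2"

  # The name of the log format
  log.format.format_label = "McAfee Email Gateway (IronMail) (showevents export)"
  log.miscellaneous.log_data_type = "mail_server"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Lines start with an 8-digit date, a colon, and an hh:mm:ss time (YYYYMMDD:hh:mm:ss).
  #00:00:00 PST inetgw [local4-notice]:
  # log.format.autodetect_regular_expression = "^[0-9][0-9]:[0-9][0-9]:[0-9][0-9] [A-Z]+ [^ ]+ \\[[^]]+\\]: "
  log.format.autodetect_regular_expression = "^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:[0-9][0-9]:[0-9][0-9]:[0-9][0-9]"

  # To accept the lines that have not been accepted explicitly: collected
  # entries that never reach an accept_collected_entry() call (for example a
  # connection that never produces a message id) expire after this many lines
  # and are still written out rather than discarded.
  log.format.collected_entry_lifespan = 10000
  log.format.discard_expired_entries = false

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Log fields. Fields declared as "" are plain string fields populated by
  # set_collected_field() in the parsing filter; the numeric ones are flags
  # (0/1) or counts that feed database.numerical_fields.
  log.fields = {
    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = false
    } # date
    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = false
    } # time
    subject = ""
    key = ""
    client_ip = ""
    message_id = ""
    direction = ""
    relay_ip = ""
    # Addresses are split on "@" right-to-left so the domain is the top level
    # of the hierarchy and the local part sits underneath it.
    to = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    }
    from = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    }
    messages_blocked_ts = ""
    virus_action_drop = ""
    virus_action_unknown = ""
    virus_action_quarantine = ""
    virus_action_quarantine_single = ""
    size = ""
    sent = ""
    connection = ""
    # Subject assigned to the DSN message that the gateway creates when a
    # message is dropped or quarantined by the virus checker.
    DSN_subject = ""
    spam_action_subj_rewrite = ""
    spam_action_quarantine = ""
    spam_action_log = ""
    policy_quarantine = ""
  } # log.fields

  #
  # Log Parsing Filters
  #
  # Each line is "YYYYMMDD:hh:mm:ss|<key>|<n>|<message>". Lines with a 14-digit
  # key describe the SMTP connection; lines with a 5-9 digit key describe a
  # message. Fields collected on the connection key are copied onto the
  # message id when the "Created new Message ID" line is seen.
  #
  # Note on the captured values: subject, to and from are taken from message
  # content, i.e. from data the sender controls. The regular expressions below
  # use greedy ".*" captures anchored on ":" and ">", so a value that itself
  # contains the delimiter is captured only partially (e.g. a subject that
  # contains ":" appears to be reduced to the text after its last colon by the
  # "Fingerprinting message" pattern). The address patterns are lowercase-only;
  # mixed-case addresses in the log would not be captured - confirm against a
  # sample export if that matters for the reports.
  #
  # 'reroute-flag' is not declared in log.fields; it is only used within this
  # filter as a scratch marker so the "Re-routed to EUQ server" line is not
  # counted as a policy quarantine when an earlier virus/spam action already
  # caused the reroute.
  log.parsing_filters.parse = `
  #if (matches_regular_expression(current_log_line(), '^([0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]):([0-9][0-9]:[0-9][0-9]:[0-9][0-9])(.*)$')) then (

    # Connection-keyed lines (14-digit key).
    if (matches_regular_expression(current_log_line(), '^([0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]):([0-9][0-9]:[0-9][0-9]:[0-9][0-9])\\\\|([0-9]{14})\\\\|[0-9]*\\\\|(.*)$')) then (
      v.key = $3;
      set_collected_field(v.key, 'time', $2);
      set_collected_field(v.key, 'key', $3);
      set_collected_field(v.key, 'date', normalize_date($1, 'yyyymmdd'));
      v.message = $4;

      # Direction flag (0 or 1) of the relay; also marks the start of a connection.
      if (matches_regular_expression(v.message, '^Relay ----> -\\\\|<([01]).*$')) then (
        set_collected_field(v.key, 'direction', $1);
        set_collected_field(v.key, 'connection', 1);
      );
      if (matches_regular_expression(v.message, '^BATV .* -\\\\|([0-9.]*)\\\\|')) then (
        set_collected_field(v.key, 'client_ip', $1);
      );
      if (matches_regular_expression(v.message, '^Received -\\\\|<([-.a-z0-9_]*@[a-z0-9.]*):.*')) then (
        set_collected_field(v.key, 'to', $1);
      );
      # Two shapes of the QUEU line: with and without a trailing size.
      if (matches_regular_expression(v.message, '^QUEU COMMAND RECEIVED -\\\\|<<([-._a-z0-9]*@[-_.a-z0-9]*)>:.*')) then (
        set_collected_field(v.key, 'from', $1);
      );
      if (matches_regular_expression(v.message, '^QUEU COMMAND RECEIVED -\\\\|<<([-._a-z0-9]*@[-_.a-z0-9]*)> size=([0-9]+):.*')) then (
        set_collected_field(v.key, 'from', $1);
        set_collected_field(v.key, 'size', $2);
      );
      if (matches_regular_expression(v.message, '^Fingerprinting message .*:(.*):([0-9]{5,9}).*$')) then (
        set_collected_field(v.key, 'subject', $1);
        set_collected_field(v.key, 'message_id', $2);
      );
      # Message rejected at connection time; it never gets a message id, so the
      # entry is accepted on the connection key.
      if (matches_regular_expression(v.message, '^Spam Message. Message not queued.*$')) then (
        set_collected_field(v.key, 'messages_blocked_ts', 1);
        accept_collected_entry(v.key, false);
      );
      # if (matches_regular_expression(v.message, '^Processing completed.*')) then (
      #   accept_collected_entry(v.key, true);
      # );

      # Hand-over from connection key to message id: copy everything collected
      # so far onto the new message entry.
      if (matches_regular_expression(v.message, '^Created new Message ID and File -\\\\|<([0-9]{5,9}):.*$')) then (
        v.mid = $1;
        set_collected_field(v.mid, 'message_id', $1);
        set_collected_field(v.mid, 'time', get_collected_field(v.key, 'time'));
        set_collected_field(v.mid, 'date', get_collected_field(v.key, 'date'));
        set_collected_field(v.mid, 'subject', get_collected_field(v.key, 'subject'));
        set_collected_field(v.mid, 'direction', get_collected_field(v.key, 'direction'));
        set_collected_field(v.mid, 'client_ip', get_collected_field(v.key, 'client_ip'));
        set_collected_field(v.mid, 'to', get_collected_field(v.key, 'to'));
        set_collected_field(v.mid, 'from', get_collected_field(v.key, 'from'));
        set_collected_field(v.mid, 'size', get_collected_field(v.key, 'size'));
        set_collected_field(v.mid, 'key', get_collected_field(v.key, 'key'));
        set_collected_field(v.mid, 'connection', get_collected_field(v.key, 'connection'));
        # Set connection back to 0 so that a single connection with multiple recipients is counted only once.
        set_collected_field(v.key, 'connection', 0);
      );
    );

    # Message-keyed lines (5-9 digit message id).
    if (matches_regular_expression(current_log_line(), '^([0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]):([0-9][0-9]:[0-9][0-9]:[0-9][0-9])\\\\|([0-9]{5,9})\\\\|[0-9]*\\\\|(.*)$')) then (
      v.mid = $3;
      set_collected_field(v.mid, 'time', $2);
      set_collected_field(v.mid, 'message_id', $3);
      set_collected_field(v.mid, 'date', normalize_date($1, 'yyyymmdd'));
      v.message = $4;

      # The message-data dictionary uses single quotes around keys and values;
      # they are matched with "." here because the whole filter is a single
      # quoted string (the commented line shows the literal form being matched).
      if (matches_regular_expression(v.message, '^Message data -\\\\|.+USRTO.: \\\\[.(.*).\\\\], .USRFRM.: \\\\[.(.*).\\\\], .DOMTO.: \\\\[.*\\\\], .SUBJ.: .(.*)., .*$')) then (
        # if (matches_regular_expression(v.message, "^Message data -\\\\|{'USRTO': \\\\['(.*)'\\\\], 'USRFRM': \\\\['(.*)'\\\\], 'DOMTO': [^,], 'SUBJ': '(.*)', .*$")) then
        set_collected_field(v.mid, 'to', $1);
        set_collected_field(v.mid, 'from', $2);
        set_collected_field(v.mid, 'subject', $3);
      );

      ## virus: AVQ status line carries four single-digit action counters
      ## (drop, unknown, quarantine, single quarantine); any non-zero value sets the flag.
      if (matches_regular_expression(v.message, '^-\\\\|LOG_STAT\\\\|AVQ\\\\|[0-9]{5,9}\\\\|([0-9])\\\\|([0-9])\\\\|([0-9])\\\\|([0-9])\\\\|')) then (
        if ($1 ne '0') then (
          set_collected_field(v.mid, 'virus_action_drop', 1);
          set_collected_field(v.mid, 'DSN_subject', 'DSN-Drop');
        );
        if ($2 ne '0') then (
          set_collected_field(v.mid, 'virus_action_unknown', 1);
        );
        if ($3 ne '0') then (
          set_collected_field(v.mid, 'virus_action_quarantine', 1);
          set_collected_field(v.mid, 'DSN_subject', 'DSN-Quarantine');
          set_collected_field(v.mid, 'reroute-flag', 'reroute');
        );
        if ($4 ne '0') then (
          set_collected_field(v.mid, 'virus_action_quarantine_single', 1);
          set_collected_field(v.mid, 'reroute-flag', 'reroute');
        );
      );

      ## spam
      if (matches_regular_expression(v.message, '^-\\\\|LOG_STAT\\\\|SPAMQ\\\\|[0-9]{5,9}\\\\|[A-Z]+\\\\|([_A-Z]+)\\\\|.*$')) then (
        if ($1 eq 'SUBJ_REWRITE') then (
          set_collected_field(v.mid, 'spam_action_subj_rewrite', 1);
        );
        if ($1 eq 'LOG_ONLY') then (
          set_collected_field(v.mid, 'spam_action_log', 1);
        );
        if ($1 eq 'REMOTE_QUARANTINE') then (
          set_collected_field(v.mid, 'spam_action_quarantine', 1);
          set_collected_field(v.mid, 'reroute-flag', 'reroute');
          # A policy quarantine already counted from an earlier "Re-routed" line
          # is withdrawn, since the reroute is explained by the spam action.
          if (get_collected_field(v.mid, 'policy_quarantine') == 1) then (
            set_collected_field(v.mid, 'policy_quarantine', 0);
          );
        );
      );

      ## header Check  Can't find a unique Line, so setting a flag if it is re-routed via earlier process
      if (matches_regular_expression(v.message, '^Re-routed to EUQ server for quarantine.*$')) then (
        if (get_collected_field(v.mid, 'reroute-flag') ne 'reroute') then (
          set_collected_field(v.mid, 'policy_quarantine', 1);
        );
      );

      # A message id line can itself spawn a new message id (the DSN); the new
      # entry keeps the originating id as its key and the DSN subject as subject.
      if (matches_regular_expression(v.message, '^Created new Message ID and File -\\\\|<([0-9]{5,9}):.*$')) then (
        v.newid = $1;
        set_collected_field(v.newid, 'key', v.mid);
        set_collected_field(v.newid, 'subject', get_collected_field(v.mid, 'DSN_subject'));
      );

      ## delivery
      if (matches_regular_expression(v.message, '^Connecting to -\\\\|<[.0-9]+:([.0-9]+):[0-9]+>\\\\|')) then (
        set_collected_field(v.mid, 'relay_ip', $1);
      );
      if (matches_regular_expression(v.message, '^-\\\\|Sending: MAIL FROM:<(.*)> size=([0-9]*)\\\\|')) then (
        set_collected_field(v.mid, 'from', $1);
        set_collected_field(v.mid, 'size', $2);
      );
      if (matches_regular_expression(v.message, '^-\\\\|Sending: RCPT TO:<(.*)>\\\\|')) then (
        set_collected_field(v.mid, 'to', $1);
      );
      if (matches_regular_expression(v.message, '^-\\\\|Sending: QUIT .*')) then (
        set_collected_field(v.mid, 'sent', 1);
      );
      if (matches_regular_expression(v.message, '^Finished processing msgid .*$')) then (
        accept_collected_entry(v.mid, false);
      );
      # To accept entry when it is Quarantined or Dropped via the virus checker - "processing completed" did not work as it appears in all cases.
      # if (matches_regular_expression(v.message, '^Processing completed for Message ID : .*$')) then (
      #   accept_collected_entry(v.mid, true);
      # );
      #
      # trial check on "singleNotification: Stop as that appears to only happen when it hits a virus
      #
      # if (matches_regular_expression(v.message, '^singleNotification: Stop.*$')) then (
      #   accept_collected_entry(v.mid, false);
      # );
    );
  ` # log.parsing_filters

  # Database fields
  database.fields = {
    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time
    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week
    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day
    subject = ""
    key = ""
    client_ip = ""
    message_id = ""
    direction = ""
    relay_ip = ""
    to = {
      itemnums_hash_function = "rand_sum"
    }
    from = {
      itemnums_hash_function = "rand_sum"
    }
  } # database.fields

  # Numerical fields: the 0/1 flags set by the parsing filter become counters.
  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    messages_blocked_ts = ""
    virus_action_drop = ""
    virus_action_unknown = ""
    virus_action_quarantine = ""
    virus_action_quarantine_single = ""
    spam_action_subj_rewrite = ""
    spam_action_quarantine = ""
    spam_action_log = ""
    policy_quarantine = ""
    sent = ""
    connection = ""
    size = {
      label = "$lang_stats.field_labels.size"
      default = false
      requires_log_field = true
      log_field = "size"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # size
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    date_time_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      to = ""
    } # report_groups
  } # create_profile_wizard_options

  not_supported = {
  } # not_supported

} # email_gateway_showevents_export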