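# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Openfind Mail2000.
# Autodetects the three Mail2000 log line shapes (webmail login, pop3d, mailerd),
# parses every field with the parsing filter below, and declares the database
# fields reports are built from. Every collected value is taken verbatim from the
# log line, so user names, subjects and messages are log-supplied text.
mail2000 = {

  plugin_version = "1.0"

  # 2010-06-02 - 1.0 - Benson - Initial creation.
  # 2011-06-21 - 1.0.1 - MSG - Edited info lines.

  info.1.manufacturer = "Openfind"
  info.1.device = "Mail2000"
  info.1.version = ""

  # The name of this format
  log.format.format_label = "Openfind Mail2000 Log Format"
  log.miscellaneous.log_data_type = "server"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first autodetect_lines lines (100, set below)
  # match one of these regular expressions. One alternative per log file:
  # Openfind Mail2000 have four log files:
  #   login.log for webmail   -> "[date time] [OP] user ip"
  #   pop3d.log for pop3      -> "[date time] [ip:port] text"
  #   smtpd.log for smtpd, not used.
  #   mailerd.log for integrated mail log -> "[date time] [pid-id] text"
  log.format.autodetect_expression = `
matches_regular_expression(volatile.log_data_line, '^\\[[0-9/]+ [0-9:]+\\] \\[[^ ]+\\] [a-z]+ [0-9.]+') or
matches_regular_expression(volatile.log_data_line, '^\\[[0-9/]+ [0-9:]+\\] \\[[0-9.]+:[0-9]+\\] [^ ]+') or
matches_regular_expression(volatile.log_data_line, '^\\[[0-9/]+ [0-9:]+\\] \\[[0-9]+-[^ ]+\\] [^ ]+')
`

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"
  log.format.autodetect_lines = 100

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields (all of them are filled by log.parsing_filters.parse below)
  log.fields = {
    date = ""
    time = ""
    type = ""
    operation = ""
    user = ""
    rip = ""
    pid = ""
    status = ""
    sender = ""
    recipient = ""
    subject = ""
    message = ""
    size = ""
    events = ""
  } # log.fields

  # Log Parsing Filters
  # Strips the leading "[date time]" stamp, then dispatches on the shape of the
  # remainder: login.log, pop3d.log or mailerd.log. Each branch sets its fields,
  # sets events = 1 and accepts the entry; a line matching no branch is dropped.
  log.parsing_filters.parse = `
v.line = current_log_line();

## Process for date/time
if (matches_regular_expression(v.line, '^\\\\[([0-9]+/[0-9]+/[0-9]+) ([0-9:]+)\\\\](.*)$')) then (
  ## NOTE(review): 'type' here is not a collected field and nothing in this plugin
  ## reads it; it looks like leftover debugging -- confirm before removing.
  type = "test";
  set_collected_field('', 'date', $1);
  set_collected_field('', 'time', $2);
  v.message = $3;

  ## login.log -- [LOGIN] m2k_noc 192.168.15.20
  ## Anchored with '^ ' so only a bracketed token directly after the timestamp matches.
  if (matches_regular_expression(v.message, '^ \\\\[([^ ]+)\\\\] ([^ ]+) ([0-9.]+)$')) then (
    set_collected_field('', 'message', v.message);
    set_collected_field('', 'type', "web");
    set_collected_field('', 'operation', 'WEB_' . $1);
    set_collected_field('', 'user', $2);
    set_collected_field('', 'rip', $3);
    set_collected_field('', 'events', 1);
    accept_collected_entry('', false);
  );

  ## pop3d.log -- [192.168.16.14:30831] User wendy signing off(5C1F0R0D0.12s).
  ##   [192.168.17.102:30256] User sara signing on.
  ##   [192.168.17.77:30264] Connection initialized.
  ##   [192.168.16.14:30282] Error command (AUTH ).
  ##   [192.168.16.14:30282] User wendy login failed.
  ##   [192.168.16.14:30282] Close connection (dead?)
  ##   [192.168.16.14:30282] Connection closed(3C2F0R-1D0.0s).
  ## NOTE(review): unlike the login.log branch this pattern (and the mailerd one
  ## below) is not anchored, so the line is classified by the first "[ip:port]"
  ## token found anywhere in the remainder, not only right after the timestamp;
  ## anchoring with '^ ' as above would make the dispatch less dependent on
  ## free-text content later in the line -- verify against real log lines.
  else if (matches_regular_expression(v.message, '\\\\[([0-9.]+):[0-9]+\\\\] (.*)$')) then (
    set_collected_field('', 'type', "pop3d");
    set_collected_field('', 'rip', $1);
    v.message = $2;
    set_collected_field('', 'message', v.message);
    if (matches_regular_expression(v.message, 'User ([^ ]+) (signing) (on|off)(.*)$')) then (
      set_collected_field('', 'user', $1);
      set_collected_field('', 'operation', 'pop3 ' . $2 . ' '. $3);
    );
    ## NOTE(review): the trailing '.' is an unescaped regex wildcard, so this also
    ## matches "login failedX"; the sample line ends in "failed." either way.
    else if (matches_regular_expression(v.message, 'User ([^ ]+) (login) (failed).')) then (
      set_collected_field('', 'user', $1);
      set_collected_field('', 'operation', 'pop3 ' . $2 . ' ' . $3);
    );
    ## Connection/error lines fall through with only type, rip and message set.
    set_collected_field('', 'events', 1);
    accept_collected_entry('', false);
  );

  ## mailerd.log -- [3619-4BFE974B.00055FA4] Mail.RL -> (Mail Subject/22118)[OK](@/00/DQ5TV57CPC)
  ##   [3619-25358] Mail.LL -> (Calendar System Log [27/May/2010] (mail.foo.com.tw)/1241)[FAIL User unknown]
  ##   [3619-4BFE995D.00083254] Buggy -- run/4BFE995D.00083254 from
  ##   [3619-2010_05_27_daily_report.html] Mail.LL -> (Mail2000 Daily Log [2010/5/27] (mail.foo.com.tw)/33968)[FAIL User unknown]
  else if (matches_regular_expression(v.message, '\\\\[[0-9]+-([^]]+)\\\\] ([^ ]+) (.*)$')) then (
    set_collected_field('', 'type', "mailerd");
    set_collected_field('', 'pid', $1);
    set_collected_field('', 'operation', $2);
    v.message = $3;
    ## Delivery record: <sender> -> <recipient> (subject/size)[status]rest
    ## NOTE(review): the subject capture is '[^/]*', so a subject containing '/'
    ## (as in the daily-log samples above) does not match this branch and the
    ## entry is accepted with only type, pid and operation set -- confirm intended.
    if (matches_regular_expression(v.message, '<([^>]*)> -> <([^>]*)> [(]([^/]*)/([0-9]+)[)]\\\\[([^]]+)\\\\](.*)$')) then (
      set_collected_field('', 'sender', $1);
      set_collected_field('', 'recipient', $2);
      set_collected_field('', 'subject', $3);
      set_collected_field('', 'size', $4);
      set_collected_field('', 'status', $5);
      v.message = $6;
      ## Authenticated submission: "(AUTH:user/..." carries the login name.
      if (matches_regular_expression(v.message, '[(]AUTH:([^/]+)/(.*)$')) then (
        set_collected_field('', 'user', $1);
        set_collected_field('', 'message', $2);
      );
      else
        set_collected_field('', 'message', v.message);
    );
    ## Free-text record: "Buggy -- run/..." style lines keep the text after "-- ".
    else if (matches_regular_expression(v.message, '-- (.*)$')) then (
      set_collected_field('', 'message', $1);
    );
    set_collected_field('', 'events', 1);
    accept_collected_entry('', false);
  );
);
`

  # Database fields
  # (the original listed 'operation' twice; the duplicate entry was removed)
  database.fields = {
    date_time = ""
    hour_of_day = ""
    day_of_week = ""
    type = ""
    operation = ""
    user = ""
    rip = ""
    pid = ""
    status = ""
    sender = ""
    recipient = ""
    # subject and message hold log-supplied free text; the explicit lengths bound
    # the SQL columns they are stored in.
    subject = {
      sql_field_length = 512
    }
    message = {
      sql_field_length = 256
    }
    size = ""
    events = ""
  } # database.fields

  # Database numerical fields
  database.numerical_fields = {
    # message size in bytes, shown as bandwidth
    size = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # size
    # one per accepted log line (set to 1 in every parsing branch)
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # mail2000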