# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Log-format plugin definition for Kaspersky Labs Mail Server for Linux logs.
# The file uses a nested-brace key/value config syntax (not TOML); every
# scalar, including `true`/`false` and numbers, is written as a config value
# and interpreted by the consuming application.
#
# Structure, top to bottom:
#   - plugin identity and version history
#   - log format detection (autodetect regex) and date/time formats
#   - log.fields          : the fields the parsing filters collect into
#   - log.parsing_filters : regex-driven collectors and accept rules
#   - database.fields / database.numerical_fields : what gets stored/reported
#   - log.filters, create_profile_wizard_options, not_supported
kasperskylabs_mailserver_linux = {
  plugin_version = "1.0.1"
  # Initial creation - 1.0
  # 2011-03-28 - 1.0.1 - MSG - Edited info lines.
  info.1.manufacturer = "Kaspersky Labs"
  info.1.device = "Mail Server for Linux"
  # Left empty: no specific product version is claimed for this format.
  info.1.version.1 = ""
  # The name of the log format
  log.format.format_label = "Kaspersky Labs for Mail Servers (linux) Log Format"
  log.miscellaneous.log_data_type = "mail_server"
  log.miscellaneous.log_format_type = "mail_server"
  # The log is in this format if any of the first ten lines match this regular expression.
  # The pattern requires the line prefix "[<date> <time>] [<digits>] [<digits>] <KEY> <=<>- chars>":
  # `[0-9/]+` is the date, `[^]+]+` is the time (any run of characters other than
  # `]` or `+`), the two numeric brackets are untyped counters, and `[A-Za-z0-9]+`
  # is the per-message KEY used below to join fields across lines.
  # The pattern is anchored at `^` and has no nested quantifiers, so matching
  # cost is linear in line length even on malformed input.
  log.format.autodetect_regular_expression = "^\\[[0-9/]+ [^]+]+\\] \\[[0-9]+\\] \\[[0-9]+\\] [A-Za-z0-9]+ [=<>-]+"
  # The format of dates and times in this log
  log.format.date_format = "dd/mm/yy"
  log.format.time_format = "hh:mm:ss"
  # Entries are called messages
  statistics.miscellaneous.entry_name = "messages"
  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"
  # Log fields
  # Every field is filled only by the collect_fields_using_regexp() calls in
  # log.parsing_filters below; index/subindex are all 0 because no positional
  # (whitespace-split) parsing is used.
  log.fields = {
    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      # NOTE(review): `left_to_right` is bare `false` while `leading_divider` is
      # the quoted string "false"; presumably both are read as the same string
      # value by the consumer - confirm, and use one form for both.
      left_to_right = false
      leading_divider = "false"
    } # date
    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time
    # Flat (non-hierarchical) string fields collected by the filters below.
    from = {
      label = "$lang_stats.field_labels.from"
      type = "flat"
      index = 0
      subindex = 0
    } # from
    to = {
      label = "$lang_stats.field_labels.to"
      type = "flat"
      index = 0
      subindex = 0
    } # to
    check_result = {
      label = "$lang_stats.field_labels.check_result"
      type = "flat"
      index = 0
      subindex = 0
    } # check_result
    message_result = {
      label = "$lang_stats.field_labels.message_result"
      type = "flat"
      index = 0
      subindex = 0
    } # message_result
    virus_name = {
      label = "$lang_stats.field_labels.virus_name"
      type = "flat"
      index = 0
      subindex = 0
    } # virus_name
    group = {
      label = "$lang_stats.field_labels.group"
      type = "flat"
      index = 0
      subindex = 0
    } # group
  } # log.fields
  # Log Parsing Filters
  # Filters are keyed by number (2, 4, 6, 8, 9, 10, 12); the gaps suggest the
  # numbers are ordering slots. Each collect_* call names the capture groups of
  # its regex in the trailing comma-separated list, with `*KEY*` being the
  # per-message key that links the several log lines of one message.
  log.parsing_filters = {
    # Parse out the date, time, key, virus
    # Captures date, time, KEY and the value of `detected=<...>` as virus_name.
    # NOTE(review): the `comment` string says this reads the "from" field, but
    # the field list is `date,time,*KEY*,virus_name` - the description is stale.
    # NOTE(review): in `message_id=<[^>]+>*,` the `*` quantifies only the `>`
    # (zero or more `>` characters before the comma); `message_id=<[^>]+>,` is
    # probably what was meant - confirm against real log lines before changing.
    2 = {
      label = "Parse out the date, time, key, virus"
      comment = "This parsing filter reads the date, time, KEY and from fields out of the log data"
      value = "collect_fields_using_regexp('^\\[([0-9/]+) ([^]+]+)\\] \\[[0-9]+\\] \\[[0-9]+\\] ([A-Za-z0-9]+) [=<>-]+ message_id=<[^>]+>*, detected=<([^>]*)>', 'date,time,*KEY*,virus_name')"
    } # 2
    # Parse out the date, time, key, to from and check result
    # Captures date, time, KEY, group, from, to and check_result from a line of
    # the form "... group=<g>, from=<f>,to=<t>,check result=<r>" (note the
    # space after the `group=<...>,` comma and none after the later commas).
    4 = {
      label = "Parse out the date, time, key, to from and check result"
      comment = "This parsing filter reads the date, time, KEY group from to and check result fields out of the log data"
      value = "collect_fields_using_regexp('^\\[([0-9/]+) ([^]+]+)\\] \\[[0-9]+\\] \\[[0-9]+\\] ([A-Za-z0-9]+) [=<>-]+ group=<([^>]*)>, from=<([^>]*)>,to=<([^>]*)>,check result=<([^>]*)>$', 'date,time,*KEY*,group,from,to,check_result')"
    } # 4
    # Parse out the date, time, key, to from and check result
    # NOTE(review): filter 6 is byte-for-byte identical to filter 4 (same label,
    # comment, regex and field list). A second collect of the same values is
    # presumably a no-op, but confirm the filter engine's semantics before
    # removing one of the two.
    6 = {
      label = "Parse out the date, time, key, to from and check result"
      comment = "This parsing filter reads the date, time, KEY group from to and check result fields out of the log data"
      value = "collect_fields_using_regexp('^\\[([0-9/]+) ([^]+]+)\\] \\[[0-9]+\\] \\[[0-9]+\\] ([A-Za-z0-9]+) [=<>-]+ group=<([^>]*)>, from=<([^>]*)>,to=<([^>]*)>,check result=<([^>]*)>$', 'date,time,*KEY*,group,from,to,check_result')"
    } # 4
    # collect 'send' message result
    # Matches only lines ending in "status=<send>"; the literal "send" is what
    # is stored in message_result.
    8 = {
      label = "message result"
      comment = "message result"
      value = "collect_fields_using_regexp('^\\[[0-9/]+ [^]+]+\\] \\[[0-9]+\\] \\[[0-9]+\\] ([A-Za-z0-9]+) [=<>-]+ to=<[^>]*>,status=<(send)>$', '*KEY*,message_result')"
    } # 8
    # collect 'drop' message result
    # Same as 8 but for lines ending in "status=<drop>".
    9 = {
      label = "message result"
      comment = "message result"
      value = "collect_fields_using_regexp('^\\[[0-9/]+ [^]+]+\\] \\[[0-9]+\\] \\[[0-9]+\\] ([A-Za-z0-9]+) [=<>-]+ to=<[^>]*>,status=<(drop)>$', '*KEY*,message_result')"
    } # 9
    # Accept on 'send' message
    # NOTE(review): the accept regex ends in `status=$`, i.e. it only matches a
    # line that ends immediately after "status=". Such a line is NOT what
    # filters 8 and 9 collect from ("status=<send>" / "status=<drop>"), so this
    # rule does not fire on the lines its header comment names. If the intent is
    # to accept the entry after the status line, the pattern would need
    # `status=<send>$` here and `status=<drop>$` in filter 12 - confirm against
    # the log and against what the second argument (`false`) means to the
    # accept function before changing.
    10 = {
      label = "Accept collect log line"
      comment = "The parsing filter accepts the current log line"
      value = "accept_collected_entry_using_regexp('^\\[[0-9/]+ [^]+]+\\] \\[[0-9]+\\] \\[[0-9]+\\] ([A-Za-z0-9]+) [=<>-]+ to=<[^>]*>,status=$', false)"
    } # 10
    # Accept on 'drop' message
    # NOTE(review): identical to filter 10 (same regex, `status=$`), so the
    # "send" / "drop" distinction in the two header comments is not reflected in
    # the patterns; see the note on filter 10.
    12 = {
      label = "Accept collect log line"
      comment = "The parsing filter accepts the current log line"
      value = "accept_collected_entry_using_regexp('^\\[[0-9/]+ [^]+]+\\] \\[[0-9]+\\] \\[[0-9]+\\] ([A-Za-z0-9]+) [=<>-]+ to=<[^>]*>,status=$', false)"
    } # 12
  } # log.parsing_filters
  # Database fields
  # One database column per reported field; `log_field` names the log field it
  # is fed from. `suppress_top`/`suppress_bottom` are report-display settings
  # whose exact meaning is not defined in this file.
  database.fields = {
    # NOTE(review): log.fields defines `date` and `time` separately; the
    # `date_time`, `day_of_week` and `hour_of_day` log fields referenced here
    # are presumably derived from those two by the consumer - confirm.
    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time
    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week
    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day
    from = {
      label = "$lang_stats.field_labels.from"
      log_field = "from"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # from
    to = {
      label = "$lang_stats.field_labels.to"
      log_field = "to"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # to
    check_result = {
      label = "$lang_stats.field_labels.check_result"
      log_field = "check_result"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # check_result
    message_result = {
      label = "$lang_stats.field_labels.message_result"
      log_field = "message_result"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # message_result
    virus_name = {
      label = "$lang_stats.field_labels.virus_name"
      log_field = "virus_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # virus_name
    group = {
      label = "$lang_stats.field_labels.group"
      log_field = "group"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # group
  } # database.fields
  # The single numeric field: a per-entry message count. It is not read from a
  # log field (`requires_log_field = false`); the mark_entry filter below sets
  # it to 1 on every accepted entry.
  database.numerical_fields = {
    messages = {
      label = "$lang_stats.field_labels.messages"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages
  } # database.numerical_fields
  # Post-parse log filter: counts each accepted entry as one message.
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'messages = 1;'
    } # mark_entry
  } # log.filters
  create_profile_wizard_options = {
    date_time_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      from = true
      to = true
      check_result = true
      message_result = true
      virus_name = true
      group = true
    } # report_groups
  } # create_profile_wizard_options
  # Web-style report features that do not apply to a mail-server log.
  not_supported = {
    individualhosts = true
    sessions = true
    visitors = true
    pageviews = true
  } # not_supported
} # kasperskylabs_mailserver_linux