# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the Kaspersky Labs mail server log.
# Lines are recognised by the bracketed "[date time] [pid] [key]" header;
# the numeric key ties the several lines that describe one message together,
# and all field extraction is done in the parsing filter below
# (parse_only_with_filters = "true"), not by a positional field list.
kasperskylabs_mailserver = {
  plugin_version = "1.0.1"
  # 2007-09-11 - 1.0 - KBB - added version number and changed file name from
  # beta_kasperskylabs_mailserver.cfg
  # 2011-03-28 - 1.0.1 - MSG - Edited info lines.
  info.1.manufacturer = "Kaspersky Labs"
  info.1.device = "Mail Server"
  info.1.version.1 = ""
  # The name of the log format
  log.format.format_label = "Kaspersky Log Format"
  log.miscellaneous.log_data_type = "mail_server"
  log.miscellaneous.log_format_type = "mail_server"
  # The log is in this format if any of the first ten lines match this regular expression.
  # Two line shapes are accepted: a message-flow line ("<id> <--|-->|=== from=...")
  # and an aveserver "Scan result/progress/started:" line.
  # NOTE(review): the class [^]+] excludes '+' as well as ']' in the timestamp
  # position; probably meant as [^]] — confirm against real log timestamps.
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "^\\[[0-9/]+ [^]+]+\\] \\[[0-9]+\\] [0-9a-zA-Z]+ (<--|-->|===) from=") or
    matches_regular_expression(volatile.log_data_line, "^\\[[0-9/]+ [^]+]+\\] \\[[0-9]+\\] Scan (result|progress|started):")
  `
  # Dates are dd/mm/yy
  log.format.date_format = "dd/mm/yy"
  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"
  # Log fields
  log.fields = {
    date = ""
    time = ""
    # Addresses are split on "@" from the right, so the domain becomes the
    # top of the hierarchy and the local part the leaf.
    sender = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # sender
    recipient = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # recipient
    check_result = ""
    # NOTE(review): message_result is declared here but the parsing filter
    # writes the per-recipient delivery status under the name 'status', which
    # is not declared — confirm which of the two names is intended.
    message_result = ""
    virus_name = ""
    group = ""
    messages_received = ""
    messages_delivered = ""
    # aveserver fields
    pathname = ""
    source = ""
    modification_time = ""
    mime_type = ""
    result = ""
    scan_events = ""
  } # log.fields
  # Log Parsing Filters
  # The initialization creates a scratch tree (recipients_info) that holds,
  # per message key, one subnode per recipient seen so far; the "Delivery
  # successful" line later walks that list to emit one entry per recipient.
  log.filter_initialization = `
    v.recipients_info = '';
    node recipients_info = 'v.recipients_info';
    node recipients_for_key;
    node recipient_node;
  `
  log.parsing_filters.parse = `
    # Header: [date time] [pid] [key] message, in either of two timestamp shapes.
    # Captures: $1 = date, $2 = time, $3 = message key, $4 = rest of the line.
    if (matches_regular_expression(current_log_line(), '^\\[([0-9/]+) ([^]+]+)\\] \\[[0-9]+\\] \\[([0-9]+)\\] (.*)$') or
        matches_regular_expression(current_log_line(), '^\\[([0-9/]+) ([0-9:]+) [^]]+\\] \\[([0-9]+)\\] (.*)$')) then (
      v.key = $3;
      set_collected_field(v.key, 'date', $1);
      set_collected_field(v.key, 'time', $2);
      v.message = $4;
      # Message-flow lines: "<message id> <arrow> <details>"; strip the id and arrow.
      if (matches_regular_expression(v.message, '^[A-Za-z0-9]+ [=<>-]+ (.*)$')) then (
        v.message = $1;
        # Envelope line: group, sender, one recipient and the check result.
        if (matches_regular_expression(v.message, '^group=<([^>]*)>, from=<([^>]*)>,to=<([^>]*)>,check result=<([^>]*)>$')) then (
          v.group = $1;
          v.sender = $2;
          v.recipient = $3;
          v.check_result = $4;
          # Addresses may be wrapped in a second pair of angle brackets; strip it.
          if (matches_regular_expression(v.sender, '^<(.*)>$')) then
            v.sender = $1;
          set_collected_field(v.key, 'sender', v.sender);
          if (matches_regular_expression(v.recipient, '^<(.*)>$')) then
            v.recipient = $1;
          # Save the recipient in the recipients list for this key.
          # '.' is replaced before the address is used as a node name,
          # presumably because '.' would otherwise read as a nested node path;
          # other characters in the (log-supplied) address are passed through
          # unescaped — confirm node names tolerate them.
          recipients_for_key = subnode_by_name(recipients_info, v.key);
          v.recipient_node_name = replace_all(v.recipient, '.', '__DOT__');
          recipient_node = subnode_by_name(recipients_for_key, v.recipient_node_name);
          set_subnode_value(recipient_node, 'recipient', v.recipient);
          set_subnode_value(recipient_node, 'group', v.group);
          set_subnode_value(recipient_node, 'check_result', v.check_result);
        ); # if group/to/check_result line
        # Detection line: record the virus name against the message key.
        else if (matches_regular_expression(v.message, '^message_id=<[^>]+>*, detected=<([^>]*)>')) then (
          set_collected_field(v.key, 'virus_name', $1);
        );
        # Per-recipient status line; stored on the same recipient node as above.
        else if (matches_regular_expression(v.message, '^to=<([^>]*)>,status=<([^>]*)>')) then (
          v.recipient = $1;
          v.status = $2;
          recipients_for_key = subnode_by_name(recipients_info, v.key);
          v.recipient_node_name = replace_all(v.recipient, '.', '__DOT__');
          recipient_node = subnode_by_name(recipients_for_key, v.recipient_node_name);
          set_subnode_value(recipient_node, 'recipient', v.recipient);
          set_subnode_value(recipient_node, 'status', v.status);
        ); # if to/status line
      ); # if second key line
      # End of a message: emit one delivered entry per recipient, then one
      # received entry for the message as a whole.
      else if (matches_regular_expression(v.message, '^Delivery successful.')) then (
        recipients_for_key = subnode_by_name(recipients_info, v.key);
        # The virus name is held back from the per-recipient rows and restored
        # on the summary row so it is counted once per message, not per recipient.
        v.virus_name = get_collected_field(v.key, 'virus_name');
        set_collected_field(v.key, 'virus_name', '');
        foreach recipient_node recipients_for_key (
          set_collected_field(v.key, 'recipient', node_value(subnode_by_name(recipient_node, 'recipient')));
          # NOTE(review): 'status' is not a declared log field (message_result is) — confirm.
          set_collected_field(v.key, 'status', node_value(subnode_by_name(recipient_node, 'status')));
          set_collected_field(v.key, 'group', node_value(subnode_by_name(recipient_node, 'group')));
          set_collected_field(v.key, 'check_result', node_value(subnode_by_name(recipient_node, 'check_result')));
          # Per-recipient row: counts as a delivery, not a receipt.
          set_collected_field(v.key, 'messages_received', 0);
          set_collected_field(v.key, 'messages_delivered', 1);
          # second argument true here and false below — presumably "keep the
          # collected entry for reuse" vs. "discard it"; confirm against the
          # accept_collected_entry documentation.
          accept_collected_entry(v.key, true);
        ); # for each recipient
        # Summary row: counts as one received message with no recipient.
        set_collected_field(v.key, 'recipient', '');
        set_collected_field(v.key, 'virus_name', v.virus_name);
        set_collected_field(v.key, 'messages_received', 1);
        set_collected_field(v.key, 'messages_delivered', 0);
        accept_collected_entry(v.key, false);
        # NOTE(review): the recipients_for_key subtree is not removed after the
        # entry is accepted, so recipients_info grows for the whole run and a
        # later reuse of the same key would re-emit the old recipients — confirm
        # whether the subtree should be cleared here.
      ) # If delivery successful
      # Handle aveserver "Scan progress" lines
      # Captures: $1 = pathname, $2 = source, $3 = modification time,
      # $4 = MIME type, $5 = scan result. Note the doubled backslash escaping
      # here versus the header regexes above — confirm it matches the actual
      # bracket characters in these lines.
      else if (matches_regular_expression(v.message, '^Scan progress: ([^]]+)\\\\[From ([^]]+)\\\\]\\\\[Date ([^]]*)\\\\]/([^ ]+) (.*)$')) then (
        set_collected_field(v.key, 'scan_events', 1);
        set_collected_field(v.key, 'pathname', $1);
        set_collected_field(v.key, 'source', $2);
        set_collected_field(v.key, 'modification_time', $3);
        set_collected_field(v.key, 'mime_type', $4);
        set_collected_field(v.key, 'result', $5);
        accept_collected_entry(v.key, false);
      );
    ); # if header matches
  `
  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    sender = ""
    recipient = ""
    check_result = ""
    message_result = ""
    virus_name = ""
    group = ""
    # aveserver fields
    pathname = ""
    source = ""
    mime_type = ""
    result = ""
  } # database.fields
  # Counters set explicitly by the parsing filter (requires_log_field = false):
  # messages_received / messages_delivered for mail-flow entries, scan_events
  # for aveserver entries.
  database.numerical_fields = {
    messages_received = {
      label = "$lang_stats.field_labels.messages_received"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages_received
    messages_delivered = {
      label = "$lang_stats.field_labels.messages_delivered"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages_delivered
    scan_events = {
      label = "$lang_stats.field_labels.scan_events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # scan_events
  } # database.numerical_fields
  create_profile_wizard_options = {
    date_time_tracking = true
    # This shows which numerical fields are related to which non-numerical fields.
    # Mail-flow fields pair with the message counters; aveserver fields with scan_events.
    database_field_associations = {
      sender = {
        messages_received = true
        messages_delivered = true
      }
      recipient = {
        messages_received = true
        messages_delivered = true
      }
      check_result = {
        messages_received = true
        messages_delivered = true
      }
      message_result = {
        messages_received = true
        messages_delivered = true
      }
      virus_name = {
        messages_received = true
        messages_delivered = true
      }
      group = {
        messages_received = true
        messages_delivered = true
      }
      pathname.scan_events = true
      source.scan_events = true
      mime_type.scan_events = true
      result.scan_events = true
    } # database_field_associations
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      sender = true
      recipient = true
      check_result = true
      message_result = true
      virus_name = true
      group = true
      pathname = true
      source = true
      mime_type = true
      result = true
    } # report_groups
  } # create_profile_wizard_options
} # kasperskylabs_mailserver