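# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Lyris MailShield SMTP logs.
# The log is multi-line: a header line with a single-letter type code,
# a timestamp and a sequence number, followed by "Reason:", "State:",
# "Subject:", "TCP/IP:", "MAIL FROM:" and "RCPT TO:" lines; a blank line
# terminates the entry (see parsing filter 29).

lyris_mail_shield = {

  plugin_version = "1.0.1"

  # Initial creation - 1.0
  # 2011-06-20 - 1.0.1 - MSG - Edited info lines.
  # (review, unversioned) - parsing filters 13, 17, 20 and 21 referenced log
  #   fields that did not exist (banned_mail_from, forged_message-id,
  #   banned_x-mailer, over-max_recipient); names corrected and the
  #   banned_mail_from field added to log.fields, database.fields and
  #   report_groups.

  info.1.manufacturer = "Lyris"
  info.1.device = "MailShield"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "Lyris MailShield Log Format"
  log.miscellaneous.log_data_type = "mail_smtp"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first ten lines match this regular expression
  # (the " [yyyy.mm.dd hh:mm:ss] (nnn)" header of every entry).
  log.format.autodetect_regular_expression = " \\[[0-9]+\\.[0-9]+\\.[0-9]+ [0-9]+:[0-9]+:[0-9]+\\] \\([0-9]*\\)"

  statistics.miscellaneous.entry_name = "messages"

  # The format of dates and times in this log
  # NOTE(review): parsing filter 1 captures the date with '.' separators
  # (yyyy.mm.dd) while date_format uses '/'; confirm Sawmill accepts the
  # separator difference for this format string.
  log.format.date_format = "yyyy/mm/dd"
  log.format.time_format = "hh:mm:ss"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields.
  # Values of from, to, relay, state, subject, hostname, helo_text and
  # source_ip are copied verbatim from the log line by the parsing filters
  # below, i.e. they originate from the remote SMTP client; the banned_*
  # fields hold the MailShield rule that matched ("matched ..." text).
  log.fields = {
    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # date
    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time
    # "RELAY_SUCCESS" or "Unwanted email" (filters 2 and 3)
    type = {
      label = "$lang_stats.field_labels.type"
      type = "flat"
      index = 0
      subindex = 0
    } # type
    # single-letter code at the start of the header line (filter 1)
    type_code = {
      label = "$lang_stats.field_labels.type_code"
      type = "flat"
      index = 0
      subindex = 0
    } # type_code
    reason = {
      label = "$lang_stats.field_labels.reason"
      type = "flat"
      index = 0
      subindex = 0
    } # reason
    # sink for the ':' / '/' delimiter captured by filter 4; never reported
    dummy = {
      label = "dummy"
      type = "flat"
      index = 0
      subindex = 0
    } # dummy
    from = {
      label = "$lang_stats.field_labels.from"
      type = "flat"
      index = 0
      subindex = 0
    } # from
    to = {
      label = "$lang_stats.field_labels.to"
      type = "flat"
      index = 0
      subindex = 0
    } # to
    relay = {
      label = "$lang_stats.field_labels.relay"
      type = "flat"
      index = 0
      subindex = 0
    } # relay
    state = {
      label = "$lang_stats.field_labels.state"
      type = "flat"
      index = 0
      subindex = 0
    } # state
    # host part of the "TCP/IP:" line (filter 26)
    hostname = {
      label = "$lang_stats.field_labels.hostname"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # hostname
    domain = {
      label = "$lang_stats.field_labels.domain"
      type = "flat"
      index = 0
      subindex = 0
    } # domain
    subject = {
      label = "$lang_stats.field_labels.subject"
      type = "flat"
      index = 0
      subindex = 0
    } # subject
    # bracketed address on the "TCP/IP:" line (filter 26)
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # source_ip
    # NOTE(review): no parsing filter writes rcpt_to (filter 28 writes "to");
    # kept for compatibility.
    rcpt_to = {
      label = "$lang_stats.field_labels.rcpt_to"
      type = "flat"
      index = 0
      subindex = 0
    } # rcpt_to
    helo_text = {
      label = "$lang_stats.field_labels.helo_text"
      type = "flat"
      index = 0
      subindex = 0
    } # helo_text
    banned_domain = {
      label = "$lang_stats.field_labels.banned_domain"
      type = "flat"
      index = 0
      subindex = 0
    } # banned_domain
    banned_ip = {
      label = "$lang_stats.field_labels.banned_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # banned_ip
    banned_helo = {
      label = "$lang_stats.field_labels.banned_helo"
      type = "flat"
      index = 0
      subindex = 0
    } # banned_helo
    invalid_helo = {
      label = "$lang_stats.field_labels.invalid_helo"
      type = "flat"
      index = 0
      subindex = 0
    } # invalid_helo
    banned_rcpt_to = {
      label = "$lang_stats.field_labels.banned_rcpt_to"
      type = "flat"
      index = 0
      subindex = 0
    } # banned_rcpt_to
    # target of parsing filter 13 (MAIL FROM ... is banned / matches ...).
    # Literal label: no $lang_stats key is assumed to exist for this field.
    banned_mail_from = {
      label = "Banned MAIL FROM"
      type = "flat"
      index = 0
      subindex = 0
    } # banned_mail_from
    relay_denied_recipient = {
      label = "$lang_stats.field_labels.relay_denied_recipient"
      type = "flat"
      index = 0
      subindex = 0
    } # relay_denied_recipient
    banned_subject = {
      label = "$lang_stats.field_labels.banned_subject"
      type = "flat"
      index = 0
      subindex = 0
    } # banned_subject
    banned_text = {
      label = "$lang_stats.field_labels.banned_text"
      type = "flat"
      index = 0
      subindex = 0
    } # banned_text
    banned_body_from = {
      label = "$lang_stats.field_labels.banned_body_from"
      type = "flat"
      index = 0
      subindex = 0
    } # banned_body_from
    invalid_body_to = {
      label = "$lang_stats.field_labels.invalid_body_to"
      type = "flat"
      index = 0
      subindex = 0
    } # invalid_body_to
    banned_received = {
      label = "$lang_stats.field_labels.banned_received"
      type = "flat"
      index = 0
      subindex = 0
    } # banned_received
    over_max_recipient = {
      label = "$lang_stats.field_labels.over_max_recipient"
      type = "flat"
      index = 0
      subindex = 0
    } # over_max_recipient
    banned_x_mailer = {
      label = "$lang_stats.field_labels.banned_x_mailer"
      type = "flat"
      index = 0
      subindex = 0
    } # banned_x_mailer
    forged_message_id = {
      label = "$lang_stats.field_labels.forged_message_id"
      type = "flat"
      index = 0
      subindex = 0
    } # forged_message_id
  } # log.fields

  #
  # Log Parsing Filters
  #
  # Every regexp starts with an empty group "()" that is bound to *KEY*;
  # the remaining field names in the second argument are bound to the
  # following capture groups in order. "Reason:" lines are matched by the
  # generic filter 4 first and then by the more specific filters 7-25.
  log.parsing_filters = {

    # Parse date line (header of every entry); the trailing "(.*)" group
    # has no field name and is discarded.
    1 = {
      label = "1"
      comment = ""
      value = "collect_fields_using_regexp('()([a-z]) \\\\[([0-9]+\\\\.[0-9]+\\\\.[0-9]+) ([0-9]+:[0-9]+:[0-9]+)\\\\] \\\\([0-9]*\\\\) (.*)$', '*KEY*,type_code,date,time')"
    } # 1

    # Parse accepted email lines
    2 = {
      label = "2"
      comment = ""
      value = "collect_fields_using_regexp('()(s) \\\\[([0-9]+\\\\.[0-9]+\\\\.[0-9]+) ([0-9]+:[0-9]+:[0-9]+)\\\\] \\\\([0-9]*\\\\) (RELAY_SUCCESS) - from <([^>]*)> to <([^>]*)> by ([^ ]*) ', '*KEY*,type_code,date,time,type,from,to,relay')"
    } # 2

    # Parse rejected email lines
    3 = {
      label = "3"
      comment = ""
      value = "collect_fields_using_regexp('()(r) \\\\[([0-9]+\\\\.[0-9]+\\\\.[0-9]+) ([0-9]+:[0-9]+:[0-9]+)\\\\] \\\\([0-9]*\\\\) (Unwanted email) ', '*KEY*,type_code,date,time,type')"
    } # 3

    # Parse 'Reason' line (text up to the first ':' or '/'; the delimiter
    # itself goes to the unused "dummy" field)
    4 = {
      label = "4"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *([^:/]*)(:|/)', '*KEY*,reason,dummy')"
    } # 4

    # Parse 'State' line
    5 = {
      label = "5"
      comment = ""
      value = "collect_fields_using_regexp('() State: *(.*)$', '*KEY*,state')"
    } # 5

    # Parse 'Subject' line (whole remainder of the line, sender-supplied)
    6 = {
      label = "6"
      comment = ""
      value = "collect_fields_using_regexp('() Subject: *(.*)$', '*KEY*,subject')"
    } # 6

    # Parse 'SMTP session refused' lines
    7 = {
      label = "7"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (SMTP session refused because your host is listed on SBL|SMTP session refused because your host is listed on ORDB|SMTP session refused because your host tested positive on RBL\\\\+)', '*KEY*,reason')"
    } # 7

    # Parse 'Banned SMTP host domain name' lines
    8 = {
      label = "8"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (Banned SMTP host domain name): ([^ ]*) / matched ([^ ]*)', '*KEY*,reason,domain,banned_domain')"
    } # 8

    # Parse 'Banned SMTP host TCP/IP address' lines
    9 = {
      label = "9"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (Banned SMTP host TCP/IP address): ([^ ]*) / matched', '*KEY*,reason,banned_ip')"
    } # 9

    # Parse 'Banned Subject' lines
    10 = {
      label = "10"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (Banned Subject): text was found: \\'([^\\']*)\\'', '*KEY*,reason,banned_subject')"
    } # 10

    # Parse 'Banned text appeared in header or body' lines
    11 = {
      label = "11"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (Banned text appeared in header or body): \\'([^\\']*)\\'', '*KEY*,reason,banned_text')"
    } # 11

    # Parse other 'Banned text appeared in ...' lines
    12 = {
      label = "12"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (Banned text appeared in [^:]*): \\'([^\\']*)\\'', '*KEY*,reason,banned_text')"
    } # 12

    # Parse 'MAIL FROM ... is banned' lines
    # (field name fixed: was "banned_mail_from" with no matching log field)
    13 = {
      label = "13"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (MAIL FROM) of \\'[^\\']*\\' is banned / matches (.*)$', '*KEY*,reason,banned_mail_from')"
    } # 13

    # Parse 'MAIL FROM is not allowed to be empty' lines
    14 = {
      label = "14"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (MAIL FROM is not allowed to be empty)', '*KEY*,reason')"
    } # 14

    # Parse 'Recipient is on banned RCPT TO list' lines
    15 = {
      label = "15"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (Recipient is on banned RCPT TO list) / matched (.*)$', '*KEY*,reason,banned_rcpt_to')"
    } # 15

    # Parse 'Body From is not allowed' lines
    16 = {
      label = "16"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (Body From): of \\'[^\\']*\\' is not allowed / matched (.*)$', '*KEY*,reason,banned_body_from')"
    } # 16

    # Parse 'Forged Message-Id' lines (was "forged_message-id", a field that
    # does not exist)
    17 = {
      label = "17"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (Forged Message-Id): header text was detected: \\'([^\\']*)\\'', '*KEY*,reason,forged_message_id')"
    } # 17

    # Parse 'Body To is not valid' lines
    18 = {
      label = "18"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (Body To): of <([^>]*)> is not valid', '*KEY*,reason,invalid_body_to')"
    } # 18

    # Parse 'Banned Received' lines
    19 = {
      label = "19"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (Banned Received): text was found: \\'([^\\']*)\\'', '*KEY*,reason,banned_received')"
    } # 19

    # Parse 'Banned X-Mailer' lines (was "banned_x-mailer", a field that
    # does not exist)
    20 = {
      label = "20"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (Banned X-Mailer): text was found: \\'([^\\']*)\\'', '*KEY*,reason,banned_x_mailer')"
    } # 20

    # Parse 'Maximum recipient count exceeded' lines (was "over-max_recipient",
    # a field that does not exist)
    21 = {
      label = "21"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (Maximum recipient count) of [0-9]* exceeded, counted ([0-9]+) recipients', '*KEY*,reason,over_max_recipient')"
    } # 21

    # Parse 'Maximum body size exceeded' lines
    22 = {
      label = "22"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (Maximum body size|Maximum body line count)', '*KEY*,reason')"
    } # 22

    # Parse 'Relay request denied' lines
    23 = {
      label = "23"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (Relay request denied), and ([^ ]*) is not a local domain name', '*KEY*,reason,relay_denied_recipient')"
    } # 23

    # Parse 'HELO text banned' lines
    24 = {
      label = "24"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (HELO text) of \\'([^\\']*)\\' is banned / matched (.*)', '*KEY*,reason,helo_text,banned_helo')"
    } # 24

    # Parse 'HELO: text is not valid' lines
    25 = {
      label = "25"
      comment = ""
      value = "collect_fields_using_regexp('() Reason: *550 (HELO: text) of \\'([^\\']*)\\' is not valid', '*KEY*,reason,invalid_helo')"
    } # 25

    # Parse 'TCP/IP' line: "host [a.b.c.d]"
    26 = {
      label = "26"
      comment = ""
      value = "collect_fields_using_regexp('() TCP/IP: *([^[]*)\\\\[([0-9.]*)\\\\]$', '*KEY*,hostname,source_ip')"
    } # 26

    # Parse 'MAIL FROM' line
    27 = {
      label = "27"
      comment = ""
      value = "collect_fields_using_regexp('() MAIL FROM: *(.*)$', '*KEY*,from')"
    } # 27

    # Parse 'RCPT TO' line
    28 = {
      label = "28"
      comment = ""
      value = "collect_fields_using_regexp('() RCPT TO: *(.*)$', '*KEY*,to')"
    } # 28

    # Accept on a blank line
    29 = {
      label = "29"
      comment = ""
      value = "accept_collected_entry_using_regexp('^()$', false)"
    } # 29

  } # log.parsing_filters

  # Database fields
  database.fields = {
    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time
    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week
    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day
    type_code = {
      label = "$lang_stats.field_labels.type_code"
      log_field = "type_code"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # type_code
    from = {
      label = "$lang_stats.field_labels.from"
      log_field = "from"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # from
    to = {
      label = "$lang_stats.field_labels.to"
      log_field = "to"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # to
    relay = {
      label = "$lang_stats.field_labels.relay"
      log_field = "relay"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # relay
    reason = {
      label = "$lang_stats.field_labels.reason"
      log_field = "reason"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # reason
    state = {
      label = "$lang_stats.field_labels.state"
      log_field = "state"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # state
    subject = {
      label = "$lang_stats.field_labels.subject"
      log_field = "subject"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # subject
    hostname = {
      label = "$lang_stats.field_labels.hostname"
      log_field = "hostname"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hostname"
    } # hostname
    # NOTE(review): there is no "domain_description" entry in log.fields;
    # presumably Sawmill derives it from the "host"-typed hostname field —
    # confirm.
    domain_description = {
      label = "$lang_stats.field_labels.domain_description"
      log_field = "domain_description"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # domain_description
    domain = {
      label = "$lang_stats.field_labels.domain"
      log_field = "domain"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # domain
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      log_field = "source_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_ip
    helo_text = {
      label = "$lang_stats.field_labels.helo_text"
      log_field = "helo_text"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # helo_text
    banned_domain = {
      label = "$lang_stats.field_labels.banned_domain"
      log_field = "banned_domain"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # banned_domain
    banned_ip = {
      label = "$lang_stats.field_labels.banned_ip"
      log_field = "banned_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # banned_ip
    banned_helo = {
      label = "$lang_stats.field_labels.banned_helo"
      log_field = "banned_helo"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # banned_helo
    invalid_helo = {
      label = "$lang_stats.field_labels.invalid_helo"
      log_field = "invalid_helo"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # invalid_helo
    banned_rcpt_to = {
      label = "$lang_stats.field_labels.banned_rcpt_to"
      log_field = "banned_rcpt_to"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # banned_rcpt_to
    # Literal label: no $lang_stats key is assumed to exist for this field.
    banned_mail_from = {
      label = "Banned MAIL FROM"
      log_field = "banned_mail_from"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # banned_mail_from
    relay_denied_recipient = {
      label = "$lang_stats.field_labels.relay_denied_recipient"
      log_field = "relay_denied_recipient"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # relay_denied_recipient
    banned_subject = {
      label = "$lang_stats.field_labels.banned_subject"
      log_field = "banned_subject"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # banned_subject
    banned_text = {
      label = "$lang_stats.field_labels.banned_text"
      log_field = "banned_text"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # banned_text
    banned_body_from = {
      label = "$lang_stats.field_labels.banned_body_from"
      log_field = "banned_body_from"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # banned_body_from
    invalid_body_to = {
      label = "$lang_stats.field_labels.invalid_body_to"
      log_field = "invalid_body_to"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # invalid_body_to
    banned_received = {
      label = "$lang_stats.field_labels.banned_received"
      log_field = "banned_received"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # banned_received
    over_max_recipient = {
      label = "$lang_stats.field_labels.over_max_recipient"
      log_field = "over_max_recipient"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # over_max_recipient
    banned_x_mailer = {
      label = "$lang_stats.field_labels.banned_x_mailer"
      log_field = "banned_x_mailer"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # banned_x_mailer
    forged_message_id = {
      label = "$lang_stats.field_labels.forged_message_id"
      log_field = "forged_message_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # forged_message_id
  } # database.fields

  # One entry per accepted log entry; set to 1 by the mark_entry filter.
  database.numerical_fields = {
    messages = {
      label = "$lang_stats.field_labels.messages"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'messages = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    date_time_tracking = true
    host_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      type_code = true
      from = true
      to = true
      relay = true
      reason = true
      state = true
      subject = true
      hostname = true
      domain_description = true
      domain = true
      source_ip = true
      helo_text = true
      banned_domain = true
      banned_ip = true
      banned_helo = true
      invalid_helo = true
      banned_rcpt_to = true
      banned_mail_from = true
      relay_denied_recipient = true
      banned_subject = true
      banned_text = true
      banned_body_from = true
      invalid_body_to = true
      banned_received = true
      over_max_recipient = true
      banned_x_mailer = true
      forged_message_id = true
    } # report_groups
  } # create_profile_wizard_options

  # Web-style metrics that have no meaning for an SMTP log
  not_supported = {
    sessions = true
    visitors = true
    pageviews = true
    bandwidth = true
  } # not_supported

} # lyris_mail_shield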