# Sawmill log-format plugin for the Barracuda Spam Firewall syslog feed.
#
# The device emits several syslog lines per message (connect, from_email, to,
# subject, spam_score, ..., disconnect/message_delivered), all tagged with the
# same message id. The parsing filter below keys a "collected entry" on that id,
# accumulates the per-message fields, and only writes database rows once the
# disconnect/message_delivered line arrives. A second, single-line layout
# (e.g. "web: [ip] DELIVER (account ...)") is accepted directly.
#
# Everything copied into the database here comes verbatim from the log text
# (sender, recipient, subject, hostnames, blocking expressions); no normalisation
# or escaping happens in this plugin, so any consumer that renders these
# fields must treat them as untrusted strings.
barracuda_spam_firewall = {
  # The name of the log format
  log.format.format_label = "Barracuda Spam Firewall"
  # The lines must arrive via syslog; the syslog layer supplies date, time,
  # logging_device and syslog_priority, which the filter copies per message.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "mail_server"
  # The log is in this format if any of the first ten lines match this regular expression
  # (process name, a pid in brackets, then the four-part numeric message id).
  log.format.autodetect_regular_expression = "(inbound/pass1|inbound/pass2|scan|outbound/smtp)\\[[0-9]+\\]: [0-9]+-[0-9]+-[0-9]+-[0-9]+:"
  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"
  # Accept collected entries after they're not used for 1000 lines.
  # A message whose disconnect line never arrives (or arrives more than
  # 1000 lines later) is therefore accepted with whatever was collected so far,
  # since expired entries are not discarded.
  log.format.collected_entry_lifespan = 1000
  log.format.discard_expired_entries = false
  # Log fields
  log.fields = {
    category = ""
    operation = ""
    type = ""
    error_message = ""
    # sender/recipient are split on "@" from the right, so the domain part
    # forms the top of the hierarchy.
    sender = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = "false"
    } # sender
    recipient = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = "false"
    } # recipient
    spam_score = ""
    source_ip = ""
    source_hostname = ""
    account = ""
    message_id = ""
    subject = ""
    spam_blocking_expression = ""
    virus_blocking_expression = ""
    queued_messages_quarantined = ""
    queued_messages_spam_blocked = ""
    queued_messages_virus_blocked = ""
    queued_messages_tagged = ""
    delivered_messages_quarantined = ""
    delivered_messages_spam_blocked = ""
    delivered_messages_virus_blocked = ""
    delivered_messages_tagged = ""
    # The four messages_* flags below are per-message scratch values; they are
    # folded into the queued_*/delivered_* counters at accept time and are not
    # database fields themselves.
    messages_quarantined = ""
    messages_spam_blocked = ""
    messages_virus_blocked = ""
    messages_tagged = ""
    messages_queued = ""
    messages_delivered = ""
  } # log.fields
  # Log Parsing Filters
  log.parsing_filters.parse = `
# Standard multi-line layout: "<process>[<pid>]: <message id>:<operation>:<text>".
# $1 = process (category), $2 = message id (collected-entry key), $3 = operation, $4 = text.
if (matches_regular_expression(v.syslog_message, '^([^[]*)\\\\[[0-9]+\\\\]: ([0-9-]*):([^:]*):(.*)$')) then (
  v.key = $2;
  v.operation = $3;
  v.message = $4;
  # Strip leading spaces from the text
  while (starts_with(v.message, ' '))
    v.message = substr(v.message, 1);
  set_collected_field(v.key, 'message_id', v.key);
  set_collected_field(v.key, 'category', $1);
  # Copy the syslog-supplied fields from the current ('') entry onto the keyed entry
  set_collected_field(v.key, 'date', get_collected_field('', 'date'));
  set_collected_field(v.key, 'time', get_collected_field('', 'time'));
  set_collected_field(v.key, 'logging_device', get_collected_field('', 'logging_device'));
  set_collected_field(v.key, 'syslog_priority', get_collected_field('', 'syslog_priority'));
  # Strip trailing spaces from the text
  while (ends_with(v.message, ' '))
    v.message = substr(v.message, 0, length(v.message) - 1);
  # Collect recipients into one long string, separated by "" (ascii code 127, which cannot be an email address per RFC2822).
  # NOTE(review): the 0x7F separator appears to have been stripped from this copy
  # of the file (the '' literal below and the '[^]' class further down should
  # contain it) -- verify against the original plugin before use.
  if (v.operation eq 'to') then (
    # Get the list from the collected field; an unset field reads back as '(empty)'
    v.recipients = get_collected_field(v.key, 'recipient');
    if (v.recipients eq '(empty)') then
      v.recipients = '';
    # Build up the list
    v.recipients .= v.message . '';
    # Save the built list back in the collected field
    set_collected_field(v.key, 'recipient', v.recipients);
  ); # if to
  # Sender is the text before the first "("; the parenthesised remainder is dropped
  else if (v.operation eq 'from_email') then (
    if (matches_regular_expression(v.message, '^([^)]*)\\\\(')) then
      set_collected_field(v.key, 'sender', $1);
  );
  else if (v.operation eq 'error') then (
    set_collected_field(v.key, 'error_message', v.message);
  );
  else if (v.operation eq 'subject') then (
    set_collected_field(v.key, 'subject', v.message);
  );
  # Keep only the integer part of a score written as "<digits>.<digits>"
  else if (v.operation eq 'spam_score') then (
    if (matches_regular_expression(v.message, '^([0-9]+)\\\\.')) then
      v.message = $1;
    set_collected_field(v.key, 'spam_score', v.message);
  );
  else if (v.operation eq 'spam_block') then (
    set_collected_field(v.key, 'spam_blocking_expression', v.message);
    set_collected_field(v.key, 'messages_spam_blocked', 1);
  );
  else if (v.operation eq 'virus_block') then (
    set_collected_field(v.key, 'virus_blocking_expression', v.message);
    set_collected_field(v.key, 'messages_virus_blocked', 1);
  );
  else if (v.operation eq 'pu_quarantine') then (
    set_collected_field(v.key, 'messages_quarantined', 1);
  );
  else if (v.operation eq 'tag') then (
    set_collected_field(v.key, 'messages_tagged', 1);
  );
  # "connect" text is "<hostname>[<ip>]"; both are taken as-is from the log line
  else if (v.operation eq 'connect') then (
    if (matches_regular_expression(v.message, '^([^[]*)\\\\[([^]]*)\\\\]')) then (
      set_collected_field(v.key, 'source_hostname', $1);
      set_collected_field(v.key, 'source_ip', $2);
    );
  );
  # Accept this message on a disconnect or message_delivered line
  else if ((v.operation eq 'disconnect') or (v.operation eq 'message_delivered')) then (
    # Add an entry to the database for each recipient: messages_delivered=1,
    # with the per-message flags reported under the delivered_* counters.
    set_collected_field(v.key, 'messages_queued', 0);
    set_collected_field(v.key, 'messages_delivered', 1);
    set_collected_field(v.key, 'delivered_messages_quarantined', get_collected_field(v.key, 'messages_quarantined'));
    set_collected_field(v.key, 'delivered_messages_spam_blocked', get_collected_field(v.key, 'messages_spam_blocked'));
    set_collected_field(v.key, 'delivered_messages_virus_blocked', get_collected_field(v.key, 'messages_virus_blocked'));
    set_collected_field(v.key, 'delivered_messages_tagged', get_collected_field(v.key, 'messages_tagged'));
    set_collected_field(v.key, 'queued_messages_quarantined', 0);
    set_collected_field(v.key, 'queued_messages_spam_blocked', 0);
    set_collected_field(v.key, 'queued_messages_virus_blocked', 0);
    set_collected_field(v.key, 'queued_messages_tagged', 0);
    # Split the accumulated recipient list on the separator and accept one entry per recipient.
    # The second argument to accept_collected_entry presumably controls whether the
    # collected entry is kept for further use (true here, false for the final accept) -- TODO confirm.
    v.recipients = get_collected_field(v.key, 'recipient');
    while (matches_regular_expression(v.recipients, '^([^]*)(.*)$')) (
      set_collected_field(v.key, 'recipient', $1);
      accept_collected_entry(v.key, true);
      v.recipients = $2;
    );
    # Add an entry to the database for the sender: messages_queued=1, with the
    # per-message flags reported under the queued_* counters and no recipient.
    set_collected_field(v.key, 'messages_queued', 1);
    set_collected_field(v.key, 'messages_delivered', 0);
    set_collected_field(v.key, 'queued_messages_quarantined', get_collected_field(v.key, 'messages_quarantined'));
    set_collected_field(v.key, 'queued_messages_spam_blocked', get_collected_field(v.key, 'messages_spam_blocked'));
    set_collected_field(v.key, 'queued_messages_virus_blocked', get_collected_field(v.key, 'messages_virus_blocked'));
    set_collected_field(v.key, 'queued_messages_tagged', get_collected_field(v.key, 'messages_tagged'));
    set_collected_field(v.key, 'delivered_messages_quarantined', 0);
    set_collected_field(v.key, 'delivered_messages_spam_blocked', 0);
    set_collected_field(v.key, 'delivered_messages_virus_blocked', 0);
    set_collected_field(v.key, 'delivered_messages_tagged', 0);
    set_collected_field(v.key, 'recipient', '');
    accept_collected_entry(v.key, false);
  ); # if disconnect or message_delivered
); # if standard line layout
# Single-line layout, accepted immediately on the current ('') entry.
# e.g., Jan 30 07:26:24 amspom1.mysite.com web: [11.130.10.53] DELIVER (some_guy@mysite.com - 1139203748-25302-158-0) queued as 9AA00134353AA
# $1 = category, $2 = source ip, $3 = operation, $4 = account.
else if (matches_regular_expression(v.syslog_message, '^([a-z]+): \\\\[([0-9.]+)\\\\] ([^ ]+) \\\\(([^ )]*)[ )]')) then (
  set_collected_field('', 'category', $1);
  set_collected_field('', 'source_ip', $2);
  set_collected_field('', 'operation', $3);
  set_collected_field('', 'account', $4);
  accept_collected_entry('', false);
);
`
  # Database fields
  database.fields = {
    operation = ""
    type = ""
    error_message = ""
    category = ""
    sender = ""
    recipient = ""
    source_ip = ""
    source_hostname = ""
    message_id = ""
    subject = ""
    account = ""
    spam_score = ""
    spam_blocking_expression = ""
    virus_blocking_expression = ""
  } # database.fields
  # Numerical fields: each accepted row carries either messages_delivered=1
  # (one row per recipient) or messages_queued=1 (one row for the sender).
  database.numerical_fields = {
    messages_queued = ""
    messages_delivered = ""
    queued_messages_quarantined = ""
    queued_messages_spam_blocked = ""
    queued_messages_virus_blocked = ""
    queued_messages_tagged = ""
    delivered_messages_quarantined = ""
    delivered_messages_spam_blocked = ""
    delivered_messages_virus_blocked = ""
    delivered_messages_tagged = ""
  } # database.numerical_fields
  log.filters = {
    # Default log filter; 'events' is not declared above, presumably a built-in counter -- TODO confirm
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters
  create_profile_wizard_options = {
    # This shows which numerical fields are related to which non-numerical fields.
    # Only the delivered_* counters are tied to recipient; the queued_* counters
    # belong to the sender row and have no association here.
    database_field_associations = {
      recipient = {
        messages_delivered = true
        delivered_messages_quarantined = true
        delivered_messages_spam_blocked = true
        delivered_messages_virus_blocked = true
        delivered_messages_tagged = true
      }
    } # database_field_associations
    # How the reports should be grouped in the report menu
    report_groups = {
    } # report_groups
  } # create_profile_wizard_options
} # barracuda_spam_firewall