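# Sawmill log-format plug-in for Cisco/IronPort mail logs (BETA).
#
# The parser correlates three kinds of appliance-assigned identifiers that
# appear on separate log lines:
#   ICID - incoming SMTP connection id   (client address, interface, rDNS, SBRS)
#   DCID - outgoing delivery connection id
#   MID  - message id (one per accepted message; may have several RIDs)
#   RID  - recipient index within a MID
# Fields are staged in Sawmill "collected entries" keyed by id and accepted
# as database entries on the queued / delivered / bounced / delayed / aborted
# events below.
#
# Collected-entry keys are namespaced ('icid:N', 'dcid:N', bare N for MIDs)
# because ICID, DCID and MID counters are independent on the appliance and
# the same number can be live for all three at once; bare numeric keys for
# all three would let a new ICID overwrite a MID's staged fields.
#
# Security note: from, to, subject, message_id, response, reason and
# warning_message are copied verbatim from remote-supplied data (SMTP
# envelope, message headers, remote server replies). reverse_dns_host is
# whatever the appliance logged for the PTR lookup of the client address and
# should likewise be treated as attacker-influenced. Do not trust these
# values when they are used as report-group keys or rendered elsewhere.
beta_iron_port = {

  # The name of the log format
  log.format.format_label = "IronPort Log Format (BETA)"
  log.miscellaneous.log_data_type = "mail"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first ten lines match this regular expression
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "Info: Version: [^ ]+ SN: [0-9A-Z-]+$") or
    matches_regular_expression(volatile.log_data_line, "Info: Bounced: .*From:.*To:") or
    matches_regular_expression(volatile.log_data_line, "Info: Begin Logfile")
  `

  # The format of dates and times in this log (dates are normalized in the
  # parsing filter instead, so these stay disabled)
  # log.format.date_format = "mmm dd hh:mm:ss yyyy"
  # log.format.time_format = "mmm dd hh:mm:ss yyyy"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"
  log.format.collected_entry_lifespan = 0

  # Log fields
  log.fields = {
    date = ""
    time = ""
    # Sender address, split on '@' so reports can group by domain
    from = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = "false"
    } # from
    # Recipient address, split on '@' so reports can group by domain
    to = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = "false"
    } # to
    sbrs_value = ""
    message_id = ""
    subject = ""
    brightmail_result = ""
    antivirus_result = ""
    bytes_transferred = ""
    interface = ""
    interface_host = ""
    address = ""
    reverse_dns_host = ""
    response = ""
    action = ""
    mid = ""
    icid = ""
    rid = ""
    reason = ""
    warning_message = ""
    messages_queued = ""
    messages_delivered = ""
    messages_delayed = ""
    messages_bounced = ""
  } # log.fields

  # Declare filter variables
  # v.mid_to_icid       : node mapping MID -> ICID it was received on
  # v.mid_to_recipients : node mapping MID -> (RID -> recipient address)
  log.filter_initialization = `
    v.mid_to_icid = '';
    v.mid_to_recipients = '';
    node recipients;
    string recipient;
  `

  # Log Parsing Filters
  log.parsing_filters.parse = `
    # Every line starts with "<weekday> <mon> <day> <hh:mm:ss> <yyyy> <message>"
    if (matches_regular_expression(current_log_line(), '^[A-Za-z]* ([A-Za-z]* *[0-9]* [0-9:]* [0-9]*) (.*)$')) then (
      v.date = normalize_date($1, "mmm dd hh:mm:ss yyyy");
      v.time = normalize_time($1, "mmm dd hh:mm:ss yyyy");
      v.message = $2;

      # Handle Info lines
      if (matches_regular_expression(v.message, '^Info: (.*)$')) then (
        v.message = $1;

        # New inbound connection, with reverse DNS
        if (matches_regular_expression(v.message, '^New SMTP ICID ([0-9]+) interface ([^ ]+) \\\\(([^)]*)\\\\) address ([^ ]*) reverse dns host ([^ ]*) ')) then (
          v.icid = $1;
          v.icid_key = 'icid:' . v.icid;
          set_collected_field(v.icid_key, 'date', v.date);
          set_collected_field(v.icid_key, 'time', v.time);
          set_collected_field(v.icid_key, 'interface', $2);
          set_collected_field(v.icid_key, 'interface_host', $3);
          set_collected_field(v.icid_key, 'address', $4);
          set_collected_field(v.icid_key, 'reverse_dns_host', $5);
        )

        # New inbound connection, without reverse DNS
        else if (matches_regular_expression(v.message, '^New SMTP ICID ([0-9]+) interface ([^ ]+) address ([^ ]*)')) then (
          v.icid = $1;
          v.icid_key = 'icid:' . v.icid;
          set_collected_field(v.icid_key, 'date', v.date);
          set_collected_field(v.icid_key, 'time', v.time);
          set_collected_field(v.icid_key, 'interface', $2);
          set_collected_field(v.icid_key, 'address', $3);
        )

        # New outbound delivery connection
        else if (matches_regular_expression(v.message, '^New SMTP DCID ([0-9]+) interface ([^ ]+) address ([^ ]+) port [0-9]+')) then (
          v.dcid = $1;
          v.dcid_key = 'dcid:' . v.dcid;
          set_collected_field(v.dcid_key, 'date', v.date);
          set_collected_field(v.dcid_key, 'time', v.time);
          set_collected_field(v.dcid_key, 'interface', $2);
          set_collected_field(v.dcid_key, 'address', $3);
        )

        # Parse SBRS (sender reputation) lines. Stored under the log field
        # name so it is actually copied to the MID at "Start MID" below; the
        # previous 'sbrs' field name was never read by anything.
        else if (matches_regular_expression(v.message, '^ICID ([0-9]+) SBRS (.*)$')) then (
          set_collected_field('icid:' . $1, 'sbrs_value', $2);
        )

        # Get MID->ICID converter
        else if (matches_regular_expression(v.message, '^Start MID ([0-9]+) ICID ([0-9]+)$')) then (
          v.mid = $1;
          v.icid = $2;
          v.icid_key = 'icid:' . v.icid;

          # Remember the MID->ICID conversion
          set_subnode_value('v.mid_to_icid', v.mid, v.icid);

          # Copy connection-level fields from the ICID to the MID.
          # NOTE(review): the ICID entry is never accepted or cleared here, so
          # ICID staging entries persist for the run; presumably acceptable for
          # the volumes this format targets - confirm.
          set_collected_field(v.mid, 'date', get_collected_field(v.icid_key, 'date'));
          set_collected_field(v.mid, 'time', get_collected_field(v.icid_key, 'time'));
          set_collected_field(v.mid, 'interface', get_collected_field(v.icid_key, 'interface'));
          set_collected_field(v.mid, 'interface_host', get_collected_field(v.icid_key, 'interface_host'));
          set_collected_field(v.mid, 'address', get_collected_field(v.icid_key, 'address'));
          set_collected_field(v.mid, 'reverse_dns_host', get_collected_field(v.icid_key, 'reverse_dns_host'));
          set_collected_field(v.mid, 'sbrs_value', get_collected_field(v.icid_key, 'sbrs_value'));
        ) # If Start MID

        # Handle Delivery start DCID lines.
        # NOTE(review): this overwrites the MID's 'interface' and 'address'
        # (originally the inbound client's) with the outbound connection's, while
        # 'reverse_dns_host' keeps the inbound value. Kept as-is because existing
        # reports may rely on it; it is a known inconsistency, not a guarantee.
        else if (matches_regular_expression(v.message, '^Delivery start DCID ([0-9]+) MID ([0-9]+) ')) then (
          v.dcid = $1;
          v.mid = $2;
          v.dcid_key = 'dcid:' . v.dcid;
          set_collected_field(v.mid, 'date', get_collected_field(v.dcid_key, 'date'));
          set_collected_field(v.mid, 'time', get_collected_field(v.dcid_key, 'time'));
          set_collected_field(v.mid, 'interface', get_collected_field(v.dcid_key, 'interface'));
          set_collected_field(v.mid, 'address', get_collected_field(v.dcid_key, 'address'));
        )

        # Per-message lines: "MID <n> <rest>"
        else if (matches_regular_expression(v.message, '^MID ([0-9]+) (.*)$')) then (
          v.mid = $1;
          v.message = $2;

          # Discard RID information
          if (matches_regular_expression(v.message, '^RID \\\\[[^]]+\\\\] (.*)$')) then
            v.message = $1;

          # Envelope sender (untrusted; strip surrounding <>)
          if (matches_regular_expression(v.message, '^ICID [0-9]+ From: (.*)$')) then (
            v.from = $1;
            if (matches_regular_expression(v.from, '^<([^>]+)>$')) then
              v.from = $1;
            set_collected_field(v.mid, 'from', v.from);
          )

          # Envelope recipient (untrusted; strip surrounding <>)
          else if (matches_regular_expression(v.message, '^ICID [0-9]+ RID ([0-9]+) To: (.*)$')) then (
            v.rid = $1;
            v.to = $2;
            if (matches_regular_expression(v.to, '^<([^>]+)>$')) then
              v.to = $1;
            # Remember this recipient for this MID in v.mid_to_recipients
            set_subnode_value(subnode_by_name('v.mid_to_recipients', v.mid), v.rid, v.to);
            # debug_message("Set node 'v.mid_to_recipients." . v.mid . "." . v.rid . " to " . v.to . "\\n");
          )

          # Header-derived fields (untrusted, sender-controlled)
          else if (matches_regular_expression(v.message, '^Message-ID \\'([^\\']*)\\'')) then
            set_collected_field(v.mid, 'message_id', $1);

          else if (matches_regular_expression(v.message, '^Subject \\'([^\\']*)\\'')) then
            set_collected_field(v.mid, 'subject', $1);

          # Mark it queued when we see a 'ready N bytes' line, because queued lines only occur in recent versions of the format,
          # and these lines appear in all versions.
          else if (matches_regular_expression(v.message, '^ready ([0-9]+) bytes')) then (
            set_collected_field(v.mid, 'bytes_transferred', $1);

            # Look up the ICID for this MID. This must use v.mid: $1 is the
            # byte count captured above, so the old lookup by $1 never found
            # the mapping and 'icid' was empty on every queued entry.
            v.icid = '';
            if (subnode_exists('v.mid_to_icid', v.mid)) then
              v.icid = node_value(subnode_by_name('v.mid_to_icid', v.mid));

            # Add database entry for sender
            set_collected_field(v.mid, 'date', v.date);
            set_collected_field(v.mid, 'time', v.time);
            set_collected_field(v.mid, 'messages_queued', 1);
            set_collected_field(v.mid, 'messages_delivered', 0);
            set_collected_field(v.mid, 'messages_bounced', 0);
            set_collected_field(v.mid, 'messages_delayed', 0);
            set_collected_field(v.mid, 'reason', '');
            set_collected_field(v.mid, 'response', '');
            set_collected_field(v.mid, 'to', '');
            set_collected_field(v.mid, 'action', 'sent');
            set_collected_field(v.mid, 'icid', v.icid);
            set_collected_field(v.mid, 'mid', v.mid);
            set_collected_field(v.mid, 'rid', '');
            accept_collected_entry(v.mid, true);
          ) # If "ready N bytes"

          # Remote server reply code (first token only)
          else if (matches_regular_expression(v.message, "^Response '([^ ]+)")) then
            set_collected_field(v.mid, 'response', $1);

          else if (matches_regular_expression(v.message, '^Brightmail (.*)$')) then
            set_collected_field(v.mid, 'brightmail_result', $1);

          else if (matches_regular_expression(v.message, '^antivirus (.*)$')) then
            set_collected_field(v.mid, 'antivirus_result', $1);

          # 'queued for delivery' lines are intentionally not handled; the
          # queued entry is emitted on "ready N bytes" above, which exists in
          # all format versions.
        ) # if MID

        # Accept on "Message done DCID 8943260 MID 5621 to RID [0] []" lines
        else if (matches_regular_expression(v.message, '^Message done DCID ([0-9]+) MID ([0-9]+) to [RID ]*\\\\[([0-9]+)\\\\]')) then (
          v.dcid = $1;
          v.mid = $2;
          v.rid = $3;

          # Get the ICID from the MID
          v.icid = '';
          if (subnode_exists('v.mid_to_icid', v.mid)) then
            v.icid = node_value(subnode_by_name('v.mid_to_icid', v.mid));

          # Get the recipient from the MID and RID.
          recipient = '';
          if (subnode_exists('v.mid_to_recipients', v.mid)) then (
            recipients = subnode_by_name('v.mid_to_recipients', v.mid);
            if (subnode_exists(recipients, v.rid)) then (
              recipient = node_value(subnode_by_name(recipients, v.rid));
            )
          );

          # Accept the delivered entry (one per RID).
          # NOTE(review): 'response' is reset here, so any "Response '250 ...'"
          # captured for this MID is not reported on delivered entries - confirm
          # this is intended.
          set_collected_field(v.mid, 'date', v.date);
          set_collected_field(v.mid, 'time', v.time);
          set_collected_field(v.mid, 'to', recipient);
          set_collected_field(v.mid, 'messages_queued', 0);
          set_collected_field(v.mid, 'messages_delivered', 1);
          set_collected_field(v.mid, 'messages_bounced', 0);
          set_collected_field(v.mid, 'messages_delayed', 0);
          set_collected_field(v.mid, 'reason', '');
          set_collected_field(v.mid, 'response', '');
          set_collected_field(v.mid, 'action', 'delivered');
          set_collected_field(v.mid, 'icid', v.icid);
          set_collected_field(v.mid, 'mid', v.mid);
          set_collected_field(v.mid, 'rid', v.rid);
          accept_collected_entry(v.mid, true);
        ) # if Message Done

        # Handle "Message finished MID 5621 done".
        # The queued entry was already emitted on "ready N bytes"; here we only
        # mark the MID's staged entry corrupt and accept it with 'false' to
        # clear it out of memory.
        else if (matches_regular_expression(v.message, '^Message finished MID ([0-9]+) done')) then (
          v.mid = $1;
          set_collected_field(v.mid, 'date', '{corrupt}');
          set_collected_field(v.mid, 'time', '{corrupt}');
          accept_collected_entry(v.mid, false);
        ) # If Message finished

        # Handle Bounced or Delayed lines,
        # e.g., Tue Sep 27 12:16:42 2005 Info: Bounced: DCID 8943502 MID 5615 From: To: RID 419 - 5.1.0 - Unknown address error ('550', ['5.7.1 SPF check failed: 63.36.202.241 is not authorized to send in the name of "somewhere.com".']) Headers: ['^*PARTS: 1', '^FNAME: Sue', '^LNAME: Smith', '^SID: 84403', '^CODE: law4:0wpq2:pvdh3:KHQ--HHkjGMWSLLLhd7Jp', '^VIEW: hj2uqtpwqz:p11wap2:k1ppff3:radmrrvxv1', '^IPADDR: 121.205.186.14', '^WCMID: 31654', '^*TO: bob@school.edu']
        # The trailing "Headers: [...]" block is remote-supplied header content
        # and is stripped before anything from the line is stored.
        else if (matches_regular_expression(v.message, '^(Bounced|Delayed): (.*)$')) then (
          v.bounced_or_delayed = $1;
          v.message = $2;
          v.mid = '';
          v.icid = '';
          v.rid = '';

          # Discard M:N information from the front
          if (matches_regular_expression(v.message, '^[0-9]+:[0-9]+ (.*)$')) then (
            v.message = $1;
          );
          if (matches_regular_expression(v.message, '^DCID:* ([0-9]+) (.*)$')) then (
            v.message = $2;
          );
          if (matches_regular_expression(v.message, '^MID ([0-9]+) (.*)$')) then (
            v.mid = $1;
            v.message = $2;
          );
          if (matches_regular_expression(v.message, '^Message ([0-9]+) to ([0-9]+) - (.*)$')) then (
            v.mid = $1;
            v.rid = $2;
            v.message = $3;
          );
          if (matches_regular_expression(v.message, '^From:<([^>]+)> (.*)$')) then (
            set_collected_field(v.mid, 'from', $1);
            v.message = $2;
          );
          if (matches_regular_expression(v.message, '^To:<([^>]+)> (.*)$')) then (
            set_collected_field(v.mid, 'to', $1);
            v.message = $2;
          );

          # Extract RID after To:
          if (matches_regular_expression(v.message, '^RID ([0-9]+) - (.*)$')) then (
            v.rid = $1;
            v.message = $2;
          );

          # Strip off the headers
          if (contains(v.message, ' Headers:')) then (
            v.headers_index = index(v.message, ' Headers:');
            v.message = substr(v.message, 0, v.headers_index);
          );

          if (matches_regular_expression(v.message, '^to RID ([0-9]+) - (.*)$')) then (
            v.rid = $1;
            v.message = $2;
          );

          # Make sure we don't carry over previous reasons
          set_collected_field(v.mid, 'reason', '');
          set_collected_field(v.mid, 'response', '');

          # Extract the response message from new format lines by looking for the quote following the [. This can be a " or a ';
          # Find the closing one to get the message.
          if (matches_regular_expression(v.message, "^([0-9a-z.]+ - [^(]+) \\\\('([0-9]+)', \\\\[(.*)$")) then (
            set_collected_field(v.mid, 'reason', $1);
            v.response_code = $2;
            v.message = $3;
            v.response_quote = substr(v.message, 0, 1);
            v.message = substr(v.message, 1);
            v.end_index_response = index(v.message, v.response_quote);
            v.response = '';
            if (v.end_index_response != -1) then
              v.response = substr(v.message, 0, v.end_index_response);
            set_collected_field(v.mid, 'response', v.response_code . ': ' . v.response);
          );

          # Extract the reason/response from old-format lines
          if (matches_regular_expression(v.message, '^Reason: "([^"]+)" Response: "([^"]+)"')) then (
            set_collected_field(v.mid, 'reason', $1);
            set_collected_field(v.mid, 'response', $2);
          );

          # Look up ICID from MID if we don't have it
          if ((v.icid eq '') and (v.mid ne '') and subnode_exists('v.mid_to_icid', v.mid)) then (
            v.icid = node_value(subnode_by_name('v.mid_to_icid', v.mid));
          );

          # Get the recipient from the MID and RID
          recipient = '';
          if (subnode_exists('v.mid_to_recipients', v.mid)) then (
            recipients = subnode_by_name('v.mid_to_recipients', v.mid);
            if (subnode_exists(recipients, v.rid)) then (
              recipient = node_value(subnode_by_name(recipients, v.rid));
              set_collected_field(v.mid, 'to', recipient);
            ) # if valid RID
          ); # if MID has recipients

          # Accept entry.
          # NOTE(review): if no MID could be parsed, v.mid is '' and this stages
          # under the same empty key the Warning handler uses - confirm that
          # such lines are rare enough not to matter.
          set_collected_field(v.mid, 'date', v.date);
          set_collected_field(v.mid, 'time', v.time);
          set_collected_field(v.mid, 'messages_queued', 0);
          set_collected_field(v.mid, 'messages_delivered', 0);
          set_collected_field(v.mid, 'brightmail_result', '');
          set_collected_field(v.mid, 'antivirus_result', '');
          if (v.bounced_or_delayed eq 'Bounced') then (
            set_collected_field(v.mid, 'action', 'bounced');
            set_collected_field(v.mid, 'messages_bounced', 1);
            set_collected_field(v.mid, 'messages_delayed', 0);
          )
          else (
            set_collected_field(v.mid, 'action', 'delayed');
            set_collected_field(v.mid, 'messages_bounced', 0);
            set_collected_field(v.mid, 'messages_delayed', 1);
          );
          set_collected_field(v.mid, 'icid', v.icid);
          set_collected_field(v.mid, 'mid', v.mid);
          set_collected_field(v.mid, 'rid', v.rid);
          accept_collected_entry(v.mid, true);
        ) # if Bounced
      ) # if Info

      # Handle "Message aborted" lines
      else if (matches_regular_expression(v.message, '^Message aborted MID ([0-9]+)$')) then (
        v.mid = $1;
        v.icid = '';
        if (subnode_exists('v.mid_to_icid', v.mid)) then
          v.icid = node_value(subnode_by_name('v.mid_to_icid', v.mid));
        set_collected_field(v.mid, 'date', v.date);
        set_collected_field(v.mid, 'time', v.time);
        set_collected_field(v.mid, 'action', 'aborted');
        set_collected_field(v.mid, 'messages_queued', 0);
        set_collected_field(v.mid, 'messages_delivered', 0);
        set_collected_field(v.mid, 'messages_bounced', 0);
        set_collected_field(v.mid, 'messages_delayed', 0);
        set_collected_field(v.mid, 'reason', '');
        set_collected_field(v.mid, 'response', '');
        set_collected_field(v.mid, 'messages_aborted', 1);
        set_collected_field(v.mid, 'icid', v.icid);
        set_collected_field(v.mid, 'mid', v.mid);
        accept_collected_entry(v.mid, true);
      ) # If aborted

      # Handle Warning: lines (not tied to any MID; staged under the empty key)
      else if (matches_regular_expression(v.message, '^Warning: (.*)$')) then (
        set_collected_field('', 'date', v.date);
        set_collected_field('', 'time', v.time);
        set_collected_field('', 'action', 'warning');
        set_collected_field('', 'warnings', 1);
        set_collected_field('', 'warning_message', $1);
        accept_collected_entry('', false);
      )
    ) # If matches date/time format
  `

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    from = ""
    to = ""
    sbrs_value = ""
    message_id = ""
    subject = ""
    brightmail_result = ""
    antivirus_result = ""
    interface = ""
    interface_host = ""
    address = ""
    reverse_dns_host = ""
    response = ""
    action = ""
    reason = ""
    icid = ""
    mid = ""
    rid = ""
    warning_message = ""
  } # database.fields

  database.numerical_fields = {
    messages_delivered = {
      label = "$lang_stats.field_labels.messages_delivered"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages_delivered
    messages_queued = {
      label = "$lang_stats.field_labels.messages_queued"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages_queued
    messages_aborted = {
      label = "$lang_stats.field_labels.messages_aborted"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages_aborted
    messages_bounced = {
      label = "$lang_stats.field_labels.messages_bounced"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages_bounced
    messages_delayed = {
      label = "$lang_stats.field_labels.messages_delayed"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages_delayed
    bytes_transferred = {
      label = "$lang_stats.field_labels.bytes_transferred"
      default = false
      requires_log_field = true
      log_field = "bytes_transferred"
      type = "float"
      display_format_type = "bandwidth"
    } # bytes_transferred
    warnings = {
      label = "$lang_stats.field_labels.warnings"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # warnings
  } # database.numerical_fields

  log.filters = {
  } # log.filters

  create_profile_wizard_options = {
    date_time_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      day_of_week = true
      hour_of_day = true
      from = true
      to = true
      sbrs_value = true
      message_id = true
      subject = true
      brightmail_result = true
      antivirus_result = true
      interface = true
      interface_host = true
      address = true
      reverse_dns_host = true
      response = true
      action = true
      reason = true
      warning_message = true
      icid = true
      mid = true
      rid = true
    } # report_groups
  } # create_profile_wizard_options

} # beta_iron_port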