# Sawmill log-format plugin for the ArGoSoft Mail Server SMTP log (BETA).
#
# Shape of the input (as far as the patterns below show): every line starts
# with "<date> <time> - "; a session opens with "Requested SMTP connection
# from <ip> [<hostname>], ID=<n>" and later lines for that session are
# prefixed with "(<n>)" or "{<n>}".  The parsing filter keys a Sawmill
# "collected entry" on that ID, accumulates SMTP dialogue fields into it,
# and emits one database entry per recipient plus one for the sender when
# the "END SMTP" line arrives.
#
# Trust boundary (security note): server_domain (HELO/EHLO argument),
# sender (MAIL FROM), recipient (RCPT TO), size (the client's SIZE=
# parameter) and the bracketed hostname are all attacker-controlled text
# taken straight from the SMTP client / reverse DNS.  This plugin does no
# escaping or length limiting; anything that renders these fields must
# treat them as untrusted.
beta_argosoft_mail_server = {
  plugin_version = "2.0beta"
  # The name of the log format
  log.format.format_label = "Argosoft Mail Server Log Format (BETA)"
  log.miscellaneous.log_data_type = "mail_server"
  log.miscellaneous.log_format_type = "mail_server"
  # The log is in this format if any of the first ten lines match this regular expression
  # (a session-open line; the IP is four dotted decimal groups).
  log.format.autodetect_regular_expression = "^[0-9]+[-/][0-9]+[-/][0-9][0-9][0-9][0-9] [0-9]+:[0-9][0-9]:[0-9][0-9][APM ]* - Requested SMTP connection from [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"
  # Log fields (the collected-entry fields the parsing filter writes).
  # NOTE(review): the filter also calls set_collected_field for
  # 'source_hostname' and 'errors', neither of which is declared here;
  # 'errors' is reported in database.numerical_fields below.  Verify
  # against Sawmill's behaviour for undeclared collected fields -- as
  # written they may be silently dropped.
  log.fields = {
    date = ""
    time = ""
    event_type = ""
    # Split on "@" from the right, so the domain is the top of the hierarchy.
    # A client-supplied address with several "@" signs produces extra levels.
    sender = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # sender
    recipient = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # recipient
    server_domain = ""
    source_ip.type = "host"
    rejection_reason = ""
    error_message = ""
    # Intermediate values only (not in database.fields): size is the
    # client-declared SIZE= value, spam_messages is a 0/1 flag.
    size = ""
    spam_messages = ""
    messages_delivered = ""
    messages_queued = ""
    spam_messages_queued = ""
    spam_messages_delivered = ""
    bytes_delivered = ""
    bytes_queued = ""
    connections_rejected = ""
  } # log.fields
  # Log Parsing Filters
  # Per the comparisons below, an unset collected field reads back as the
  # string '(empty)'.
  log.parsing_filters.parse = `
# Split every line into date, time and the message after " - ".
if (matches_regular_expression(current_log_line(), '^([0-9/-]+) ([0-9:APM ]+) - (.*)$')) then (
  v.date = $1;
  v.time = $2;
  v.message = $3;
  # NOTE(review): '' is the key for any line that carries no "(ID)" prefix,
  # so all such lines share one catch-all collected entry.
  v.key = '';
  # Parse "Requested SMTP connection" lines
  # Opens the collected entry for this session ID.  The bracketed hostname
  # comes from reverse DNS and is not validated here.
  if (matches_regular_expression(v.message, '^Requested SMTP connection from ([0-9.]+) \\\\[([^]]*)\\\\], ID=([0-9]+)')) then (
    v.key = $3;
    set_collected_field(v.key, 'source_ip', $1);
    # NOTE(review): 'source_hostname' is not declared in log.fields or
    # database.fields, so as far as this file shows it is never stored.
    set_collected_field(v.key, 'source_hostname', $2);
  );
  # Handle keyed lines
  else (
    # Extract the key
    if (matches_regular_expression(v.message, '^[({] *([0-9]+)[)}] (.*)$')) then (
      v.key = $1;
      v.message = $2;
    );
    # Set the date/time
    set_collected_field(v.key, 'date', v.date);
    set_collected_field(v.key, 'time', v.time);
    # Parse HELO/EHLO lines
    # The argument is whatever the client sent; it is stored verbatim.
    if (matches_regular_expression(v.message, '^([Hh][Ee][Ll][Oo]|[Ee][Hh][Ll][Oo]) (.*)$')) then
      set_collected_field(v.key, 'server_domain', $2);
    # Parse MAIL FROM lines
    # Strips surrounding spaces, a trailing "SIZE=<n>" parameter and the
    # angle brackets.  Note that 'size' is the client's *declared* size,
    # not the bytes actually received, and "[0-9]*" accepts an empty value.
    else if (matches_regular_expression(v.message, '^[Mm][Aa][Ii][Ll] [Ff][Rr][Oo][Mm]:(.*)$')) then (
      v.sender = $1;
      if (matches_regular_expression(v.sender, '^ *([^ ]*)$')) then
        v.sender = $1;
      if (matches_regular_expression(v.sender, '^(.*) [Ss][Ii][Zz][Ee]=([0-9]*)')) then (
        set_collected_field(v.key, 'size', $2);
        v.sender = $1;
      );
      if (matches_regular_expression(v.sender, '<([^>]*)>')) then
        v.sender = $1;
      set_collected_field(v.key, 'sender', v.sender);
    ); # mail from
    # Parse RCPT TO lines
    # Recipients are appended to a single separator-joined string in the
    # 'recipient' collected field and split again at END SMTP.
    else if (matches_regular_expression(v.message, '^[Rr][Cc][Pp][Tt] [Tt][Oo]:(.*)$')) then (
      v.recipient = $1;
      if (matches_regular_expression(v.recipient, '^ *([^ ]*)$')) then
        v.recipient = $1;
      if (matches_regular_expression(v.recipient, '<([^>]*)>')) then
        v.recipient = $1;
      # set_collected_field(v.key, 'recipient', v.recipient);
      # Get the list from the collected field
      v.recipients = get_collected_field(v.key, 'recipient');
      if (v.recipients eq '(empty)') then
        v.recipients = '';
      # Build up the list
      # NOTE(review): the separator between the quotes below appears to have
      # been lost in this copy (it must be the same character that is
      # excluded by the "[^...]" class in the END SMTP loop).  Verify against
      # the shipped plugin before relying on multi-recipient output.
      v.recipients .= v.recipient . '';
      # Save the built list back in the collected field
      set_collected_field(v.key, 'recipient', v.recipients);
    ); # RCPT TO
    # Parse Connection Rejected lines ("5xx Connection from ... rejected")
    else if (matches_regular_expression(v.message, '^5[0-9]+ Connection from (.*) rejected')) then (
      set_collected_field(v.key, 'rejection_reason', v.message);
      # Mark the session as a rejected connection and zero the delivery counters
      set_collected_field(v.key, 'event_type', 'rejected connection');
      set_collected_field(v.key, 'messages_delivered', 0);
      set_collected_field(v.key, 'messages_queued', 0);
      set_collected_field(v.key, 'bytes_delivered', 0);
      set_collected_field(v.key, 'bytes_queued', 0);
      set_collected_field(v.key, 'connections_rejected', 1);
      # accept_collected_entry(v.key, false);
    ); # rejected
    # Parse "Error: ..." lines
    else if (matches_regular_expression(v.message, '^Error: (.*)$')) then (
      set_collected_field(v.key, 'rejection_reason', v.message);
      # Mark the session as an error and zero the delivery counters
      set_collected_field(v.key, 'event_type', 'error');
      set_collected_field(v.key, 'error_message', $1);
      set_collected_field(v.key, 'messages_delivered', 0);
      set_collected_field(v.key, 'messages_queued', 0);
      set_collected_field(v.key, 'bytes_delivered', 0);
      set_collected_field(v.key, 'bytes_queued', 0);
      set_collected_field(v.key, 'connections_rejected', 0);
      # NOTE(review): 'errors' is not declared in log.fields (see above).
      set_collected_field(v.key, 'errors', 1);
      # accept_collected_entry(v.key, false);
    ); # error
    # e.g. Rejected by DNS based Spam Database: Rejected by spamhaus.org
    else if (matches_regular_expression(v.message, '^Rejected by DNS based Spam Database: Rejected by ')) then (
      set_collected_field(v.key, 'event_type', 'rejected spam');
      set_collected_field(v.key, 'rejection_reason', v.message);
      set_collected_field(v.key, 'spam_messages', 1);
    ); # rejected
    # At the end of the SMTP message, add entries for sender and all recipients
    else if (matches_regular_expression(v.message, '^END SMTP')) then (
      v.original_event_type = get_collected_field(v.key, 'event_type');
      # Add an entry to the database for each recipient
      # NOTE(review): "then" without parentheses guards only the next
      # statement (the file uses "then ( ... )" for multi-statement
      # blocks elsewhere), so everything from messages_queued onwards is
      # set unconditionally.  A session already marked 'rejected spam',
      # 'rejected connection' or 'error' therefore still gets
      # messages_delivered = 1 per recipient here -- likely unintended;
      # confirm and wrap the counter assignments in the conditional if so.
      if (v.original_event_type eq '(empty)') then
        set_collected_field(v.key, 'event_type', 'message delivered');
      set_collected_field(v.key, 'messages_queued', 0);
      set_collected_field(v.key, 'messages_delivered', 1);
      set_collected_field(v.key, 'bytes_queued', 0);
      # bytes_delivered is the client-declared SIZE=, not a measured byte count.
      set_collected_field(v.key, 'bytes_delivered', get_collected_field(v.key, 'size'));
      set_collected_field(v.key, 'spam_messages_queued', 0);
      set_collected_field(v.key, 'spam_messages_delivered', get_collected_field(v.key, 'spam_messages'));
      # set_collected_field(v.key, 'connections_rejected', 0);
      # Emit one entry per recipient; "true" keeps the collected entry alive
      # for the next iteration.  NOTE(review): the character class below is
      # missing its separator in this copy (see the RCPT TO note).
      v.recipients = get_collected_field(v.key, 'recipient');
      while (matches_regular_expression(v.recipients, '^([^]*)(.*)$')) (
        set_collected_field(v.key, 'recipient', $1);
        accept_collected_entry(v.key, true);
        v.recipients = $2;
      );
      # Add an entry to the database for the sender
      # Same single-statement "then" caveat as above: only event_type is
      # conditional; the queued counters are set for every session.
      if (v.original_event_type eq '(empty)') then
      # if (v.original_event_type ne 'rejected') then
        set_collected_field(v.key, 'event_type', 'message queued');
      set_collected_field(v.key, 'messages_queued', 1);
      set_collected_field(v.key, 'messages_delivered', 0);
      set_collected_field(v.key, 'bytes_queued', get_collected_field(v.key, 'size'));
      set_collected_field(v.key, 'bytes_delivered', 0);
      set_collected_field(v.key, 'spam_messages_queued', get_collected_field(v.key, 'spam_messages'));
      set_collected_field(v.key, 'spam_messages_delivered', 0);
      # set_collected_field(v.key, 'connections_rejected', 0);
      set_collected_field(v.key, 'recipient', '');
      # "false": accept the sender entry and discard the collected entry,
      # so a reused session ID starts clean.
      accept_collected_entry(v.key, false);
    ); # END SMTP
  ); # if keyed line
); # if header matches
`
  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    event_type = ""
    sender = ""
    recipient = ""
    server_domain = ""
    source_ip = ""
    location = ""
    rejection_reason = ""
    error_message = ""
  } # database.fields
  database.numerical_fields = {
    messages_delivered.default = true
    messages_queued.default = true
    connections_rejected = ""
    # Byte totals derive from the client's SIZE= parameter (see the filter).
    bytes_delivered = {
      type = "float"
      display_format_type = "bandwidth"
    }
    bytes_queued = {
      type = "float"
      display_format_type = "bandwidth"
    }
    spam_messages_queued = ""
    spam_messages_delivered = ""
    errors = ""
  } # database.numerical_fields
  log.filters = {
    # NOTE(review): this filter assigns a 'messages' field that is not
    # declared in database.numerical_fields (the counters here are
    # messages_delivered / messages_queued) -- looks like a template
    # leftover; verify.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'messages = 1;'
    } # mark_entry
  } # log.filters
  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options
} # beta_argosoft_mail_server