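# Sawmill log-format plugin for CommuniGate Pro mail-server logs (BETA).
#
# Every log line carries a CommuniGate message/session id; the parsing filter
# uses that id as the key of a "collected entry", accumulates fields from the
# lines that share it (QUEUE headers, SMTPI commands, POP activity, ...) and
# accepts the entry on a terminating line (POP disconnect, QUEUE delivered or
# relayed, ACCOUNT delivered). The date comes from the file name; only the time
# is read from the line itself.
beta_communigate_pro = {

  # The name of the log format
  log.format.format_label = "Communigate Pro Log Format (BETA)"
  # NOTE(review): log_data_type is "firewall" although this is a mail-server
  # format - confirm that this is the intended classification.
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first ten lines match this regular expression
  # (HH:MM:SS.cc, a numeric field, then a MODULE-id token).
  log.format.autodetect_regular_expression = "^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\\.[0-9][0-9] [0-9]* [A-Z0-9]*-[0-9]"

  # The format of dates and times in this log
  log.format.time_format = "hh:mm:ss"
  log.format.date_format = "yyyy-mm-dd"

  # Extract the date from the filename (log lines carry only a time of day)
  log.format.global_date_filename_regular_expression = "([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields collected per message/session id.
  # sender, recipient and subject are copied verbatim from message headers and
  # SMTP commands, i.e. from text supplied by the remote peer; anything that
  # renders these database fields must treat them as untrusted input.
  log.fields = {
    date = ""
    time = ""
    source_host = ""
    pop_account = ""
    # source_address = ""
    # local_account = ""
    operation = ""
    protocol = ""
    sender = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # sender
    recipient = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # recipient
    subject = ""
    messages_sent = ""
    bytes_sent = ""
    pop_logins = ""
    pop_messages_retrieved = ""
    pop_messages_deleted = ""
    pop_bytes_retrieved = ""
  } # log.fields

  # PIPE lines come in pairs; the first line's id is kept here until the second
  # line supplies the id to rekey the entry to.
  log.filter_initialization = `v.previous_pipe_key = '';`

  # Log Parsing Filters
  log.parsing_filters.parse = `
# Split the line into the time stamp ($1) and the rest of the message ($2).
if (matches_regular_expression(current_log_line(), '^([0-9][0-9]:[0-9][0-9]:[0-9][0-9])\\\\.[0-9][0-9] [0-9]* (.*)$')) then (
  v.time = $1;
  v.message = $2;
  # if (matches_regular_expression(v.message, '^(ENQUEUER|QUEUE)-*[0-9]*\\\\(\\\\[([0-9]*)\\\\]\\\\) from <([^>]*)>, ([0-9]*) bytes ')) then (
  #   v.key = $2;
  #   set_collected_field(v.key, 'operation', $1);
  #   set_collected_field(v.key, 'source_address', $3);
  #   set_collected_field(v.key, 'bytes_sent', $4);
  # );

  # Handle QUEUE lines: envelope sender/size, then one line per header.
  if (matches_regular_expression(v.message, '^(QUEUE)\\\\(\\\\[([0-9]*)\\\\]\\\\) (.*)$')) then (
    v.key = $2;
    set_collected_field(v.key, 'operation', $1);
    v.remainder = $3;
    if (matches_regular_expression(v.remainder, '^from <([^>]*)>, ([0-9]*) bytes ')) then (
      # set_collected_field(v.key, 'source_address', $1);
      set_collected_field(v.key, 'sender', $1);
      set_collected_field(v.key, 'bytes_sent', $2);
    );
    else if (matches_regular_expression(v.remainder, '^header: (.*)$')) then (
      v.header = $1;
      if (matches_regular_expression(v.header, '^From: (.*)$')) then (
        v.sender = $1;
        # Prefer the bare address inside <...>; fall back to the whole header
        # value only when there is none (same rule as MAIL FROM / RCPT TO below).
        if (matches_regular_expression(v.sender, '<([^>]*)>')) then
          set_collected_field(v.key, 'sender', $1);
        else
          set_collected_field(v.key, 'sender', v.sender);
      );
      else if (matches_regular_expression(v.header, '^To: (.*)$')) then (
        set_collected_field(v.key, 'recipient', $1);
      );
      else if (matches_regular_expression(v.header, '^Subject: (.*)$')) then (
        set_collected_field(v.key, 'subject', $1);
      );
    );
  ); # if QUEUE

  # Handle DEQUEUER lines: only the operation is recorded.
  else if (matches_regular_expression(v.message, '^(DEQUEUER) \\\\[([0-9]+)\\\\] (.*)$')) then (
  # else if (matches_regular_expression(v.message, '^(DEQUEUER) *\\\\(*\\\\[*([0-9]*)\\\\]*\\\\)* (.*)$')) then (
    v.key = $2;
    set_collected_field(v.key, 'operation', $1);
    v.remainder = $3;
    # if (matches_regular_expression(v.remainder, '^LOCAL\\\\((.*)\\\\) delivered$')) then (
    #   set_collected_field(v.key, 'local_account', $1);
    # );
    # else if (matches_regular_expression(v.remainder, '^SMTP\\\\(.*\\\\)(.*) relayed$')) then (
    #   set_collected_field(v.key, 'local_account', $1);
    # );
  ); # if DEQUEUER

  # Handle POP lines: one session id spans connect, retrievals, deletions and
  # disconnect; the entry is accepted on the disconnect line.
  else if (matches_regular_expression(v.message, '^(POP)-([0-9]*)(.*)$')) then (
    v.key = $2;
    v.remainder = $3;
    set_collected_field(v.key, 'protocol', $1);
    # Handle connect lines
    if (matches_regular_expression(v.remainder, '^[^ ]* \\'(.*)\\' connected from \\\\[([^:]*):')) then (
      set_collected_field(v.key, 'pop_account', $1);
      set_collected_field(v.key, 'source_host', $2);
      set_collected_field(v.key, 'pop_logins', 1);
    );
    # Handle disconnected lines
    else if (matches_regular_expression(v.remainder, '^[^ ]* \\'(.*)\\' disconnected \\\\(\\\\[([^:]*):')) then (
      set_collected_field(v.key, 'pop_account', $1);
      set_collected_field(v.key, 'source_host', $2);
      set_collected_field(v.key, 'time', v.time);
      accept_collected_entry(v.key, false);
    );
    # Handle message retrievals
    else if (matches_regular_expression(v.remainder, '^\\\\(\\\\[[^]]*\\\\]\\\\) [0-9]+ \\\\{[0-9]+\\\\} retrieved, ([0-9]*) bytes')) then (
      set_collected_field(v.key, 'pop_messages_retrieved', get_collected_field(v.key, 'pop_messages_retrieved') + 1);
      set_collected_field(v.key, 'pop_bytes_retrieved', get_collected_field(v.key, 'pop_bytes_retrieved') + $1);
    );
    # Handle message deletions
    else if (matches_regular_expression(v.remainder, '^\\\\(\\\\[[^]]*\\\\]\\\\) deleting ([0-9]+) message')) then (
      set_collected_field(v.key, 'pop_messages_deleted', get_collected_field(v.key, 'pop_messages_deleted') + $1);
    );
    # Handle other end lines
    # if (contains(v.remainder, 'proxy connection closed') or
    #     contains(v.remainder, 'polling account') or
    #     contains(v.remainder, 'retrieved')) then
    #   accept_collected_entry(v.key, false);
  ); # POP

  # Handle RPOP
  # NOTE(review): protocol is stored as 'RPOP' here, but log filter 1 below
  # rewrites every non-'POP' protocol to 'SMTP' - confirm that is intended.
  else if (matches_regular_expression(v.message, '^(RPOP)-([0-9]*)\\\\((.*)\\\\) polling account (.*) for ')) then (
    v.key = $2;
    set_collected_field(v.key, 'protocol', $1);
    set_collected_field(v.key, 'source_host', $3);
    set_collected_field(v.key, 'pop_account', $4);
  ); # RPOP

  # If SMTPI: envelope from the SMTP dialogue, then rekey to the message id
  # once the message has been received.
  else if (matches_regular_expression(v.message, '^SMTPI-([0-9]*)\\\\([^)]*\\\\) (.*)$')) then (
    v.key = $1;
    v.remainder = $2;
    # Handle MAIL FROM (optionally carrying a SIZE= parameter)
    if (matches_regular_expression(v.remainder, '^cmd: [Mm][Aa][Ii][Ll] [Ff][Rr][Oo][Mm]:(.*)$')) then (
      v.sender = $1;
      if (matches_regular_expression(v.sender, '^(.*) [Ss][Ii][Zz][Ee]=([0-9]+)$')) then (
        v.sender = $1;
        set_collected_field(v.key, 'bytes_sent', $2);
      );
      if (matches_regular_expression(v.sender, '<([^>]*)>')) then
        set_collected_field(v.key, 'sender', $1);
      else
        set_collected_field(v.key, 'sender', v.sender);
    ); # MAIL FROM
    # Handle RCPT TO
    else if (matches_regular_expression(v.remainder, '^cmd: [Rr][Cc][Pp][Tt] [Tt][Oo]:(.*)$')) then (
      v.recipient = $1;
      if (matches_regular_expression(v.recipient, '<([^>]*)>')) then
        set_collected_field(v.key, 'recipient', $1);
      else
        set_collected_field(v.key, 'recipient', v.recipient);
    ); # RCPT TO
    # Handle rekey: $1 is the message id, $2 the byte count.
    # NOTE(review): 'bytes_received' is not declared in log.fields above -
    # confirm whether it should be declared or whether 'bytes_sent' was meant.
    else if (matches_regular_expression(v.remainder, '^\\\\[([^]]*)\\\\] received[^,]*, ([0-9]*) bytes')) then (
      set_collected_field(v.key, 'bytes_received', $2);
      rekey_collected_entry(v.key, $1);
    );
  #  );
  ); # if SMTPI

  # Handle first line of PIPE; remember previous key
  else if (matches_regular_expression(v.message, '^PIPE processing ([0-9]+)')) then (
    v.previous_pipe_key = $1;
  );
  # Handle second line of PIPE; rekey
  else if (matches_regular_expression(v.message, '^PIPE \\\\[([0-9]+)\\\\] received, ([0-9]+) bytes')) then (
    rekey_collected_entry(v.previous_pipe_key, $1);
  );
  # Accept on delivered/relayed lines
  else if (matches_regular_expression(v.message, '^QUEUE.*\\\\[([0-9]*)\\\\].*(delivered|relayed)')) then (
    v.key = $1;
    set_collected_field(v.key, 'time', v.time);
    accept_collected_entry(v.key, false);
  );
  # Accept on ACCOUNT delivery lines
  else if (matches_regular_expression(v.message, '^ACCOUNT\\\\([^)]*\\\\) \\\\[([0-9]*)\\\\] delivered')) then (
    v.key = $1;
    set_collected_field(v.key, 'time', v.time);
    set_collected_field(v.key, 'messages_sent', 1);
    accept_collected_entry(v.key, false);
  );
); # if matches headers
`

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    source_host = ""
    # source_address = ""
    protocol = ""
    operation = ""
    # local_account = ""
    sender = ""
    recipient = ""
    subject = ""
    pop_account = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Normalise the protocol: 'POP' is kept as is, every other value
    # (including empty) is reported as 'SMTP'.
    1 = {
      label = "1"
      comment = ""
      value = "if (protocol eq 'POP') then '' else protocol = 'SMTP';"
    } # 1
  } # log.filters

  database.numerical_fields = {
    messages_sent = {
      default = true
      entries_field = true
    } # message_sent
    bytes_sent = {
      type = "float"
      display_format_type = "bandwidth"
    } # bytes_sent
    pop_logins = ""
    pop_messages_retrieved = ""
    pop_messages_deleted = ""
    pop_bytes_retrieved = {
      type = "float"
      display_format_type = "bandwidth"
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    date_time_tracking = true
    # This shows which numerical fields are related to which non-numerical fields.
    database_field_associations = {
      pop_account = {
        pop_logins = true
        pop_messages_retrieved = true
        pop_messages_deleted = true
        pop_bytes_retrieved = true
      }
      # source_address = {
      #   messages_sent = true
      #   bytes_sent = true
      # }
      # local_account = {
      #   messages_received = true
      #   bytes_received = true
      # }
      operation = {
        messages_sent = true
        bytes_sent = true
      }
      protocol = {
        messages_sent = true
        bytes_sent = true
      }
      sender = {
        messages_sent = true
        bytes_sent = true
      }
      recipient = {
        messages_sent = true
        bytes_sent = true
      }
      subject = {
        messages_sent = true
        bytes_sent = true
      }
    } # database_field_associations
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      day_of_week = true
      hour_of_day = true
      source_host = true
      # source_address = true
      protocol = true
      operation = true
      # local_account = true
      sender = true
      recipient = true
      subject = true
      pop_account = true
    } # report_groups
  } # create_profile_wizard_options
} # beta_communigate_pro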