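# Sawmill log-format plug-in for MailEnable W3C mail server logs.
# Parses SMTP command lines into "received" / "sent" / "error" events and
# POP lines into "POP events", using only the parsing filter below.
#
# NOTE(review): this text was recovered from a copy in which line breaks were
# lost, so which statements sit behind a '#' had to be inferred in a few
# places; those places are marked below. Compare against the shipped plug-in
# before relying on this layout.
beta_mail_enable = {

  plugin_version = "1.1beta"
  # 30/03/2006 10:30
  # added support for POP logs in this otherwise SMTP only plug-in, these are logged as "POP events"

  # The name of the log format
  log.format.format_label = "Mail Enable W3C Log Format (BETA)"
  log.miscellaneous.log_data_type = "mail_server"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first ten lines match this regular expression
  log.format.autodetect_regular_expression = "^#Software: (MailEnable W3C SMTP Server|MailEnable SMTP Server|MailEnable POP Server)"
  log.format.ignore_format_lines = "true"

  statistics.miscellaneous.entry_name = "messages"
  statistics.miscellaneous.visitor_name = "unique client IP"

  # The format of dates and times in this log
  log.format.date_format = "yyyy-mm-dd"
  log.format.time_format = "hh:mm:ss"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  # NOTE(review): the filter below also sets 'response_code' and 'response',
  # which are not declared here; confirm how Sawmill treats undeclared fields
  # and declare them if reply codes should be reportable.
  log.fields = {
    date = ""
    time = ""
    event_type = ""
    client_ip.type = "host"
    server = ""
    server_ip = ""
    server_domain = ""
    domain = ""
    from = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    }
    to = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    }
    agent = ""
    account = ""
    messages_sent = ""
    messages_received = ""
    errors = ""
    bytes_sent = ""
    bytes_received = ""
    pop_events = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `

# parse the SMTP traffic logs
if (matches_regular_expression(current_log_line(), '^([0-9-]+) ([0-9:]+) ([0-9.]+) ([^ ]+) ([^ ]*) ([^ ]*) ([0-9]*) ([A-Z]*) ([^ ]*) ([^ ]*) ([^ ]*) ([0-9]*) ([0-9]*) ([0-9]*)')) then (

  # Collected entries are keyed on the client IP ($3). Lines from separate
  # sessions that share one address (for example clients behind the same NAT)
  # therefore feed the same collected entry.
  v.key = $3;

  # An 8-character date is taken to be yy-mm-dd and expanded to a 4-digit year.
  if (length($1) == 8) then
    v.date = '20' . $1;
  else
    v.date = $1;

  set_collected_field(v.key, 'date', v.date);
  set_collected_field(v.key, 'time', $2);
  set_collected_field(v.key, 'client_ip', $3);
  set_collected_field(v.key, 'server_domain', $5);
  set_collected_field(v.key, 'server_ip', $6);
  v.type = $8;
  v.message = $9;
  v.response = $10;
  v.server = $11;
  set_collected_field(v.key, 'server', v.server);

  # Handle HELO/EHLO
  # NOTE(review): the pattern is anchored at both ends, so it matches only when
  # the field is exactly the four-letter verb, and that verb is what gets
  # stored as 'domain'. Confirm this is the intended value.
  if (matches_regular_expression(v.message, '^[HhEe][HhEe][Ll][Oo]$')) then (
    set_collected_field(v.key, 'domain', v.message);
  );

  # Handle MAIL FROM
  if (matches_regular_expression(v.message, '^[Mm][Aa][Ii][Ll].[Ff][Rr][Oo][Mm] *:<([^>]*)>(.*)$')) then (
    set_collected_field(v.key, 'from', $1);
    v.remainder = $2;
    v.size = 0;

    # SIZE= is the figure the client declared on its MAIL FROM command, so the
    # byte counts derived from it are sender-supplied, not measured transfers.
    if (matches_regular_expression(v.remainder, '[Ss][Ii][Zz][Ee]=([0-9]+)')) then (
      v.size = $1;
      set_collected_field(v.key, 'bytes_sent', v.size);
    );

    set_collected_field(v.key, 'event_type', 'received');
    set_collected_field(v.key, 'messages_received', 1);
    set_collected_field(v.key, 'messages_sent', 0);
    set_collected_field(v.key, 'errors', 0);
    # The 'true' argument appears to keep the collected values for later lines
    # with the same key; the two assignments after it rely on that.
    accept_collected_entry(v.key, true);

    # For RCPT TO Messages, we want to use the size as the number of bytes received.
    set_collected_field(v.key, 'bytes_sent', 0);
    set_collected_field(v.key, 'bytes_received', v.size);
  ); # MAIL FROM

  # Handle RCPT TO
  else if (matches_regular_expression(v.message, '^[Rr][Cc][Pp][Tt].[Tt][Oo] *:<([^>]+)>')) then (
    set_collected_field(v.key, 'to', $1);

    # Accepted recipient: 2xx reply.
    if (matches_regular_expression(v.response, '^(2[0-9][0-9]).(.*)$')) then (
      set_collected_field(v.key, 'response_code', $1);
      set_collected_field(v.key, 'response', $2);
      set_collected_field(v.key, 'messages_received', 0);
      set_collected_field(v.key, 'messages_sent', 1);
      set_collected_field(v.key, 'errors', 0);
      set_collected_field(v.key, 'event_type', 'sent');
      accept_collected_entry(v.key, true);
    )
    # Rejected recipient: 4xx (temporary) or 5xx (permanent) reply.
    # Fix: this test used to run against v.message, which in this branch
    # always begins with RCPT, so no rejection was ever recorded as an error.
    # It now tests v.response, captures the reply text so that $2 is defined,
    # and counts 5xx as well as 4xx. Rejected recipients are what relay probes
    # and address-guessing runs leave behind, so they need to reach 'errors'.
    else if (matches_regular_expression(v.response, '^([45][0-9][0-9]).(.*)$')) then (
      set_collected_field(v.key, 'response_code', $1);
      set_collected_field(v.key, 'response', $2);
      set_collected_field(v.key, 'messages_received', 0);
      set_collected_field(v.key, 'messages_sent', 0);
      set_collected_field(v.key, 'errors', 1);
      set_collected_field(v.key, 'event_type', 'error');
      accept_collected_entry(v.key, true);
    )
  );

  # Handle DATA lines
#  else if (matches_regular_expression(v.message, '^[Dd][Aa][Tt][Aa]')) then (
#    set_collected_field(v.key, 'messages_received', 0);
#    set_collected_field(v.key, 'messages_sent', 1);
#    set_collected_field(v.key, 'errors', 0);
#    set_collected_field(v.key, 'event_type', 'sent');
#    accept_collected_entry(v.key, true);
#  )
#  )

)

# NOTE(review): the rekey_collected_entry() statement below is kept commented
# out. The collapsed source does not show whether it was live; as live code its
# pattern would match every dated line and the POP branch that follows it could
# never run.
#  collect_fields_using_regexp('^[0-9]+-[0-9]+-[0-9]+ [0-9]+:[0-9]+:[0-9]+ ()([^ ]+) ', '*KEY*,c_ip');
#if (matches_regular_expression(entire_line, '(FROM|From)')) then
#  if (matches_regular_expression(current_log_line(), '^[0-9]+-[0-9]+-[0-9]+ [0-9]+:[0-9]+:[0-9]+ ()([^ ]+) ')) then
#    rekey_collected_entry($1, $2);
#collect_fields_using_regexp('^([0-9-]+) ([0-9:]+) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([0-9]*)', 'date,time,*KEY*,agent,account,s_ip,s_port');
#collect_fields_using_regexp('^[0-9-]+ [0-9:]+ ([^ ]+) [^ ]+ [^ ]* [^ ]* [0-9]+ (DATA|DATE) DATA [^ ]+ [^ ]+ ([0-9]+) ([0-9]+)', '*KEY*,dummy,sc_bytes,cs_bytes');
#collect_fields_using_regexp('^[0-9-]+ [0-9:]+ ([^ ]+) [^ ]+ [^ ]+ [0-9]+ [Mm][Aa][Ii][Ll] [Mm][Aa][Ii][Ll].[Ff][Rr][Oo][Mm]:\\\\+*<([^>]*)>', '*KEY*,from');
#collect_fields_using_regexp('^[0-9-]+ [0-9:]+ ([^ ]+) [^ ]+ [^ ]+ [0-9]+ [Rr][Cc][Pp][Tt] [Rr][Cc][Pp][Tt].[Tt][Oo]:\\\\+*<([^>]*)>', '*KEY*,to');
#accept_collected_entry_using_regexp('^[0-9-]+ [0-9:]+ ([^ ]*) [^ ]* [^ ]* [^ ]* [0-9]+ QUIT', false);

# parse POP traffic
# The leading empty group makes $1 the empty string, which is used as the
# collected-entry key; each POP line is accepted as its own event right away.
# No account or user field is stored for POP events.
else if (matches_regular_expression(current_log_line(), '^()([0-9-]+) ([0-9:]+) ([0-9.]+) ([^ ]+) ([^ ]*) ([0-9.]+) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9]+) ([0-9]+) $')) then (

  if (length($2) == 8) then
    v.date = '20' . $2;
  else
    v.date = $2;

  set_collected_field($1, 'date', v.date);
  set_collected_field($1, 'time', $3);
  set_collected_field($1, 'client_ip', $4);
#  set_collected_field($1, 'agent', $5);
  set_collected_field($1, 'server_domain', $6);
  set_collected_field($1, 'server_ip', $7);
#  set_collected_field($1, 'cs_method', $8);
  set_collected_field($1, 'server', $9);
  set_collected_field($1, 'bytes_sent', $10);
  set_collected_field($1, 'bytes_received', $11);
#  set_collected_field($1, 'time_taken', $12);
  set_collected_field($1, 'pop_events', 1);
  accept_collected_entry($1, false);

);

`

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    event_type = ""
    client_ip = ""
    location = ""
    server = ""
    server_ip = ""
    server_domain = ""
    domain = ""
    from = ""
    to = ""
  } # database.fields

  database.numerical_fields = {

    messages_sent = {
      label = "$lang_stats.field_labels.messages_sent"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages_sent

    messages_received = {
      label = "$lang_stats.field_labels.messages_received"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # messages_received

    errors = {
      label = "$lang_stats.field_labels.errors"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # errors

    pop_events = {
      label = "$lang_stats.field_labels.pop_events"
      default = true
      entries_field = false
    }

    bytes_sent = {
      label = "$lang_stats.field_labels.bytes_sent"
      default = false
      log_field = "bytes_sent"
      requires_log_field = true
      type = "float"
      display_format_type = "bandwidth"
    } # bytes_sent

    bytes_received = {
      label = "$lang_stats.field_labels.bytes_received"
      default = false
      log_field = "bytes_received"
      requires_log_field = true
      type = "float"
      display_format_type = "bandwidth"
    } # bytes_received

    unique_client_ips = {
      label = "$lang_stats.field_labels.unique_client_ips"
      default = false
      requires_log_field = true
      log_field = "client_ip"
      type = "unique"
      display_format_type = "integer"
    } # unique_client_ips

  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      event_type = ""
      client_ip = ""
      location = ""
      server = ""
      server_ip = ""
      server_domain = ""
      domain = ""
      from = ""
      to = ""
    } # report_groups

  } # create_profile_wizard_options

} # beta_mail_enable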