Hello,
My problem is that I have IronPort mail logs split like this:
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:14 2015 Info: New SMTP ICID 123456789 interface Data 1 (1.2.3.4) address 10.10.10.10 reverse dns host blabla.mail.com verified yes
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:14 2015 Info: ICID 123456789 ACCEPT SG UNKNOWNLIST match sbrs[-1.5:7.0] SBRS 5.6
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:14 2015 Info: Start MID 987654321 ICID 123456789
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:14 2015 Info: MID 987654321 ICID 351684134 From: <test_name@mail.fr>
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:14 2015 Info: MID 987654321 ICID 351684134 RID 0 To: <test_name2@mail.fr>
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:15 2015 Info: MID 987654321 Message-ID '<id@mail.fr>'
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:15 2015 Info: MID 251913918 Subject 'test_subject'
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:15 2015 Info: MID 987654321 ready 18615 bytes from <test_name@mail.fr>
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:15 2015 Info: MID 987654321 rewritten to MID 987654322 by LDAP rewrite
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:15 2015 Info: MID 987654322 ICID 0 From: <test_name@mail.fr>
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:15 2015 Info: MID 987654322 ICID 0 RID 0 To: <test_name2@mail.fr>
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:15 2015 Info: MID 987654322 attachment 'image001.jpg'
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:15 2015 Info: MID 987654322 attachment 'image001.jpg'
And I want to create an aggregate event that is able to join the log line linking the IP address to the preliminary MID, and then handle the MID field going multi-value in a single event that shows the mapping of preliminary MID to final MID and includes all the later events that carry only the final MID.
The goal is, for example, to extract the IP address which sent an email with a picture as an attachment.
I tried some transactions to join ICID and MID, like:
index=test_ironport sourcetype=cisco:esa:textmail (ACCEPT OR address OR attachment_type=doc OR MID OR vendor_action=mid_rewritten) | eval courant_mid=if(isnotnull(prev_internal_message_id), prev_internal_message_id, internal_message_id)| transaction icid courant_mid
OR
index=test_ironport sourcetype=cisco:esa:textmail (ACCEPT OR address OR attachment_type=doc OR MID OR vendor_type=mid_rewritten) | transaction icid internal_message_id prev_internal_message_id
The issue in my case is the changing MID, which complicates the join of the linked events.
I wonder if I have to keep using transaction, or whether I have to change the method and use a lookup.
Maybe someone is aware of an App which can correlate IronPort email events at indexing time?
Thank you,
Pierre
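The correlation asked for above (connection IP -> ICID -> preliminary MID -> rewritten MID -> attachments), written out as an added example in Python rather than SPL. This is not code from the post or from any Splunk add-on; the log sample is constructed from the line shapes shown above with made-up values, the regular expressions are my own, and the treatment of which extensions count as an "image" is an assumption. The point it shows is that the `rewritten to MID` line is the only event carrying both MIDs, so any join (transaction, lookup or otherwise) has to keep that line in the set and follow the chain back to the MID that has a `Start MID ... ICID` event.

```python
import os
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines in the post; all values are made up.
SAMPLE_LOG = """\
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:14 2015 Info: New SMTP ICID 123456789 interface Data 1 (1.2.3.4) address 10.10.10.10 reverse dns host blabla.mail.com verified yes
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:14 2015 Info: ICID 123456789 ACCEPT SG UNKNOWNLIST match sbrs[-1.5:7.0] SBRS 5.6
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:14 2015 Info: Start MID 987654321 ICID 123456789
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:15 2015 Info: MID 987654321 Subject 'test_subject'
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:15 2015 Info: MID 987654321 rewritten to MID 987654322 by LDAP rewrite
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:15 2015 Info: MID 987654322 ICID 0 From: <test_name@mail.fr>
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:15 2015 Info: MID 987654322 attachment 'image001.jpg'
Jun 8 13:51:21 my_server: Mon Jun 8 13:46:15 2015 Info: MID 987654322 attachment 'report.docx'
Jun 8 13:52:01 my_server: Mon Jun 8 13:46:50 2015 Info: New SMTP ICID 123456790 interface Data 1 (1.2.3.4) address 10.10.10.11 reverse dns host other.mail.com verified yes
Jun 8 13:52:01 my_server: Mon Jun 8 13:46:50 2015 Info: Start MID 987654330 ICID 123456790
Jun 8 13:52:01 my_server: Mon Jun 8 13:46:51 2015 Info: MID 987654330 attachment 'notes.txt'
"""

# One regex per event type that carries a join key (my own patterns, not IronPort's).
NEW_ICID_RE = re.compile(r"New SMTP ICID (\d+) .*? address (\S+)")
START_MID_RE = re.compile(r"Start MID (\d+) ICID (\d+)")
REWRITE_RE = re.compile(r"MID (\d+) rewritten to MID (\d+)")
ATTACH_RE = re.compile(r"MID (\d+) attachment '([^']*)'")

# Assumption: these extensions are what "a picture in attachment" means here.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def parse_log(text):
    """Single pass over the log; builds the four tables needed for the join."""
    icid_ip = {}                     # ICID -> connecting IP address
    mid_icid = {}                    # preliminary MID -> ICID that started it
    previous_mid = {}                # rewritten (new) MID -> MID it came from
    attachments = defaultdict(list)  # MID -> attachment file names
    for line in text.splitlines():
        if m := NEW_ICID_RE.search(line):
            icid_ip[m.group(1)] = m.group(2)
        elif m := START_MID_RE.search(line):
            mid_icid[m.group(1)] = m.group(2)
        elif m := REWRITE_RE.search(line):
            previous_mid[m.group(2)] = m.group(1)
        elif m := ATTACH_RE.search(line):
            attachments[m.group(1)].append(m.group(2))
    return icid_ip, mid_icid, previous_mid, attachments


def preliminary_mid(mid, previous_mid):
    """Follow the rewrite chain back to the MID that carries the ICID.
    Works for several rewrites in a row; the visited set stops a malformed loop."""
    seen = set()
    while mid in previous_mid and mid not in seen:
        seen.add(mid)
        mid = previous_mid[mid]
    return mid


def messages_with_image_attachments(text):
    """Return {final MID: (sender IP, [image attachments])} for every message
    that carried at least one image, joined across the MID rewrite.
    The IP is None when the 'New SMTP ICID' event is missing from the window."""
    icid_ip, mid_icid, previous_mid, attachments = parse_log(text)
    result = {}
    for mid, names in attachments.items():
        images = [n for n in names if os.path.splitext(n)[1].lower() in IMAGE_EXTENSIONS]
        if not images:
            continue
        root = preliminary_mid(mid, previous_mid)
        ip = icid_ip.get(mid_icid.get(root))
        result[mid] = (ip, images)
    return result


if __name__ == "__main__":
    for mid, (ip, images) in messages_with_image_attachments(SAMPLE_LOG).items():
        print(f"MID {mid} from {ip}: {', '.join(images)}")
```

Whatever the final tooling is, the join needs the same three keys kept together: the `New SMTP ICID` event for the IP, the `Start MID ... ICID` event for the first MID, and the `rewritten to MID` event as the bridge to the second one. If the search window or the event filter drops any of those, the attachment event ends up with no IP to report, which is the `None` case handled above.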