Dear all,
I am currently struggling with extracting fields for Symantec Mail Security for SMTP.
The sample log looks as follows (a single log entry):
20110329,7,1=1,11=<IP for Origin Mail Server>,21=<rcpt email address 1>\, <rcpt email address 1>\, <rcpt email address 1>\, <rcpt email address 1>\, <rcpt email address 1>,23=756702,52=M2011032900000716831,22=<Subject>,20=<sender email address 1>,120=36315,2=5
So it seems that in one log entry the recipient emails are consolidated. This is different from Barracuda and Exchange, where every mail transaction is separated into its own log entry, so there it is quite clear-cut to do the field extraction.
Please advise how I can do the field extraction based on this kind of log.
Thank you so much for all your help
Regards
marendra
Here are a couple of possibilities, depending on what the rest of your data looks like...
Assuming the possibility of other multi-value fields, then you can extract the full recipient list into an intermediate field. Once you have that, split it into the individual recipients.
transforms.conf:
[mailsec-recipient-list]
# Match starting with option 21, and keep
# going until we hit another option or the end
# (the alternation is grouped so the end-of-entry case still works)
REGEX = ,21=(.*?)(?:,\d+=|$)
FORMAT = recipient_list::$1
[mailsec-recipient]
# Split each recipient out from the full list;
# skip the space after each escaped comma and stop at the next backslash
SOURCE_KEY = recipient_list
MV_ADD = True
REGEX = \s*([^,\\]+)
FORMAT = recipient::$1
In props.conf:
[mailsec]
# Order matters; make sure that the full list
# gets extracted first...
REPORT-0-mailsec = mailsec-recipient-list
REPORT-1-mailsec = mailsec-recipient
If this is the only multi-value field, and there are no other cases where you have a comma followed by a space, then you can just look for option 21 or a space after the comma:
transforms.conf:
[mailsec-recipient]
REGEX = ,(\s+|(21=))([^,\\]+)
FORMAT = recipient::$3
MV_ADD = True
props.conf:
[mailsec]
REPORT-mailsec = mailsec-recipient
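To see the two-stage approach from this answer outside Splunk, here is an added Python example (not part of the original answer, and not Symantec or Splunk code) that runs the same two regexes over a constructed entry in the question's format, and goes one step further with a general parser that splits the whole entry on unescaped commas only. The sample entry, the placeholder addresses and the function names are all constructed for the example; it also exercises the edge case where option 21 is the last field in the entry.

```python
import re

# Constructed sample entry modelled on the format in the question; the <...>
# placeholders stand in for real addresses, IPs and subjects.  Recipients are
# joined with an escaped comma followed by a space ("\, ").
SAMPLE = (
    r"20110329,7,1=1,11=<IP for Origin Mail Server>,"
    r"21=<rcpt email address 1>\, <rcpt email address 2>\, <rcpt email address 3>,"
    r"23=756702,52=M2011032900000716831,22=<Subject>,"
    r"20=<sender email address 1>,120=36315,2=5"
)

# Stage 1 (mirrors the mailsec-recipient-list transform): capture everything
# after ",21=" up to the next ",<digits>=" or the end of the entry.  The
# alternation is grouped so the end-of-entry case still anchors the capture.
RECIPIENT_LIST_RE = re.compile(r",21=(.*?)(?:,\d+=|$)")

# Stage 2 (mirrors the mailsec-recipient transform): a recipient is a run of
# characters that is neither a comma nor the backslash escaping one; leading
# whitespace from the "\, " separator is consumed outside the capture group.
RECIPIENT_RE = re.compile(r"\s*([^,\\]+)")


def extract_recipient_list(entry):
    """Return the raw (still escaped) option-21 value, or None if absent."""
    m = RECIPIENT_LIST_RE.search(entry)
    return m.group(1) if m else None


def split_recipients(recipient_list):
    """Split the raw list into one clean address per element."""
    return [r.strip() for r in RECIPIENT_RE.findall(recipient_list)]


def recipients(entry):
    """Both stages together: the per-entry multi-value 'recipient' field."""
    raw = extract_recipient_list(entry)
    return split_recipients(raw) if raw is not None else []


def parse_entry(entry):
    """General parser for the whole entry: split on unescaped commas only, then
    map each numbered option to its (unescaped) value.  The leading values
    without an option number (date, count) are returned separately."""
    positional, fields = [], {}
    for raw in re.split(r"(?<!\\),", entry):
        key, sep, value = raw.partition("=")
        if sep and key.isdigit():
            fields[key] = value.replace("\\,", ",")
        else:
            positional.append(raw)
    return positional, fields


if __name__ == "__main__":
    print(recipients(SAMPLE))
    leading, opts = parse_entry(SAMPLE)
    print(leading, opts["21"], opts["20"])
```

The negative lookbehind in `parse_entry` is the key point: the product only consolidates recipients by escaping the comma between them, so a splitter that honours that escape recovers every option as a normal key/value pair, and the recipient list is then just the option-21 value split on the separator.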
Hi southeringtonp
Fantastic, it works... Thank you very much.