Hi,
It is simple to export logs from Cloudmark Gateway to Splunk using Gateway's custom log command functionality within the workflow processor. To facilitate Splunk indexing, it's generally advisable to log all message events to a single log file that you will then direct Splunk to follow. It is also highly advisable to configure Gateway to generate log entries in Splunk's preferred key=value pair format.
For example, to build a log format suitable for message & recipient delivery tracking purposes, you could insert a "log custom file" command before each step in the SMTP protocol where you will be taking a definitive action for a connection or message (i.e. accepting the connection, rejecting the connection, accepting a recipient, etc.). If a particular Gateway policy step is reached you can configure the log event to log the exact SMTP response returned to the SMTP client or the message handling action taken.
Banner stage temp failure example:
rule 1 [FAILURE BANNER (SMTP code 421) and CLOSE session ]
IF
connection ip source simultaneous sessions [>] [$(_max_ips_allowed)]
THEN
log with level [NORMAL] in log file [splunk] message [host="$(_servername)" event="conn_reject" $(logconn) conn_id="$(_sid)" result_code="421" policy_reason="too_many_connections" result_text="Too many simultaneous sessions from your IP"]
wait seconds [10]
FAILURE connection banner and CLOSE session : SMTP code 421 - [Too many simultaneous sessions from your IP]
The above "log file custom" rule would generate the following log entry in /var/log/bizimp/splunk.log while tarpitting the SMTP client for 10 seconds and then responding with "421 Too many simultaneous sessions from your IP" at the SMTP protocol level:
20120103 09:28:23.846 core host="host1.example.com" event="conn_reject" src_host="server.badguy.com" src_ip="176.31.14.160" conn_id="H5UP1i0043TBr9c01" result_code="421" policy_reason="too_many_connections" result_text="Too many simultaneous sessions from your IP"
For more assistance, please contact Cloudmark Support at support@cloudmark.com