I am currently trying to wrap the syslog output of a Barracuda Email Security gateway into the Check Point.
While I have seen the LEA fields document of 2011, it seems to me I am missing rather a lot as far as email is concerned. But I might just be missing them.
It seems the "from" field works sometimes but not all lines are parsed correctly. The recipient is not yet seen.
I have the following data for which I am seeking the proper Check Point field name:
- Sender email address ("from" seems to work)
- Recipient email address ("to" doesn't seem to work)
- Action (can I use anything beyond: "accept" | "drop" | "reject")
- Malware name if found (like: SFP.Malware.27291.RtfHeur)
- Spam score (signed float)
- Preferred Product Name for anti-spam.
Then I can't seem to find how I can wrap multiple fields into 1 other field.
Another issue is that I might have an issue with too greedy wildcards. The Eventia Log Parser Editor does not seem to understand .*? as valid.
I can share a few more details in a private message but I prefer not to send all information to the list as the samples contain live data.
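Added example, not part of the original post: the greedy-wildcard problem described above, shown in Python rather than in the Eventia Log Parser Editor. The sample lines are constructed in a generic `key=value` syslog style and are not Barracuda's real output format; the field names follow the post's own list (from, to, action, score, plus a `virus` token carrying the malware name). The third pattern shows the usual workaround when a parser does not accept the lazy `.*?` quantifier: a negated character class such as `[^ ]+`, which is greedy but can never run past the next delimiter.

```python
import re

# Constructed sample lines in a generic key=value syslog style.
# They do NOT reproduce Barracuda's real log format; they only serve
# to show how greedy, lazy and negated-class patterns behave.
SAMPLE = ("Jan 12 10:15:03 mailgw scan: from=alice@example.org "
          "to=bob@example.net action=reject score=4.73 "
          "virus=SFP.Malware.27291.RtfHeur")
CLEAN = ("Jan 12 10:15:04 mailgw scan: from=carol@example.org "
         "to=dave@example.net action=accept score=-1.20")

# Greedy: .* runs to the end of the line and then backtracks only as far
# as the LAST space, so it swallows every field after the recipient.
GREEDY_TO = re.compile(r"to=(.*) ")

# Lazy: .*? stops at the first space. Correct, but many older parser
# editors do not accept the lazy quantifier at all.
LAZY_TO = re.compile(r"to=(.*?) ")

# Portable: [^ ]+ is "one or more non-space characters". It is greedy,
# yet it cannot cross a space, so no lazy quantifier is needed.
PORTABLE = re.compile(
    r"from=([^ ]+) to=([^ ]+) action=([^ ]+) score=(-?\d+(?:\.\d+)?)"
    r"(?: virus=([^ ]+))?"
)


def extract_recipient_greedy(line):
    """Recipient captured with a greedy wildcard (over-captures)."""
    m = GREEDY_TO.search(line)
    return m.group(1) if m else None


def extract_recipient_lazy(line):
    """Recipient captured with a lazy wildcard (correct, if supported)."""
    m = LAZY_TO.search(line)
    return m.group(1) if m else None


def parse_fields(line):
    """Parse one constructed line using only negated character classes.

    Returns a dict with the post's field names, or None when the line
    does not carry the expected tokens. 'virus' is None when absent.
    """
    m = PORTABLE.search(line)
    if not m:
        return None
    sender, rcpt, action, score, virus = m.groups()
    return {
        "from": sender,
        "to": rcpt,
        "action": action,          # e.g. accept / drop / reject
        "score": float(score),     # spam score is a signed float
        "virus": virus,            # malware name if present, else None
    }


if __name__ == "__main__":
    print("greedy :", extract_recipient_greedy(SAMPLE))
    print("lazy   :", extract_recipient_lazy(SAMPLE))
    for line in (SAMPLE, CLEAN):
        print("parsed :", parse_fields(line))
```

Running the block prints the greedy capture `bob@example.net action=reject score=4.73` against the lazy and portable captures of `bob@example.net`; when a parser rejects `.*?`, rewriting each wildcard as a negated class bounded by the field's real delimiter (space, comma, semicolon) gives the same result without depending on lazy matching.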