Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Hugo_vd_Kooij
Advisor

LEA field names for email

Hi,

I am currently trying to wrap the syslog output of a Barracuda Email Security gateway into the Check Point.

While I have seen the LEA fields document of 2011 it seem to me I am missing rather a lot as far as email is concerned. But I might just be missing them.

It seems the "from" field works sometimes but not all lines are parsed correctly. The recipient is not yet seen.

I have the following data for which I am seeking the proper Check Point field name:

  1. Sender email address ("from" seems to work)
  2. Recipient email adress ("to" doesnt seem to work)
  3. Action (can I use anything beyond: "accept" | "drop" | "reject")
  4. Malware name if found (like: SFP.Malware.27291.RtfHeur)
  5. Description
  6. Spam score (signed float)
  7. Preferred Product Name for anti-spam.

Then I can's seem to find how I can wrap multiple fields into 1 other field.

Another issue is that I might have an issue with too greedy wildcards. The Eventia Log Parser Editor does not seem to understand .*? as valid.

 

 I can share a few more details in a private message but I prefer not to send all information to the list as the samples contain live data.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
2 Replies
PhoneBoy
Admin
Admin

Here’s a more current version of the LEA fields doc…

LEA Fields

0 Kudos
Hugo_vd_Kooij
Advisor

It seems I can get some details into the Check point logs and databases but it looks like it is still more or less interpretated as firewall logging. Even when I have the sending log entry I translanted a succesful send response code to the action field with the value of send. but it is instead listed as Drop in the logs.

And it seems it fails to parse some events in real life which were understood just fine in the Eventia Log Parsing Editor.

Which seems to indicate there is still a gap between documentation and what seems to happen. It seems I must do some hacking.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events