
LEA field names for email

Question asked by Hugo van der Kooij on Aug 20, 2018
Latest reply on Aug 24, 2018 by Hugo van der Kooij

Hi,

I am currently trying to wrap the syslog output of a Barracuda Email Security gateway into the Check Point.

While I have seen the LEA fields document of 2011 it seems to me I am missing rather a lot as far as email is concerned. But I might just be missing them.

It seems the "from" field works sometimes but not all lines are parsed correctly. The recipient is not yet seen.

I have the following data for which I am seeking the proper Check Point field name:

  1. Sender email address ("from" seems to work)
  2. Recipient email address ("to" doesn't seem to work)
  3. Action (can I use anything beyond: "accept" | "drop" | "reject")
  4. Malware name if found (like: SFP.Malware.27291.RtfHeur)
  5. Description
  6. Spam score (signed float)
  7. Preferred Product Name for anti-spam.

Then I can't seem to find how I can wrap multiple fields into 1 other field.

Another issue is that I might have an issue with too greedy wildcards. The Eventia Log Parser Editor does not seem to understand .*? as valid.

I can share a few more details in a private message but I prefer not to send all information to the list as the samples contain live data.
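The greedy-wildcard problem and the field mapping described in the question, as an added Python example that is not part of the original post and not code from Check Point or Barracuda. The sample syslog line is constructed for illustration and is not the real Barracuda Email Security Gateway format; the destination field names in `FIELD_MAP` are placeholders, not confirmed LEA field names; and the example assumes that an engine which rejects the lazy `.*?` still accepts negated character classes such as `[^ ]+`, which give the same "stop at the first delimiter" behaviour without a lazy quantifier.

```python
import re

# Constructed sample line in a key=value syslog style. It is NOT the real Barracuda
# Email Security Gateway format; it only serves to exercise the patterns below.
SAMPLE_LINE = (
    '<22>Aug 20 12:34:56 bess01 scan: from=alice@example.com to=bob@example.org '
    'action=reject score=3.75 reason="Malware found: SFP.Malware.27291.RtfHeur" size=1024'
)

# Three ways to pull the sender out of the line.
GREEDY = re.compile(r'from=(.*) ')      # greedy: runs to the LAST space in the line
LAZY = re.compile(r'from=(.*?) ')       # lazy: stops at the FIRST space (needs .*? support)
NEGATED = re.compile(r'from=([^ ]+)')   # negated class: same result as lazy, no .*? needed


def extract_sender(line, pattern):
    """Return the group captured by `pattern`, or None if it does not match."""
    m = pattern.search(line)
    return m.group(1) if m else None


# Generic key=value tokenizer built only from negated character classes, so it can be
# ported to an engine that rejects lazy quantifiers. Quoted values may contain spaces.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^ ]*))')


def parse_line(line):
    """Split a key=value syslog line into a dict; quoted values keep their spaces."""
    # findall returns '' for the alternation branch that did not participate,
    # so `q or u` picks whichever branch actually matched.
    return {k: (q or u) for k, q, u in KV.findall(line)}


# Hypothetical mapping from the gateway's keys to destination field names. The target
# names are placeholders, not confirmed Check Point LEA field names.
FIELD_MAP = {
    'from': 'from',           # item 1: sender
    'to': 'to',               # item 2: recipient
    'action': 'action',       # item 3: accept | drop | reject
    'score': 'spam_score',    # item 6: signed float
    'reason': 'description',  # item 5: free text
}


def to_event(line):
    """Map a parsed line onto the destination fields and derive the malware name."""
    kv = parse_line(line)
    event = {FIELD_MAP[k]: v for k, v in kv.items() if k in FIELD_MAP}
    if 'spam_score' in event:
        event['spam_score'] = float(event['spam_score'])
    # Item 4: the malware name sits inside the free-text reason; a negated class
    # extracts it without a lazy quantifier.
    m = re.search(r'Malware found: ([^" ]+)', kv.get('reason', ''))
    if m:
        event['malware_name'] = m.group(1)
    # Wrapping several fields into one: a single summary string built from the parts.
    event['summary'] = '{} -> {} [{}]'.format(
        event.get('from'), event.get('to'), event.get('action'))
    return event


if __name__ == '__main__':
    for name, pat in (('greedy', GREEDY), ('lazy', LAZY), ('negated class', NEGATED)):
        print('{:14}: {!r}'.format(name, extract_sender(SAMPLE_LINE, pat)))
    print(to_event(SAMPLE_LINE))
```

Running it shows the greedy pattern swallowing everything from the sender up to the last space on the line, while the lazy and negated-class patterns both return just the address; the negated-class form is the one to carry over to a parser that does not accept `.*?`.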
