
LEA field names for email

Question asked by Hugo van der Kooij on Aug 20, 2018
Latest reply on Aug 24, 2018 by Hugo van der Kooij
I am currently trying to wrap the syslog output of a Barracuda Email Security gateway into the Check Point.


While I have seen the LEA fields document of 2011, it seems to me I am missing rather a lot as far as email is concerned. But I might just be missing them.


It seems the "from" field works sometimes but not all lines are parsed correctly. The recipient is not yet seen.


I have the following data for which I am seeking the proper Check Point field name:

  1. Sender email address ("from" seems to work)
  2. Recipient email address ("to" doesn't seem to work)
  3. Action (can I use anything beyond: "accept" | "drop" | "reject")
  4. Malware name if found (like: SFP.Malware.27291.RtfHeur)
  5. Description
  6. Spam score (signed float)
  7. Preferred Product Name for anti-spam.


Then I can't seem to find how I can wrap multiple fields into 1 other field.


Another issue is that I might have an issue with too greedy wildcards. The Eventia Log Parser Editor does not seem to understand .*? as valid.


I can share a few more details in a private message but I prefer not to send all information to the list as the samples contain live data.
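The greedy-wildcard problem raised in the question can be reproduced and worked around without a lazy quantifier. The example below is added here for illustration and is not code from the poster, from Check Point or from Barracuda: the sample syslog lines use a simplified key=value layout that is assumed for the example (it is not the real gateway format), the field labels (`from`, `to`, `action`, `malware`, `score`, `reason`) are the poster's wish list rather than confirmed Check Point field names, and the "combine" helper only shows the idea of joining several extracted values into one field, not how the Eventia Log Parser Editor does it. The parsing itself shows the general regex technique a practitioner would reach for when `.*?` is not accepted: a negated character class such as `[^>]*` stops at the first closing delimiter, whereas `.*` runs to the last one on the line and swallows the recipient.

```python
import re

# Constructed sample lines in an assumed key=value syslog layout (not real Barracuda output).
SAMPLE_LINES = [
    "Aug 20 10:15:01 bsg scan: from=<alice@example.net> to=<bob@example.com> action=accept score=-1.23 reason=clean",
    "Aug 20 10:15:02 bsg scan: from=<mallory@example.org> to=<bob@example.com> action=reject score=7.80 reason=spam",
    "Aug 20 10:15:03 bsg scan: from=<eve@example.org> to=<carol@example.com> action=drop malware=SFP.Malware.27291.RtfHeur score=0.00 reason=virus",
]

# A greedy pattern of the kind that parses "sometimes": '.*' backtracks only to the LAST '>' on the line,
# so the sender capture overruns into the recipient whenever a second angle-bracketed address follows.
GREEDY_FROM = re.compile(r"from=<(.*)>")

# Equivalents that need no lazy '.*?': each capture is bounded by a negated character class or a
# fixed alternative, so it stops at the first delimiter regardless of what follows on the line.
FIELDS = {
    "from":    re.compile(r"from=<([^>]*)>"),
    "to":      re.compile(r"to=<([^>]*)>"),
    "action":  re.compile(r"action=(accept|drop|reject)\b"),
    "malware": re.compile(r"malware=([^ ]+)"),        # hypothetical label for the detected malware name
    "score":   re.compile(r"score=([-+]?\d+(?:\.\d+)?)"),  # signed float spam score
    "reason":  re.compile(r"reason=([^ ]+)"),         # hypothetical label for a description field
}


def greedy_from(line: str):
    """Sender as captured by the greedy pattern; shows the overrun on lines with a recipient."""
    m = GREEDY_FROM.search(line)
    return m.group(1) if m else None


def parse_line(line: str) -> dict:
    """Extract every field that is present; optional ones (malware) are simply omitted."""
    record = {}
    for name, rx in FIELDS.items():
        m = rx.search(line)
        if m:
            record[name] = m.group(1)
    if "score" in record:
        record["score"] = float(record["score"])
    return record


def combine(record: dict, names, sep: str = "; ") -> str:
    """Join several parsed fields into one value, e.g. to build a single description field.
    Fields missing from the record are skipped so the output has no empty 'name=' entries."""
    return sep.join(f"{n}={record[n]}" for n in names if n in record)


def parse_all(lines) -> list:
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print("greedy from :", greedy_from(line))
        print("bounded     :", rec)
        print("description :", combine(rec, ["action", "reason", "malware"]))
        print()
```

On the first sample line the greedy pattern returns `alice@example.net> to=<bob@example.com`, while the bounded patterns return the sender and recipient separately; the same `[^delimiter]*` idea applies to any regex engine that lacks non-greedy quantifiers.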