Cloudmark Gateway

nhads18
New Member

I'm sorry, I am a bit of a newbie with Splunk.
I would like to ask how to get Cloudmark MTA logs into Splunk?


nhads18
New Member

Hi K,

Great, it works! I can now send logs to Splunk. Now my problem is searching;
can you help me get this thing to work? I need a search string for it 😄

Inbound Latency (smtpin & smtpout) in one graph

Outbound Latency (smtpin & smtpout) in one graph

Thank you in advance 😄

Regards,

Nhads


ksandiego
New Member

Hi,

It is simple to export logs from Cloudmark Gateway to Splunk using Gateway's custom log command functionality within the workflow processor. To facilitate Splunk indexing, it's generally advisable to log all message events to a single log file that you will then direct Splunk to follow. It is also highly advisable to configure Gateway to generate log entries in Splunk's preferred key=value pair format.

For example, to build a log format suitable for message & recipient delivery tracking purposes, you could insert a "log custom file" command before each step in the SMTP protocol where you will be taking a definitive action for a connection or message (i.e. accepting the connection, rejecting the connection, accepting a recipient, etc.). If a particular Gateway policy step is reached you can configure the log event to log the exact SMTP response returned to the SMTP client or the message handling action taken.

Banner stage temp failure example:

rule 1  [FAILURE BANNER (SMTP code 421) and CLOSE session ]

IF
connection ip source simultaneous sessions [>] [$(_max_ips_allowed)]
THEN
log with level [NORMAL] in log file [splunk] message [host="$(_servername)" event="conn_reject" $(logconn) conn_id="$(_sid)" result_code="421" policy_reason="too_many_connections" result_text="Too many simultaneous sessions from your IP"]
wait seconds [10]
FAILURE connection banner and CLOSE session : SMTP code 421 - [Too many simultaneous sessions from your IP]

The above "log file custom" rule would generate the following log entry in /var/log/bizimp/splunk.log while tarpitting the SMTP client for 10 seconds and then responding with "421 Too many simultaneous sessions from your IP" at the SMTP protocol level:

20120103 09:28:23.846 core host="host1.example.com" event="conn_reject" src_host="server.badguy.com" src_ip="176.31.14.160" conn_id="H5UP1i0043TBr9c01" result_code="421" policy_reason="too_many_connections" result_text="Too many simultaneous sessions from your IP"

For more assistance, please contact Cloudmark Support at support@cloudmark.com

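As an added example (not from this thread or from Cloudmark), the following script parses entries in the key=value format the answer above describes, the way Splunk's automatic key=value field extraction would see them, and tallies conn_reject events per src_ip. The first sample line is the entry shown in the answer; the other two are constructed in the same format, and the field layout after the timestamp is assumed from that single entry.

```python
import re
from collections import Counter

# Constructed sample: the first entry is the one shown in the answer; the
# other two are made-up lines in the same format (203.0.113.7 is a
# documentation-range address, not a real host).
SAMPLE_LOG = """\
20120103 09:28:23.846 core host="host1.example.com" event="conn_reject" src_host="server.badguy.com" src_ip="176.31.14.160" conn_id="H5UP1i0043TBr9c01" result_code="421" policy_reason="too_many_connections" result_text="Too many simultaneous sessions from your IP"
20120103 09:28:31.102 core host="host1.example.com" event="conn_reject" src_host="server.badguy.com" src_ip="176.31.14.160" conn_id="H5UP1i0043TBr9d02" result_code="421" policy_reason="too_many_connections" result_text="Too many simultaneous sessions from your IP"
20120103 09:29:02.517 core host="host1.example.com" event="conn_accept" src_host="mx.partner.example" src_ip="203.0.113.7" conn_id="H5UP1i0043TBr9e03" result_code="220" policy_reason="default" result_text="host1.example.com ESMTP"
"""

# Assumed line prefix, taken from the sample: YYYYMMDD HH:MM:SS.mmm <component> <key=value ...>
LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<component>\S+) (?P<fields>.*)$"
)
# key="quoted value with spaces" or key=bare_value; backslash escapes allowed inside quotes
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def parse_line(line):
    """Split one splunk.log entry into a dict of fields; None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {k: m.group(k) for k in ("date", "time", "component")}
    for kv in KV_RE.finditer(m.group("fields")):
        key, quoted, bare = kv.groups()
        # a bare value matched group 3; a quoted value (possibly empty) matched group 2
        event[key] = bare if bare is not None else quoted
    return event

def reject_counts_by_src_ip(log_text, policy_reason=None):
    """Count conn_reject events per src_ip, optionally limited to one policy_reason."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.get("event") != "conn_reject":
            continue
        if policy_reason is not None and ev.get("policy_reason") != policy_reason:
            continue
        counts[ev.get("src_ip", "unknown")] += 1
    return counts

if __name__ == "__main__":
    for ip, n in reject_counts_by_src_ip(SAMPLE_LOG, "too_many_connections").items():
        print(f"{ip}: {n} rejections for too_many_connections")
```

Running the parser over the real /var/log/bizimp/splunk.log is a quick way to confirm that every rule writes well-formed quoted values before relying on Splunk's field extraction for the latency searches asked about above.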