Splunk Search

Proofpoint sending logs with missing information, is there anything that I can change or edit?

daniaabujuma
Explorer

Hi all, I have an issue with the logs I am receiving from Proofpoint. The issue is that I am receiving logs with either (from) or (to) field, but they are never associated together. This is due to the fact that every time an email is sent or received, it goes to quarantine in Proofpoint to be scanned, and is then sent to the recipient. This is an issue for me because I can't see the sender and receiver for each email.

I have reached out to Proofpoint but they said there's nothing we can do. I am receiving the logs through syslog, is there anything that I can change or edit to receive the logs with both fields?

0 Karma

PickleRick
SplunkTrust

Proofpoint logs are indeed quite annoying to work with since information about a single mail can be scattered across many different events.

But (and your Proofpoint admin should have told you that) there are two fields - sid and qid - which can be used to correlate those events.

So the logs are not missing this piece of info (unless you're not ingesting everything), it's just a matter of searching properly.
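As an added illustration of the correlation described above (not part of the original reply), the search below stitches the `from` and `to` events back together per message. It assumes the Proofpoint events are already in an index named `proofpoint` and that the field extractions expose `qid`, `sid`, `from` and `to`; the index name and sourcetype filter are placeholders for whatever your environment uses.

```spl
index=proofpoint sourcetype=pps* qid=*
| stats values(from) AS sender
        values(to) AS recipient
        values(sid) AS sid
        min(_time) AS first_seen
        max(_time) AS last_seen
        count AS events
  BY qid
| where isnotnull(sender) AND isnotnull(recipient)
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table qid sid sender recipient first_seen last_seen events
```

Grouping with `stats` by `qid` is cheaper than `transaction` and scales to large volumes; if your events carry only `sid` and no `qid`, group by `sid` instead, and messages that show a sender but no recipient in the result are the ones where part of the event chain was never ingested.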

ITWhisperer
SplunkTrust

If Proofpoint does not or is unwilling to meet your requirements, find an alternative solution provider?

0 Karma

PickleRick
SplunkTrust

However strongly I might agree with your point of view, typically the log export format is not at the top of criteria list for choosing an email gateway 😉

0 Karma

daniaabujuma
Explorer

Hi @ITWhisperer ,

Unfortunately, that is not an option for me. All I can do is look for a workaround or a way to edit syslog configuration settings to receive logs in the appropriate form. Do you have any recommendation?

0 Karma