Hi All,
Here are some log entries from a Cisco IronPort email security appliance:
Feb 21 10:16:55 212.167.24.57 Feb 21 10:16:55 mail_logs_to_splunk: Info: DCID 355912 close
Feb 21 10:16:54 212.167.24.57 Feb 21 10:16:54 mail_logs_to_splunk: Info: Message finished MID 2185496 done
Feb 21 10:16:54 212.167.24.57 Feb 21 10:16:54 mail_logs_to_splunk: Info: MID 2185496 RID [0] Response '2.6.0 <!&!AAAAAAAAAAAYAAAAAAAAAOB/hostK2zaNErnPVyPB9CJ3CgAAAEAAAAJ4C4lsTCIJPlZP1Zc4HuZEBAAAAAA==@21cnmanager.com> Queued mail for delivery'
Feb 21 10:16:54 212.167.24.57 Feb 21 10:16:54 mail_logs_to_splunk: Info: Message done DCID 355912 MID 2185496 to RID [0]
Feb 21 10:16:47 212.167.24.57 Feb 21 10:16:47 mail_logs_to_splunk: Info: Delivery start DCID 355912 MID 2185496 to RID [0]
Feb 21 10:16:47 212.167.24.57 Feb 21 10:16:47 mail_logs_to_splunk: Info: New SMTP DCID 355912 interface 212.167.XX.XX address 202.82.XX.XX port 25
Feb 21 10:16:47 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: MID 2185496 queued for delivery
Feb 21 10:16:47 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: MID 2185496 was too big (1946137/262144) for scanning by VOF
Feb 21 10:16:47 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: MID 2185496 matched all recipients for per-recipient policy DEFAULT in the inbound table
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: Message finished MID 2185491 done
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: ICID 2070528 close
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: MID 2185496 ICID 0 RID 0 To: <julie.hou@gmail.com>
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: LDAP: Mailhost query host2_ldap_production.routing MID 2185491 address julie.hou@gmail.com to mx.gmail.com
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: LDAP: Reroute query host2_ldap_production.routing MID 2185491 RID 0 address julie.hou@gmail.com to [('julie.hou@gmail.com', 'mx.gmail.com')]
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: MID 2185496 ICID 0 From: <zhujin@21cnmanager.com>
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: MID 2185491 rewritten to MID 2185496 by LDAP rewrite
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: MID 2185491 ready 1946137 bytes from <zhujin@21cnmanager.com>
Feb 21 10:16:45 212.167.24.57 Feb 21 10:16:45 mail_logs_to_splunk: Info: MID 2185491 Subject 'Greeting from Consulting'
Feb 21 10:16:45 212.167.24.57 Feb 21 10:16:45 mail_logs_to_splunk: Info: MID 2185491 Message-ID '<!&!AAAAAAAAAAAYAAAAAAAAAOB/hostK2zaNErnPVyPB9CJ3CgAAAEAAAAJ4C4lsTCIJPlZP1Zc4HuZEBAAAAAA==@21cnmanager.com>'
Feb 21 10:16:45 212.167.24.57 Feb 21 10:16:45 mail_logs_to_splunk: Info: MID 2185491 ICID 2070528 RID 0 To: <julie.hou@gmail.com>
Feb 21 10:16:45 212.167.24.57 Feb 21 10:16:45 mail_logs_to_splunk: Info: MID 2185491 ICID 2070528 From: <zhujin@21cnmanager.com>
Feb 21 10:16:45 212.167.24.57 Feb 21 10:16:45 mail_logs_to_splunk: Info: Start MID 2185491 ICID 2070528
Feb 21 10:16:45 212.167.24.57 Feb 21 10:16:45 mail_logs_to_splunk: Info: ICID 2070528 ACCEPT SG host2_outgoing_whitelist match 172.16.10.2-3 SBRS rfc1918
Feb 21 10:16:45 212.167.24.57 Feb 21 10:16:45 mail_logs_to_splunk: Info: New SMTP ICID 2070528 interface host2_Internal (172.16.10.4) address 172.16.10.3 reverse dns host unknown verified no
I think there are four keywords for searching these logs: 2185496, 355912, 2185491, 2070528, but in practice I only know one keyword to search, for example "MID 2185496". I want to define a search template so that when I input only that one keyword, e.g. "MID 2185496", it prints all related log entries. How can I do it?
Thanks.
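The correlation the question asks for is a transitive walk: start from one key, pull in every line that shares it, learn the other keys on those lines (the DCID of the delivery, the original MID before the LDAP rewrite, the ICID of the inbound connection) and repeat until the set stops growing. This added Python example (not from the question, Splunk or Cisco) does that walk over a constructed, abbreviated subset of the post's lines plus two unrelated distractor lines; the sample text, the key regex and the decision to ignore RID and ICID 0 are assumptions made for the example.

```python
import re

# Sample mail_logs lines: constructed for this example, abbreviated from the
# question's log (syslog prefix dropped); the last two are unrelated distractors.
SAMPLE_LOG = [
    "Info: DCID 355912 close",
    "Info: Message done DCID 355912 MID 2185496 to RID [0]",
    "Info: New SMTP DCID 355912 interface 212.167.XX.XX address 202.82.XX.XX port 25",
    "Info: MID 2185496 was too big (1946137/262144) for scanning by VOF",
    "Info: MID 2185496 ICID 0 RID 0 To: <recipient@example.net>",
    "Info: MID 2185491 rewritten to MID 2185496 by LDAP rewrite",
    "Info: MID 2185491 Subject 'Greeting from Consulting'",
    "Info: Start MID 2185491 ICID 2070528",
    "Info: ICID 2070528 close",
    "Info: MID 2185500 ICID 0 RID 0 To: <someone-else@example.net>",
    "Info: Start MID 2185500 ICID 2070531",
]

# Correlation keys in mail_logs. RID is a per-recipient index, not a session id,
# so it is not a key. ICID 0 appears on messages with no inbound connection of
# their own (the rewritten MID 2185496 in the post) and would join unrelated mail.
ID_RE = re.compile(r"\b(MID|DCID|ICID) (\d+)\b")

def ids_in(line):
    """Return the usable correlation keys ('MID 2185496', ...) found in one line."""
    return {f"{kind} {num}" for kind, num in ID_RE.findall(line) if num != "0"}

def related_lines(log, seed):
    """Transitive closure from one key: a line sharing any known key joins the
    result and contributes its own keys, until a full pass learns nothing new."""
    known = {seed}
    hits = set()
    changed = True
    while changed:
        changed = False
        for i, line in enumerate(log):
            keys = ids_in(line)
            if keys & known:
                hits.add(i)
                if not keys <= known:   # a new MID/DCID/ICID to follow next pass
                    known |= keys
                    changed = True
    return known, [log[i] for i in sorted(hits)]

if __name__ == "__main__":
    keys, lines = related_lines(SAMPLE_LOG, "MID 2185496")
    print(sorted(keys))
    print("\n".join(lines))
```

In Splunk the same walk is a subsearch (or `transaction`) that first collects the MID/DCID/ICID values seen with the seed and then searches for any of them; the Python shows exactly which values such a subsearch must return.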