mail.proofpoint
The tags beginning with mail.proofpoint identify log events generated by Proofpoint products.
Tag structure
The full tag must have at least three levels. The first two are fixed as mail.proofpoint. The third level identifies the event type. The fourth tag level (subtype) is only used by the mail.proofpoint.pod and mail.proofpoint.tapsiem_v2 tables, and can have one of the values in the table:
technology | brand | type | subtype
---|---|---|---
mail | proofpoint | pod | events, isolation, maillog, message
mail | proofpoint | sendmail | -
mail | proofpoint | stdout | -
mail | proofpoint | trap | -
mail | proofpoint | trap_incident | -
mail | proofpoint | tapsiem_v2 | clicksblocked, clickspermitted, messagesblocked, messagesdelivered
Therefore, the valid tags include:
mail.proofpoint.pod.events
mail.proofpoint.pod.isolation
mail.proofpoint.pod.maillog
mail.proofpoint.pod.message
mail.proofpoint.sendmail
mail.proofpoint.stdout
mail.proofpoint.trap
mail.proofpoint.trap_incident
mail.proofpoint.tapsiem_v2
mail.proofpoint.tapsiem_v2.clicksblocked
mail.proofpoint.tapsiem_v2.clickspermitted
mail.proofpoint.tapsiem_v2.messagesblocked
mail.proofpoint.tapsiem_v2.messagesdelivered
For more information, read more about Devo tags.
Devo Relay rules
Rule 1 - Proofpoint Trap
Source port → 14001
Source data → (\[PTRAuditData [^\]]+\].*)$
Target tag → mail.proofpoint.trap
Target message → \D1 (the first capture group of Source data, that is, the message from [PTRAuditData onwards)
Select both Stop processing and Sent without syslog tag
Rule 2 - Proofpoint stdout
Source port → 13009
Source tag → filter_instance1
Target tag → mail.proofpoint.stdout
Select Stop processing
Rule 3 - Proofpoint sendmail
Source port → 13009
Target tag → mail.proofpoint.sendmail
Select Stop processing
Rules 2 and 3 both listen on port 13009 and rule 3 has no Source tag condition, so it catches everything on that port that rule 2 did not claim. Keep them in this order: because rule 3 stops processing, evaluating it first would route the filter_instance1 events to mail.proofpoint.sendmail and rule 2 would never fire.
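The tag structure and the three relay rules above, as an added worked example (this is not Devo or Proofpoint code): a small Python model that evaluates the rules in order with Stop processing, expands \D1 to the first capture group of Source data, and validates the resulting tags against the mail.proofpoint structure table. The sample log lines, the syslog program names used as source tags on port 13009, and the \D1 expansion rule are constructed assumptions for the example; the relay's syslog-header handling (Sent without syslog tag) is not modeled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- Tag structure from the page: technology.brand.type[.subtype] ---------
TECHNOLOGY = "mail"
BRAND = "proofpoint"

# type -> (three-level tag listed as valid on the page, allowed subtypes).
# pod only appears with a subtype; tapsiem_v2 appears both bare and with one.
TAG_TYPES = {
    "pod": (False, {"events", "isolation", "maillog", "message"}),
    "sendmail": (True, set()),
    "stdout": (True, set()),
    "trap": (True, set()),
    "trap_incident": (True, set()),
    "tapsiem_v2": (True, {"clicksblocked", "clickspermitted",
                          "messagesblocked", "messagesdelivered"}),
}


def parse_tag(tag: str) -> Tuple[str, str, str, Optional[str]]:
    """Split a tag into (technology, brand, type, subtype); raise on bad tags."""
    parts = tag.split(".")
    if len(parts) not in (3, 4):
        raise ValueError(f"{tag!r}: expected 3 or 4 levels, got {len(parts)}")
    tech, brand, typ = parts[:3]
    subtype = parts[3] if len(parts) == 4 else None
    if tech != TECHNOLOGY or brand != BRAND:
        raise ValueError(f"{tag!r}: must start with {TECHNOLOGY}.{BRAND}")
    if typ not in TAG_TYPES:
        raise ValueError(f"{tag!r}: unknown type {typ!r}")
    bare_ok, subtypes = TAG_TYPES[typ]
    if subtype is None and not bare_ok:
        raise ValueError(f"{tag!r}: type {typ!r} requires a subtype")
    if subtype is not None and subtype not in subtypes:
        raise ValueError(f"{tag!r}: subtype {subtype!r} not allowed for {typ!r}")
    return tech, brand, typ, subtype


def is_valid_tag(tag: str) -> bool:
    try:
        parse_tag(tag)
        return True
    except ValueError:
        return False


# --- Relay rules from the page, evaluated in order ------------------------
@dataclass
class RelayRule:
    name: str
    source_port: int
    target_tag: str
    source_tag: Optional[str] = None      # syslog tag the sender attached (assumed)
    source_data: Optional[str] = None     # regex applied to the message body
    target_message: Optional[str] = None  # \D1..\Dn = capture groups of source_data
    stop_processing: bool = True


RULES = [
    RelayRule("Rule 1 - Proofpoint Trap", 14001, "mail.proofpoint.trap",
              source_data=r"(\[PTRAuditData [^\]]+\].*)$", target_message=r"\D1"),
    RelayRule("Rule 2 - Proofpoint stdout", 13009, "mail.proofpoint.stdout",
              source_tag="filter_instance1"),
    RelayRule("Rule 3 - Proofpoint sendmail", 13009, "mail.proofpoint.sendmail"),
]


def route(port: int, source_tag: Optional[str], message: str,
          rules: List[RelayRule] = RULES) -> List[Tuple[str, str]]:
    """Return [(target_tag, forwarded_message), ...] for the rules that fire.

    Rules are tried in order; a rule whose Stop processing flag is set ends
    evaluation, so rule order decides what a port 13009 event is tagged as.
    """
    deliveries = []
    for rule in rules:
        if rule.source_port != port:
            continue
        if rule.source_tag is not None and rule.source_tag != source_tag:
            continue
        match = None
        if rule.source_data is not None:
            match = re.search(rule.source_data, message)
            if match is None:
                continue
        forwarded = message
        if rule.target_message is not None and match is not None:
            # Expand \D<n> to capture group n (assumed \D1 semantics).
            forwarded = re.sub(r"\\D(\d+)",
                               lambda g: match.group(int(g.group(1))),
                               rule.target_message)
        deliveries.append((rule.target_tag, forwarded))
        if rule.stop_processing:
            break
    return deliveries


# Constructed sample input; not real Proofpoint output.
TRAP_LINE = ("trap01 proofpoint-trap: [PTRAuditData user=analyst "
             "action=quarantine] incident 42 updated")

if __name__ == "__main__":
    for port, stag, msg in [(14001, None, TRAP_LINE),
                            (13009, "filter_instance1", "mod=mail cmd=data ok"),
                            (13009, "sendmail", "stat=Sent"),
                            (14001, None, "heartbeat ok")]:
        for tag, out in route(port, stag, msg):
            print(tag, is_valid_tag(tag), out)
```

Reversing the two port 13009 rules (pass `rules=[RULES[2], RULES[1]]`) sends the filter_instance1 events to mail.proofpoint.sendmail, which is the misconfiguration the rule order guards against; a trap-port line without a PTRAuditData block matches no rule and is dropped by this model.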