
mail.proofpoint

The tags beginning with mail.proofpoint identify log events generated by Proofpoint products. 

Tag structure

The full tag must have at least three levels. The first two are fixed as mail.proofpoint. The third level identifies the event type. The fourth tag level (subtype) is only used by the mail.proofpoint.pod and mail.proofpoint.tapsiem_v2 tables, and can have one of the values in the table:

technology   brand        type            subtype
mail         proofpoint   pod             events, isolation, maillog, message
                          tapsiem_v2      clicksblocked, clickspermitted, messagesblocked, messagesdelivered
                          sendmail        -
                          stdout          -
                          trap            -
                          trap_incident   -

Therefore, the valid tags include:

  • mail.proofpoint.pod.events

  • mail.proofpoint.pod.isolation

  • mail.proofpoint.pod.maillog

  • mail.proofpoint.pod.message

  • mail.proofpoint.sendmail

  • mail.proofpoint.stdout

  • mail.proofpoint.trap

  • mail.proofpoint.trap_incident

  • mail.proofpoint.tapsiem_v2 

  • mail.proofpoint.tapsiem_v2.clicksblocked

  • mail.proofpoint.tapsiem_v2.clickspermitted

  • mail.proofpoint.tapsiem_v2.messagesblocked

  • mail.proofpoint.tapsiem_v2.messagesdelivered

For more information, read about Devo tags.

Devo Relay rules

Rule 1 - Proofpoint Trap

  • Source port → 14001

  • Source data → (\[PTRAuditData [^\]]+\].*)$

  • Target tag → mail.proofpoint.trap

  • Target message → \\D1

  • Select both Stop processing and Sent without syslog tag

Rule 2 - Proofpoint stdout

  • Source port → 13009

  • Source tag → filter_instance1

  • Target tag → mail.proofpoint.stdout

  • Select Stop processing

Rule 3 - Proofpoint sendmail

  • Source port → 13009

  • Target tag → mail.proofpoint.sendmail

  • Select Stop processing
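The following added example (not part of the Devo documentation or any Devo tool) models both the tag structure and the three relay rules above: validate_tag checks a tag against the table, and route applies rules 1 to 3 in order, including the \D1 capture of rule 1. The sample log line is constructed; the assumption that rules 2 and 3 forward the message unchanged is the example's own.

```python
import re

# Allowed third-level types and their fourth-level subtypes from the tag table above.
# The flag says whether a subtype is mandatory: the valid-tag list has no bare
# mail.proofpoint.pod, while mail.proofpoint.tapsiem_v2 appears both with and without one.
PROOFPOINT_TYPES = {
    "pod": ({"events", "isolation", "maillog", "message"}, True),
    "tapsiem_v2": ({"clicksblocked", "clickspermitted",
                    "messagesblocked", "messagesdelivered"}, False),
    "sendmail": (set(), False),
    "stdout": (set(), False),
    "trap": (set(), False),
    "trap_incident": (set(), False),
}


def validate_tag(tag):
    """Return True if tag follows the mail.proofpoint tag structure described above."""
    levels = tag.strip().split(".")
    if len(levels) not in (3, 4) or levels[:2] != ["mail", "proofpoint"]:
        return False
    entry = PROOFPOINT_TYPES.get(levels[2])
    if entry is None:
        return False
    subtypes, required = entry
    if len(levels) == 3:
        return not required
    return levels[3] in subtypes


# Relay rule 1: the capture group is what \D1 forwards as the target message.
TRAP_PATTERN = re.compile(r"(\[PTRAuditData [^\]]+\].*)$")


def route(port, source_tag, data):
    """Apply relay rules 1-3 in order; return (target_tag, target_message) or None."""
    if port == 14001:
        m = TRAP_PATTERN.search(data)
        if m:  # rule 1: forward only the captured audit data
            return ("mail.proofpoint.trap", m.group(1))
        return None
    if port == 13009:
        # Rule 2 must precede rule 3, since rule 3 matches anything else on 13009.
        # Assumption: both rules pass the message through unchanged.
        if source_tag == "filter_instance1":
            return ("mail.proofpoint.stdout", data)
        return ("mail.proofpoint.sendmail", data)
    return None


# Constructed sample, not a real Proofpoint log line.
SAMPLE_TRAP_LINE = "<14>Jan 1 00:00:00 trap-host [PTRAuditData user=admin action=login] session opened"
```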