Document toolboxDocument toolbox

mail.proofpoint

The tags beginning with mail.proofpoint identify log events generated by Proofpoint products. 

Tag structure

The full tag must have three levels. The first two are fixed as mail.proofpoint. The third level identifies the event type and must be one of tapsiem_v2, sendmail, tapsiem_syslog, stdout, tapsiem, or trap.

The fourth tag level (subtype) is only used by the main.proofpoint.tapsiem_v2 table, and can have one of the values in the table:

technology

brand

type

subtype

technology

brand

type

subtype

mail

proofpoint

  • tapsiem_v2

  • sendmail

  • stdout

  • trap

  • clicksblocked

  • clickspermitted

  • messagesblocked

  • messagesdelivered

Therefore, the valid tags include:

  • mail.proofpoint.tapsiem_v2 

  • mail.proofpoint.sendmail

  • mail.proofpoint.stdout

  • mail.proofpoint.trap

  • mail.proofpoint.tapsiem_v2.clicksblocked

  • mail.proofpoint.tapsiem_v2.clickspermitted

  • mail.proofpoint.tapsiem_v2.messagesblocked

  • mail.proofpoint.tapsiem_v2.messagesdelivered

For more information, read more about Devo tags.

Devo Relay rules

Rule 1 - Proofpoint Trap

  • Source port → 14001

  • Source data → (\[PTRAuditData [^\]]+\].*)$

  • Target tag → mail.proofpoint.trap

  • Target message → \\D1

  • Select both Stop processing and Sent without syslog tag

Rule 2 - Proofpoint stdout

  • Source port → 13009

  • Source tag → filter_instance1

  • Target tag → mail.proofpoint.stdout

  • Select Stop processing

Rule 3 - Proofpoint sendmail

  • Source port → 13009

  • Target tag → mail.proofpoint.sendmail

  • Select Stop processing