mail.proofpoint
The tags beginning with mail.proofpoint identify log events generated by Proofpoint products.
Tag structure
The full tag must have three levels. The first two are fixed as mail.proofpoint. The third level identifies the event type and must be one of tapsiem_v2, sendmail, tapsiem_syslog, stdout, tapsiem, or trap.
The fourth tag level (subtype) is only used by the mail.proofpoint.tapsiem_v2 table, and can have one of the values in the table:
technology | brand | type | subtype |
---|---|---|---|
mail | proofpoint | tapsiem_v2 | clicksblocked |
 | | | clickspermitted |
 | | | messagesblocked |
 | | | messagesdelivered |
Therefore, the valid tags include:
mail.proofpoint.tapsiem_v2
mail.proofpoint.sendmail
mail.proofpoint.stdout
mail.proofpoint.trap
mail.proofpoint.tapsiem_v2.clicksblocked
mail.proofpoint.tapsiem_v2.clickspermitted
mail.proofpoint.tapsiem_v2.messagesblocked
mail.proofpoint.tapsiem_v2.messagesdelivered
For more information, read more about Devo tags.
Devo Relay rules
Rule 1 - Proofpoint Trap
Source port → 14001
Source data → (\[PTRAuditData [^\]]+\].*)$
Target tag → mail.proofpoint.trap
Target message → \\D1
Select both Stop processing and Sent without syslog tag
Rule 2 - Proofpoint stdout
Source port → 13009
Source tag → filter_instance1
Target tag → mail.proofpoint.stdout
Select Stop processing
Rule 3 - Proofpoint sendmail
Source port → 13009
Target tag → mail.proofpoint.sendmail
Select Stop processing
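The following script is an added example, not part of this page or of Devo's own code. It checks tags against the structure described under Tag structure and emulates the three relay rules above (first match wins, as with Stop processing); the log lines are constructed samples, and the Target message value \\D1 is treated as the first capture group of the Source data pattern.

```python
import re

# Third-level event types and tapsiem_v2 subtypes, as listed on this page.
EVENT_TYPES = {"tapsiem_v2", "sendmail", "tapsiem_syslog", "stdout", "tapsiem", "trap"}
TAPSIEM_V2_SUBTYPES = {"clicksblocked", "clickspermitted",
                       "messagesblocked", "messagesdelivered"}


def is_valid_proofpoint_tag(tag: str) -> bool:
    """Return True if `tag` follows the mail.proofpoint tag structure."""
    parts = tag.split(".")
    if len(parts) not in (3, 4):
        return False
    if parts[0] != "mail" or parts[1] != "proofpoint":
        return False
    if parts[2] not in EVENT_TYPES:
        return False
    if len(parts) == 4:
        # Only tapsiem_v2 accepts a subtype, and only the four listed values.
        return parts[2] == "tapsiem_v2" and parts[3] in TAPSIEM_V2_SUBTYPES
    return True


# Rule 1's Source data pattern, copied from the relay rule above.
TRAP_SOURCE_DATA = re.compile(r"(\[PTRAuditData [^\]]+\].*)$")


def route(port: int, source_tag: str, line: str):
    """Apply the three relay rules in order and return (target_tag, message),
    or None when no rule matches.  Rule 1 rewrites the message to \\D1,
    interpreted here as the first capture group; Rules 2 and 3 forward the
    line unchanged."""
    if port == 14001:
        m = TRAP_SOURCE_DATA.search(line)
        if m is not None:
            return "mail.proofpoint.trap", m.group(1)
    if port == 13009 and source_tag == "filter_instance1":
        return "mail.proofpoint.stdout", line
    if port == 13009:
        return "mail.proofpoint.sendmail", line
    return None


# Constructed sample lines (not real Proofpoint output).
SAMPLE_TRAP_LINE = "<14>Jan  1 00:00:00 trap-host [PTRAuditData user=analyst action=login] ok"
SAMPLE_SENDMAIL_LINE = "<14>Jan  1 00:00:00 mx-host sendmail[123]: stat=Sent"

if __name__ == "__main__":
    print(route(14001, "", SAMPLE_TRAP_LINE))
    print(route(13009, "", SAMPLE_SENDMAIL_LINE))
```

Note that Rule 2 and Rule 3 share port 13009, so ordering matters: only lines carrying the filter_instance1 source tag reach mail.proofpoint.stdout, everything else on that port becomes mail.proofpoint.sendmail.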