
mail.proofpoint

The tags beginning with mail.proofpoint identify log events generated by Proofpoint products. 

Tag structure

The full tag has three or four levels. The first two are fixed as mail.proofpoint. The third level identifies the type of events sent, and the optional fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service             Tags                                            Data tables
Proofpoint Email Protection   mail.proofpoint.pod                             mail.proofpoint.pod
                              mail.proofpoint.pod.events                      mail.proofpoint.pod.events
                              mail.proofpoint.pod.isolation                   mail.proofpoint.pod.isolation
                              mail.proofpoint.pod.maillog                     mail.proofpoint.pod.maillog
                              mail.proofpoint.pod.message                     mail.proofpoint.pod.message
                              mail.proofpoint.sendmail                        mail.proofpoint.sendmail
                              mail.proofpoint.stdout                          mail.proofpoint.stdout
                              mail.proofpoint.tapsiem                         mail.proofpoint.tapsiem
                              mail.proofpoint.tapsiem_syslog                  mail.proofpoint.tapsiem_syslog
                              mail.proofpoint.tapsiem_v2                      mail.proofpoint.tapsiem_v2
                              mail.proofpoint.tapsiem_v2.clicksblocked        mail.proofpoint.tapsiem_v2.clicksblocked
                              mail.proofpoint.tapsiem_v2.clickspermitted      mail.proofpoint.tapsiem_v2.clickspermitted
                              mail.proofpoint.tapsiem_v2.messagesblocked      mail.proofpoint.tapsiem_v2.messagesblocked
                              mail.proofpoint.tapsiem_v2.messagesdelivered    mail.proofpoint.tapsiem_v2.messagesdelivered
                              mail.proofpoint.tap_campaigns.events            mail.proofpoint.tap_campaigns.events
                              mail.proofpoint.tap_people.top_clicks           mail.proofpoint.tap_people.top_clicks
                              mail.proofpoint.tap_people.vap                  mail.proofpoint.tap_people.vap
                              mail.proofpoint.tap_threats.events              mail.proofpoint.tap_threats.events
                              mail.proofpoint.trap                            mail.proofpoint.trap
                              mail.proofpoint.trap_incident                   mail.proofpoint.trap_incident

Each tag writes to the data table of the same name.

For more information, read more about Devo tags.

How is the data sent to Devo?

Use the following relay rules to send your data to Devo properly. The relay evaluates rules in order, and Stop processing keeps an event that matched a rule from being tested against the rules that follow it, so the TRAP rule must come before the catch-all sendmail rule:

Rule 1 - Proofpoint Trap

  • Source port → the port configured for this source

  • Source data → (\[PTRAuditData [^\]]+\].*)$

  • Target tag → mail.proofpoint.trap

  • Target message → \\D1

  • Select both Stop processing and Sent without syslog tag

Rule 2 - Proofpoint stdout

  • Source port → the port configured for this source

  • Source tag → filter_instance1

  • Target tag → mail.proofpoint.stdout

  • Select Stop processing

Rule 3 - Proofpoint sendmail

  • Source port → the port configured for this source

  • Target tag → mail.proofpoint.sendmail

  • Select Stop processing
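The following Python script is an added example, not Devo code or part of this page's original content. It models the three relay rules above as an ordered, first-match chain, applies the PTRAuditData regex and the \\D1 target-message rewrite to a few constructed log lines, and checks each target tag against the tag structure described earlier on the page (three or four levels, the first two fixed as mail.proofpoint). The relay port number and the sample log lines are assumptions made for the example; the regex, tags and rule order are the ones on the page.

```python
import re

# Relay port the three rules share ("Source port" on the page). The number is an
# assumption made for this example, not a Devo default.
RELAY_PORT = 13000

# The page's three relay rules, in evaluation order. Every rule on the page sets
# "Stop processing", so the first match wins. "target_message" uses Devo's
# \\D1 syntax to forward only capture group 1 of the source-data regex.
RULES = [
    {"name": "Rule 1 - Proofpoint Trap",
     "source_tag": None,
     "source_data": re.compile(r"(\[PTRAuditData [^\]]+\].*)$"),
     "target_tag": "mail.proofpoint.trap",
     "target_message": r"\\D1"},
    {"name": "Rule 2 - Proofpoint stdout",
     "source_tag": "filter_instance1",
     "source_data": None,
     "target_tag": "mail.proofpoint.stdout",
     "target_message": None},
    {"name": "Rule 3 - Proofpoint sendmail",
     "source_tag": None,
     "source_data": None,
     "target_tag": "mail.proofpoint.sendmail",
     "target_message": None},
]


def tag_levels(tag):
    """Split a mail.proofpoint tag into its levels and check the structure:
    the first two levels are fixed, the third names the event type and an
    optional fourth the subtype, so exactly 3 or 4 non-empty levels."""
    parts = tag.split(".")
    if parts[:2] != ["mail", "proofpoint"] or len(parts) not in (3, 4) or "" in parts:
        raise ValueError(f"invalid mail.proofpoint tag: {tag!r}")
    return parts


def render_target_message(template, match):
    """Expand Devo's \\D<n> capture-group references in a target message."""
    return re.sub(r"\\\\D(\d+)", lambda ref: match.group(int(ref.group(1))), template)


def route(port, source_tag, message):
    """Return (target_tag, forwarded_message) for one event, or (None, message)
    when no rule matches, e.g. because the event arrived on another port."""
    if port != RELAY_PORT:
        return None, message
    for rule in RULES:
        if rule["source_tag"] is not None and rule["source_tag"] != source_tag:
            continue
        match = None
        if rule["source_data"] is not None:
            match = rule["source_data"].search(message)
            if match is None:
                continue
        forwarded = message
        if rule["target_message"] is not None:
            forwarded = render_target_message(rule["target_message"], match)
        return rule["target_tag"], forwarded
    return None, message


# Every target tag used by the rules must satisfy the tag structure rule.
for rule in RULES:
    tag_levels(rule["target_tag"])

# Constructed sample events (not real Proofpoint output): (port, syslog source tag, message).
SAMPLE_EVENTS = [
    (RELAY_PORT, "trap",
     "Jan 10 12:00:00 trap01 trap: [PTRAuditData user=admin action=login] Login succeeded"),
    (RELAY_PORT, "filter_instance1",
     "filter_instance1: mod=access rule=pass s=abc123 m=1"),
    (RELAY_PORT, "sendmail",
     "sendmail[4321]: 0AB12C34: from=<sender@example.com>, size=2048, relay=localhost"),
    # A filter_instance1 line that also carries PTRAuditData: Rule 1 wins because it runs first.
    (RELAY_PORT, "filter_instance1",
     "filter_instance1: [PTRAuditData user=svc action=export] audit line seen on the filter"),
    # Wrong port: none of the rules apply.
    (514, "sendmail",
     "sendmail[4321]: 0AB12C34: to=<rcpt@example.com>, stat=Sent"),
]


def route_samples():
    """Route each sample event and return the list of (target_tag, forwarded_message)."""
    return [route(port, tag, msg) for port, tag, msg in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (port, tag, msg), (target, forwarded) in zip(SAMPLE_EVENTS, route_samples()):
        print(f"port={port} source_tag={tag} -> {target}: {forwarded}")
```

The fourth sample is the case worth checking on a real relay: a line arriving with syslog tag filter_instance1 that also contains a PTRAuditData block is captured by Rule 1 and lands in mail.proofpoint.trap, not mail.proofpoint.stdout, because Stop processing ends evaluation at the first match. If that is not the routing you want, the order of the rules, not their conditions, is what to change.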

Table structure

These are the fields displayed in these tables: