Proofpoint Protection Server
Key facts
- Requires vendor product by source configuration
- Legacy BSD Format default port 514
- NOTE: This filter will simply parse the syslog message itself, and will not perform the (required) re-assembly of related
messages to create meaningful final output. This will require follow-on processing in Splunk.
Links
Sourcetypes
| sourcetype |
notes |
| pps_filter_log |
|
| pps_mail_log |
This sourcetype will conflict with sendmail itself, so will require that the PPS send syslog on a dedicated port or be uniquely identifiable with a hostname glob or CIDR block if this sourcetype is desired for PPS. |
Sourcetype and Index Configuration
| key |
sourcetype |
index |
notes |
| proofpoint_pps_filter |
pps_filter_log |
email |
none |
| proofpoint_pps_sendmail |
pps_mail_log |
email |
none |
Parser Configuration
#/opt/sc4s/local/config/app-parsers/app-vps-proofpoint_pps.conf
#File name provided is a suggestion it must be globally unique
application app-vps-test-proofpoint_pps[sc4s-vps] {
filter {
host("pps-*" type(glob))
};
parser {
p_set_netsource_fields(
vendor('proofpoint')
product('pps')
);
};
};