Proofpoint Protection Server

Key facts

  • Requires vendor product by source configuration
  • Legacy BSD format; default port 514
  • NOTE: This filter parses only the individual syslog message; it does not perform the (required) re-assembly of related messages to create meaningful final output. That re-assembly requires follow-on processing in Splunk.
Ref Link
Splunk Add-on
Product Manual


sourcetype notes
pps_mail_log    This sourcetype conflicts with sendmail itself. If this sourcetype is desired for PPS, the PPS must either send syslog on a dedicated port or be uniquely identifiable by a hostname glob or CIDR block.

Sourcetype and Index Configuration

key                      sourcetype      index  notes
proofpoint_pps_filter    pps_filter_log  email  none
proofpoint_pps_sendmail  pps_mail_log    email  none

Parser Configuration

# The file name provided is a suggestion; it must be globally unique

application app-vps-test-proofpoint_pps[sc4s-vps] {
    filter {
        host("pps-*" type(glob))
    };
    parser {