We have a requirement that when using the Ironport DLP feature, when a DLP violation is detected, we want to encrypt the email using PXE if TLS is not available. But we want to send our sender a notification that the email was sent out using PXE (only). Out of the box, Ironport cannot send a notification when only using PXE, so we are trying Splunk.
If anyone can help me out here, I would most appreciate it. From the Ironport log, we see the first MID was generated along with the sender, recipient, and subject; however, once Ironport detected the DLP violation and couldn't send using TLS, it used PXE encryption, which creates a new MID based off the first MID. I have a search that will pick up the sender, recipient and date/time, but I am unable to pick up the Subject.
May 12 16:42:31 10.88.2.126 May 12 16:42:31 syslog_mail: Info: MID 27186129 Subject 'DLP123'
May 12 16:42:32 10.88.2.126 May 12 16:42:32 syslog_mail: Info: MID 27186129 DLP violation
May 12 16:42:32 10.88.2.126 May 12 16:42:32 syslog_mail: Info: MID 27186129 queued for delivery
May 12 16:42:33 10.88.2.126 May 12 16:42:33 syslog_mail: Info: Message finished MID 27186129 done
May 12 16:42:33 10.88.2.126 May 12 16:42:33 syslog_mail: Info: MID 27186131 was generated based on MID 27186129 by PXE encryption filter 'Encryption_and_Notify'
May 12 16:42:33 10.88.2.126 May 12 16:42:33 syslog_mail: Info: MID 27186131 ICID 0 From:
May 12 16:42:33 10.88.2.126 May 12 16:42:33 syslog_mail: Info: MID 27186131 ICID 0 RID 0 To:
May 12 16:42:33 10.88.2.126 May 12 16:42:33 syslog_mail: Info: MID 27186131 queued for delivery
However, this would need to be a 2 part search:
1. Find any log with a PXE encryption.
2. Find all logs pertaining to the first MID value specified in the Log.
Any help would be really appreciated.
thanks
Wrick
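As an added illustration of the two-part correlation the question describes (this is not the poster's search and not Ironport or Splunk code), the script below does the same join in Python over the log lines quoted above: it first finds the "was generated based on MID ... by PXE encryption filter" event, then looks up every line of the original MID to recover the Subject (and the DLP verdict), and every line of the new MID to recover the envelope sender and recipient. The log lines are embedded verbatim from the post; the From:/To: values are blank there, so the example reports them as missing rather than inventing addresses.

```python
import re
from collections import defaultdict

# The log lines quoted in the question, embedded here so the example runs offline.
# (The From:/To: values are blank in the post, exactly as shown there.)
SAMPLE_LOG = """\
May 12 16:42:31 10.88.2.126 May 12 16:42:31 syslog_mail: Info: MID 27186129 Subject 'DLP123'
May 12 16:42:32 10.88.2.126 May 12 16:42:32 syslog_mail: Info: MID 27186129 DLP violation
May 12 16:42:32 10.88.2.126 May 12 16:42:32 syslog_mail: Info: MID 27186129 queued for delivery
May 12 16:42:33 10.88.2.126 May 12 16:42:33 syslog_mail: Info: Message finished MID 27186129 done
May 12 16:42:33 10.88.2.126 May 12 16:42:33 syslog_mail: Info: MID 27186131 was generated based on MID 27186129 by PXE encryption filter 'Encryption_and_Notify'
May 12 16:42:33 10.88.2.126 May 12 16:42:33 syslog_mail: Info: MID 27186131 ICID 0 From:
May 12 16:42:33 10.88.2.126 May 12 16:42:33 syslog_mail: Info: MID 27186131 ICID 0 RID 0 To:
May 12 16:42:33 10.88.2.126 May 12 16:42:33 syslog_mail: Info: MID 27186131 queued for delivery
"""

# Any "Info:" line that carries a MID; group 2 is the remainder of the message.
MID_LINE = re.compile(r"Info: (?:Message finished )?MID (\d+) ?(.*)$")
# Step 1 of the question: the PXE line links the new MID to the original one.
PXE_LINE = re.compile(
    r"MID (\d+) was generated based on MID (\d+) by PXE encryption filter '([^']*)'")
SUBJECT = re.compile(r"^Subject '(.*)'$")
SENDER = re.compile(r"^ICID \d+ From:\s*(.*)$")
RECIPIENT = re.compile(r"^ICID \d+ RID \d+ To:\s*(.*)$")


def index_by_mid(lines):
    """Group the message part of every MID line under its MID (step 2 of the question)."""
    by_mid = defaultdict(list)
    for line in lines:
        m = MID_LINE.search(line)
        if m:
            by_mid[m.group(1)].append(m.group(2))
    return by_mid


def pxe_notifications(log_text):
    """Return one record per PXE-generated message, with the Subject taken from the
    original MID and sender/recipient taken from the PXE child MID."""
    lines = log_text.splitlines()
    by_mid = index_by_mid(lines)
    records = []
    for line in lines:
        m = PXE_LINE.search(line)
        if not m:
            continue
        child, parent, filt = m.groups()
        rec = {
            "time": line[:15],          # syslog timestamp of the PXE event
            "pxe_mid": child,
            "orig_mid": parent,
            "filter": filt,
            "subject": None,
            "sender": None,
            "recipient": None,
            "dlp_violation": False,
        }
        # Walk the original MID's lines for the Subject and the DLP verdict.
        for rest in by_mid.get(parent, []):
            s = SUBJECT.match(rest)
            if s:
                rec["subject"] = s.group(1)
            elif rest.startswith("DLP violation"):
                rec["dlp_violation"] = True
        # Walk the PXE MID's lines for the envelope sender and recipient.
        for rest in by_mid.get(child, []):
            s = SENDER.match(rest)
            r = RECIPIENT.match(rest)
            if s:
                rec["sender"] = s.group(1) or None      # blank in the posted log
            elif r:
                rec["recipient"] = r.group(1) or None   # blank in the posted log
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in pxe_notifications(SAMPLE_LOG):
        print(rec)
```

The shape of the join is the point: the PXE line is the only event that mentions both MIDs, so extracting the parent MID from it and then pulling that parent's events is what the two-part search has to do, whether it is done here in Python or in Splunk with a regex field extraction feeding a second search on the original MID.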