
sender_ip missing into logs

slicciardola
Level 1

Hi all,

I've got the "sender_ip" line in the mail tracking logs via the web interface, but I cannot find this line in mail_logs. How do I spot this?

Thanks

6 Replies

When you find a message you're looking for, you will see a MID (message ID). Find all of the lines for that MID. The earliest should mention an ICID (incoming connection ID). Find the lines for that ICID; they will have the IP info.


Thanks,

but I would like to spot the specific line you see in the attached screenshot (Schermata 2019-10-15 alle 14.51.32.png).

The "sender_ip: xx.xx.xx.xx" is what I need to extract in some way.

Create a message filter like:

CLILogSplunkFieldsv9: if recv-listener == "InboundInterface" {
    log-entry("DEBUG REMOTEI=$RemoteIP REMOTEH=$remotehost REMOTER=$Reputation ");
}

Then you will be able to search the mail logs for REMOTEH and REMOTER of every MID.
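The two approaches in this thread (correlating a MID to its ICID to find the connecting IP, and reading back the REMOTEI/REMOTEH/REMOTER fields that the filter writes) can both be scripted over mail_logs. The following is an added example, not code from the thread or from Cisco; the log lines are constructed to mirror the AsyncOS "New SMTP ICID", "Start MID ... ICID" and "Custom Log Entry" layouts, and the assumption that log-entry() output appears as "MID <n> Custom Log Entry: <text>" is mine.

```python
import re

# Constructed sample of AsyncOS mail_logs lines (values are made up, not from the thread).
# The last line is what the message filter above would write via log-entry().
SAMPLE_MAIL_LOGS = """\
Tue Oct 15 14:51:30 2019 Info: New SMTP ICID 4101 interface InboundInterface (10.0.0.5) address 203.0.113.7 reverse dns host mx.example.net verified yes
Tue Oct 15 14:51:30 2019 Info: ICID 4101 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 3.2
Tue Oct 15 14:51:31 2019 Info: Start MID 77001 ICID 4101
Tue Oct 15 14:51:31 2019 Info: MID 77001 ICID 4101 From: <alice@example.net>
Tue Oct 15 14:51:32 2019 Info: MID 77001 ready 2048 bytes from <alice@example.net>
Tue Oct 15 14:51:33 2019 Info: New SMTP ICID 4102 interface InboundInterface (10.0.0.5) address 198.51.100.9 reverse dns host unknown verified no
Tue Oct 15 14:51:33 2019 Info: Start MID 77002 ICID 4102
Tue Oct 15 14:51:34 2019 Info: MID 77001 Custom Log Entry: DEBUG REMOTEI=203.0.113.7 REMOTEH=mx.example.net REMOTER=3.2
"""

START_MID_RE = re.compile(r"\bStart MID (\d+) ICID (\d+)\b")
NEW_ICID_RE = re.compile(r"\bNew SMTP ICID (\d+) interface \S+ \([^)]*\) address (\S+)")
CUSTOM_RE = re.compile(r"\bMID (\d+) Custom Log Entry: DEBUG REMOTEI=(\S+) REMOTEH=(\S+) REMOTER=(\S*)")


def icid_for_mid(log_text, mid):
    """Return the ICID on which the given MID was started, or None if not found."""
    for line in log_text.splitlines():
        m = START_MID_RE.search(line)
        if m and int(m.group(1)) == mid:
            return int(m.group(2))
    return None


def sender_ip_for_icid(log_text, icid):
    """Return the remote address recorded when the ICID was opened, or None."""
    for line in log_text.splitlines():
        m = NEW_ICID_RE.search(line)
        if m and int(m.group(1)) == icid:
            return m.group(2)
    return None


def sender_ip_for_mid(log_text, mid):
    """Two-step lookup: MID -> ICID -> connecting IP (the method from the first reply)."""
    icid = icid_for_mid(log_text, mid)
    return None if icid is None else sender_ip_for_icid(log_text, icid)


def custom_entry_for_mid(log_text, mid):
    """Parse the filter's REMOTEI/REMOTEH/REMOTER line for a MID into a dict, or None."""
    for line in log_text.splitlines():
        m = CUSTOM_RE.search(line)
        if m and int(m.group(1)) == mid:
            return {"ip": m.group(2), "host": m.group(3), "reputation": m.group(4)}
    return None
```

If the filter fires but nothing shows up, check that the recv-listener name in the condition matches the listener exactly and that the filter is active, since an inactive or mismatched filter writes no Custom Log Entry at all.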

Hi,

I added the filter, but no line was added to mail_logs. I changed the inbound interface listener name according to mine.

Thanks

Your other option is to upgrade to 13 and turn on the "Consolidated Event Log", a new single-line-per-email log intended for SIEM ingestion.




I cannot upgrade now; I would rather solve it with my version.