PostFix Mail Transfer Agent sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
PostFix Mail Transfer Agent sample messages when you use the Syslog protocol
Sample 1: The following sample event message shows that an email is sent successfully.
<22>Mar 5 13:09:45 postfix.mailtransferagent.test postfix/smtpd[7609]: B83C6210AB: client=unknown[192.168.0.14] message-id=<27914646.772901551755385716.JavaMail.root@testsrv1> from=<user4@exampledomain.test>, size=564564, nrcpt=1 (queue active) to=<user01@host.example.test>, relay=apc.olc.protection.server.test[192.168.126.33]:25, delay=3.4, delays=0.03/0/0.62/2.7, dsn=2.6.0, status=sent (250 2.6.0 <27914646.772901551755385716.JavaMail.root@testsrv1> [InternalId=19877108654932, Hostname=SERVER.PROD.EXAMPLE.TEST] 570417 bytes in 2.113, 263.513 KB/sec Queued mail for delivery -> 250 2.1.5) removed
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | B83C6210AB |
| Number of Recipients (custom property) | 1 |
| Username | user4@exampledomain.test |
| Originating Host (custom property) | exampledomain.test |
| Originating User (custom property) | user4@exampledomain.test |
| Recipient Host (custom property) | host.example.test |
| Recipient User (custom property) | user01@host.example.test |
| Source IP | 192.168.0.14 |
| Destination IP | 192.168.126.33 |
| Destination Port | 25 |
Sample 2: The following sample event message shows that an email is received.
<22>Jun 19 15:41:12 postfix.mailtransferagent.test postfix/qmgr[12345]: FFFFFFF: from=<User.Name@domain1.test>, size=3806, nrcpt=1 (queue active)
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | qmgr |
| Username | User.Name@domain1.test |
| Message Size (custom property) | 3806 |
| MessageID (custom property) | FFFFFFF |
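The values in the two tables above can be checked outside QRadar by extracting them from the payloads with a small parser. The following Python is an added example, not IBM or QRadar code; the function name `parse_postfix`, the dictionary keys, and the abbreviated copy of Sample 1 are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed inputs: Sample 1 (abbreviated) and Sample 2 from this page, each joined on one line.
SAMPLE_1 = ('<22>Mar 5 13:09:45 postfix.mailtransferagent.test postfix/smtpd[7609]: '
            'B83C6210AB: client=unknown[192.168.0.14] from=<user4@exampledomain.test>, '
            'size=564564, nrcpt=1 (queue active) to=<user01@host.example.test>, '
            'relay=apc.olc.protection.server.test[192.168.126.33]:25, dsn=2.6.0, status=sent')
SAMPLE_2 = ('<22>Jun 19 15:41:12 postfix.mailtransferagent.test postfix/qmgr[12345]: '
            'FFFFFFF: from=<User.Name@domain1.test>, size=3806, nrcpt=1 (queue active)')

# Syslog priority, timestamp, host, Postfix daemon[pid], queue ID, then the key=value body.
HEADER = re.compile(
    r'^<\d{1,3}>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) '
    r'postfix/(?P<daemon>\w+)\[\d+\]: (?P<queue_id>[0-9A-Za-z]+): (?P<body>.*)$')
ADDR = r'<(?P<{0}_user>[^<>@\s]*)@(?P<{0}_host>[^<>\s]+)>'
FIELDS = (
    re.compile(r'\bclient=\S*?\[(?P<src_ip>[0-9A-Fa-f:.]+)\]'),
    re.compile(r'\bfrom=' + ADDR.format('from')),
    re.compile(r'\bto=' + ADDR.format('to')),
    re.compile(r'\bsize=(?P<size>\d+)'),
    re.compile(r'\bnrcpt=(?P<nrcpt>\d+)'),
    re.compile(r'\brelay=\S*?\[(?P<dst_ip>[0-9A-Fa-f:.]+)\]:(?P<dst_port>\d+)'),
    re.compile(r'\bstatus=(?P<status>\w+)'),
)

def parse_postfix(line):
    """Return the extracted fields as a dict, or None if the line is not a Postfix queue event."""
    # Strip stray CR/LF characters first, as the note at the top of this page requires.
    m = HEADER.match(line.replace('\r', '').replace('\n', ''))
    if not m:
        return None
    event = {k: m.group(k) for k in ('host', 'daemon', 'queue_id')}
    for rx in FIELDS:                      # fields missing from the payload are simply skipped
        hit = rx.search(m.group('body'))
        if hit:
            event.update(hit.groupdict())
    for key in ('src_ip', 'dst_ip'):       # discard bracketed values that are not real IP addresses
        if key in event:
            try:
                ipaddress.ip_address(event[key])
            except ValueError:
                del event[key]
    for key in ('size', 'nrcpt', 'dst_port'):
        if key in event:
            event[key] = int(event[key])
    return event
```
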
Tip:
Use the IBM® QRadar® Custom Properties for Postfix to closely monitor your Postfix deployment. The Postfix custom event properties expand your QRadar searches and reports by normalizing specific event data from a log source. If the IBM QRadar Custom Properties for Postfix content pack is not installed on your system, download it from the IBM X-Force Exchange website (https://exchange.xforce.ibmcloud.com/hub).