How to search all reference log entries?

Question

Hi All,

Here are some log entries from cisco ironport email security appliance:

Feb 21 10:16:55 212.167.24.57 Feb 21 10:16:55 mail_logs_to_splunk: Info: DCID 355912 close
Feb 21 10:16:54 212.167.24.57 Feb 21 10:16:54 mail_logs_to_splunk: Info: Message finished MID 2185496 done
Feb 21 10:16:54 212.167.24.57 Feb 21 10:16:54 mail_logs_to_splunk: Info: MID 2185496 RID [0] Response '2.6.0 <!&!AAAAAAAAAAAYAAAAAAAAAOB/hostK2zaNErnPVyPB9CJ3CgAAAEAAAAJ4C4lsTCIJPlZP1Zc4HuZEBAAAAAA==@21cnmanager.com> Queued mail for delivery'
Feb 21 10:16:54 212.167.24.57 Feb 21 10:16:54 mail_logs_to_splunk: Info: Message done DCID 355912 MID 2185496 to RID [0] 
Feb 21 10:16:47 212.167.24.57 Feb 21 10:16:47 mail_logs_to_splunk: Info: Delivery start DCID 355912 MID 2185496 to RID [0]
Feb 21 10:16:47 212.167.24.57 Feb 21 10:16:47 mail_logs_to_splunk: Info: New SMTP DCID 355912 interface 212.167.XX.XX address 202.82.XX.XX port 25
Feb 21 10:16:47 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: MID 2185496 queued for delivery
Feb 21 10:16:47 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: MID 2185496 was too big (1946137/262144) for scanning by VOF
Feb 21 10:16:47 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: MID 2185496 matched all recipients for per-recipient policy DEFAULT in the inbound table
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: Message finished MID 2185491 done
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: ICID 2070528 close
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: MID 2185496 ICID 0 RID 0 To: <julie.hou@gmail.com>
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: LDAP: Mailhost query host2_ldap_production.routing MID 2185491 address julie.hou@gmail.com to mx.gmail.com
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: LDAP: Reroute query host2_ldap_production.routing MID 2185491 RID 0 address julie.hou@gmail.com to [('julie.hou@gmail.com', 'mx.gmail.com')]
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: MID 2185496 ICID 0 From: <zhujin@21cnmanager.com>
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: MID 2185491 rewritten to MID 2185496 by LDAP rewrite
Feb 21 10:16:46 212.167.24.57 Feb 21 10:16:46 mail_logs_to_splunk: Info: MID 2185491 ready 1946137 bytes from <zhujin@21cnmanager.com>
Feb 21 10:16:45 212.167.24.57 Feb 21 10:16:45 mail_logs_to_splunk: Info: MID 2185491 Subject 'Greeting from Consulting'
Feb 21 10:16:45 212.167.24.57 Feb 21 10:16:45 mail_logs_to_splunk: Info: MID 2185491 Message-ID '<!&!AAAAAAAAAAAYAAAAAAAAAOB/hostK2zaNErnPVyPB9CJ3CgAAAEAAAAJ4C4lsTCIJPlZP1Zc4HuZEBAAAAAA==@21cnmanager.com>'
Feb 21 10:16:45 212.167.24.57 Feb 21 10:16:45 mail_logs_to_splunk: Info: MID 2185491 ICID 2070528 RID 0 To: <julie.hou@gmail.com>
Feb 21 10:16:45 212.167.24.57 Feb 21 10:16:45 mail_logs_to_splunk: Info: MID 2185491 ICID 2070528 From: <zhujin@21cnmanager.com>
Feb 21 10:16:45 212.167.24.57 Feb 21 10:16:45 mail_logs_to_splunk: Info: Start MID 2185491 ICID 2070528
Feb 21 10:16:45 212.167.24.57 Feb 21 10:16:45 mail_logs_to_splunk: Info: ICID 2070528 ACCEPT SG host2_outgoing_whitelist match 172.16.10.2-3 SBRS rfc1918
Feb 21 10:16:45 212.167.24.57 Feb 21 10:16:45 mail_logs_to_splunk: Info: New SMTP ICID 2070528 interface host2_Internal (172.16.10.4) address 172.16.10.3 reverse dns host unknown verified no

I think there are four key words for searching this logs: 2185496, 355912,2185491,2070528, but in nature I only know one key word to search, for example "MID 2185496", here, I want to define a search template that when I input the only one key word, e.g "MID 2185496", then it can print all reference log entries, how can I do it?

thanks.

Answer 1

Are you saying that when you specify "MID 2185496" as your search string, you only want to receive the events that have 2185496 as the MID? If so, you can accomplish this a couple of ways:

1: The best method would be to download the Cisco for Ironport E-mail add-on which will do the field extractions for you:

http://splunkbase.splunk.com/apps/All/4.x/app:Cisco+IronPort+E-mail+Security+Add+On

This will allow you to restrict your search to the specific fields within the events. For instance, you could search for messages of MID 2185496, like this:

mid=2185496 | head 100

Adding that app will also allow you to install the Cisco Security Suite which will give you a nice set of pre-defined reports, dashboards, and saved searches:

http://splunkbase.splunk.com/apps/All/4.x/App/app:Splunk+for+Cisco+Security

2: The other option is to do the field extraction yourself. The easiest way to do this is with the Interactive Field Extractor (IFX). Here's a link to the docs on IFX:

http://www.splunk.com/base/Documentation/4.1.7/User/InteractiveFieldExtractionExample

Answer 2

Refer to the above log entry "Start MID 2185491 ICID 2070528", I know that the log entries include "2070528" are relate to "MID 2185491", and log entry "MID 2185491 rewritten to MID 2185496 by LDAP rewrite", it means all log entries include "2185496" also relate to "MID 2185491". And the log entry "Delivery start DCID 355912 MID 2185496 to RID [0]", it means that all log entries include "355912" also relate to the "MID 2185491".

So, I want to search "mid=2185491", then it can print out all log entries which include 2070528, 2185496, 355912 and 2185491.

Thanks.

How to search all reference log entries?

Follow this question

Splunk Resources

Related questions