Kaspersky Next XDR Expert
1.2

Contents

Configuring receipt of Postfix events

You can configure the receipt of Postfix events in KUMA. Integration is only possible when sending events via syslog using the TCP protocol. The resources described in this article are available for KUMA 3.0 and newer versions.

Configuring event receiving consists of the following steps:

  1. Configuring Postfix to send events.
  2. Creating a KUMA collector for receiving Postfix events.
  3. Verifying receipt of Postfix events in the KUMA collector

    You can verify that the Postfix event source server is correctly configured in the Searching for related events section of the KUMA Console.

The Postfix system generates events in two formats:

  • Multi-line events containing information about messages (with a unique ID). These events have the following form:

    <syslog PRI> time host process_name: ID: information from base event 1

    <syslog PRI> time host process_name: id: info from base event 2

  • Single-line events containing information about errors (without an ID). These events have the following form:

    <syslog PRI> time host process_name: severity: basic information for parsing

A set of KUMA resources is used to process Postfix events; this set of resources must be applied when creating a collector:

  • Normalizer
  • Aggregation rule
  • Filters for destinations

The collector aggregates multi-line base events based on event ID, normalizes them, and sends the aggregated event to the storage and the correlator.

The aggregated event has the following form:

Service information from the aggregation rule: ID: information from base event 1, information from base event 2, information from base event n

After aggregation, the received event is sent to the same collector where the aggregated event is normalized.

Processing algorithm for Postfix events

The following algorithm was implemented to process Postfix events:

  1. Initial normalization

    At this stage, initial normalization is performed for base events received via syslog that begin with the "<" character. The events are brought to a format suitable for subsequent aggregation: the first character is extracted from the event and put into the FlexString1 field, the identifier is put into the ExternalID field, and the host name is put into the DeviceHostName field. Basic normalization is performed in the main normalizer.

  2. Checking for aggregation

    The event is examined to see if it is aggregated or not. As a result, non-aggregated events (the first character is not "{" and the ID is not empty) have an aggregation rule applied, and then aggregated events are sent for re-normalization.

  3. Applying the aggregation rule

    At this stage, the aggregation rule is applied to the events, the base events are collated and take the following form:

    Service information from the aggregation rule: ID: information from base event 1, information from base event 2, information from base event n

  4. After aggregation, the collated event is sent back to the same collector to subject the aggregated event to normalization.

    To close the event processing loop, you must specify the same collector as the destination. In the diagram, the destination is named "Loop" to draw attention to the event processing loop. You can give an arbitrary name to your destination.

  5. Normalization of the aggregated event

    Normalization of the aggregated event that begins with a "{" character is performed in the following extra normalizers: Aggregated events, Aggregated events. Message KV parser, Aggregated events. Message regex 1, Aggregated events. Message regex 2.

  6. Sending to storage and the correlator

    Aggregated and normalized events are sent to storage and the correlator.

The following figure shows the flow chart of Postfix event processing.

postfix_events_processing

In this section

Configuring Postfix to send events

Configuring a KUMA collector for receiving and processing Postfix events
Page top
[Topic 287428]

Configuring Postfix to send events

By default, audit events of the Postfix system are output to /var/log/maillog or /var/log/mail.

To send events to KUMA:

  1. Create a backup copy of the /etc/rsyslog.conf file.
  2. Open the /etc/rsyslog.conf file for editing.
  3. Add the following line to the end of the /etc/rsyslog.conf file:

    mail.* @@<IP address of the KUMA collector>:<port of the KUMA collector>

  4. Save the /etc/rsyslog.conf file.
  5. Restart the rsyslog service:

    sudo systemctl restart rsyslog

Page top
[Topic 287429]

Configuring a KUMA collector for receiving and processing Postfix events

To configure a KUMA collector for receiving Postfix events:

  1. Import the [OOTB] Postfix package from the KUMA repository. The package is available for KUMA 3.0 and newer versions.
  2. Create a new collector, and in the Collector Installation Wizard, configure the following:
    1. At the Transport step, in the Type field, select the tcp type, and in the URL field, specify the FQDN or IP address and port of the collector.
    2. At the Event parsing step, click Add event parsing, and in the displayed Basic event parsing window, in the Normalizer drop-down list, select the [OOTB] Postfix syslog normalizer.
    3. At the Event aggregation step, click Add aggregation rule, and in the displayed Event aggregation window, in the Aggregation rule drop-down list, select [OOTB] Postfix. Aggregation rule.
    4. At the Routing step, click Add and in the displayed Create destination window, create three destination points one by one—the same collector with the name "Loop", a storage, and a correlator.
      1. Create a destination named "Loop" with the following parameters.
        • On the Basic settings tab, in the Type drop-down list, select the tcp transport type; in the URL field, specify the FQDN or IP address and port of the collector that you specified before at step 2.1 of these instructions.
        • On the Advanced settings tab, in the Filter drop-down list, select the Postfix. Filter for event aggregation filter.

          This configuration is necessary to send the aggregated event to the same collector for subsequent normalization.

      2. Create a correlator destination:
      3. On the Basic settings tab, in the Type drop-down list, select correlator and fill in the URL field.
      4. On the Advanced settings tab, in the Filter drop-down list, select the Postfix. Aggregated events to storage and correlator filter.
      5. Create a storage destination:
      • On the Basic settings tab, in the Type drop-down list, select storage and fill in the URL field.
      • On the Advanced settings tab, in the Filter drop-down list, select the Postfix. Aggregated events to storage and correlator filter.

        This configuration is necessary to send the aggregated normalized event to storage and the correlator.

  3. Click the Create button.

    The collector service is created with the settings specified in the KUMA Console. The command for installing the service on the server is displayed.

  4. Copy the collector installation command and run it on the relevant server.

The collector is configured to receive and process Postfix events.

Page top
[Topic 287430]