FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
koolishami
Staff
Article Id 370569
Description

This article describes how to customize the FortiMailParser so that FortiSIEM assigns a dedicated event type to deferred email logs received from FortiMail.

As of FortiSIEM v7.3.0, there is no predefined event type to filter or sort logs for deferred email messages from FortiMail. 

 

By default, the parser assigns logs containing the substring stat=Deferred: the generic event type FortiMail-Event-SMTP-Related, so deferred messages cannot be distinguished from other SMTP events in searches or rules. The other SMTP-related event types can be reviewed by navigating to ADMIN -> Device Support -> Event Types in FortiSIEM.
Scope
FortiSIEM v7.x+
Solution

Understanding the Default Parser:

The default FortiMailParser, located under ADMIN -> Device Support -> Parsers, processes SMTP logs as shown in the example below:

 

<when test="$subtype = 'smtp'">
   <!-- Event SMTP logs -->
   <switch>
      (truncated)
      <default>
         <setEventAttribute attr="eventType">FortiMail-Event-SMTP Related</setEventAttribute>
      </default>
   </switch>
</when>

 

An example of a deferred email log:

 

<110>date=2021-01-17 time=14:42:35.156 device_id=FEVMXXXXXXXXXXXX log_id=0003024041 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id="XXXXXXXXXXXX-XXXXXXXXXXXX" msg="to=<user1@domain>,<user2@domain>, delay=00:32:51(tries=4), xdelay=00:00:30, mailer=esmtp, pri=903502, relay=domain.com. [W.X.Y.Z], dsn=A.B.C, stat=Deferred: Connection timed out with domain"

 

Steps to Parse Deferred Email Logs:

  • Create a New Event Type:
    1. Navigate to ADMIN -> Device Support -> Event Types -> New.
    2. Fill in the fields as follows:
      • Event Type: FortiMail-Event-SMTP-Deferred-Email.
      • Device Type: Fortinet FortiMail.
      • Event Type Group: Info.
      • Severity: 1-LOW.
      • Event Name (Optional): Deferred email event.

 

  • Disable and Clone the Default Parser:
    1. Go to ADMIN -> Device Support -> Parsers and search for FortiMailParser.
    2. Disable the default parser.
    3. Select the disabled parser and select Clone to create a custom version.

 

  • Modify the Parser XML:
    1. In the cloned parser, locate the <switch> block that processes SMTP logs.
    2. Add a new <case> block above the <default> block to handle deferred email logs. FortiSIEM evaluates the <case> blocks of a <switch> in order and takes the first one whose regex matches, so the new case must also sit above any existing case whose regex would match a deferred message; otherwise that case wins and the new event type is never assigned:

 

<case>
   <!-- stat=Deferred: -->
   <collectFieldsByRegex src="$usrMsg">
      <regex>
         <![CDATA[stat=Deferred:]]>
      </regex>
   </collectFieldsByRegex>
   <setEventAttribute attr="eventType">FortiMail-Event-SMTP-Deferred-Email</setEventAttribute>
</case>

 

  • Enable and Test the Custom Parser:
    1. After modifying the parser, select Validate -> Reformat -> Test.
    2. In the Test dialog box, delete one of the default sample logs in the Event box and paste in a deferred email log such as the example above.
    3. Run the test.
    4. Confirm that the parser categorizes the log under the new event type FortiMail-Event-SMTP-Deferred-Email rather than FortiMail-Event-SMTP-Related.
    5. Save the custom (cloned) parser and enable it if it is still disabled. Leave the original FortiMailParser disabled so that only the customized copy handles FortiMail logs.
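To check the classification logic before touching the parser in the GUI, the following Python script models what the customized <switch> block does: it splits a FortiMail event log into its key=value fields, takes the msg value (the page's $usrMsg is assumed to hold this field), and applies the stat=Deferred: regex before falling through to the default. This is an added example written for this article, not FortiSIEM's parser engine; the first sample log is the deferred example above, the second is a constructed stat=Sent log used as a negative control, and the default event type name is taken from the prose (FortiMail-Event-SMTP-Related).

```python
import re
from typing import Optional

# Constructed sample logs. The first is the deferred email log from the
# article; the second is a constructed successful delivery (stat=Sent)
# used as a negative control. Neither was captured from a real FortiMail.
SAMPLE_LOGS = [
    '<110>date=2021-01-17 time=14:42:35.156 device_id=FEVMXXXXXXXXXXXX '
    'log_id=0003024041 type=event subtype=smtp pri=information user=mail '
    'ui=mail action=NONE status=N/A session_id="XXXXXXXXXXXX-XXXXXXXXXXXX" '
    'msg="to=<user1@domain>,<user2@domain>, delay=00:32:51(tries=4), '
    'xdelay=00:00:30, mailer=esmtp, pri=903502, relay=domain.com. [W.X.Y.Z], '
    'dsn=A.B.C, stat=Deferred: Connection timed out with domain"',
    '<110>date=2021-01-17 time=14:43:01.002 device_id=FEVMXXXXXXXXXXXX '
    'log_id=0003024041 type=event subtype=smtp pri=information user=mail '
    'ui=mail action=NONE status=N/A session_id="YYYYYYYYYYYY-YYYYYYYYYYYY" '
    'msg="to=<user3@domain>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, '
    'pri=1024, relay=mx.domain.com. [W.X.Y.Z], dsn=2.0.0, stat=Sent (OK)"',
]

# key=value pairs: the value is either a double-quoted string (which may
# contain spaces and '=' characters, as msg does) or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortimail_log(line: str) -> dict:
    """Strip the syslog priority and split the body into key=value fields,
    removing the quotes around quoted values such as msg and session_id."""
    body = re.sub(r'^<\d+>', '', line)
    fields = {}
    for key, value in KV_RE.findall(body):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


# Ordered (regex, eventType) pairs mirroring the <case> blocks of the
# customized <switch>: the first regex that matches msg wins, <default>
# applies when none does. Only the deferred case is modelled here; the
# other cases of the real parser are truncated on the page.
SMTP_CASES = [
    (re.compile(r'stat=Deferred:'), 'FortiMail-Event-SMTP-Deferred-Email'),
]
SMTP_DEFAULT = 'FortiMail-Event-SMTP-Related'


def classify_smtp_event(fields: dict) -> Optional[str]:
    """Return the event type the customized parser assigns, or None when the
    log is not an SMTP event (handled by other <when> branches, outside this
    model, which mirrors only <when test="$subtype = 'smtp'">)."""
    if fields.get('subtype') != 'smtp':
        return None
    msg = fields.get('msg', '')          # assumed to be what $usrMsg holds
    for pattern, event_type in SMTP_CASES:
        if pattern.search(msg):          # first matching <case> wins
            return event_type
    return SMTP_DEFAULT                  # <default> branch


def classify_logs(lines) -> list:
    """Classify a batch of raw log lines."""
    return [classify_smtp_event(parse_fortimail_log(line)) for line in lines]


if __name__ == '__main__':
    for line in SAMPLE_LOGS:
        fields = parse_fortimail_log(line)
        print(fields['session_id'], '->', classify_smtp_event(fields))
```

Running the script prints the deferred session as FortiMail-Event-SMTP-Deferred-Email and the stat=Sent session as FortiMail-Event-SMTP-Related, which is the result the Test dialog should show for the same two inputs. To model an additional existing <case> from the real parser, prepend its regex and event type to SMTP_CASES in the same position it occupies in the XML and re-run; if the deferred log then stops producing the new event type, that case must be ordered below the new one in the cloned parser.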

 

Conclusion:

Customizing the FortiMailParser enables FortiSIEM to classify deferred email logs under their own event type. Following these steps ensures that these logs can be filtered and handled separately from other SMTP events, giving better visibility into mail delivery problems.