I am currently ingesting Proofpoint mail/filter/security etc. logs into our Rapid7 SIEM. I found, though, that I am unable to do a simple log search for, say, messages from and to a user, as Proofpoint/sendmail breaks the whole process into individual lines. I was planning on using Logstash to ingest these, grok them and then export as JSON. I wanted to check that this is possible with Logstash. Is there a grok template available for Proofpoint logs so that I can ingest and group the messages together by SMTP ID, and what is the best method to output these as JSON so that I can then ingest them into R7?
I will set up a test config and try this out, but any insight you guys can provide would be really helpful.
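The grouping the poster is after, as an added stand-alone example (not the poster's config and not a Proofpoint or Logstash artifact): parse sendmail-style queue lines, collapse every line sharing a queue ID into one record with the sender and all recipients, and emit newline-delimited JSON that a SIEM collector can ingest. In Logstash the same steps would be a `grok` pattern for the line, the `aggregate` filter keyed on the queue ID (with `push_map_as_event_on_timeout` so unfinished messages still get flushed), and an output using the `json_lines` codec; the code below does the same in Python so the logic can be checked offline. The sample lines are constructed in classic sendmail layout (`<ts> <host> sendmail[<pid>]: <queue-id>: key=value, ...`); real Proofpoint lines may carry different fields, so the regexes are assumptions to adjust against your own logs.

```python
"""Group sendmail-style per-line mail logs into one JSON document per message."""
import json
import re

# Constructed sample input (not real Proofpoint output). One "from=" line per
# message, one "to=" line per recipient, all tied together by the queue ID.
SAMPLE_LOG = """\
Mar 10 12:00:01 mx1 sendmail[1234]: 12AB0001xyz: from=<alice@example.com>, size=1024, class=0, nrcpts=2, msgid=<abc@example.com>, proto=ESMTP, relay=client.example.com [192.0.2.5]
Mar 10 12:00:01 mx1 sendmail[1234]: 12AB0002zzz: from=<carol@example.net>, size=512, class=0, nrcpts=1, msgid=<def@example.net>, proto=ESMTP, relay=other.example.net [192.0.2.6]
Mar 10 12:00:02 mx1 sendmail[1240]: 12AB0001xyz: to=<bob@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31024, relay=mail.example.org. [198.51.100.10], dsn=2.0.0, stat=Sent (OK)
Mar 10 12:00:02 mx1 sendmail[1240]: 12AB0001xyz: to=<dave@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31024, relay=mail.example.org. [198.51.100.10], dsn=2.0.0, stat=Sent (OK)
Mar 10 12:00:03 mx1 sendmail[1241]: 12AB0002zzz: to=<erin@example.org>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30512, relay=mail.example.org. [198.51.100.10], dsn=5.1.1, stat=User unknown
"""

# Assumed line layout; adjust to the real Proofpoint format before use.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)
# Split "k=v, k=v" only on commas followed by another key=, so values such as
# "stat=Deferred: Connection refused, ..." keep their internal commas.
KV_SPLIT_RE = re.compile(r", (?=[A-Za-z_]+=)")


def parse_line(line):
    """Return the structured fields of one queue line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for kv in KV_SPLIT_RE.split(m.group("rest")):
        key, sep, value = kv.partition("=")
        if sep:
            fields[key] = value.strip("<>")  # from=<a@b>, to=<c@d>, msgid=<...>
    return {"ts": m.group("ts"), "host": m.group("host"), "pid": m.group("pid"),
            "qid": m.group("qid"), "fields": fields}


def group_messages(log_text):
    """Collapse per-line events into one record per (host, queue-id)."""
    messages = {}  # (host, qid) -> record; dict order == first-seen order
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["qid"])  # queue IDs are only unique per host
        f = ev["fields"]
        rec = messages.get(key)
        if rec is None:
            rec = {"host": ev["host"], "queue_id": ev["qid"], "first_seen": ev["ts"],
                   "last_seen": ev["ts"], "from": None, "msgid": None, "size": None,
                   "nrcpts": None, "recipients": [], "complete": False}
            messages[key] = rec
        rec["last_seen"] = ev["ts"]
        if "from" in f:
            rec["from"] = f["from"]
            rec["msgid"] = f.get("msgid")
            rec["size"] = int(f["size"]) if f.get("size", "").isdigit() else None
            rec["nrcpts"] = int(f["nrcpts"]) if f.get("nrcpts", "").isdigit() else None
        if "to" in f:
            # sendmail may list several recipients on one line: to=<a@x>,<b@x>
            for rcpt in f["to"].split(","):
                rec["recipients"].append({"to": rcpt.strip("<> "), "relay": f.get("relay"),
                                          "dsn": f.get("dsn"), "stat": f.get("stat")})
        # Queue IDs are reused over time, so treat a record as finished once every
        # announced recipient has a delivery line; a streaming pipeline would also
        # flush on a timeout (the aggregate filter's push_map_as_event_on_timeout).
        if rec["nrcpts"] is not None and len(rec["recipients"]) >= rec["nrcpts"]:
            rec["complete"] = True
    return list(messages.values())


def find_messages(messages, sender=None, recipient=None):
    """The search the per-line format makes hard: messages from X to Y in one query."""
    out = []
    for rec in messages:
        if sender and (rec["from"] or "").lower() != sender.lower():
            continue
        if recipient and not any(r["to"].lower() == recipient.lower()
                                 for r in rec["recipients"]):
            continue
        out.append(rec)
    return out


def to_ndjson(messages):
    """One JSON object per line (newline-delimited JSON), the form most SIEM collectors ingest."""
    return "\n".join(json.dumps(rec, sort_keys=True) for rec in messages) + "\n"


if __name__ == "__main__":
    print(to_ndjson(group_messages(SAMPLE_LOG)), end="")
```

Keying on (host, queue ID) rather than the queue ID alone matters once several Proofpoint nodes feed the same pipeline, and the `complete` flag is what tells a downstream consumer whether the record can be trusted as the full delivery picture or was cut off by a flush.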