Capture Settings, Email


Capture Settings are set up separately for each capture channel.  Once these settings have been specified, OK or Apply should be clicked.  This tab specifies how captured data may be emailed, and how email itself can be captured.

 


 

 

Email Capture Log on Rotation

This option allows capture logs to be automatically emailed when closed and rotated.  There are options to 'Email as Body' where the log will be copied into the body of the message, or 'Email as Attachment' where the capture file will be attached to a short body.  On the Files tab, 'Archive/Email Capture Log on Stop Capture' causes the log to be emailed even if the rotation time has not yet arrived when ComCap is stopped.  For email to function, at least one SMTP Server must be specified in Common Settings, Email.

 

Note that emails are placed in a queue, as detailed in Common Settings, Email.  There is a maximum size of 10 Mbytes for the capture log to be emailed, although some email servers may not accept email of that size.  The current state of any emails sitting in the mail queue may be checked in the Show Mail Queue window, from where unsent emails may be deleted if necessary.

 

Email Subject, From Address

The Email Subject should be specified, then the From Address with a descriptive name in double quotes, followed by the actual email address in angle brackets, for example "Works PC19" <pc19@magsys.co.uk>.

 

To Addresses

One or more addresses may be specified to which the log will be sent.  Each address should be on a separate line, with a descriptive name in double quotes, followed by the actual email address in angle brackets, for example "ComCap" <comcap@magsys.co.uk>.

 

Titles Added to Email Body

Each email created has up to four title lines added in the body, above the log, to provide identification.  Which of these four titles is added depends on four tick boxes: Title and Date, From PC Name, Capture Name and Log File Name.  Unticking a box removes that title.

 

SMTP Email Server

ComCap can capture alert emails sent by internet aware appliances, such as firewalls, security monitors, power distribution units, uninterruptible power supplies, remote sensors, transponders, etc.  The emails may be written to a SQL database or used to trigger alerts.  An Email Server channel must first be set up in Common Settings, Network with a single local address, usually with port 25 or 587.  Internet appliances that will send email to ComCap should have their SMTP Mail Server changed to this local IP address, or DNS should be set up for this address.

 

Email Account Names Accepted by Server

Specifies a list of email addresses for which the server will accept email.  These don't need real domains, so info@comcap.private is acceptable, or *@comcap.private would allow email to any address with that domain, for example xxx@comcap.private.  Email sent to addresses not on this list will be rejected by the server and not captured.

 

Remote IP Addresses Accepted

Specifies a list of IP addresses from which email will be accepted.  If left blank, email will be accepted from any IP address.
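The two accept lists above, modelled as an added example (not ComCap's own code) to show how they combine into one accept or reject decision.  It assumes case-insensitive address matching and exact IP addresses rather than ranges, neither of which the page states; the function name and sample values are hypothetical.

```python
import ipaddress
from fnmatch import fnmatchcase


def accept_mail(rcpt, remote_ip, accounts, allowed_ips):
    """Return (accepted, reason) for one SMTP recipient.

    accounts    -- 'Email Account Names Accepted by Server' entries
    allowed_ips -- 'Remote IP Addresses Accepted' entries (empty = any)
    """
    if allowed_ips:
        # Compare parsed addresses rather than raw strings.
        ip = ipaddress.ip_address(remote_ip)
        if ip not in {ipaddress.ip_address(a) for a in allowed_ips}:
            return False, "remote IP not on accept list"
    # An empty IP list means mail is accepted from any address, so the
    # recipient list below is then the only gate.
    rcpt = rcpt.strip().lower()
    for pattern in accounts:
        # '*@comcap.private' matches any local part at that domain.
        if fnmatchcase(rcpt, pattern.strip().lower()):
            return True, "recipient matched " + pattern
    return False, "recipient not on account list"


# Constructed sample settings.
ACCOUNTS = ["info@comcap.private", "*@comcap.private"]
APPLIANCE_IPS = ["192.168.1.20"]
```

With the IP list left blank, the third argument is the only check applied, so any host that can reach the listening port and knows an accepted recipient can submit email.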

 

Server Requires Authentication

Specifies the email server should only accept email if first authenticated with a single login name and password.  Authentication methods supported are AUTH PLAIN, LOGIN, CRAM-MD5 and CRAM-SHA1.
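How the listed mechanisms differ on the wire, as an added example (not ComCap's own code): AUTH PLAIN carries the password base64-encoded (LOGIN does the same in separate steps), while CRAM-MD5 and CRAM-SHA1 return an HMAC over a challenge issued by the server.  The login name, password and challenge are constructed sample values and the function names are hypothetical.

```python
import base64
import hmac


def plain_payload(login, password):
    """AUTH PLAIN: base64 of 'authzid NUL login NUL password'."""
    return base64.b64encode(f"\0{login}\0{password}".encode())


def exposes_password(b64_payload, password):
    """True if base64-decoding the wire value reveals the password."""
    return password.encode() in base64.b64decode(b64_payload)


def cram_response(login, password, challenge, digest="md5"):
    """Client: base64 of 'login SP hex(HMAC(password, challenge))'."""
    mac = hmac.new(password.encode(), challenge, digest).hexdigest()
    return base64.b64encode(f"{login} {mac}".encode())


def cram_verify(b64_response, login, password, challenge, digest="md5"):
    """Server: recompute the HMAC and compare in constant time."""
    decoded = base64.b64decode(b64_response).decode()
    got_login, _, got_mac = decoded.rpartition(" ")
    want = hmac.new(password.encode(), challenge, digest).hexdigest()
    return got_login == login and hmac.compare_digest(got_mac, want)


# Constructed sample values.
LOGIN, PASSWORD = "comcap", "sample-Passw0rd"
CHALLENGE = b"<1896.697170952@comcap.private>"
```

On an unencrypted connection the PLAIN and LOGIN values can be decoded by anyone able to read the traffic, so the CRAM mechanisms are the better choice where the sending appliance supports them.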

 

Save as Variable Named Columns

Accepted emails can be captured as multiple lines of plain text, or by ticking this box as a single record.  Each line of the email is formatted similarly to Subject="ComCap email testing" so ComCap Data Format parsing can separate the headers to be added to a SQL database.  Three extra headers are always added, X-Envelope-From, X-Envelope-To and X-Originating-IP, all from the SMTP envelope, in case the normal To: or From: headers are inadequate, and Date is converted to ISO format.  The entire body becomes Body='xxx' with line endings replaced by \n.  Unfortunately ComCap cannot currently process CRLF in a record, it breaks too many things, but \n can be translated back to CRLF in a SQL stored procedure if necessary.

 

Show All Headers

Ticking this option will capture all the email headers, otherwise only From, To, Subject and Date are kept.

 

Strip All Attachments

MIME encoded emails are automatically decoded, but only text-plain and text-html sections are processed.  This option causes all but the main body to be ignored.

 

Ignore Email Body

Ticking this option only saves the email headers and might be sufficient where the subject contains the alert information.

 

One Log File Per Email

Ticking this option causes capture log rotation for each new email, provided the file name format is suitable.

 

Save Raw Email as EML File

Ticking this option causes each complete email to be saved separately to the capture file but in the same folder, with a unique file name, where it could be processed by another application.

 

Relay Raw Email

Ticking this option causes the complete email to be forwarded to one or more email addresses specified as 'To Addresses' (same as emailing logs).

 

Remove Body Line Endings

If ticked, line endings in the email body are replaced by spaces instead of \n, although this may seriously mess up formatting.
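The 'Save as Variable Named Columns' record, together with the Show All Headers, Ignore Email Body and Remove Body Line Endings options, sketched as an added example (not ComCap's own code).  The comma between pairs, the field order, the exact ISO date form and all function names are assumptions; only a plain-text, non-MIME message is handled and the sample email is constructed.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

KEPT = {"from", "to", "subject", "date"}  # kept when Show All Headers is off


def to_record(raw, env_from, env_to, remote_ip,
              show_all=False, ignore_body=False, strip_eol=False):
    """Flatten one received email into a single name="value" record."""
    msg = message_from_string(raw)
    fields = []
    for name, value in msg.items():
        if not show_all and name.lower() not in KEPT:
            continue
        if name.lower() == "date":
            # Date is converted to ISO format.
            value = parsedate_to_datetime(value).isoformat()
        fields.append(f'{name}="{value}"')
    # Three extra headers, always added, taken from the SMTP envelope.
    fields.append(f'X-Envelope-From="{env_from}"')
    fields.append(f'X-Envelope-To="{env_to}"')
    fields.append(f'X-Originating-IP="{remote_ip}"')
    if not ignore_body:
        body = msg.get_payload().replace("\r\n", "\n").rstrip("\n")
        # Line endings become a literal backslash-n, or a space if stripped.
        body = body.replace("\n", " " if strip_eol else "\\n")
        fields.append(f"Body='{body}'")
    return ",".join(fields)  # assumption: comma between pairs


def body_to_crlf(body):
    """Consumer side: turn the literal backslash-n back into CRLF."""
    return body.replace("\\n", "\r\n")


# Constructed sample message, not real appliance output.
RAW = "\r\n".join([
    "From: ups1@comcap.private",
    "To: info@comcap.private",
    "Subject: On battery",
    "Date: Mon, 03 Mar 2025 09:15:00 +0000",
    "X-Mailer: constructed-sample",
    "",
    "Input power lost.",
    "Runtime 14 minutes.",
    "",
])
```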

 

SQL Email Capture

Since email formats vary so wildly, conceptually saving them with ComCap can cause many issues.  Hopefully the 'Variable Named Columns' format and other options described are a good start, but ComCap users are welcome to offer feedback on alternatives from the real life emails generated by various appliances.

 

To demonstrate saving emails to a SQL database, a new Microsoft SQL Server table capture_email has been added to 'newdb-mssql.sql' and matching stored procedures to 'storedproc-mssql.sql'.

 

The maximum email size that is accepted is 32,000 characters, and SQL will usually only handle a field 8,000 characters long so that is really the maximum body size.