What level of information are you getting from your logs?
I thought I'd be able to get a lot more information than I'm currently getting. I suspect I don't have it configured correctly, because I'm only getting very basic logging and it doesn't give me a lot of value.
Hello Jeremy
1. Make sure you have the latest ProofPoint log parser file installed on your NetWitness Log Decoders.
The latest available version on RSA Live is: Proofpoint Email Security - proofpoint, Parser Version: 32, Event Source Update: 122, last updated 2018-09-12.
Check the deployed version of the proofpoint parser file on your Log Decoder appliance with the command:
egrep "xml=|revision=" /etc/netwitness/ng/envision/etc/devices/proofpoint/proofpointmsg.xml
In the output, make sure you have at least the values:
xml="32"
revision="122"
2. Check that you have a version of ProofPoint that is supported by NetWitness, currently 6.3, 7.2, 7.5, 8.x.
Reference: https://community.rsa.com/community/products/netwitness/parser-network/event-sources#P
3. If the ProofPoint logs are being parsed as another device type, then consider adding a mapping in the Parser Mappings tab to force the parser to use the proofpoint parser.
Reference: Decoder: Services Config View - Parser Mappings Tab - https://community.rsa.com/docs/DOC-80185
4. If you are still finding that the logs from ProofPoint are not being fully parsed for all the useful data, then export a sample of these logs from NetWitness, and open a case with RSA Customer Support.
Identify in the new case which fields of data are not getting parsed in the log messages. A request for a future enhancement (RFE) can be made to the RSA Content Team for their consideration.
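The version check from step 1 as a script that compares the numbers instead of leaving it to the eye, added here as an example; it is not part of the original reply and not RSA tooling. The path and minimum values come from the thread; the function names and the sample header line written by `write_sample` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not RSA's tooling: checks the deployed Proofpoint parser
# against the minimum versions quoted in the answer above.

# Path and minimums are taken from the thread.
PARSER_FILE="/etc/netwitness/ng/envision/etc/devices/proofpoint/proofpointmsg.xml"
MIN_XML=32
MIN_REVISION=122

# Print the first numeric value of attribute $2 (xml or revision) in file $1.
# Requiring whitespace before the name keeps a longer attribute name that
# merely ends in the same letters from matching.
parser_attr() {
    grep -Eo "[[:space:]]$2=\"[0-9]+\"" "$1" 2>/dev/null | head -n 1 | tr -cd '0-9'
}

# Return 0 if both values meet the minimums, 1 if the parser is older,
# 2 if the file is unreadable or an attribute is missing.
check_proofpoint_parser() {
    file="${1:-$PARSER_FILE}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    xml=$(parser_attr "$file" xml)
    rev=$(parser_attr "$file" revision)
    if [ -z "$xml" ] || [ -z "$rev" ]; then
        echo "xml= or revision= attribute not found in $file" >&2
        return 2
    fi
    echo "deployed: xml=$xml revision=$rev (minimum: xml=$MIN_XML revision=$MIN_REVISION)"
    if [ "$xml" -lt "$MIN_XML" ] || [ "$rev" -lt "$MIN_REVISION" ]; then
        echo "parser is older than the version on RSA Live; update it" >&2
        return 1
    fi
    return 0
}

# Write a constructed header line (not copied from a real parser file)
# so the check can be dry-run away from a Log Decoder.
write_sample() {
    printf '<VERSION xml="%s" revision="%s"/>\n' "$2" "$3" > "$1"
}
```

On a Log Decoder, source the file and run `check_proofpoint_parser` with no argument to test the deployed parser at the default path.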