I can't wrap my head around how to accomplish this, but postfix logs two separate events for one email. The first event contains the from address:

Feb 17 06:01:44 hostname postfix/qmgr[1544]: DE82B40611: from=<email@domain.com>, size=288, nrcpt=1 (queue active)

The second event contains the to address, status and other goodies:

Feb 17 06:01:45 hostname postfix/smtp[17553]: DE82B40611: to=<email@domain.com>, relay=mx.domain.com[123.123.12.123]:25, delay=30, delays=29/0/0.12/0.27, dsn=2.6.0, status=sent (250 2.6.0 <b36c397a-023f-428b-bd5a-f88c7e80d2a7@mx.domain.com> Queued mail for delivery)

I want to build a search based on the from address, but do stats on the status (separate counts for deferred, sent, reject etc.). Any way I could make Splunk realize these two events are related?

asked 17 Feb '12, 03:16


Will I AM

edited 17 Feb '12, 03:57


Drainy


One Answer:

You could use the transaction command to build a transaction for these events. I don't have a great deal of experience with Postfix, is the DE82B40611 unique to these events?

So something you could do to merge these into one event, if that is unique to this email, is:

searchterms | rex field=_raw "[^:]+:[^:]+:[^:]+: (?<MaybeUnique>\w+):" | transaction MaybeUnique

This would produce one event per all events that contain the MaybeUnique field which is the string I mentioned above in extracted form.

The other option is to do something like:

searchterms | transaction maxspan=5s startswith=postfix/qmgr* endswith=postfix/smtp*

Which should build a transaction based on the contents of the first event matching startswith and the last event in the transaction matching endswith, with a max time between events of 5 seconds.


answered 17 Feb '12, 03:56

Drainy

Brilliant and great eye! The DE82B40611 is unique to the messages! So your

searchterms | rex field=_raw "[^:]+:[^:]+:[^:]+: (?<MaybeUnique>\w+):" | transaction MaybeUnique

Works perfectly! From there I just ran it through a where and count by status; here is the full search I ended up with:

source=/var/log/maillog | rex field=_raw "[^:]+:[^:]+:[^:]+: (?<MaybeUnique>\w+):" | transaction MaybeUnique | where from="<email@domain.com>" | stats count by status
(17 Feb '12, 04:19) Will I AM

No worries, glad it's working.

(17 Feb '12, 04:55) Drainy
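The correlation the accepted answer does in SPL (extract the Postfix queue ID with the same regex, group the qmgr and smtp lines into one transaction, then count status per sender), as an added stand-alone Python example that is not part of the original thread. The maillog lines, hostnames, addresses and queue IDs below are constructed, and the sample goes beyond the question by including deferred and bounced deliveries alongside sent.

```python
import re
from collections import Counter, defaultdict

# Queue-ID extraction: the same pattern the answer passes to `rex`.
QUEUE_ID_RE = re.compile(r"[^:]+:[^:]+:[^:]+: (?P<queue_id>\w+):")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>")
STATUS_RE = re.compile(r"status=(?P<status>\w+)")

# Constructed sample maillog (not real traffic): three messages, each logged
# as a qmgr line (from=) followed by an smtp line (to=, status=).
SAMPLE_LOG = """\
Feb 17 06:01:44 hostname postfix/qmgr[1544]: DE82B40611: from=<alice@example.com>, size=288, nrcpt=1 (queue active)
Feb 17 06:01:45 hostname postfix/smtp[17553]: DE82B40611: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=30, delays=29/0/0.12/0.27, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Feb 17 06:02:10 hostname postfix/qmgr[1544]: 1A2B3C4D5E: from=<alice@example.com>, size=512, nrcpt=1 (queue active)
Feb 17 06:02:11 hostname postfix/smtp[17553]: 1A2B3C4D5E: to=<carol@example.org>, relay=none, delay=0.5, delays=0.4/0/0.1/0, dsn=4.4.1, status=deferred (connect to mx.example.org[198.51.100.5]:25: Connection refused)
Feb 17 06:03:00 hostname postfix/qmgr[1544]: 9F8E7D6C5B: from=<mallory@example.com>, size=100, nrcpt=1 (queue active)
Feb 17 06:03:01 hostname postfix/smtp[17553]: 9F8E7D6C5B: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1, delays=0.5/0/0.2/0.3, dsn=5.1.1, status=bounced (host mx.example.net said: 550 5.1.1 User unknown)
"""


def build_transactions(log_text):
    """Group log lines by queue ID, merging each line's fields into one record
    (the equivalent of `rex ... | transaction MaybeUnique`)."""
    transactions = defaultdict(dict)
    for line in log_text.splitlines():
        m = QUEUE_ID_RE.match(line)
        if not m:
            continue  # not a per-message Postfix line, so nothing to correlate
        fields = transactions[m.group("queue_id")]
        for name, rx in (("from", FROM_RE), ("to", TO_RE), ("status", STATUS_RE)):
            hit = rx.search(line)
            if hit:
                fields[name] = hit.group(1)
    return dict(transactions)


def status_counts_for_sender(log_text, sender):
    """Equivalent of `| where from="<sender>" | stats count by status`."""
    txns = build_transactions(log_text)
    return Counter(t["status"] for t in txns.values()
                   if t.get("from") == sender and "status" in t)


if __name__ == "__main__":
    print(status_counts_for_sender(SAMPLE_LOG, "alice@example.com"))
```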
Copyright © 2005-2012 Splunk Inc. All rights reserved.