topic Re: Postfix Logs in Splunk Search

Postfix Logs

Will_I_AM — Fri, 17 Feb 2012 11:16:52 GMT

I can't wrap my head around how to accomplish this, but postfix logs two separate events for one email. The first event contains the from address:

Feb 17 06:01:44 hostname postfix/qmgr[1544]: DE82B40611: from=<email@domain.com>, size=288, nrcpt=1 (queue active)

The second event contains the to address, status and other goodies:

Feb 17 06:01:45 hostname postfix/smtp[17553]: DE82B40611: to=<email@domain.com>, relay=mx.domain.com[123.123.12.123]:25, delay=30, delays=29/0/0.12/0.27, dsn=2.6.0, status=sent (250 2.6.0 <b36c397a-023f-428b-bd5a-f88c7e80d2a7@mx.domain.com> Queued mail for delivery)

I want to build a search based on the from address, but do stats on the status (separate counts for deffered, sent, reject etc.). Anyway I could make splunk realize these two events are related?

Re: Postfix Logs

Drainy — Fri, 17 Feb 2012 11:56:39 GMT

You could use the transaction command to build a transaction for these events. I don't have a great deal of experience with Postfix, is the DE82B40611 unique to these events?

So something you could do to merge these into one event if that is unique to this email is;

searchterms | rex field=_raw "[^:]+:[^:]+:[^:]+: (?<MaybeUnique>\w+):" | transaction MaybeUnique

This would produce one event per all events that contain the MaybeUnique field which is the string I mentioned above in extracted form.

The other option is to do something like;

searchterms | transaction maxspan=5s startswith=postfix/qmgr* endswith=postfix/smtp*

Which should build a transaction based on the contents of the first event matching startswith and the last event in the transaction matching endswith with a max time between events of 5seconds

Re: Postfix Logs

Will_I_AM — Fri, 17 Feb 2012 12:19:17 GMT

Brilliant and great eye! the DE82B40611 is unique to the messages! so your

searchterms | rex field=_raw "[^:]+:[^:]+:[^:]+: (?<MaybeUnique>\w+):" | transaction MaybeUnique

Works perfectly! From there i just ran it through a where and count by status, here is the full search i ended up with.

source=/var/log/maillog | rex field=_raw "[^:]+:[^:]+:[^:]+: (?<MaybeUnique>\w+):" | transaction MaybeUnique | where from="<email@domain.com>" | stats count by status

Re: Postfix Logs

Drainy — Fri, 17 Feb 2012 12:55:02 GMT

No worries, glad its working

Re: Postfix Logs

dfenko — Mon, 23 Mar 2015 19:40:08 GMT

I found that I needed to make one adjustment to your rex.

[^:]+:[^:]+:[^:]+: (?<postfix_id>[A-F0-9]\w+):

I found that in instances where postfix would warn on bad MX records, the regex was capturing the work "warning" in place of the hexadecimal queue ID for postfix. I updated the regex to only find options with valid hexadecimal values, ensuring that "warning" was not captured.

Re: Postfix Logs

abusayeed — Tue, 27 Feb 2018 10:34:24 GMT

I have same problem. I don't know where I'll ran that command ,I have same problem. I can not solve it. I don't know where it ran

Re: Postfix Logs

richgalloway — Tue, 27 Feb 2018 13:48:15 GMT

@abusayeed, You're adding on to a thread that is six years old and already has an accepted answer. For better chances at a helpful response, please post a new question.