Splunk Search

Postfix Logs

Will_I_AM
Engager

I can't wrap my head around how to accomplish this, but postfix logs two separate events for one email. The first event contains the from address:

Feb 17 06:01:44 hostname postfix/qmgr[1544]: DE82B40611: from=<email@domain.com>, size=288, nrcpt=1 (queue active)

The second event contains the to address, status and other goodies:

Feb 17 06:01:45 hostname postfix/smtp[17553]: DE82B40611: to=<email@domain.com>, relay=mx.domain.com[123.123.12.123]:25, delay=30, delays=29/0/0.12/0.27, dsn=2.6.0, status=sent (250 2.6.0 <b36c397a-023f-428b-bd5a-f88c7e80d2a7@mx.domain.com> Queued mail for delivery)

I want to build a search based on the from address, but do stats on the status (separate counts for deffered, sent, reject etc.). Anyway I could make splunk realize these two events are related?

Tags (2)
1 Solution

Drainy
Champion

You could use the transaction command to build a transaction for these events. I don't have a great deal of experience with Postfix, is the DE82B40611 unique to these events?

So something you could do to merge these into one event if that is unique to this email is;

searchterms | rex field=_raw "[^:]+:[^:]+:[^:]+: (?<MaybeUnique>\w+):" | transaction MaybeUnique

This would produce one event per all events that contain the MaybeUnique field which is the string I mentioned above in extracted form.

The other option is to do something like;

searchterms | transaction maxspan=5s startswith=postfix/qmgr* endswith=postfix/smtp*

Which should build a transaction based on the contents of the first event matching startswith and the last event in the transaction matching endswith with a max time between events of 5seconds

View solution in original post

abusayeed
New Member

I have same problem. I don't know where I'll ran that command ,I have same problem. I can not solve it. I don't know where it ran

0 Karma

richgalloway
SplunkTrust
SplunkTrust

@abusayeed, You're adding on to a thread that is six years old and already has an accepted answer. For better chances at a helpful response, please post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Drainy
Champion

You could use the transaction command to build a transaction for these events. I don't have a great deal of experience with Postfix, is the DE82B40611 unique to these events?

So something you could do to merge these into one event if that is unique to this email is;

searchterms | rex field=_raw "[^:]+:[^:]+:[^:]+: (?<MaybeUnique>\w+):" | transaction MaybeUnique

This would produce one event per all events that contain the MaybeUnique field which is the string I mentioned above in extracted form.

The other option is to do something like;

searchterms | transaction maxspan=5s startswith=postfix/qmgr* endswith=postfix/smtp*

Which should build a transaction based on the contents of the first event matching startswith and the last event in the transaction matching endswith with a max time between events of 5seconds

Drainy
Champion

No worries, glad its working

0 Karma

dfenko
Explorer

I found that I needed to make one adjustment to your rex.

[^:]+:[^:]+:[^:]+: (?<postfix_id>[A-F0-9]\w+):

I found that in instances where postfix would warn on bad MX records, the regex was capturing the work "warning" in place of the hexadecimal queue ID for postfix. I updated the regex to only find options with valid hexadecimal values, ensuring that "warning" was not captured.

0 Karma

Will_I_AM
Engager

Brilliant and great eye! the DE82B40611 is unique to the messages! so your

searchterms | rex field=_raw "[^:]+:[^:]+:[^:]+: (?<MaybeUnique>\w+):" | transaction MaybeUnique

Works perfectly! From there i just ran it through a where and count by status, here is the full search i ended up with.

source=/var/log/maillog | rex field=_raw "[^:]+:[^:]+:[^:]+: (?<MaybeUnique>\w+):" | transaction MaybeUnique | where from="<email@domain.com>" | stats count by status
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...