I would like to write a search to give me all log lines relating to a particular bounced email message.
Basically I can monitor for a log line that has "postmaster-mail.sh" in it. That log line also contains the initial Message ID (which doesn't get extracted by default, but I created a field called msgID).
I then have to run a series of manual searches to find all the log lines.
Basically I search for w010cweA015328, then find the next message ID, which is x000mbnW025320, and that will give me the next message ID, which is a070yZwR021222.
So my search would end up looking like this:
sourcetype=syslog host="relay" process=sm-mta w010cweA015328 OR x000mbnW025320 OR a070yZwR021222
I then get the following lines, which tell me why the message failed and which IP it came from.
Jan 7 11:14:57 mailserver sm-mta[00228]: w010cweA015328: to=| postmaster-mail.sh, ctladdr=postmaster (1/0), delay=00:00:01, xdelay=00:00:01, mailer=esta, pri=20001, dsn=2.0.0, stat=Sent
Jan 7 11:14:56 mailserver sm-mta[00228]: x000mbnW025320: w010cweA015328: return to sender: User unknown
Jan 7 11:14:46 mailserver sm-mta[00228]: x000mbnW025320: to=, delay=00:00:05, xdelay=00:00:05, mailer=smtp, pri=10332, relay=[10.140.12.43] [10.140.12.43], dsn=5.1.1, stat=User unknown
Jan 7 11:14:41 mailserver sm-mta[00228]: a070yZwR021222: x000mbnW025320: DSN: User unknown
Jan 7 11:14:41 mailserver sm-mta[00228]: a070yZwR021222: to=,,,,,,,,,,,,,, delay=00:00:30, xdelay=00:00:30, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=2.0.0, stat=Sent (<201300020033.a070yZwR021222@mailserver.ken.qt.rae.zg> Queued mail for delivery)
Jan 7 11:14:41 mailserver sm-mta[00228]: a070yZwR021222: to=,,,,,,,,,,,,,,,,,,,,,,,, [more], delay=00:00:30, xdelay=00:00:30, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=2.0.0, stat=Sent (<201300020033.a070yZwR021222@mailserver.ken.qt.rae.zg> Queued mail for delivery)
Jan 7 11:14:36 mailserver sm-mta[00228]: a070yZwR021222: to=, delay=00:00:25, xdelay=00:00:25, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=5.1.1, stat=User unknown
Jan 7 11:14:31 mailserver sm-mta[00228]: a070yZwR021222: to=, delay=00:00:20, xdelay=00:00:20, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=5.1.1, stat=User unknown
Jan 7 11:14:26 mailserver sm-mta[00228]: a070yZwR021222: to=, delay=00:00:15, xdelay=00:00:15, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=5.1.1, stat=User unknown
Jan 7 11:14:21 mailserver sm-mta[00228]: a070yZwR021222: to=, delay=00:00:10, xdelay=00:00:10, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=5.1.1, stat=User unknown
Jan 7 11:14:16 mailserver sm-mta[00228]: a070yZwR021222: to=, delay=00:00:05, xdelay=00:00:05, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=5.1.1, stat=User unknown
Jan 7 11:14:11 mailserver sm-mta[11642]: a070yZwR021222: from=, size=1210, class=0, nrcpts=41, msgid=<201300020033.a070yZwR021222@mailserver.ken.qt.rae.zg>, proto=DEANA, daemon=MTA, relay=guogcagiv01 [10.005.12.107]
The first message ID will give me the first two lines, the second one will give me the next 2 and the third the rest.
I've tried a number of things, but am having problems working it out. My first thought was to use sub searches, so I tried to extract the msg ID, but that did not work (mostly because the msgID of the second line is different to the message ID of the first line).
I would need to run the second search without the msgID= part (ie only the actual value w010cweA015328).
I'm sure there is an easier way, but I can't think of it.
Thanks.
Hi horst.poehlmann,
look at your events in reverse order, so your first event is this one:
Jan 7 11:14:11 mailserver sm-mta[11642]: a070yZwR021222: from=, size=1210, class=0, nrcpts=41, msgid=<201300020033.a070yZwR021222@mailserver.ken.qt.rae.zg>, proto=DEANA, daemon=MTA, relay=guogcagiv01 [10.005.12.107]
Assuming your msgID would now be msgID=a070yZwR021222 and all the sendmail transactions related to this msgID will not take longer than one minute, you can try to run a transaction on the events like this:
sourcetype=syslog host="relay" process=sm-mta | transaction "msgID", "to" startswith="from=" endswith="postmaster-mail.sh" maxspan=1min
This will use the fields msgID and to to build a transaction starting with events containing the string from= and ending with events containing postmaster-mail.sh, which does not take longer than one minute.
Maybe you need to adapt some options, but it should give you something to start with.
cheers, MuS
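The manual chain walk from the question (start at the queue ID on the postmaster-mail.sh line, follow each "origin: spawned:" line back to the original message) and MuS's one-minute-span assumption can both be checked outside Splunk. The script below is an added example, not code from either poster; it parses the log lines quoted in the thread (addresses blanked exactly as in the post, plus one constructed unrelated line to show it is filtered out), links the sendmail queue IDs, rebuilds the OR search from the question, and reports the first 5.x.x failure, the relay IP and the time span of the whole chain. The field names and the `splunk_query` base string are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the thread's own lines (trimmed), newest first as Splunk shows them,
# plus one unrelated queue ID (b111zzzz000001) that must not end up in the chain.
SAMPLE_LOG = """\
Jan 7 11:14:57 mailserver sm-mta[00228]: w010cweA015328: to=| postmaster-mail.sh, ctladdr=postmaster (1/0), delay=00:00:01, xdelay=00:00:01, mailer=esta, pri=20001, dsn=2.0.0, stat=Sent
Jan 7 11:14:56 mailserver sm-mta[00228]: x000mbnW025320: w010cweA015328: return to sender: User unknown
Jan 7 11:14:46 mailserver sm-mta[00228]: x000mbnW025320: to=, delay=00:00:05, xdelay=00:00:05, mailer=smtp, pri=10332, relay=[10.140.12.43] [10.140.12.43], dsn=5.1.1, stat=User unknown
Jan 7 11:14:41 mailserver sm-mta[00228]: a070yZwR021222: x000mbnW025320: DSN: User unknown
Jan 7 11:14:36 mailserver sm-mta[00228]: a070yZwR021222: to=, delay=00:00:25, xdelay=00:00:25, mailer=smtp, pri=0250112, relay=[10.140.12.43] [10.140.12.43], dsn=5.1.1, stat=User unknown
Jan 7 11:14:11 mailserver sm-mta[11642]: a070yZwR021222: from=, size=1210, class=0, nrcpts=41, msgid=<201300020033.a070yZwR021222@mailserver.ken.qt.rae.zg>, proto=DEANA, daemon=MTA, relay=guogcagiv01 [10.005.12.107]
Jan 7 11:14:10 mailserver sm-mta[11643]: b111zzzz000001: from=, size=500, class=0, nrcpts=1, msgid=<unrelated@mailserver.ken.qt.rae.zg>, proto=ESMTP, daemon=MTA, relay=other [10.005.12.108]
"""

# syslog prefix, process[pid], then the 14-character sendmail queue ID
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\S+?)\[(?P<pid>\d+)\]: "
    r"(?P<qid>[A-Za-z0-9]{14}): (?P<rest>.*)$"
)
# "origin: spawned: DSN ..." / "origin: spawned: return to sender ..." lines link two queue IDs
SPAWN_RE = re.compile(r"^(?P<spawned>[A-Za-z0-9]{14}): (?P<msg>.*)$")
DSN_RE = re.compile(r"dsn=(?P<dsn>\d\.\d+\.\d+), stat=(?P<stat>.*)$")
RELAY_RE = re.compile(r"relay=\S+ \[(?P<ip>[\d.]+)\]")
MSGID_RE = re.compile(r"msgid=(?P<msgid><[^>]+>)")


def parse_log(text):
    """Return one dict per sm-mta line with the queue ID and, if present, the spawned queue ID."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["raw"] = line
        ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        s = SPAWN_RE.match(ev["rest"])
        ev["spawned"] = s.group("spawned") if s else None
        events.append(ev)
    return events


def spawn_parents(events):
    """Map each spawned queue ID back to the queue ID that generated it."""
    return {ev["spawned"]: ev["qid"] for ev in events if ev["spawned"]}


def find_bounce_start(events, marker="postmaster-mail.sh"):
    """The queue ID on the line that the question monitors for."""
    for ev in events:
        if marker in ev["rest"]:
            return ev["qid"]
    return None


def walk_chain(start_qid, parents):
    """Follow spawned -> origin links back to the original message; guards against loops."""
    chain, seen, cur = [start_qid], {start_qid}, start_qid
    while cur in parents and parents[cur] not in seen:
        cur = parents[cur]
        chain.append(cur)
        seen.add(cur)
    return chain


def related_events(events, qids):
    """All events for the queue IDs in the chain, oldest first."""
    wanted = set(qids)
    return sorted((ev for ev in events if ev["qid"] in wanted), key=lambda ev: ev["time"])


def splunk_query(qids, base='sourcetype=syslog host="relay" process=sm-mta'):
    """Rebuild the OR search from the question (base string is an assumption)."""
    return base + " " + " OR ".join(qids)


def failure_summary(chain_events):
    """First permanent (5.x.x) failure with its relay IP, the origin msgid, and the chain's time span."""
    summary = {"first_failure": None, "origin_msgid": None, "span_seconds": None}
    for ev in chain_events:
        d = DSN_RE.search(ev["rest"])
        if d and d.group("dsn").startswith("5") and summary["first_failure"] is None:
            r = RELAY_RE.search(ev["rest"])
            summary["first_failure"] = {"qid": ev["qid"], "dsn": d.group("dsn"),
                                        "stat": d.group("stat"), "relay_ip": r.group("ip") if r else None}
        m = MSGID_RE.search(ev["rest"])
        if m:
            summary["origin_msgid"] = m.group("msgid")
    if chain_events:
        summary["span_seconds"] = int((chain_events[-1]["time"] - chain_events[0]["time"]).total_seconds())
    return summary


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    chain = walk_chain(find_bounce_start(evs), spawn_parents(evs))
    print(splunk_query(chain))
    print(failure_summary(related_events(evs, chain)))
```

The `span_seconds` value is what decides whether MuS's `maxspan=1min` is safe for a given chain; if real chains in the relay log come out longer, that option is the one to widen.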