I tried to answer this question a little earlier and it seems to have failed somehow.
If this ends up being a duplicate, my apologies.
I was looking for a head start on this myself when I found your post.
I have a new exim4 relay server that I need to monitor.
Here’s what I came up with myself - wiser spelunkers are welcome to improve on it:
First, a lot of the fields are parsed automatically by Splunk. That’s because they are name=value pairs. You can find their meanings in the exim4 docs. In Splunk they look like H=xxx, CN=xxx, etc.
You can use rename to give the fields friendlier names.
Here’s an example (your index name is undoubtedly different):
index=smtpexim | rename H as HostSender | stats count by HostSender host
This is useful for seeing which hosts are using the relay server.
I also needed to get alerts when there are email transfer failures. Here I needed to combine all the events related to one mail transfer. A good use of transactions. I also had to extract the message id which, strangely enough, is not part of a name value pair. It follows the time stamp in the log.
This search uses the index and sourcetype I defined. Just substitute here.
In actual use I saved the regex as a field extraction after testing it in the search, below.
index=smtpexim sourcetype=exim4logs | rex field=_raw "^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s(?P<messageID>.+?)\s.*" |transaction messageID | search NOT Completed AND NOT "queue run"
This should not return any events unless a message transfer is not successfully completed. I still haven’t tested it with a bogus message. But I think the Splunk part is good start.
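As an added, stand-alone illustration of what the two searches above do (the `H` to `HostSender` rename and count, and the message-ID extraction with a per-message grouping that flags transfers without a `Completed` line), here is a small Python parser over a few constructed exim4 mainlog lines. It is not part of the original post and not Splunk code; the sample lines are made up, and the check that the token after the timestamp is an Exim message ID (three dash-separated alphanumeric groups of 6, 6 and 2 characters) is an assumption used to skip "queue run" lines the way `NOT "queue run"` does in the search.

```python
import re
from collections import Counter, defaultdict

# Constructed sample exim4 mainlog lines (hosts, addresses and IDs are made up).
SAMPLE_LOG = """\
2024-03-01 10:00:01 1rXXXX-000001-AA <= alice@example.org H=mail1.example.org [192.0.2.10] P=esmtp S=1234
2024-03-01 10:00:02 1rXXXX-000001-AA => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5]
2024-03-01 10:00:02 1rXXXX-000001-AA Completed
2024-03-01 10:05:00 Start queue run: pid=4321
2024-03-01 10:05:00 End queue run: pid=4321
2024-03-01 10:10:11 1rXXXX-000002-BB <= carol@example.org H=mail2.example.org [192.0.2.11] P=esmtp S=999
2024-03-01 10:10:12 1rXXXX-000002-BB == bob@example.net R=dnslookup T=remote_smtp defer (-53): retry time not reached
2024-03-01 10:20:00 1rXXXX-000003-CC <= dave@example.org H=mail1.example.org [192.0.2.10] P=esmtp S=555
2024-03-01 10:20:01 1rXXXX-000003-CC => erin@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5]
2024-03-01 10:20:01 1rXXXX-000003-CC Completed
"""

# Timestamp first, then the rest of the line (same shape as the rex in the post).
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
# Assumed Exim message-ID shape: 6-6-2 alphanumeric groups, e.g. 1rXXXX-000001-AA.
MSGID_RE = re.compile(r"^[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}$")
# The name=value pairs Splunk extracts automatically (H=, P=, S=, R=, T=, ...).
KV_RE = re.compile(r"(?:^|\s)([A-Za-z]{1,3})=(\S+)")
# Friendlier names, like "rename H as HostSender" in the search.
FRIENDLY = {"H": "HostSender"}


def parse_line(line):
    """Return {"ts", "message_id", "text", "fields"} for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, rest = m.group("ts"), m.group("rest")
    # The message ID is the token right after the timestamp; lines such as
    # "Start queue run: pid=..." have no ID, so message_id stays None for them.
    first, _, _ = rest.partition(" ")
    message_id = first if MSGID_RE.match(first) else None
    fields = {FRIENDLY.get(k, k): v for k, v in KV_RE.findall(rest)}
    return {"ts": ts, "message_id": message_id, "text": rest, "fields": fields}


def host_sender_counts(log_text):
    """Count arriving messages ("<=" lines) per sending host: the rename + stats search."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["message_id"] and " <= " in ev["text"] and "HostSender" in ev["fields"]:
            counts[ev["fields"]["HostSender"]] += 1
    return counts


def incomplete_transfers(log_text):
    """Group events by message ID (the transaction) and return IDs with no Completed line."""
    by_id = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["message_id"]:
            by_id[ev["message_id"]].append(ev)
    return sorted(
        mid for mid, events in by_id.items()
        if not any(ev["text"].endswith(" Completed") for ev in events)
    )


if __name__ == "__main__":
    print("arrivals per sending host:", dict(host_sender_counts(SAMPLE_LOG)))
    print("transfers not completed:", incomplete_transfers(SAMPLE_LOG))
```

On the sample above the deferred message `1rXXXX-000002-BB` is the only one reported, which is the case the "NOT Completed" search is meant to alert on; the two queue-run lines are dropped because their first token is not a message ID, rather than by matching on the text "queue run".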