We had a series of events that meant our SUFs were unable to forward to their respective indexers for about 10 days.
For this whole time, the queues were blocked.
Unfortunately, for those 10 days, it appears we have lost data :(.
I have read up a bit about queues, but one thing I am unsure about is what happens when the queues are blocked?
And in my situation, where communication was lost for an extended period of time, do events cache on local disk, if so, for how long? I checked limits.conf but couldn't find much, apart from maxqueuesize.
I guess I need to find the root cause, and future mitigation, of the data loss for the higher-ups. Cheers.
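The post asks what happens while a forwarder's queues are blocked and how to prevent the loss next time. Whatever the root cause, the forwarder's own metrics.log reports `group=queue` lines with `blocked=true` for the stalled queue on every metrics interval, so an alert on prolonged blocking is the early warning a defender wants. The script below is an added example, not code from the post or from Splunk: it parses a constructed sample of such lines (the sample values are invented, the line layout follows metrics.log), reconstructs how long each queue stayed blocked, and flags anything blocked longer than an assumed threshold.

```python
import re
from datetime import datetime

# Constructed sample of metrics.log "group=queue" lines; values are invented.
# A blocked queue keeps reporting blocked=true until it drains again.
SAMPLE_METRICS_LOG = """\
01-05-2024 10:00:00.000 +0000 INFO  Metrics - group=queue, name=tcpout_idx_pool, max_size_kb=500, current_size_kb=120, current_size=300, largest_size=310, smallest_size=0
01-05-2024 10:00:30.000 +0000 INFO  Metrics - group=queue, name=tcpout_idx_pool, blocked=true, max_size_kb=500, current_size_kb=500, current_size=1200, largest_size=1200, smallest_size=1200
01-05-2024 10:01:00.000 +0000 INFO  Metrics - group=queue, name=tcpout_idx_pool, blocked=true, max_size_kb=500, current_size_kb=500, current_size=1200, largest_size=1200, smallest_size=1200
01-05-2024 10:01:00.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=10, current_size=20, largest_size=40, smallest_size=0
01-05-2024 10:01:30.000 +0000 INFO  Metrics - group=queue, name=tcpout_idx_pool, blocked=true, max_size_kb=500, current_size_kb=500, current_size=1200, largest_size=1200, smallest_size=1200
01-05-2024 10:02:00.000 +0000 INFO  Metrics - group=queue, name=tcpout_idx_pool, max_size_kb=500, current_size_kb=40, current_size=90, largest_size=1200, smallest_size=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"\w+\s+Metrics - (?P<kv>.*)$"
)
TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f %z"


def parse_queue_metrics(text):
    """Return the group=queue lines as dicts with a parsed 'ts' and a boolean 'blocked'."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = {}
        for pair in m.group("kv").split(", "):
            key, _, value = pair.partition("=")
            fields[key.strip()] = value.strip()
        if fields.get("group") != "queue" or "name" not in fields:
            continue
        fields["ts"] = datetime.strptime(m.group("ts"), TS_FORMAT)
        fields["blocked"] = fields.get("blocked", "false").lower() == "true"
        records.append(fields)
    return records


def blocked_intervals(records):
    """Map queue name -> list of (start, end) blocked intervals.

    An interval opens at the first blocked=true sample and closes at the first later
    sample of that queue without blocked=true; end is None if the queue never drained.
    """
    open_since, intervals = {}, {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        name = rec["name"]
        if rec["blocked"]:
            open_since.setdefault(name, rec["ts"])
        elif name in open_since:
            intervals.setdefault(name, []).append((open_since.pop(name), rec["ts"]))
    for name, start in open_since.items():
        intervals.setdefault(name, []).append((start, None))
    return intervals


def alert_blocked(records, threshold_seconds):
    """Queues blocked for at least threshold_seconds; open intervals are measured to the last sample."""
    alerts = []
    last_ts = max(r["ts"] for r in records) if records else None
    for name, spans in blocked_intervals(records).items():
        for start, end in spans:
            seconds = ((end or last_ts) - start).total_seconds()
            if seconds >= threshold_seconds:
                alerts.append({"queue": name, "start": start,
                               "blocked_seconds": seconds, "still_blocked": end is None})
    return alerts


if __name__ == "__main__":
    # Threshold of 60 seconds is an assumption for the demo; tune it to your metrics interval.
    for a in alert_blocked(parse_queue_metrics(SAMPLE_METRICS_LOG), threshold_seconds=60):
        print(f"{a['queue']} blocked {a['blocked_seconds']:.0f}s from {a['start']}"
              f"{' (still blocked)' if a['still_blocked'] else ''}")
```

In production the same logic runs over the real `$SPLUNK_HOME/var/log/splunk/metrics.log` (or a search over `index=_internal source=*metrics.log group=queue blocked=true`), and the alert should page long before ten days of blocking accumulate.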
We host an intermediate email greylister for our clients.
We also log all inbound attachments, and generate reports from that.
I need to show essentially the source mail-server for these attachments.
However, our postfix logs only log the last hop, which is our greylister. Therefore, all attachment logs appear to come from our greylister.
I am wondering if Splunk can query MX records from an email address, convert that to an IP which I can then geoip?
For the record, here is our postfix logging config for header_checks:
/^Content-(Disposition|Type).*name\s*=\s*?(.*(\.|=2E)(.*))/ WARN AttachmentFound: "$2"
Any help would be appreciated.
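Splunk can call out to an external lookup script that reads a CSV of field values on stdin and writes the same CSV back with extra columns filled in; the script below is an added example of that contract for the MX-to-IP step asked about above. It is not code from the post or from Splunk. It assumes a field named `sender` holding the address, output fields `mx_host` and `mx_ip`, and the `dnspython` package for the live MX query; the resolvers are injected so the logic can be exercised offline against constructed records (the domain, hosts and the 192.0.2.x address are made up). One caveat worth keeping in mind when reading the resulting geoip: a domain's MX is where mail addressed to that domain is delivered, not necessarily the host that sent this particular message, so the connecting client IP that Postfix logs on the greylister itself is the more reliable origin.

```python
import csv
import io
import socket
import sys


def sender_domain(address):
    """Domain part of an email address, lowercased and without a trailing dot ('' if none)."""
    _, at, domain = address.strip().rpartition("@")
    return domain.lower().rstrip(".") if at else ""


def lowest_preference_mx(mx_records):
    """mx_records is an iterable of (preference, hostname); return the preferred host."""
    if not mx_records:
        return ""
    _, host = min(mx_records, key=lambda r: r[0])
    return host.rstrip(".")


def dnspython_mx(domain):
    """Live MX lookup via dnspython (assumed installed); returns [] on any DNS failure."""
    import dns.exception
    import dns.resolver
    try:
        answer = dns.resolver.resolve(domain, "MX")
    except dns.exception.DNSException:
        return []
    return [(r.preference, r.exchange.to_text()) for r in answer]


def resolve_mx_ip(address, resolve_mx, resolve_a=socket.gethostbyname):
    """Return {'mx_host', 'mx_ip'} for the sender's domain; empty strings when unresolvable."""
    domain = sender_domain(address)
    host = lowest_preference_mx(resolve_mx(domain)) if domain else ""
    if not host:
        return {"mx_host": "", "mx_ip": ""}
    try:
        ip = resolve_a(host)
    except OSError:  # socket.gaierror is a subclass
        ip = ""
    return {"mx_host": host, "mx_ip": ip}


def run_lookup(input_text, resolve_mx, resolve_a=socket.gethostbyname):
    """Splunk external-lookup contract: CSV in, same columns out with mx_host/mx_ip filled."""
    reader = csv.DictReader(io.StringIO(input_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row.update(resolve_mx_ip(row.get("sender", ""), resolve_mx, resolve_a))
        writer.writerow(row)
    return out.getvalue()


# Constructed records for an offline run; none of these refer to real infrastructure.
SAMPLE_CSV = "sender,mx_host,mx_ip\nalice@example.com,,\nbad-address,,\n"
FAKE_MX = {"example.com": [(20, "mx2.example.com."), (10, "mx1.example.com.")]}
FAKE_A = {"mx1.example.com": "192.0.2.10"}


def demo():
    """Run the lookup against the constructed records using in-memory resolvers."""
    return run_lookup(SAMPLE_CSV, lambda d: FAKE_MX.get(d, []), lambda h: FAKE_A.get(h, ""))


if __name__ == "__main__":
    if sys.stdin.isatty():
        sys.stdout.write(demo())
    else:  # invoked by Splunk: live resolution over the CSV it pipes in
        sys.stdout.write(run_lookup(sys.stdin.read(), dnspython_mx))
```

Wired up as an external lookup (`external_cmd` in transforms.conf with `fields_list = sender, mx_host, mx_ip`), the search becomes `... | lookup mxlookup sender OUTPUT mx_ip | iplocation mx_ip`; the lookup name is an assumption. Cache results or restrict the lookup to a deduplicated set of domains, since every row triggers a DNS query.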