Analyzing Postfix / Amavis logfiles


#1

Hey there,

I’m very new to Graylog and now I’m stuck analyzing my MX server. The MX is a CentOS 7 box with a Postfix MTA, Postgrey greylisting and AMaVisD-New for spam and virus protection. Now I want to read the sender, the recipient and the sending SMTP server. But when I look in the logs, there is more than one line I need to read and extract to get my information. I searched the marketplace and Google for a solution but I didn’t find anything. Does anyone have a way to get the information I need?

Thanks a lot

Stephan


(kregg) #2

You could install the nxlog agent and send the logs as syslog.


(kregg) #3

See the file input: http://nxlog-ce.sourceforge.net/nxlog-docs/en/nxlog-reference-manual.html#im_file


#4

Hey,
I do not have the problem with transmitting the data. My problem is analyzing the data.


(kregg) #5

I am suggesting using nxlog to rewrite the log before it is sent.


(Jan Doberstein) #6

hej @stephan.wild

The main issue with mail server log files is that you will not have one log file per e-mail. You get multiple log messages for one e-mail, each containing a different working state.

Integrating such a GROK pattern ( https://github.com/whyscream/postfix-grok-patterns ) into Graylog is easy, but then you would need to group together the messages that represent one mail. That is not easy.

Currently I do not know of any FOSS log management solution that can work with vanilla/unmodified mail server log files and give some meaningful feedback/analysis on them.

You can do this, but not without heavy customization and building of scripts.


#7

Hi,
@kregg: Thanks for the hint.

@jan: I thought maybe someone has a solution for merging the single log entries into one. I think I can grep and rewrite the logs (one day later) using the Postfix message ID. This is hard work, and maybe AMaVis will be the next problem.
Thank you very much
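An added example, not code from the thread, of the grouping Jan describes and the queue-ID based rewrite Stephan is considering: it joins Postfix smtpd/cleanup/qmgr/smtp lines and the amavisd-new verdict line on the Postfix queue ID and emits one record per mail. The log lines are constructed samples in the standard Postfix and amavisd-new syslog format; the greylisted NOQUEUE reject shows a line that cannot be correlated because it never got a queue ID.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix / amavisd-new syslog format; not taken from the thread.
SAMPLE_LOG = """\
Mar  3 09:12:01 mx postfix/smtpd[2101]: 4F1A2B3C4D: client=mail.example.org[192.0.2.10]
Mar  3 09:12:01 mx postfix/cleanup[2102]: 4F1A2B3C4D: message-id=<abc@example.org>
Mar  3 09:12:01 mx postfix/qmgr[2103]: 4F1A2B3C4D: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Mar  3 09:12:03 mx amavis[2200]: (02200-01) Passed CLEAN {RelayedInbound}, [192.0.2.10]:52000 [192.0.2.10] <alice@example.org> -> <bob@example.com>, Queue-ID: 4F1A2B3C4D, Message-ID: <abc@example.org>, Hits: -1.2, queued_as: 5A6B7C8D9E, 1234 ms
Mar  3 09:12:03 mx postfix/smtp[2104]: 4F1A2B3C4D: to=<bob@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, status=sent (250 2.0.0 Ok: queued as 5A6B7C8D9E)
Mar  3 09:12:03 mx postfix/qmgr[2103]: 4F1A2B3C4D: removed
Mar  3 09:13:10 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.2.0 Greylisted
"""

# Every Postfix line carries the queue ID right after the program name; that ID is
# the key that ties the smtpd, cleanup, qmgr and smtp lines of one mail together.
POSTFIX_RE = re.compile(r" postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-Z]{6,}): (?P<rest>.*)$")
FIELD_RE = re.compile(r"\b(?P<key>client|from|to|message-id)=<?(?P<val>[^>,]*)>?")
STATUS_RE = re.compile(r"\bstatus=(?P<status>\w+)")
# amavisd-new logs its verdict together with the Postfix Queue-ID of the scanned message.
AMAVIS_RE = re.compile(r" amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) (?P<cat>\w+).*?Queue-ID: (?P<qid>[0-9A-Z]+)")


def correlate(log_text):
    """Return {queue_id: record} with sender, recipients, client, status and amavis verdict."""
    mails = defaultdict(lambda: {"recipients": [], "completed": False})
    for line in log_text.splitlines():
        m = POSTFIX_RE.search(line)
        if m and m.group("qid") != "NOQUEUE":   # rejected-at-RCPT mail never gets a queue ID
            rec = mails[m.group("qid")]
            rest = m.group("rest")
            for f in FIELD_RE.finditer(rest):
                if f.group("key") == "to":        # one mail may have several recipients
                    rec["recipients"].append(f.group("val"))
                else:
                    rec[f.group("key")] = f.group("val")
            s = STATUS_RE.search(rest)
            if s:
                rec["status"] = s.group("status")
            if rest == "removed":                 # qmgr's final line closes the record
                rec["completed"] = True
            continue
        a = AMAVIS_RE.search(line)
        if a:
            mails[a.group("qid")]["amavis"] = f"{a.group('verdict')} {a.group('cat')}"
    return dict(mails)


if __name__ == "__main__":
    for qid, rec in correlate(SAMPLE_LOG).items():
        print(qid, rec)
```

The flattened records are what you would forward to Graylog (or write back as one rewritten line per mail) instead of the raw multi-line log; the re-injected copy after amavis gets its own queue ID, which the amavis `queued_as` field lets you chain if you need the final delivery status too.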