I’m very new to Graylog and now I’m stuck analyzing my MX server. The MX is a CentOS 7 box with a Postfix MTA, Postgrey greylisting and AMaVisD-New for spam and virus protection. Now I want to read the sender, the recipient and the sending SMTP server. But when I look in the logs there is more than one line I need to read and extract to get my information. I searched the marketplace and Google for a solution but I didn’t find anything. Does anyone have a way to get the information I need?
The main issue with mail server log files is that you will not have one log file per e-mail. You get multiple log messages for one e-mail, each containing a different working state.
Integrating such a Grok pattern ( https://github.com/whyscream/postfix-grok-patterns ) into Graylog is easy, but then you would need to group together the messages that represent one mail. That is not easy.
Currently I do not know of any FOSS log management solution that can work with vanilla/unmodified mail server log files and give meaningful feedback/analysis on them.
You can do this, but not without heavy customization and building of scripts.
@jan: I thought maybe someone has a solution for merging the single log entries into one. I think I can grep and rewrite the logs (one day later) with the message ID of Postfix. This is hard work, and maybe AMaVis will be the next problem.
Thank you very much
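The grouping jan describes and the queue-ID merge proposed above, as an added example (not code from this thread or from Graylog): a Python script that correlates Postfix log lines by queue ID and follows the amavisd-new re-injection ("queued as &lt;new ID&gt;" in the first delivery's status) to the final delivery, so one record per mail ends up with the real sending client, sender, recipient and final relay. The log lines, hostnames and addresses are constructed; the queue-ID pattern assumes Postfix's default short (uppercase hex) IDs.

```python
import re
from collections import defaultdict

# Constructed sample of a Postfix + amavisd-new flow (not real logs). The
# content filter hands the mail back under a second queue ID, which the first
# delivery's status line reports as "queued as <ID>".
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtpd[1234]: connect from mail.example.org[203.0.113.5]
Jan 10 12:00:01 mx postfix/smtpd[1234]: 4F2A1C0B3E: client=mail.example.org[203.0.113.5]
Jan 10 12:00:02 mx postfix/qmgr[1100]: 4F2A1C0B3E: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Jan 10 12:00:03 mx postfix/smtp[1236]: 4F2A1C0B3E: to=<bob@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.5/0.01/0.1/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7B9D2E11A7)
Jan 10 12:00:03 mx postfix/qmgr[1100]: 4F2A1C0B3E: removed
Jan 10 12:00:03 mx postfix/smtpd[1240]: 7B9D2E11A7: client=localhost[127.0.0.1]
Jan 10 12:00:03 mx postfix/qmgr[1100]: 7B9D2E11A7: from=<alice@example.org>, size=2300, nrcpt=1 (queue active)
Jan 10 12:00:04 mx postfix/local[1241]: 7B9D2E11A7: to=<bob@example.com>, relay=local, delay=0.3, delays=0.1/0.01/0/0.2, dsn=2.0.0, status=sent (delivered to maildir)
Jan 10 12:00:04 mx postfix/qmgr[1100]: 7B9D2E11A7: removed
"""

# Lines carrying per-mail state look like "postfix/<prog>[pid]: <QUEUEID>: key=value, ...".
# Short queue IDs are uppercase hex, so "connect from" / "warning:" lines do not match.
LINE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")      # from=<a@b>, relay=host[ip]:port, status=sent
REINJECT_RE = re.compile(r"queued as ([0-9A-F]{6,})")  # link to the post-filter queue ID

def correlate(log_text):
    """Return {queue_id: fields} with one entry per mail as seen by the sending client."""
    mails = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # no queue ID on this line, nothing to attribute to a mail
        rec = mails[m["qid"]]
        for key, val in KV_RE.findall(m["rest"]):
            rec.setdefault(key, val.strip("<>"))  # first occurrence wins (e.g. first recipient)
        r = REINJECT_RE.search(m["rest"])
        if r:
            rec["reinjected_as"] = r.group(1)
    # The post-filter record shows client=localhost; keep the pre-filter record as the mail's
    # identity and pull the final relay/status from its re-injected continuation.
    children = {rec["reinjected_as"] for rec in mails.values() if "reinjected_as" in rec}
    result = {}
    for qid, rec in mails.items():
        if qid in children:
            continue
        nxt = mails.get(rec.get("reinjected_as"), {})
        rec["final_relay"] = nxt.get("relay", rec.get("relay"))
        rec["final_status"] = nxt.get("status", rec.get("status"))
        result[qid] = rec
    return result

if __name__ == "__main__":
    for qid, rec in correlate(SAMPLE_LOG).items():
        print(qid, rec["client"], rec["from"], "->", rec["to"], rec["final_relay"], rec["final_status"])
```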