Daily Challenge: Postfix logging extractor


Hi, I am new to Graylog.
I redirect the syslog postfix log to Graylog, and I find it difficult to search, for example, for a sent email from the beginning to the end, as in every MTA it gets a new ID (I configure streams).
Any advice please? How to perfectly exploit postfix with Graylog?
Thank you,

Hello and Welcome

I’m not understanding your problem, could you explain in greater detail about this environment or show us your configurations you made. That would help us troubleshoot your issue.
Thanks

Welcome, Wafa, to the Graylog Community,

I’ve moved your question to Daily Challenges where it’s likely to get more expert eyes focused on it. While we await a response, check out this post, which may provide some guidance.

Hi @wbenkhoud,
I think we had a similar problem:
We have a few lines from postfix, each with a bit of information in it: once the sender email, once the sender IP, once the recipient, and so on. An example:

mail.example.com mta[1513773]: 15SE09GJ1513766: to=<to@example.com>, delay=00:00:03, xdelay=00:00:02, mailer=smtp1, pri=186195, relay=[12.12.12.12] [12.12.12.11], dsn=2.0.0, stat=Sent (15SE09GJ1513766 Message accepted for delivery)
mail.example.com mta[1513763]: 15SE09GJ1513766: from=<from@example.com>, size=66195, class=0, nrcpts=1, msgid=<some.vers.long.id@example.com>, proto=ESMTPS, daemon=MTA-v4, relay=relay.example.com [123.123.123.123]

Both lines are parsed via Groks into their fields. Of interest here are the field email_queue_id:15SE09GJ1513766, which exists in both messages, and the fields email_to:to@example.com and email_from:from@example.com (skipping the meta-info about timings and IPs).

The only solution on the Graylog side I am aware of at the moment is searching for the email_queue_id across all the lines. If you build a dashboard with a message table, you can add the fields for those values in the table and get an overview quite quickly. It will be a bit of a messy view, as each of the log lines only populates some fields. If you are searching for multiple email_queue_ids this might be a bit challenging to read.

We developed a solution for us and are currently in the process of figuring out if and how we can make it available to others.

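The correlation the reply above describes (parse each MTA line into fields, then gather every line that carries the same email_queue_id into one view) can be reproduced offline to check what a message table on a dashboard would show. The script below is an added example, not code from the poster or from Graylog: the regular expressions are assumptions that approximate the Grok patterns the reply mentions, the field names email_queue_id, email_to and email_from are taken from the reply, and the log input is the two lines quoted above plus one constructed line for a mail whose delivery-status line was never logged.

```python
import re
from collections import defaultdict

# Constructed input: the two MTA lines quoted in the reply above, plus one
# constructed line (queue id 15SE0ABC1513790) with only a from= record, to
# show what the view looks like when the to=/stat= line is missing.
SAMPLE_LOG = """\
mail.example.com mta[1513773]: 15SE09GJ1513766: to=<to@example.com>, delay=00:00:03, xdelay=00:00:02, mailer=smtp1, pri=186195, relay=[12.12.12.12] [12.12.12.11], dsn=2.0.0, stat=Sent (15SE09GJ1513766 Message accepted for delivery)
mail.example.com mta[1513763]: 15SE09GJ1513766: from=<from@example.com>, size=66195, class=0, nrcpts=1, msgid=<some.vers.long.id@example.com>, proto=ESMTPS, daemon=MTA-v4, relay=relay.example.com [123.123.123.123]
mail.example.com mta[1513790]: 15SE0ABC1513790: from=<other@example.com>, size=1024, class=0, nrcpts=1, msgid=<other.id@example.com>, proto=ESMTPS, daemon=MTA-v4, relay=relay.example.com [123.123.123.123]
"""

# Assumed patterns standing in for the Grok patterns: the common header
# (host, process[pid], queue id) and the trailing key=value list, where a
# value is either <angle-bracketed> or runs up to the next comma.
HEADER_RE = re.compile(
    r"^(?P<host>\S+) (?P<process>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<email_queue_id>[A-Za-z0-9]+): (?P<rest>.*)$"
)
KV_RE = re.compile(r"(?P<key>\w+)=(?:<(?P<bracket>[^>]*)>|(?P<plain>[^,]*))")

# Rename the raw keys to the field names used in the reply.
FIELD_NAMES = {"to": "email_to", "from": "email_from"}


def parse_line(line):
    """Parse one MTA log line into a flat dict of fields, or None if it does not match."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    fields = {k: m.group(k) for k in ("host", "process", "pid", "email_queue_id")}
    for kv in KV_RE.finditer(m.group("rest")):
        if kv.group("bracket") is not None:
            value = kv.group("bracket")
        else:
            value = kv.group("plain").strip()
        fields[FIELD_NAMES.get(kv.group("key"), kv.group("key"))] = value
    return fields


def correlate(log_text):
    """Group all parsed lines by email_queue_id, the way a search on that field does.

    Each field holds the list of distinct values seen across the mail's lines,
    so fields that differ per line (pid, relay) are kept rather than overwritten.
    """
    mails = defaultdict(dict)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        mail = mails[fields["email_queue_id"]]
        for key, value in fields.items():
            seen = mail.setdefault(key, [])
            if value not in seen:
                seen.append(value)
    return dict(mails)


def trace(mails, email_queue_id):
    """One-line journey of a mail (sender, recipient, delivery status), or None if unknown."""
    mail = mails.get(email_queue_id)
    if mail is None:
        return None
    sender = ", ".join(mail.get("email_from", ["?"]))
    recipient = ", ".join(mail.get("email_to", ["?"]))
    status = ", ".join(mail.get("stat", ["(no delivery status logged)"]))
    return f"{email_queue_id}: {sender} -> {recipient} [{status}]"


if __name__ == "__main__":
    mails = correlate(SAMPLE_LOG)
    for queue_id in sorted(mails):
        print(trace(mails, queue_id))
```

A mail that never produced a to=/stat= line still gets a row, marked with "(no delivery status logged)", which is the case that is easy to miss in a message table where every row only fills some columns.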
