> On Mar 05, 2015, at 12.51, Wietse Venema <wie...@porcupine.org> wrote:
>
> btb:
>> when reviewing postscreen entries in logs, it's difficult to quickly
>> grep for entries relevant to a particular session, since the only unique
>> value in the entry is the pid, which is quite long lived and spans many
>> sessions. i wondered how practical it might be to include a unique id
>> along with the log message, to assist in exercises like this.
>
> Instead of a session ID, you could use the remote IP address and
> TCP port. In the example below, that is [198.251.79.135]:60343.
>
> Untested PCRE pattern: (for|from)\s(\[[0-9a-f:.]+\]:\d+).
> Use $2 to extract the interesting bits.
>
> Wietse
>
> Mar 5 00:06:22 spike postfix/postscreen[95625]: CONNECT from
> [198.251.79.135]:60343 to [168.100.189.2]:25
> Mar 5 00:06:22 spike postfix/postscreen[95625]: PREGREET 14 after 0.05 from
> [198.251.79.135]:60343: EHLO ylmf-pc\r\n
> Mar 5 00:06:22 spike postfix/postscreen[95625]: DNSBL rank 2 for
> [198.251.79.135]:60343
> Mar 5 00:06:22 spike postfix/postscreen[95625]: HANGUP after 0.11 from
> [198.251.79.135]:60343 in tests after SMTP handshake
> Mar 5 00:06:22 spike postfix/postscreen[95625]: DISCONNECT
> [198.251.79.135]:60343

ah, of course. thanks wietse and noel for this idea, it should be more than adequate. i understand the importance of efficiency in postscreen, and wanting to avoid adding things that will slow it down.

-ben
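
One way to apply the IP-address-and-port idea from this thread, as an added example that is not code from either poster or from Postfix: it groups postscreen lines by client endpoint and opens a new session at each CONNECT, since the same address and port can recur later under the same pid. It matches the bracketed endpoint itself rather than a preceding for/from, so DISCONNECT lines are included; the function name, the 192.0.2.10 lines and the 00:09 reconnect are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the five lines quoted in the thread (unwrapped), plus
# made-up lines for a second client and a later reuse of the same IP:port.
SAMPLE_LOG = r"""
Mar 5 00:06:22 spike postfix/postscreen[95625]: CONNECT from [198.251.79.135]:60343 to [168.100.189.2]:25
Mar 5 00:06:22 spike postfix/postscreen[95625]: CONNECT from [192.0.2.10]:41000 to [168.100.189.2]:25
Mar 5 00:06:22 spike postfix/postscreen[95625]: PREGREET 14 after 0.05 from [198.251.79.135]:60343: EHLO ylmf-pc\r\n
Mar 5 00:06:22 spike postfix/postscreen[95625]: PASS OLD [192.0.2.10]:41000
Mar 5 00:06:22 spike postfix/postscreen[95625]: DNSBL rank 2 for [198.251.79.135]:60343
Mar 5 00:06:22 spike postfix/postscreen[95625]: HANGUP after 0.11 from [198.251.79.135]:60343 in tests after SMTP handshake
Mar 5 00:06:22 spike postfix/postscreen[95625]: DISCONNECT [198.251.79.135]:60343
Mar 5 00:09:40 spike postfix/postscreen[95625]: CONNECT from [198.251.79.135]:60343 to [168.100.189.2]:25
Mar 5 00:09:46 spike postfix/postscreen[95625]: DISCONNECT [198.251.79.135]:60343
"""

# The text after "postfix/postscreen[pid]: " is the message.
LINE_RE = re.compile(r"postfix/postscreen\[\d+\]: (?P<msg>.*)$")
# Bracketed IPv4/IPv6 address followed by :port.
ENDPOINT_RE = re.compile(r"\[[0-9a-fA-F:.]+\]:\d+")


def sessions_by_client(log_text):
    """Map each client [addr]:port to its sessions (lists of messages)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a postscreen line
        msg = m.group("msg")
        ep = ENDPOINT_RE.search(msg)  # first endpoint in the message is the client
        if not ep:
            continue
        client = ep.group(0)
        # A CONNECT opens a new session; so does a first sighting without one
        # (for example when the log was rotated mid-session).
        if msg.startswith("CONNECT ") or not sessions[client]:
            sessions[client].append([])
        sessions[client][-1].append(msg)
    return dict(sessions)


if __name__ == "__main__":
    for client, runs in sessions_by_client(SAMPLE_LOG).items():
        for n, run in enumerate(runs, 1):
            print(f"{client} session {n}")
            for msg in run:
                print("   ", msg)
```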