Hi, I'm trying to do something a little tricky. I'd like to track failed delivery messages from a mail client, through our smarthosts, to our relays and match failed deliveries. The log files are aggregated. Here's an example of what I'd like to match, whilst retaining the original hostname:
05:14:02 smarthost exim: 1SRWuP-0000Un-1P <= em...@example.com H=mail.example.com
05:14:02 smarthost exim: 1SRWuP-0000Un-1P => em...@example.com H=relay000.example.com C="250 OK id=1SRWuQ-0000rr-Po"
05:14:02 relay0000 exim: 1SRWuQ-0000rr-Po ** em...@example.com: Unrouteable address

Perl isn't my strong point, nor programming in general, but the following seems to mostly work. Note that we need the first entry to capture the original hostname, the second to correlate the two message-ids, and the third to match a failed delivery.

# Pair rule: remember the originating host from the "<=" line, then, when
# the smarthost hands the same message to a relay, create a context named
# after the relay's new message id and store the originating host in it.
type=pair
continue=takenext
ptype=regexp
pattern=(smarthost) exim: (\w{6}-\w{6}-\w{2}) <= ([a-z0-9.-]+@[a-z0-9.-]+) H=(([a-z0-9-]+\.)+example\.com)
desc=Incoming message $2 from host $4
action=assign %p foo
ptype2=regexp
pattern2=(smarthost) exim: ($2) => ([a-z0-9.-]+@[a-z0-9.-]+).*H=relay\d+\.example\.com.*C="250 OK id=(\w{6}-\w{6}-\w{2})"
desc2=Mail passed from smtp to relays
action2=create $4 4 ; add $4 %4
window=4

# Single rule: a "**" failure on a relay only fires if a context for that
# relay message id exists; the originating host is copied out of it.
type=single
continue=takenext
ptype=regexp
pattern=(relay\d+) exim\[\d+\]: (\w{6}-\w{6}-\w{2}) \*\* ([a-z0-9.-]+@[a-z0-9.-]+)
context=$2
desc=failed delivery $2
action=copy $2 %host_fail ; eval %z ( $host_fail = '%host_fail' ; $host_fails{$host_fail}++; ); \
       logonly %s from host %host_fail (%z) message id $2

Now the problem arises because quite often the log messages arrive out of sequence. Is there a way to match against three log entries out of sequence? Again I need the original hostname, so the second (logical) log entry needs to tie the two message-ids, or contexts, together for the third to match a failed delivery. Apologies if this doesn't make sense, I've been staring at it for so long now I can't see the wood for the trees. Any help or suggestions for another approach would be very gratefully received.
Thanks, Richard
--
Richard Jones +44 7843 588 599 "Quod gratis asseritur, gratis negatur"
Privacy notice: http://www.jonze.com/privacy.html
_______________________________________________
Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
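The correlation the post is after, written out as an order-independent join rather than as an ordered Pair rule. This is an added example by the editor, not code from the post or from SEC: it indexes the three fragments (smarthost "<=" line, smarthost "=>" handoff carrying the relay's new id, relay "**" failure) by message id in three tables and reports a failure as soon as all three pieces are present, whatever order the aggregated log delivered them. The regexes, the 300-second retention window and the sample lines (message ids and hostnames taken from the post, addresses and one timestamp filled in) are assumptions made for the example; real exim lines carry extra fields (R=, T=, [ip], P=, S=) which the `.*` gaps are meant to skip.

```python
"""Order-independent correlation of exim smarthost -> relay -> bounce lines.

Added example, not part of the mailing-list post or of SEC. Each log line is
indexed by its message id; a failure is reported once the incoming line, the
handoff line (which links the two ids) and the failure line have all arrived.
"""
import itertools
import re

MSGID = r'\w{6}-\w{6}-\w{2}'
ADDR = r'[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+'
PREFIX = r'^(?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) exim(?:\[\d+\])?: '

# smarthost: <smid> <= <sender> ... H=<originating host>
RE_IN = re.compile(PREFIX + rf'(?P<smid>{MSGID}) <= (?P<addr>{ADDR}) .*\bH=(?P<src>\S+)')
# smarthost: <smid> => <rcpt> ... H=<relay> ... C="250 OK id=<rid>"  (links smid to rid)
RE_OUT = re.compile(PREFIX + rf'(?P<smid>{MSGID}) => (?P<addr>{ADDR}) .*\bH=(?P<relay>\S+) '
                    rf'.*C="250 OK id=(?P<rid>{MSGID})"')
# relay: <rid> ** <rcpt>: <reason>
RE_FAIL = re.compile(PREFIX + rf'(?P<rid>{MSGID}) \*\* (?P<addr>{ADDR}): (?P<reason>.*)$')


def _secs(hhmmss):
    """HH:MM:SS -> seconds since midnight (day rollover is not handled here)."""
    h, m, s = (int(x) for x in hhmmss.split(':'))
    return h * 3600 + m * 60 + s


class Correlator:
    def __init__(self, window=300):
        self.window = window      # seconds an unmatched fragment is retained (assumed)
        self.incoming = {}        # smid -> (t, originating host, sender)
        self.handoff = {}         # rid  -> (t, smid, relay host)
        self.failures = {}        # rid  -> (t, failing host, recipient, reason)
        self.latest = 0           # newest timestamp seen; drives expiry

    def feed(self, line):
        """Index one log line; return the correlations it completed (0 or 1)."""
        if m := RE_IN.match(line):
            t = _secs(m['time'])
            self.incoming[m['smid']] = (t, m['src'], m['addr'])
        elif m := RE_OUT.match(line):
            t = _secs(m['time'])
            self.handoff[m['rid']] = (t, m['smid'], m['relay'])
        elif m := RE_FAIL.match(line):
            t = _secs(m['time'])
            self.failures[m['rid']] = (t, m['host'], m['addr'], m['reason'])
        else:
            return []
        self.latest = max(self.latest, t)
        done = self._resolve()
        self._expire()
        return done

    def _resolve(self):
        # Any of the three lines may be the last to arrive, so the join is
        # attempted after every line rather than only after the failure.
        done = []
        for rid in list(self.failures):
            if rid not in self.handoff:
                continue
            _, smid, relay = self.handoff[rid]
            if smid not in self.incoming:
                continue
            _, src, sender = self.incoming.pop(smid)
            self.handoff.pop(rid)
            _, fhost, rcpt, reason = self.failures.pop(rid)
            done.append({'src_host': src, 'smarthost_id': smid, 'sender': sender,
                         'relay': relay, 'relay_id': rid, 'failed_on': fhost,
                         'rcpt': rcpt, 'reason': reason})
        return done

    def _expire(self):
        # Drop fragments older than the window so unmatched ids cannot grow unbounded.
        cutoff = self.latest - self.window
        for table in (self.incoming, self.handoff, self.failures):
            for key in [k for k, v in table.items() if v[0] < cutoff]:
                del table[key]


def correlate(lines, window=300):
    """Run a fresh Correlator over an iterable of lines; return all completed matches."""
    c = Correlator(window)
    out = []
    for line in lines:
        out.extend(c.feed(line))
    return out


# Constructed sample modelled on the three lines in the post (addresses filled in).
SAMPLE = [
    '05:14:02 smarthost exim: 1SRWuP-0000Un-1P <= alice@example.com H=mail.example.com',
    '05:14:02 smarthost exim: 1SRWuP-0000Un-1P => bob@example.com H=relay000.example.com '
    'C="250 OK id=1SRWuQ-0000rr-Po"',
    '05:14:03 relay0000 exim: 1SRWuQ-0000rr-Po ** bob@example.com: Unrouteable address',
]

if __name__ == '__main__':
    # Every arrival order produces the same single correlation.
    for order in itertools.permutations(SAMPLE):
        print(correlate(order))
```

The same idea can be carried into SEC by having each of the three rules store its fragment in a context keyed by message id and having all three attempt the join, but the point the block shows is that correlating on the pair of ids removes the dependence on arrival order; the window only bounds how long an orphaned fragment is kept.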