Hi,

I'm trying to do something a little tricky. I'd like to track failed
delivery messages from a mail client, through our smarthosts, to our
relays and match failed deliveries. The log files are aggregated. Here's an
example of what I'd like to match, whilst retaining the original hostname:

05:14:02 smarthost exim: 1SRWuP-0000Un-1P <= em...@example.com H=mail.example.com
05:14:02 smarthost exim: 1SRWuP-0000Un-1P => em...@example.com H=relay000.example.com C="250 OK id=1SRWuQ-0000rr-Po"
05:14:02 relay0000 exim: 1SRWuQ-0000rr-Po ** em...@example.com: Unrouteable address

Perl isn't my strong point, nor programming in general, but the following seems
to mostly work. Note that we need the first entry to capture the original
hostname, the second to correlate the two message-ids, and the third to match a
failed delivery.

# Rule 1: tie the smarthost's incoming line (<=) to its hand-off to a relay (=>)
# and remember the original client hostname under the relay's message-id.
type=pair
continue=takenext
ptype=regexp
pattern=(smarthost) exim(?:\[\d+\])?: (\w{6}-\w{6}-\w{2}) <= ([a-z0-9.-]+@[a-z0-9.-]+) H=(([a-z0-9-]+\.)+example\.com)
desc=Incoming message $2 from host $4
action=assign %p foo
ptype2=regexp
# $2 below is the smarthost message-id captured by the first pattern
pattern2=(smarthost) exim(?:\[\d+\])?: ($2) => ([a-z0-9.-]+@[a-z0-9.-]+).*H=relay\d+\.example\.com.*C="250 OK id=(\w{6}-\w{6}-\w{2})"
desc2=Mail passed from smtp to relays
# create a context named after the relay's message-id ($4) with a 4 s lifetime
# and add the original hostname captured by the first pattern to it
action2=create $4 4 ; add $4 %4
window=4

# Rule 2: a bounce (**) on a relay; its message-id names the context created
# above, so the original hostname can be copied out of that context.
type=single
continue=takenext
ptype=regexp
pattern=(relay\d+) exim(?:\[\d+\])?: (\w{6}-\w{6}-\w{2}) \*\* ([a-z0-9.-]+@[a-z0-9.-]+)
context=$2
desc=failed delivery $2
action=copy $2 %host_fail ; eval %z ( $host_fail = '%host_fail' ; $host_fails{$host_fail}++; ); \
       logonly %s from host %host_fail (%z) message id $2

Now the problem arises because quite often the log messages arrive out of
sequence. Is there a way to match against three log entries out of sequence?
Again I need the original hostname, so the second (logical) log entry needs to
tie the two message-ids, or contexts, together for the third to match a failed
delivery.

Apologies if this doesn't make sense, I've been staring at it for so long now I
can't see the wood for the trees.

Any help or suggestions for another approach would be very gratefully received.

Thanks,

Richard


-- 
Richard Jones                                      +44 7843 588 599
              "Quod gratis asseritur, gratis negatur"              
Privacy notice:                   http://www.jonze.com/privacy.html

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
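Another way to look at the out-of-order problem, as an added example that is not part of the original post and not SEC code: a small Python correlator that indexes each of the three exim lines by the message-id it carries and re-checks the bounce table after every line, so the join succeeds whichever order the lines arrive in. The sample log lines are constructed (modelled on the three lines in the post); the names `Correlator`, `correlate` and `LATE_BOUNCE`, the `window` argument and the regular expressions are assumptions of this example, and the window is measured on the log timestamp rather than on wall-clock time as SEC's `window=` is.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the post (not real traffic), fed in the
# order a Pair rule finds hardest: the relay's bounce arrives before the
# smarthost's own two lines.
SAMPLE_LOG = [
    '05:14:02 relay0000 exim: 1SRWuQ-0000rr-Po ** em...@example.com: Unrouteable address',
    '05:14:02 smarthost exim: 1SRWuP-0000Un-1P => em...@example.com '
    'H=relay0000.example.com C="250 OK id=1SRWuQ-0000rr-Po"',
    '05:14:02 smarthost exim: 1SRWuP-0000Un-1P <= em...@example.com H=mail.example.com',
]
# Constructed bounce whose relay id was never handed off by a smarthost; it must stay unmatched.
LATE_BOUNCE = '05:14:09 relay0001 exim: 1SRWuR-0000ss-Qq ** bob@example.com: Unrouteable address'

MSGID = r'\w{6}-\w{6}-\w{2}'
ADDR = r'[a-z0-9.-]+@[a-z0-9.-]+'


def _prefix(host_re):
    # timestamp, host, then "exim:" or "exim[pid]:" (the post shows both forms)
    return rf'^(?P<ts>\d\d:\d\d:\d\d) (?P<host>{host_re}) exim(?:\[\d+\])?: '


RE_IN = re.compile(_prefix(r'smarthost\S*') +
                   rf'(?P<id>{MSGID}) <= (?P<addr>{ADDR}) H=(?P<orig>(?:[a-z0-9-]+\.)+example\.com)')
RE_OUT = re.compile(_prefix(r'smarthost\S*') +
                    rf'(?P<id>{MSGID}) => (?P<addr>{ADDR}) .*H=relay\d+\.example\.com'
                    rf'.*C="250 OK id=(?P<relay_id>{MSGID})"')
RE_FAIL = re.compile(_prefix(r'relay\d+') +
                     rf'(?P<id>{MSGID}) \*\* (?P<addr>{ADDR}): (?P<reason>.*)$')


def _seconds(ts):
    h, m, s = (int(x) for x in ts.split(':'))
    return h * 3600 + m * 60 + s


class Correlator:
    """Joins the <=, => and ** lines of one delivery, whatever order they arrive in.

    Every line is indexed by the message-id it carries; after each line the
    failure table is re-checked, so a bounce seen before its hand-off is
    resolved as soon as the missing line turns up.
    """

    def __init__(self, window=4):
        self.window = window          # seconds of log time, like the rules' window=4
        self.incoming = {}            # smarthost id -> (ts, original host, addr)
        self.handoff = {}             # relay id     -> (ts, smarthost id)
        self.failures = {}            # relay id     -> (ts, relay host, addr, reason)
        self.matched = []             # resolved failures, in resolution order
        self.host_fails = Counter()   # failures per original host (the %host_fails hash)
        self._clock = 0               # highest log timestamp seen so far

    def feed(self, line):
        """Index one line; return the failures it completed ([] if none), or None if ignored."""
        if m := RE_FAIL.match(line):
            self.failures[m['id']] = (_seconds(m['ts']), m['host'], m['addr'], m['reason'])
        elif m := RE_OUT.match(line):
            self.handoff[m['relay_id']] = (_seconds(m['ts']), m['id'])
        elif m := RE_IN.match(line):
            self.incoming[m['id']] = (_seconds(m['ts']), m['orig'], m['addr'])
        else:
            return None
        self._clock = max(self._clock, _seconds(m['ts']))
        self._expire()
        return self._resolve()

    def _expire(self):
        # Forget partial state older than the window, measured from the latest
        # timestamp seen; out-of-order lines inside the window are unaffected.
        cutoff = self._clock - self.window
        for table in (self.incoming, self.handoff, self.failures):
            for key in [k for k, v in table.items() if v[0] < cutoff]:
                del table[key]

    def _resolve(self):
        found = []
        for relay_id, (_, relay_host, addr, reason) in list(self.failures.items()):
            hop = self.handoff.get(relay_id)
            origin = self.incoming.get(hop[1]) if hop else None
            if origin is None:
                continue   # hand-off or incoming line not seen yet (or already expired)
            rec = {'orig_host': origin[1], 'smarthost_id': hop[1], 'relay_id': relay_id,
                   'relay_host': relay_host, 'addr': addr, 'reason': reason}
            self.host_fails[origin[1]] += 1
            self.matched.append(rec)
            found.append(rec)
            # The bounce and its hand-off are consumed; the incoming record is
            # kept until it expires, since one message may fan out to several relays.
            del self.failures[relay_id]
            del self.handoff[relay_id]
        return found


def correlate(lines, window=4):
    """Run a Correlator over an iterable of log lines and return all matches."""
    c = Correlator(window)
    for line in lines:
        c.feed(line)
    return c.matched


if __name__ == '__main__':
    for rec in correlate(SAMPLE_LOG + [LATE_BOUNCE]):
        print(f"failed delivery {rec['relay_id']} from host {rec['orig_host']} "
              f"(smarthost id {rec['smarthost_id']}): {rec['reason']}")
```

In SEC terms the same idea is three independent Single rules that each store what they learned in a context named by the message-id and each attempt the join, instead of a Pair rule that insists on the `<=` line arriving first; the unmatched `LATE_BOUNCE` shows the state that must be left to expire rather than reported.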