pflogthreader

The Postfix mail server writes its log records as events occur, sequentially in time. When several messages are in flight at once, their events are interleaved rather than threaded together, as in this example with three messages:
Jul 15 10:05:21 testhost postfix/smtpd[12281]: connect from sender1[192.168.10.1]
Jul 15 10:05:23 testhost postfix/smtpd[12282]: connect from sender2[192.168.10.2]
Jul 15 10:05:25 testhost postfix/smtpd[12283]: connect from sender3[192.168.10.3]

Jul 15 10:05:26 testhost postfix/smtpd[12283]: B29E423803C: client=sender3[192.168.10.3]
Jul 15 10:05:27 testhost postfix/cleanup[12883]: B29E423803C: message-id=<fakefake003@testhost.example.com>
Jul 15 10:05:28 testhost postfix/qmgr[19613]: B29E423803C: from=<test3@example.com>
Jul 15 10:05:29 testhost postfix/smtpd[12283]: disconnect from sender3[192.168.10.3]
Jul 15 10:05:30 testhost postfix/local[12983]: B29E423803C: to=<recipient@testhost.example.com>, status=sent
Jul 15 10:05:31 testhost postfix/qmgr[19613]: B29E423803C: removed

Jul 15 10:05:32 testhost postfix/smtpd[12282]: B29E423803B: client=sender2[192.168.10.2]
Jul 15 10:05:33 testhost postfix/cleanup[12882]: B29E423803B: message-id=<fakefake002@testhost.example.com>
Jul 15 10:05:34 testhost postfix/qmgr[19612]: B29E423803B: from=<test2@example.com>
Jul 15 10:05:35 testhost postfix/smtpd[12282]: disconnect from sender2[192.168.10.2]
Jul 15 10:05:36 testhost postfix/local[12982]: B29E423803B: to=<recipient@testhost.example.com>, status=sent
Jul 15 10:05:37 testhost postfix/qmgr[19612]: B29E423803B: removed

Jul 15 10:05:38 testhost postfix/smtpd[12281]: B29E423803A: client=sender1[192.168.10.1]
Jul 15 10:05:39 testhost postfix/cleanup[12881]: B29E423803A: message-id=<fakefake001@testhost.example.com>
Jul 15 10:05:40 testhost postfix/qmgr[19611]: B29E423803A: from=<test1@example.com>
Jul 15 10:05:41 testhost postfix/smtpd[12281]: disconnect from sender1[192.168.10.1]
Jul 15 10:05:42 testhost postfix/local[12981]: B29E423803A: to=<recipient@testhost.example.com>, status=sent
Jul 15 10:05:43 testhost postfix/qmgr[19611]: B29E423803A: removed
pflogthreader --wrap < maillog threads the events of each message together, linking them by process id and queue id, and outputs the threads sequentially by "connect" time:
Jul 15 10:05:21 from sender1[192.168.10.1]
   +17s queued as B29E423803A
   +19s from=test1@example.com
   +20s disconnect
   +21s to=recipient@testhost.example.com status=sent
Jul 15 10:05:23 from sender2[192.168.10.2]
   +9s queued as B29E423803B
   +11s from=test2@example.com
   +12s disconnect
   +13s to=recipient@testhost.example.com status=sent
Jul 15 10:05:25 from sender3[192.168.10.3]
   +1s queued as B29E423803C
   +3s from=test3@example.com
   +4s disconnect
   +5s to=recipient@testhost.example.com status=sent
Without the "--wrap" option each thread is output as a single line, which allows filtering with grep, etc., but the tab delimiters then need to be turned back into line feeds: pflogthreader < maillog | grep sender3 | tr '\t' '\n' | cut -c1-50
Jul 15 10:05:25 from sender3[192.168.10.3]
   +1s queued as B29E423803C
   +3s from=test3@example.com
   +4s disconnect
   +5s to=recipient@testhost.example.com status=se
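The threading described above, as an added Python example (not pflogthreader's own code): smtpd events are linked by process id between "connect" and "disconnect", the "client=" line ties that connection to a queue id, and later cleanup/qmgr/local events are linked by that queue id. It assumes the log format shown on this page and short-form hexadecimal queue ids; the sample input is constructed.

```python
import re
from datetime import datetime

# Constructed sample in the maillog format above: two connections whose events interleave.
SAMPLE_LOG = """Jul 15 10:05:21 testhost postfix/smtpd[12281]: connect from sender1[192.168.10.1]
Jul 15 10:05:25 testhost postfix/smtpd[12283]: connect from sender3[192.168.10.3]
Jul 15 10:05:26 testhost postfix/smtpd[12283]: B29E423803C: client=sender3[192.168.10.3]
Jul 15 10:05:28 testhost postfix/qmgr[19613]: B29E423803C: from=<test3@example.com>
Jul 15 10:05:29 testhost postfix/smtpd[12283]: disconnect from sender3[192.168.10.3]
Jul 15 10:05:30 testhost postfix/local[12983]: B29E423803C: to=<recipient@testhost.example.com>, status=sent
Jul 15 10:05:38 testhost postfix/smtpd[12281]: B29E423803A: client=sender1[192.168.10.1]
Jul 15 10:05:40 testhost postfix/qmgr[19611]: B29E423803A: from=<test1@example.com>
Jul 15 10:05:41 testhost postfix/smtpd[12281]: disconnect from sender1[192.168.10.1]
Jul 15 10:05:42 testhost postfix/local[12981]: B29E423803A: to=<recipient@testhost.example.com>, status=sent
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/(\w+)\[(\d+)\]: (.*)$")
QID_RE = re.compile(r"^([0-9A-F]{6,}): (.*)$")   # assumed: short-form hex queue id prefix

def parse_ts(stamp):  # syslog stamps carry no year; a fixed one is fine for deltas
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")

def thread_log(text):
    # smtpd pid links connect..disconnect; queue id links cleanup/qmgr/local events
    threads, by_pid, by_qid = [], {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, prog, pid, msg = m.groups()
        q = QID_RE.match(msg)
        if prog == "smtpd" and msg.startswith("connect from "):
            t = by_pid[pid] = {"start": stamp, "events": [f"{stamp} from {msg[13:]}"]}
            threads.append(t)                 # output order = connect order
            continue
        if prog == "smtpd" and msg.startswith("disconnect from ") and pid in by_pid:
            t, note = by_pid.pop(pid), "disconnect"
        elif q and q.group(2).startswith("client=") and pid in by_pid:
            t, note = by_pid[pid], f"queued as {q.group(1)}"
            by_qid[q.group(1)] = t            # later events carry only the queue id
        elif q and q.group(1) in by_qid and q.group(2).startswith(("from=", "to=")):
            t, note = by_qid[q.group(1)], re.sub(r"[<>,]", "", q.group(2))
        else:
            continue                          # message-id, removed, unknown pids/ids
        delta = int((parse_ts(stamp) - parse_ts(t["start"])).total_seconds())
        t["events"].append(f"   +{delta}s {note}")
    return threads

def render(threads, wrap=False):
    # --wrap: one event per line; default: one tab-delimited line per thread
    return "\n".join(("\n" if wrap else "\t").join(t["events"]) for t in threads)
```

Running render(thread_log(SAMPLE_LOG), wrap=True) reproduces the sender1 and sender3 threads shown above; without wrap each thread is one tab-delimited line, ready for grep.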
Options:
Get the code at sourceforge.net.
j.andrea,
aug.29/2009