All,
Splunk is Very Neat. But, it's no good at deciphering qmail's logs (or
at least, I never had any luck writing a custom search to provide the
information that I need to see.) Also, for the quantity of email logs
that I generate per day (>500MB), Splunk becomes non-free.
Qmail's logging is, in my mind, the #1 reason that some administrators
hate qmail. After coming from a postfix or sendmail world, it's damn
near impossible to determine the exact disposition of a particular
email. Admit it... Reading the /var/log/qmail/{smtp,send}/current file
is a dark art.
The best tool that I found to get proper information about the
disposition of any given email is 'qmail-track'. From the official
qmail page:
Sorrawut Korsuwansiri wrote qmail-track
(http://mailcleaner.gits.net.th/qmail-track-0.10.tar.gz), which he uses
to locate all the logfile records associated with a particular pair of
email addresses.
The command-line of which produces the following: (Remember that qmail
logs local delivery email address '[EMAIL PROTECTED]' as:
'[EMAIL PROTECTED]'. Remote delivery addresses can be typed
normally)
#./qmail-track.pl all [EMAIL PROTECTED] all
Found 28 message to [EMAIL PROTECTED] (ALL sender)
Check sender of Message No. 0 ...<[EMAIL PROTECTED]>... Match
-------------[Detail of Delivery no.: 0]-------------
2006-12-12 22:32:45.804336500 new msg 610000
2006-12-12 22:32:45.804395500 info msg 610000: bytes 82873 from <[EMAIL PROTECTED]> qp 12816 uid 89
2006-12-12 22:32:45.857066500 starting delivery 116054: msg 610000 to local [EMAIL PROTECTED]
2006-12-12 22:32:45.927723500 delivery 116054: success: did_0+0+1/
2006-12-12 22:32:45.927867500 end msg 610000
------------------------------------------------------
Check sender of Message No. 1 ...<[EMAIL PROTECTED]>... Match
-------------[Detail of Delivery no.: 1]-------------
2006-12-13 01:18:40.461578500 new msg 608730
2006-12-13 01:18:40.461625500 info msg 608730: bytes 48223 from <[EMAIL PROTECTED]> qp 6354 uid 89
2006-12-13 01:18:40.506244500 starting delivery 120024: msg 608730 to local [EMAIL PROTECTED]
2006-12-13 01:18:40.568633500 delivery 120024: success: did_0+0+1/
2006-12-13 01:18:40.568770500 end msg 608730
------------------------------------------------------
I modified the script ever so slightly, so that I could get it to search
through multiple auto-rotated logs. I changed line 12 to say
"$current_log='/var/log/qmail/send/*';" Although this method is
dog-slow, as it has to search through about 100 or so individual logs to
go back a week in time, it works GREAT!
I have also tried 'qmLogsort'
(http://www.gonefishing.org/downloads/qmLogsort), which I also found
from the main qmail page. It is very fast, but offers fewer search
capabilities.
Sincerely,
--
Joseph Lundgren
Systems Engineer
Peak Internet, LLC
[EMAIL PROTECTED]
-----Original Message-----
From: Will McDonald [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 19, 2006 8:46 AM
To: [email protected]
Subject: Re: [qmailtoaster] We need something to make searching qmail
logs easier
Coming to this mid-thread as I've only just subscribed since starting
to tinker with Qmailtoaster. Has Splunk been mentioned as a
possibility?
http://www.splunk.com/
http://www.google.co.uk/search?hl=en&q=site%3Ahttp%3A%2F%2Fwww.cuddletech.com%2Fblog%2F+splunk&meta=
This isn't something I've implemented here yet but I'm considering
doing so and Qmail support is in the pipeline I believe.
Will.
---------------------------------------------------------------------
QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
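The correlation that the message above relies on qmail-track for (sender from the "info msg" line, recipient from "starting delivery", result from the "delivery N:" line) can be sketched as follows. This is an added example, not part of the thread and not qmail-track's code; it assumes unwrapped log lines with timestamps already converted as in the output above, and the addresses, the deferral text and the names track and Delivery are constructed for illustration.

```python
import re
from collections import namedtuple

Delivery = namedtuple("Delivery", "started msg sender size channel rcpt status detail")

# Constructed sample in qmail-send log format. Msg number 610000 is reused by a
# second message, which qmail does because the number is a queue file inode.
SAMPLE_LOG = """\
2006-12-12 22:32:45.804336500 new msg 610000
2006-12-12 22:32:45.804395500 info msg 610000: bytes 82873 from <alice@example.org> qp 12816 uid 89
2006-12-12 22:32:45.857066500 starting delivery 116054: msg 610000 to local example.com-bob@example.com
2006-12-12 22:32:45.927723500 delivery 116054: success: did_0+0+1/
2006-12-12 22:32:45.927867500 end msg 610000
2006-12-12 22:40:01.100000500 new msg 610000
2006-12-12 22:40:01.100100500 info msg 610000: bytes 1200 from <bob@example.com> qp 12900 uid 89
2006-12-12 22:40:01.150000500 starting delivery 116055: msg 610000 to remote carol@example.net
2006-12-12 22:40:02.000000500 delivery 116055: deferral: Connected_to_192.0.2.10_but_connection_died./
"""

INFO = re.compile(r"info msg (\d+): bytes (\d+) from <([^>]*)>")
START = re.compile(r"starting delivery (\d+): msg (\d+) to (local|remote) (\S+)")
DONE = re.compile(r"delivery (\d+): (success|failure|deferral): ?(.*)")

def track(lines, rcpt=None, sender=None):
    """Return one Delivery per delivery attempt, optionally filtered by address."""
    msgs = {}     # msg number -> (sender, size); replaced when the number is reused
    pending = {}  # delivery id -> Delivery still waiting for its result line
    out = []
    for line in lines:
        parts = line.rstrip("\n").split(" ", 2)
        if len(parts) < 3:
            continue  # blank or truncated line
        stamp, event = " ".join(parts[:2]), parts[2]
        if m := INFO.match(event):
            msgs[m[1]] = (m[3], int(m[2]))
        elif m := START.match(event):
            snd, size = msgs.get(m[2], ("?", 0))  # "?" if the info line rotated away
            pending[m[1]] = Delivery(stamp, m[2], snd, size, m[3], m[4], "pending", "")
        elif m := DONE.match(event):
            if d := pending.pop(m[1], None):
                out.append(d._replace(status=m[2], detail=m[3]))
        elif event.startswith("end msg "):
            msgs.pop(event[8:].strip(), None)  # forget sender so reuse cannot mix messages
    out.extend(pending.values())  # attempts with no result line yet
    return [d for d in out
            if (rcpt is None or d.rcpt.lower() == rcpt.lower())
            and (sender is None or d.sender.lower() == sender.lower())]
```

Local recipients have to be given in the form qmail logs them, as the message notes; feeding the rotated files in chronological order keeps the msg-number bookkeeping correct across rotations.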