Hi all,

Has anybody tried to parse or correlate logs from Ironport e-Mail devices? For example, this log:
Tue May 1 05:46:15 2012 Info: MID 2095675 ICID 1898648 From: <[email protected]>
Tue May 1 05:46:15 2012 Info: MID 2095675 ICID 1898648 LDAPACCEPT bypass applied to <[email protected]>
Tue May 1 05:46:15 2012 Info: MID 2095675 ICID 1898648 RID 0 To: <[email protected]>
Tue May 1 05:46:15 2012 Info: MID 2095675 SPF: helo identity [email protected] None
Tue May 1 05:46:15 2012 Info: MID 2095675 SPF: mailfrom identity [email protected] Pass (spf2.0)
Tue May 1 05:46:15 2012 Info: MID 2095675 SPF: pra identity [email protected] Pass (spf2.0) headers from
Tue May 1 05:46:15 2012 Info: MID 2095675 Message-ID '<[email protected]>'
Tue May 1 05:46:15 2012 Info: MID 2095675 Subject "De'Longhi-Nespresso, Davidelfin Hogar, Mahal y Etnies hoy en BuyVIP"
Tue May 1 05:46:15 2012 Info: MID 2095675 ready 34645 bytes from <[email protected]>
Tue May 1 05:46:15 2012 Info: MID 2095675 matched all recipients for per-recipient policy DEFAULT in the inbound table
Tue May 1 05:46:15 2012 Info: ICID 1898648 close
Tue May 1 05:46:16 2012 Info: MID 2095675 interim verdict using engine: CASE spam suspect
Tue May 1 05:46:16 2012 Info: MID 2095675 using engine: CASE spam suspect
Tue May 1 05:46:16 2012 Info: ISQ: Tagging MID 2095675 for quarantine
Tue May 1 05:46:16 2012 Info: MID 2095675 interim AV verdict using Sophos CLEAN
Tue May 1 05:46:16 2012 Info: MID 2095675 antivirus negative
Tue May 1 05:46:16 2012 Info: MID 2095675 queued for delivery
Tue May 1 05:46:20 2012 Info: RPC Delivery start RCID 8087124 MID 2095675 to local IronPort Spam Quarantine
Tue May 1 05:46:20 2012 Info: ISQ: Quarantined MID 2095675
Tue May 1 05:46:20 2012 Info: RPC Message done RCID 8087124 MID 2095675
Tue May 1 05:46:20 2012 Info: Message finished MID 2095675 done

As you can see, reading this log line by line, little information can be extracted, but if it is possible to group the lines, it all makes sense. Can I, for example, parse this entry to store only the relevant information in one line?
For example:

MID 2095675: From: <[email protected]>, To: <[email protected]>, interim verdict using engine: CASE spam suspect, spam suspect, Tagging MID 2095675 for quarantine, Delivery start RCID 8087124 MID 2095675 to local IronPort Spam Quarantine, ISQ: Quarantined MID 2095675, Message done RCID 8087124 MID 2095675, Message finished MID 2095675 done

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
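One way to do the grouping the post asks for, as an added example that is not from the poster or from rsyslog: a small Python correlator that keys every line on its MID (wherever the MID sits in the message), pulls out the fields a mail-security analyst cares about (sender, recipient, SPF result, anti-spam verdict, AV result, quarantine and completion markers) and emits one summary line per message. The sample log is constructed from the post's log with placeholder addresses; the regexes are assumptions based on those lines, not an official AsyncOS grammar.

```python
import re

# Constructed sample modelled on the post's log (addresses are placeholders).
SAMPLE_LOG = """\
Tue May 1 05:46:15 2012 Info: MID 2095675 ICID 1898648 From: <sender@example.net>
Tue May 1 05:46:15 2012 Info: MID 2095675 ICID 1898648 RID 0 To: <user@example.com>
Tue May 1 05:46:15 2012 Info: MID 2095675 SPF: mailfrom identity sender@example.net Pass (spf2.0)
Tue May 1 05:46:15 2012 Info: MID 2095675 Subject "De'Longhi-Nespresso, Davidelfin Hogar, Mahal y Etnies hoy en BuyVIP"
Tue May 1 05:46:15 2012 Info: ICID 1898648 close
Tue May 1 05:46:16 2012 Info: MID 2095675 using engine: CASE spam suspect
Tue May 1 05:46:16 2012 Info: MID 2095675 antivirus negative
Tue May 1 05:46:20 2012 Info: ISQ: Quarantined MID 2095675
Tue May 1 05:46:20 2012 Info: Message finished MID 2095675 done
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): (?P<msg>.*)$")
MID_RE = re.compile(r"\bMID (?P<mid>\d+)")  # the MID can sit anywhere in the message
# Extractors run against the message part; a pattern without a group is a presence flag.
FIELD_PATTERNS = [
    ("from", re.compile(r"From: <([^>]*)>")),
    ("to", re.compile(r"RID \d+ To: <([^>]*)>")),
    ("subject", re.compile(r'Subject "(.*)"')),
    ("spf", re.compile(r"SPF: mailfrom identity \S+ (\w+)")),
    ("verdict", re.compile(r"^MID \d+ using engine: (.*)$")),  # skips the interim verdict line
    ("av", re.compile(r"antivirus (\w+)")),
    ("quarantined", re.compile(r"ISQ: Quarantined MID \d+")),
    ("finished", re.compile(r"Message finished MID \d+ done")),
]

def correlate(text):
    """Group log lines by MID and collapse each message into one dict of fields."""
    messages = {}  # insertion-ordered, so output follows first appearance of each MID
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not (mid := MID_RE.search(m["msg"])):
            continue  # malformed line, or a connection-level (ICID-only) line with no MID
        rec = messages.setdefault(mid["mid"], {"mid": mid["mid"], "first": m["ts"]})
        rec["last"] = m["ts"]
        for field, pat in FIELD_PATTERNS:
            hit = pat.search(m["msg"])
            if hit:
                rec[field] = hit.group(1) if hit.groups() else True
    return messages

def summarize(rec):
    """Render one correlated message as a single line, fields in pipeline order."""
    keys = ["from", "to", "subject", "spf", "verdict", "av", "quarantined", "finished"]
    body = ", ".join(f"{k}={rec[k]}" for k in keys if k in rec)
    return f"MID {rec['mid']} [{rec['first']} .. {rec['last']}]: {body}"
```

Calling `summarize(rec)` for each value of `correlate(SAMPLE_LOG)` gives the one-line-per-message form; a message missing the `finished` flag when the file ends is one still in flight, which is worth reporting separately rather than silently dropping.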

