On Mon, May 7, 2012 at 11:58 AM, C. L. Martinez <[email protected]> wrote:
> Hi all,
>
>  Has somebody tried to parse or correlate logs from Ironport e-mail
> devices? For example, this log:
>
> Tue May  1 05:46:15 2012 Info: MID 2095675 ICID 1898648 From:
> <[email protected]>
> Tue May  1 05:46:15 2012 Info: MID 2095675 ICID 1898648 LDAPACCEPT
> bypass applied to <[email protected]>
> Tue May  1 05:46:15 2012 Info: MID 2095675 ICID 1898648 RID 0 To:
> <[email protected]>
> Tue May  1 05:46:15 2012 Info: MID 2095675 SPF: helo identity
> [email protected] None
> Tue May  1 05:46:15 2012 Info: MID 2095675 SPF: mailfrom identity
> [email protected] Pass (spf2.0)
> Tue May  1 05:46:15 2012 Info: MID 2095675 SPF: pra identity
> [email protected] Pass (spf2.0) headers from
> Tue May  1 05:46:15 2012 Info: MID 2095675 Message-ID
> '<[email protected]>'
> Tue May  1 05:46:15 2012 Info: MID 2095675 Subject
> "De'Longhi-Nespresso, Davidelfin Hogar, Mahal y Etnies hoy en BuyVIP"
> Tue May  1 05:46:15 2012 Info: MID 2095675 ready 34645 bytes from
> <[email protected]>
> Tue May  1 05:46:15 2012 Info: MID 2095675 matched all recipients for
> per-recipient policy DEFAULT in the inbound table
> Tue May  1 05:46:15 2012 Info: ICID 1898648 close
> Tue May  1 05:46:16 2012 Info: MID 2095675 interim verdict using
> engine: CASE spam suspect
> Tue May  1 05:46:16 2012 Info: MID 2095675 using engine: CASE spam suspect
> Tue May  1 05:46:16 2012 Info: ISQ: Tagging MID 2095675 for quarantine
> Tue May  1 05:46:16 2012 Info: MID 2095675 interim AV verdict using Sophos 
> CLEAN
> Tue May  1 05:46:16 2012 Info: MID 2095675 antivirus negative
> Tue May  1 05:46:16 2012 Info: MID 2095675 queued for delivery
> Tue May  1 05:46:20 2012 Info: RPC Delivery start RCID 8087124 MID
> 2095675 to local IronPort Spam Quarantine
> Tue May  1 05:46:20 2012 Info: ISQ: Quarantined MID 2095675
> Tue May  1 05:46:20 2012 Info: RPC Message done RCID 8087124 MID 2095675
> Tue May  1 05:46:20 2012 Info: Message finished MID 2095675 done
>
>  As you can see, looking at this log line by line, little information
> can be extracted, but if it is possible to group it, it all makes sense.
>
>  Can I, for example, parse this entry to store only the relevant
> information in one line??
>
>  For example: MID  2095675: From: <[email protected]>, To:
> <[email protected]>, interim verdict using engine: CASE spam suspect,
> spam suspect, Tagging MID 2095675 for quarantine, Delivery start RCID
> 8087124 MID 2095675 to local IronPort Spam Quarantine, ISQ:
> Quarantined MID 2095675, Message done RCID 8087124 MID 2095675,
> Message finished MID 2095675 done

Please, any idea how to do this?
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
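The grouping asked for above, as an added example that is not part of the original thread and not rsyslog's own code: a small Python correlator that keys every IronPort mail_logs line on its MID, accumulates the fields worth keeping (ICID, From, To, size, spam and AV verdicts, quarantine, delivery RCID and destination, first/last timestamp) and emits one record when the "Message finished MID ... done" line arrives. The line format and field names are assumed from the lines quoted in the post; the sample input is constructed (example.com addresses) and goes one step beyond the quote by interleaving a second message, MID 2095676, to show that grouping by MID survives interleaving. Lines without a MID, such as "ICID 1898648 close", carry nothing to correlate on and are ignored; the ICID is picked up from the lines that carry both identifiers.

```python
import re

# Constructed sample input, modelled on the mail_logs lines quoted in the post.
# Addresses are example.com placeholders; MID 2095676 is a second, interleaved
# message added to exercise the grouping.
SAMPLE_LOG = """\
Tue May  1 05:46:15 2012 Info: MID 2095675 ICID 1898648 From: <sender@example.com>
Tue May  1 05:46:15 2012 Info: MID 2095675 ICID 1898648 LDAPACCEPT bypass applied to <recipient@example.com>
Tue May  1 05:46:15 2012 Info: MID 2095675 ICID 1898648 RID 0 To: <recipient@example.com>
Tue May  1 05:46:15 2012 Info: MID 2095676 ICID 1898649 From: <other@example.org>
Tue May  1 05:46:15 2012 Info: MID 2095675 Subject "De'Longhi-Nespresso, Davidelfin Hogar, Mahal y Etnies hoy en BuyVIP"
Tue May  1 05:46:15 2012 Info: MID 2095675 ready 34645 bytes from <sender@example.com>
Tue May  1 05:46:15 2012 Info: MID 2095676 ICID 1898649 RID 0 To: <recipient@example.com>
Tue May  1 05:46:15 2012 Info: ICID 1898648 close
Tue May  1 05:46:16 2012 Info: MID 2095675 interim verdict using engine: CASE spam suspect
Tue May  1 05:46:16 2012 Info: MID 2095675 using engine: CASE spam suspect
Tue May  1 05:46:16 2012 Info: ISQ: Tagging MID 2095675 for quarantine
Tue May  1 05:46:16 2012 Info: MID 2095675 interim AV verdict using Sophos CLEAN
Tue May  1 05:46:16 2012 Info: MID 2095675 antivirus negative
Tue May  1 05:46:16 2012 Info: MID 2095675 queued for delivery
Tue May  1 05:46:16 2012 Info: MID 2095676 using engine: CASE spam negative
Tue May  1 05:46:16 2012 Info: MID 2095676 antivirus negative
Tue May  1 05:46:17 2012 Info: MID 2095676 queued for delivery
Tue May  1 05:46:17 2012 Info: Message finished MID 2095676 done
Tue May  1 05:46:20 2012 Info: RPC Delivery start RCID 8087124 MID 2095675 to local IronPort Spam Quarantine
Tue May  1 05:46:20 2012 Info: ISQ: Quarantined MID 2095675
Tue May  1 05:46:20 2012 Info: RPC Message done RCID 8087124 MID 2095675
Tue May  1 05:46:20 2012 Info: Message finished MID 2095675 done
"""

# "Tue May  1 05:46:15 2012 Info: <message>" -- timestamp, level, free text.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): (?P<msg>.*)$")
MID_RE = re.compile(r"\bMID (\d+)")            # MID may sit anywhere in the message
ICID_RE = re.compile(r"\bICID (\d+)")
FROM_RE = re.compile(r"\bFrom: <([^>]*)>")     # not the lower-case "bytes from <...>"
TO_RE = re.compile(r"\bRID \d+ To: <([^>]*)>")  # one line per recipient
SUBJECT_RE = re.compile(r'\bSubject "(.*)"$')
SIZE_RE = re.compile(r"\bready (\d+) bytes")
VERDICT_RE = re.compile(r"\busing engine: (.+)$")  # interim, then final; final overwrites
AV_RE = re.compile(r"\bantivirus (\w+)")
QUARANTINED_RE = re.compile(r"\bISQ: Quarantined MID")
DELIVERY_RE = re.compile(r"\bDelivery start RCID (\d+) MID \d+ to (.+)$")
FINISHED_RE = re.compile(r"\bMessage finished MID \d+ done$")


class MidCorrelator:
    """Group mail_logs lines by MID; one record per message is returned on its final line."""

    def __init__(self):
        self.pending = {}  # MID -> record still being assembled

    def _record(self, mid):
        return self.pending.setdefault(mid, {
            "mid": mid, "icid": None, "from": None, "to": [], "subject": None, "size": None,
            "spam_verdict": None, "av_verdict": None, "quarantined": False,
            "delivery": None, "rcid": None, "first_seen": None, "last_seen": None})

    def feed(self, line):
        """Consume one log line; return the completed record when the message finishes, else None."""
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            return None                      # not a mail_logs line
        ts, msg = m.group("ts"), m.group("msg")
        mid = MID_RE.search(msg)
        if not mid:
            return None                      # e.g. "ICID 1898648 close": nothing to key on
        rec = self._record(mid.group(1))
        rec["first_seen"] = rec["first_seen"] or ts
        rec["last_seen"] = ts
        for regex, key in ((ICID_RE, "icid"), (FROM_RE, "from"), (SUBJECT_RE, "subject"),
                           (VERDICT_RE, "spam_verdict"), (AV_RE, "av_verdict")):
            hit = regex.search(msg)
            if hit:
                rec[key] = hit.group(1)
        if TO_RE.search(msg):
            rec["to"].append(TO_RE.search(msg).group(1))
        if SIZE_RE.search(msg):
            rec["size"] = int(SIZE_RE.search(msg).group(1))
        if QUARANTINED_RE.search(msg):
            rec["quarantined"] = True
        dlv = DELIVERY_RE.search(msg)
        if dlv:
            rec["rcid"], rec["delivery"] = dlv.group(1), dlv.group(2)
        if FINISHED_RE.search(msg):
            return self.pending.pop(rec["mid"])
        return None

    def flush(self):
        """Hand back messages that never reached 'Message finished' (log rotation, crash, ...)."""
        leftovers, self.pending = list(self.pending.values()), {}
        return leftovers


def summarize(rec):
    """Render one record as the single line the poster asked for."""
    to = ", ".join("<%s>" % a for a in rec["to"]) or "n/a"
    delivery = "%s (RCID %s)" % (rec["delivery"], rec["rcid"]) if rec["delivery"] else "n/a"
    return ("MID {mid}: ICID {icid}, From: <{frm}>, To: {to}, {size} bytes, spam: {spam}, "
            "AV: {av}, quarantined: {q}, delivery: {dlv}, {first} .. {last}").format(
        mid=rec["mid"], icid=rec["icid"], frm=rec["from"], to=to,
        size=rec["size"] if rec["size"] is not None else "?", spam=rec["spam_verdict"],
        av=rec["av_verdict"], q="yes" if rec["quarantined"] else "no", dlv=delivery,
        first=rec["first_seen"], last=rec["last_seen"])


def correlate(text):
    """Run the correlator over a block of log text; records come back in completion order."""
    c = MidCorrelator()
    done = [r for r in (c.feed(l) for l in text.splitlines()) if r is not None]
    return done + c.flush()


if __name__ == "__main__":
    for record in correlate(SAMPLE_LOG):
        print(summarize(record))
```

To run it over a live file, replace SAMPLE_LOG with the lines read from stdin or from the mail_logs file and write each summarize() result back to syslog or a SIEM. Because a message's lines can be spread over seconds and interleaved with other messages, the correlator has to hold state per MID; flush() exists so that messages that never see "Message finished" (for example across a log rotation) are still reported rather than silently lost, and a production version should additionally expire pending records by age so the state cannot grow without bound.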
