Hello,

I think you have to be a bit more specific on what you want to achieve
in order to get some help.

If the amount of logs you have is relatively small, you can pipe them
via omprog to a custom script which can do pretty much whatever you
want with them.

Otherwise, can you say what's the end result you're trying to get?

Best regards,
Radu
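
An added example of the omprog approach described above (not code from this thread or from rsyslog itself): a Python script that reads IronPort mail_logs lines from stdin, groups the per-line events by MID and prints one summary line when the "Message finished" line for that MID arrives. The embedded sample lines are constructed from the format quoted below, with placeholder addresses; the field names, the summary layout and the MAX_OPEN cap are my own choices.

```python
import re
import sys
# Constructed sample in the IronPort mail_logs format quoted in the thread (placeholder addresses).
SAMPLE = """\
Tue May  1 05:46:15 2012 Info: MID 2095675 ICID 1898648 From: <sender@example.test>
Tue May  1 05:46:15 2012 Info: MID 2095675 ICID 1898648 RID 0 To: <rcpt@example.test>
Tue May  1 05:46:15 2012 Info: ICID 1898648 close
Tue May  1 05:46:16 2012 Info: MID 2095675 interim verdict using engine: CASE spam suspect
Tue May  1 05:46:16 2012 Info: MID 2095675 using engine: CASE spam suspect
Tue May  1 05:46:20 2012 Info: ISQ: Quarantined MID 2095675
Tue May  1 05:46:20 2012 Info: Message finished MID 2095675 done
"""
MID_RE = re.compile(r"\bMID (\d+)\b")
FIELDS = {  # field -> regex; the verdict pattern deliberately skips the "interim verdict" line
    "from": re.compile(r"From: <([^>]*)>"),
    "to": re.compile(r"RID \d+ To: <([^>]*)>"),
    "verdict": re.compile(r"MID \d+ using engine: (.+)$"),
}
MAX_OPEN = 10000  # cap on unfinished MIDs kept in memory, in case "Message finished" lines get lost

def feed(open_msgs, line):
    """Merge one log line into open_msgs (MID -> record); return a summary once the MID finishes."""
    m = MID_RE.search(line)
    if not m: return None  # ICID-only lines (e.g. "ICID ... close") carry no MID; nothing to correlate
    rec = open_msgs.setdefault(m.group(1), {"mid": m.group(1), "to": []})
    for key, rx in FIELDS.items():
        hit = rx.search(line)
        if hit and key == "to":
            rec["to"].append(hit.group(1))  # one "RID n To:" line per recipient
        elif hit:
            rec[key] = hit.group(1)
    if "Quarantined MID" in line:
        rec["quarantined"] = True
    if "Message finished MID" in line and line.endswith(" done"):
        return summarize(open_msgs.pop(rec["mid"]))
    while len(open_msgs) > MAX_OPEN:  # dicts keep insertion order, so this drops the oldest MID
        del open_msgs[next(iter(open_msgs))]
    return None

def summarize(rec):
    to = ", ".join("<%s>" % t for t in rec["to"]) or "?"
    return (f"MID {rec['mid']}: From: <{rec.get('from', '?')}>, To: {to}, verdict: "
            f"{rec.get('verdict', '?')}, quarantined: {'yes' if rec.get('quarantined') else 'no'}")

def correlate(lines):  # generator: streams so omprog sees each summary without waiting for EOF
    open_msgs = {}
    for line in lines:
        out = feed(open_msgs, line.rstrip("\n"))
        if out: yield out

if __name__ == "__main__":  # omprog writes one syslog message per line to the script's stdin
    for s in correlate(sys.stdin):
        print(s, flush=True)
```

Lines for a MID whose "Message finished" never arrives stay in memory until MAX_OPEN is exceeded, so size that cap to the gateway's message volume.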

2012/5/17 C. L. Martinez <[email protected]>:
> On Mon, May 7, 2012 at 11:58 AM, C. L. Martinez <[email protected]> wrote:
>> Hi all,
>>
>>  Has anybody tried to parse or correlate logs from Ironport e-Mail
>> devices? For example, this log:
>>
>> Tue May  1 05:46:15 2012 Info: MID 2095675 ICID 1898648 From:
>> <[email protected]>
>> Tue May  1 05:46:15 2012 Info: MID 2095675 ICID 1898648 LDAPACCEPT
>> bypass applied to <[email protected]>
>> Tue May  1 05:46:15 2012 Info: MID 2095675 ICID 1898648 RID 0 To:
>> <[email protected]>
>> Tue May  1 05:46:15 2012 Info: MID 2095675 SPF: helo identity
>> [email protected] None
>> Tue May  1 05:46:15 2012 Info: MID 2095675 SPF: mailfrom identity
>> [email protected] Pass (spf2.0)
>> Tue May  1 05:46:15 2012 Info: MID 2095675 SPF: pra identity
>> [email protected] Pass (spf2.0) headers from
>> Tue May  1 05:46:15 2012 Info: MID 2095675 Message-ID
>> '<[email protected]>'
>> Tue May  1 05:46:15 2012 Info: MID 2095675 Subject
>> "De'Longhi-Nespresso, Davidelfin Hogar, Mahal y Etnies hoy en BuyVIP"
>> Tue May  1 05:46:15 2012 Info: MID 2095675 ready 34645 bytes from
>> <[email protected]>
>> Tue May  1 05:46:15 2012 Info: MID 2095675 matched all recipients for
>> per-recipient policy DEFAULT in the inbound table
>> Tue May  1 05:46:15 2012 Info: ICID 1898648 close
>> Tue May  1 05:46:16 2012 Info: MID 2095675 interim verdict using
>> engine: CASE spam suspect
>> Tue May  1 05:46:16 2012 Info: MID 2095675 using engine: CASE spam suspect
>> Tue May  1 05:46:16 2012 Info: ISQ: Tagging MID 2095675 for quarantine
>> Tue May  1 05:46:16 2012 Info: MID 2095675 interim AV verdict using Sophos 
>> CLEAN
>> Tue May  1 05:46:16 2012 Info: MID 2095675 antivirus negative
>> Tue May  1 05:46:16 2012 Info: MID 2095675 queued for delivery
>> Tue May  1 05:46:20 2012 Info: RPC Delivery start RCID 8087124 MID
>> 2095675 to local IronPort Spam Quarantine
>> Tue May  1 05:46:20 2012 Info: ISQ: Quarantined MID 2095675
>> Tue May  1 05:46:20 2012 Info: RPC Message done RCID 8087124 MID 2095675
>> Tue May  1 05:46:20 2012 Info: Message finished MID 2095675 done
>>
>>  As you can see, seeing line by line in this log, little information
>> can be extracted, but if it is possible to group, it all makes sense.
>>
>>  Can I, for example, parse this entry to store only the relevant
>> information in one line??
>>
>>  For example: MID  2095675: From: <[email protected]>, To:
>> <[email protected]>, interim verdict using engine: CASE spam suspect,
>> spam suspect, Tagging MID 2095675 for quarantine, Delivery start RCID
>> 8087124 MID 2095675 to local IronPort Spam Quarantine, ISQ:
>> Quarantined MID 2095675, Message done RCID 8087124 MID 2095675,
>> Message finished MID 2095675 done
>
> Please, any idea how to do this?
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards