2 Replies. Latest reply: May 15, 2014 9:55 AM by wolffsed

    Postfix Logfiles

    wolffsed _

      We are still using Monarch 6.01 which fits our needs quite well... My questions might make experts laugh but still I do not know "howTo" at the moment. Thanks for your advice in advance.

       

      I do want to analyze postfix logfiles looking something like this:

       

      *********

      --RCPT
          Client host rejected: Improper use of SMTP
              1---193.65.3
              1---203.131.1
              1---219.140.1
          Helo command rejected: Host not found
              918---courtaul
              232---smtp.rwt-grup
              159---nep.c
              135---correo.aen
              96---mail.color

      ***********

       

      The model should look for RCPT and then take each new entry starting at column 5 as a new value adding the (varying) data below into additional columns... Hope I'm expressing myself in a proper way.

        • Postfix Logfiles
          Grant Perkins

          Originally posted by wolffsed:

          --RCPT
              Client host rejected: Improper use of SMTP
                  1---193.65.3
                  1---203.131.1
                  1---219.140.1
              Helo command rejected: Host not found
                  918---courtaul
                  232---smtp.rwt-grup
                  159---nep.c
                  135---correo.aen
                  96---mail.color

          Hello Wolfgang, welcome to the forum.

           

          I think you may need to 'see' the data in a slightly different way.

           

          Logically the most indented lines would be detail records with the lines starting at column 5 as APPEND templates and the RCPT line as a higher level APPEND.

           

          However this may not make it easy to get the results you are hoping for.

           

          You could consider the DETAIL template to be the lines which start at column 5 and have a variable number of additional lines associated with them. (The RCPT line would still be an APPEND in that situation.)

           

           

          Monarch can do something with that concept BUT it looks like you have very different numbers of sub-lines for each 'detail' line if using that idea. That would not be so good and makes things more complex. It would be especially difficult if some of the 'detail' lines have only one sub-detail line and others have many.

           

          I will guess that the need to identify the RCPT sections means that other parts of the source report which would be selected by any possible template trap definition need to be ignored. The easiest way to do that, if a specific trap is not possible, is to select all the data on the report and make sure that each RCPT section has RCPT added to each record as an APPEND field. Then filter the table for only the records with the associated RCPT field.

           

           

          One way to work with this might be to start each record on the "Client"/"Helo" lines and then have the next line treated as a BLOCK OF TEXT to capture it as a multi-line text block. This would require each detail line to have at least one additional line, with or without characters, before the next detail line.

           

          The multi-line block can then be split up into separate fields (though this should be easier if using version 8 ...).

           

          Each split part could be a field placed into a separate column but you would probably need to know the MAXIMUM number of lines (i.e. columns) that may exist ever on the report in order to obtain consistent results.

           

          If the report ever has NO LINES between the "CLIENT"/"HELO" type lines this concept will not work.

           

          Another possibility is to manage the problem in more than one phase. So perhaps you could consider firstly extracting some information in such a way that, when exported to a new 'report' file, it would make it easier to get exactly what you need by using a second model to analyse the new file.

           

          I hope this provides some ideas. I will be happy to try to answer any further questions.

           

          Grant

          • Postfix Logfiles
            wolffsed _

            Thanks for coming back so quickly.

             

            Maybe I was thinking too complicated... I took your advice and started with the detail lines working "backwards" up until the RCPT marker and it works...

             

            Thanks again!
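
The flattening discussed in this thread (most indented lines as detail records, with the reason line and the RCPT marker appended to each), written outside Monarch as an added example that is not part of the original posts. The indentation layout and the OTHER section in the sample are assumptions; the hosts and counts are the ones quoted above.

```python
import re

# Constructed sample: hosts and counts are the ones quoted in the thread; the
# indentation (marker at 2 spaces, reason at column 5, details deeper) and
# the OTHER section are assumptions made for this example.
SAMPLE = """\
  RCPT
    Client host rejected: Improper use of SMTP
           1   193.65.3
           1   203.131.1
           1   219.140.1
    Helo command rejected: Host not found
         918   courtaul
         232   smtp.rwt-grup
  OTHER
    Some unrelated reason
           7   example.invalid
"""

DETAIL = re.compile(r"^\s{5,}(\d+)\s+(\S+)\s*$")  # most indented: count + host
REASON = re.compile(r"^ {4}(\S.*?)\s*$")          # text starting at column 5
SECTION = re.compile(r"^ {2}(\S+)\s*$")           # marker line such as RCPT


def flatten(report, section="RCPT"):
    """Return one (section, reason, count, host) row per detail line."""
    rows, cur_section, cur_reason = [], None, None
    for line in report.splitlines():
        if m := DETAIL.match(line):
            # Detail record: carry the current reason and section down to it,
            # and keep it only if it sits under the wanted section marker.
            if cur_section == section and cur_reason is not None:
                rows.append((cur_section, cur_reason, int(m.group(1)), m.group(2)))
        elif m := REASON.match(line):
            cur_reason = m.group(1)
        elif m := SECTION.match(line):
            # A new section resets the reason so details cannot inherit a stale one.
            cur_section, cur_reason = m.group(1), None
    return rows


if __name__ == "__main__":
    for row in flatten(SAMPLE):
        print(*row, sep="\t")
```

Each reason may have any number of detail lines, including none, so the variable sub-line count raised in the reply does not need a fixed column maximum here.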