Today I had to search through dozens of mail logs (syslog) located on several mail relays and find all entries related to a particular user.

Given:

  • All servers are managed via a remote tty console,
  • The ksh-script must be copy&pasteable
  • All logs are gzipped
  • I need all entries with the same message number (the ninth field) as the found log entry

This is what I came up with:

function ms
{
a=$1
temp1=/tmp/alekz.mail.log
temp2=/tmp/alekz.mailid
shift
for file in $*
do

gzcat $file > $temp1
fgrep -i $a $temp1 | cut -d" " -f9 | sort -u > $temp2
for i in `cat $temp2`
do
fgrep $i $temp1
echo "\n"
done

done
rm $temp1 $temp2
}

This is an example:

# ms 'to=<root' syslog.0.gz syslog.1.gz

Sep 24 00:05:55 relay-mail-1 sendmail[23518]: [ID 801593 mail.info] m8O05sfe023518: from=<>, size=6747, class=0, nrcpts=1, msgid=<0K7O001BAAXTX600@mr-mta-1.mydomain.com>, proto=ESMTP, daemon=MTA, relay=[10.14.2.24]

Sep 24 00:06:05 relay-mail-1 sendmail[23520]: [ID 801593 mail.info] m8O05sfe023518: to=<root@mailman.putt.edu>, delay=00:00:11, xdelay=00:00:10, mailer=esmtp, pri=126747, relay=mailman.putt.edu. [136.1.8.7], dsn=4.0.0, stat=Deferred: Connection timed out with mailman.putt.edu.

Sep 24 00:31:33 relay-mail-1 sendmail[27735]: [ID 801593 mail.info] m8O05sfe023518: to=<root@mailman.putt.edu>, delay=00:25:39, xdelay=00:01:00, mailer=esmtp, pri=216747, relay=mailman.putt.edu. [136.1.8.7], dsn=4.0.0, stat=Deferred: Connection timed out with mailman.putt.edu.
. . .

As you can see the pattern to=<root was found in the 2nd and the 3d log entries, however the 1st line is also here because it contains the same message number (or whatever it's called).

Related posts:

  1. External searching in mybb Sometimes you need to integrate web-pages with corresponding forum threads....