Today I had to search through dozens of mail logs (syslog) located on several mail relays and find all entries related to a particular user.
Given:
- All servers are managed via a remote tty console
- The ksh script must be copy&pasteable
- All logs are gzipped
- I need all entries with the same message number (the ninth field) as the log entry that matched
This is what I came up with:
{
a=$1
temp1=/tmp/alekz.mail.log
temp2=/tmp/alekz.mailid
shift
for file in $*
do
    # Uncompress the current log into the work file
    gzip -dc $file > $temp1
    # Collect the distinct message numbers (ninth field) of the lines matching the pattern
    fgrep -i "$a" $temp1 | cut -d" " -f9 | sort -u > $temp2
    # Print every line carrying one of those numbers, one blank line between groups
    for i in `cat $temp2`
    do
        fgrep $i $temp1
        echo "\n"
    done
done
rm $temp1 $temp2
}
This is an example:
Sep 24 00:05:55 relay-mail-1 sendmail[23518]: [ID 801593 mail.info] m8O05sfe023518: from=<>, size=6747, class=0, nrcpts=1, msgid=<0K7O001BAAXTX600@mr-mta-1.mydomain.com>, proto=ESMTP, daemon=MTA, relay=[10.14.2.24]
Sep 24 00:06:05 relay-mail-1 sendmail[23520]: [ID 801593 mail.info] m8O05sfe023518: to=<root@mailman.putt.edu>, delay=00:00:11, xdelay=00:00:10, mailer=esmtp, pri=126747, relay=mailman.putt.edu. [136.1.8.7], dsn=4.0.0, stat=Deferred: Connection timed out with mailman.putt.edu.
Sep 24 00:31:33 relay-mail-1 sendmail[27735]: [ID 801593 mail.info] m8O05sfe023518: to=<root@mailman.putt.edu>, delay=00:25:39, xdelay=00:01:00, mailer=esmtp, pri=216747, relay=mailman.putt.edu. [136.1.8.7], dsn=4.0.0, stat=Deferred: Connection timed out with mailman.putt.edu.
. . .
As you can see, the pattern to=<root was found in the 2nd and the 3rd log entries; the 1st line is also printed because it carries the same message number (or whatever it's called).
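The same search as an added example (not the post's script): one awk pass per file instead of grep/cut/sort plus temp files, so no fixed, predictable /tmp names and no uncompressed copy of the mail log is left on the relay. It assumes the queue ID is the ninth whitespace-separated field, as in the sample above, and the sample log in it is constructed.

```sh
# Added example (not the post's script): one-pass awk version of the same
# search, no temp files. Assumes the sendmail queue ID is the 9th field.
# Usage: mailtrace PATTERN FILE...   (FILEs may be gzipped or plain)
mailtrace() {
    pat=$1
    shift
    for file in "$@"; do
        case $file in
            *.gz) cat_cmd="gzip -dc" ;;
            *)    cat_cmd="cat" ;;
        esac
        # Single pass: keep every line grouped by queue ID, remember which
        # IDs had a (case-insensitive) hit for PATTERN, then print the full
        # group for each hit ID in first-seen order, blank line separated.
        $cat_cmd "$file" | awk -v pat="$pat" '
            BEGIN { pat = tolower(pat) }
            {
                id = $9
                if (!(id in lines)) order[++n] = id
                lines[id] = lines[id] $0 "\n"
                if (index(tolower($0), pat) > 0) hit[id] = 1
            }
            END {
                for (i = 1; i <= n; i++)
                    if (order[i] in hit) printf "%s\n", lines[order[i]]
            }'
    done
}

# Constructed sample log, modelled on the post's lines (not real traffic).
sample_log() {
cat <<'EOF'
Sep 24 00:05:55 relay-mail-1 sendmail[23518]: [ID 801593 mail.info] m8O05sfe023518: from=<>, size=6747, nrcpts=1, proto=ESMTP, relay=[10.14.2.24]
Sep 24 00:06:05 relay-mail-1 sendmail[23520]: [ID 801593 mail.info] m8O05sfe023518: to=<root@mailman.putt.edu>, mailer=esmtp, dsn=4.0.0, stat=Deferred: Connection timed out with mailman.putt.edu.
Sep 24 00:07:10 relay-mail-1 sendmail[23601]: [ID 801593 mail.info] m8O07Aqw023601: from=<alice@example.test>, size=120, nrcpts=1, proto=ESMTP, relay=[10.14.2.30]
Sep 24 00:07:11 relay-mail-1 sendmail[23602]: [ID 801593 mail.info] m8O07Aqw023601: to=<bob@example.test>, mailer=esmtp, dsn=2.0.0, stat=Sent
EOF
}

# Demo: one plain and one gzipped copy of the sample, searched for "to=<root".
demo() {
    dir=$(mktemp -d) || return 1
    sample_log > "$dir/mail.log"
    sample_log | gzip -c > "$dir/mail.log.0.gz"
    mailtrace "to=<root" "$dir/mail.log" "$dir/mail.log.0.gz"
    rm -rf "$dir"
}
```

Running demo prints both lines of queue ID m8O05sfe023518 from each file (the from=<> line included) and nothing from the unrelated m8O07Aqw023601 message.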
Hi,
It's called the queue ID, not message number.
🙂
Cheers
Steve
Ah, thanks Steve. Never knew the correct name for this field 😉