I have to write a parser for the Postfix log in Ruby. It should find bounces, format them as JSON and send them somewhere. I'm not a system administrator and don't want to install a Postfix server on my laptop. Where can I find such a file to work with? Can someone send one?
2 Answers
From http://en.redinskala.com/postfix-maillog-interpretation/ :
General syntax of maillog
The following line represents the basic format in which information is logged into maillog:
Jan 2 11:15:39 tmcent01 postfix/smtpd[17397]: connect from unknown[127.0.0.1]
As you can see, the first section (in bold) indicates only the date and time in which the event was recorded. In production mail servers it is advisable for this information to be the most accurate, since any failure at this point may generate inconsistencies when correlating events.
Jan 2 11:15:39 tmcent01 postfix/smtpd[17397]: connect from unknown[127.0.0.1]
The next field shows the name of the server which is recording the event, in this case it is our own Postfix server.
Jan 2 11:15:39 tmcent01 postfix/smtpd[17397]: connect from unknown[127.0.0.1]
The next field is one of the most critical when troubleshooting mail flow or a Postfix failure. Here, you can see the service / process [PID] that was executing the operation recorded. This information can help you differentiate each of the phases involved when Postfix receives, sends or processes a specific mail. For example, from the line above we can assume that the daemon in execution was “smtpd” which is the daemon used by Postfix to receive mail, therefore we can assume we are reviewing an incoming mail transaction and additionally we have the PID of the daemon that received that mail. You can use that same PID for searching all the operations that specific daemon performed on the mail.
Jan 2 11:15:39 tmims8201 postfix/smtpd[17397]: connect from unknown[127.0.0.1]
Finally, the last field is just a description for the recorded event. Here you’ll be able to see status / error codes or textual descriptions for a more detailed interpretation.
With this information you can easily identify each of the steps involved in the receiving, sending and processing of a mail through the Postfix engine. Now let’s get the specific details of each of these sections and the log blocks.

Please use [Markdown](http://serverfault.com/editing-help) and/or the formatting options in the edit menu to properly type-set your posts to improve their readability and in particular use the quote option to indicate citations. See http://serverfault.com/help/referencing – HBruijn Apr 20 '16 at 15:36
Check the grok patterns that Logstash uses to parse the log file. Not sure where I got our rules from, but this seems to be well maintained:
https://github.com/whyscream/postfix-grok-patterns/blob/master/postfix.grok

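The field layout quoted in the first answer, turned into a Ruby parser that picks out bounces and emits JSON; this is an added example, not code from either answer or the linked projects. The log lines are constructed, and the delivery-line shape (`QUEUEID: to=<...>, key=value, ..., status=bounced (reason)`) and the method names are assumptions.

```ruby
require 'json'

# Layout from the first answer: timestamp, host, service/process[PID], description.
LINE_RE = /\A(?<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?<host>\S+) (?<process>[\w\/-]+)\[(?<pid>\d+)\]: (?<message>.*)\z/

# Assumed delivery description: "QUEUEID: to=<rcpt>, key=value, ..., status=STATUS (reason)".
DELIVERY_RE = /\A(?<queue_id>[0-9A-Za-z]+): to=<(?<to>[^>]*)>, (?<pairs>.*?), status=(?<status>\w+) \((?<reason>.*)\)\z/

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = <<~LOG
  Jan  2 11:15:39 tmcent01 postfix/smtpd[17397]: connect from unknown[127.0.0.1]
  Jan  2 11:15:40 tmcent01 postfix/smtp[17401]: 1A2B3C4D5E: to=<ok@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=0.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
  Jan  2 11:15:41 tmcent01 postfix/smtp[17402]: 3F2A11C0B5: to=<user@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=5.1.1, status=bounced (host mx.example.com[192.0.2.10] said: 550 5.1.1 <user@example.com>: Recipient address rejected (in reply to RCPT TO command))
  this line is not syslog-formatted and must be skipped
LOG

# Split one line into the four fields; returns nil for anything that does not fit.
def parse_line(line)
  m = LINE_RE.match(line.chomp)
  return nil unless m
  { 'timestamp' => m[:timestamp], 'host' => m[:host], 'process' => m[:process],
    'pid' => m[:pid].to_i, 'message' => m[:message] }
end

# Returns a hash for a bounced delivery, nil for every other line.
def parse_bounce(line)
  entry = parse_line(line)
  d = entry && DELIVERY_RE.match(entry['message'])
  return nil unless d && d[:status] == 'bounced'
  # key=value pairs between the recipient and the status; skip malformed items.
  fields = d[:pairs].split(', ').select { |kv| kv.include?('=') }
                    .map { |kv| kv.split('=', 2) }.to_h
  entry.delete('message')
  # The reason is text supplied by the remote server: treat it as untrusted
  # and let to_json do the escaping instead of building JSON by hand.
  entry.merge('queue_id' => d[:queue_id], 'to' => d[:to], 'relay' => fields['relay'],
              'dsn' => fields['dsn'], 'status' => d[:status], 'reason' => d[:reason])
end

# One JSON document per bounce, ready to hand to whatever sends it on.
def bounces_as_json(io)
  io.each_line.map { |line| parse_bounce(line) }.compact.map(&:to_json)
end

puts bounces_as_json(SAMPLE_LOG)
```

`bounces_as_json` accepts anything that responds to `each_line`, so `File.open('/var/log/maillog')` can replace the sample string once a real log is available.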