Extract sender activity from postfix logs for auditing user
Posted by Aseques on Server Fault
Published on 2012-01-19T10:50:24Z
Indexed on 2012/09/13 15:40 UTC
We have a mail user on our postfix server that was using the company mail to send compromising information to the competence.
I've been asked to make a report of the actions for that user in the last time.
There are tools like pflogsumm and others that can extract statistical data, but I haven't so far found anything useful to get all the info for a user because the data is in multiple lines.
I'd like to get something like this:
For the sent mail
11/11/11 00:00:00 [email protected] -> [email protected]
11/11/11 00:00:01 [email protected] -> [email protected]
For the received mail
10/10/11 00:00:00 [email protected] -> [email protected]
10/10/11 00:00:01 [email protected] -> [email protected]
I know I can do a script by myself, but matching the postfix ID for every mail is not something that can be made with a simple grep, and I've a lot of mail history that I have to recheck distributed among different files and so on.
The source log is the standard postfix format, for example this one...
Sep 13 16:15:57 server postfix/qmgr[18142]: B35CB5ED3D: from=<[email protected]>, size=10755, nrcpt=1 (queue active)
Sep 13 16:15:57 server postfix/smtpd[32099]: disconnect from localhost[127.0.0.1]
Sep 13 16:15:57 server postfix/smtp[32420]: 58C3E5EC9C: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.01/0/0/1.4, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=32697-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B35CB5ED3D)
Sep 13 16:15:57 server postfix/qmgr[18142]: 58C3E5EC9C: removed
Sep 13 16:15:57 server postfix/smtp[32379]: B35CB5ED3D: to=<[email protected]>, relay=mail.anothercompany.com[123.123.123.163]:25, delay=0.06, delays=0.03/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 77D0EB6C025)
Sep 13 16:15:57 server postfix/qmgr[18142]: B35CB5ED3D: removed
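One way to stitch the queue-ID lines back together, as an added example that is not from the question or any answer on the original page: a Python 3.8+ script that groups the log by queue ID, takes the sender from the qmgr "from=" line and the recipients from the "status=sent" lines, skips the content-filter hop visible in the sample (the delivery that is "queued as" a second local queue ID, which would otherwise be counted twice), and returns the two lists the question asks for. SAMPLE_LOG is a constructed copy of the quoted format with placeholder addresses.

```python
import re
from collections import defaultdict
# Shape of a Postfix log line: "<syslog time> <host> postfix/<daemon>[pid]: <QUEUEID>: <rest>"
LINE_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/\S+: ([0-9A-Za-z]+): (.*)$')
FROM_RE = re.compile(r'from=<([^>]*)>')
TO_RE = re.compile(r'to=<([^>]*)>')
QUEUED_AS_RE = re.compile(r'queued as ([0-9A-Za-z]+)')
# Constructed sample in the format quoted above (addresses are placeholders, not real mailboxes).
SAMPLE_LOG = """\
Sep 13 16:15:57 server postfix/qmgr[18142]: B35CB5ED3D: from=<alice@company.example>, size=10755, nrcpt=1 (queue active)
Sep 13 16:15:57 server postfix/smtpd[32099]: disconnect from localhost[127.0.0.1]
Sep 13 16:15:57 server postfix/smtp[32420]: 58C3E5EC9C: to=<bob@anothercompany.example>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.01/0/0/1.4, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=32697-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B35CB5ED3D)
Sep 13 16:15:57 server postfix/qmgr[18142]: 58C3E5EC9C: removed
Sep 13 16:15:57 server postfix/smtp[32379]: B35CB5ED3D: to=<bob@anothercompany.example>, relay=mail.anothercompany.com[123.123.123.163]:25, delay=0.06, delays=0.03/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 77D0EB6C025)
Sep 13 16:15:57 server postfix/qmgr[18142]: B35CB5ED3D: removed
"""

def parse_postfix(lines):
    """Group lines by queue ID: sender from the qmgr 'from=' line plus each successful delivery."""
    msgs = defaultdict(lambda: {'from': None, 'to': []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(2) == 'NOQUEUE':
            continue  # connect/disconnect, warnings and rejected mail carry no queue ID
        ts, qid, rest = m.groups()
        if f := FROM_RE.search(rest):
            msgs[qid]['from'] = f.group(1)
        if (t := TO_RE.search(rest)) and 'status=sent' in rest:
            q = QUEUED_AS_RE.search(rest)  # queue ID the next hop assigned, if it reported one
            msgs[qid]['to'].append((ts, t.group(1), q.group(1) if q else None))
    return msgs

def user_activity(lines, user):
    """Return (sent, received) lists of 'time sender -> recipient' strings for one mailbox."""
    msgs = parse_postfix(lines)
    user = user.lower()
    sent, received = [], []
    for m in msgs.values():
        for ts, rcpt, next_qid in m['to']:
            # "queued as" an ID also seen in this log = hop through a local content filter (amavis); skip it
            if next_qid in msgs:
                continue
            sender = m['from'] or '<unknown>'
            entry = f'{ts} {sender} -> {rcpt}'  # syslog time carries no year; take it from the file
            if sender.lower() == user:
                sent.append(entry)
            if rcpt.lower() == user:
                received.append(entry)
    return sent, received
```

Feed it the concatenated lines of all rotated mail logs in chronological order; a message whose qmgr "from=" line sits in an earlier file than its delivery lines is still matched, because the grouping is by queue ID, not by position.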
© Server Fault or respective owner