Analyze Postfix mail Logs

Description,

Pflogsumm is a log analyzer/summarizer for the Postfix MTA. It is
designed to provide an over-view of Postfix activity, with just enough
detail to give the administrator a “heads up” for potential trouble
spots.

Pflogsumm generates summaries and, in some cases, detailed reports of
mail server traffic volumes, rejected and bounced email, and server
warnings, errors and panics.

Pflogsumm is a great tool to create a summary of Postfix logs. Install it on Ubuntu with:
apt install pflogsumm
(Make sure you logded in with sudo else add sueo infront of the above command)
After installing you can use the following commands to generate reports.

pflogsumm -d today /var/log/mail.log This command will generate the report for today

pflogsumm -d yesterday /var/log/mail.log This command Generate a report for yesterday.

If you like to generate a report for this week.
pflogsumm /var/log/mail.log

If you like to see “problem reports (warning, defers, reject, bounces) before the “normal” report add the following parameters (flags)
--problems-first
like
pflogsumm -d today /var/log/mail.log --problems-first

TO add the email from address to each listing in reject report use the following parameters/flags

--rej-add-from

Like
pflogsumm -d today /var/log/mail.log --rej-add-from

To Display the full reason in reject summaries, use --verbose-msg-detail parameters/flag.

like this

pflogsumm -d today /var/log/mail.log --rej-add-from --verbose-msg-detail

To send a report to your email address every day.
We can add a crontab job.

crontab -e

Add the following line, which will generate a report every day at 2:00 AM.

0 2 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-first --rej-add-from --verbose-msg-detail -q

To receive the report via email, add the following line above all cron jobs.

MAILTO="you@exmaple.com"

If the MAILTO variable has already been set but you want Postfix mail log summary sent to a different email address, you can put the following line in your Cron job.

0 2 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-first --rej-add-from --verbose-msg-detail -q | mutt -s "Postfix mail log summary" you@example.com

The output of pflogsumm command is redirected to mutt, a command line mail user agent, which will use the output as the email body and send it to the email address you specify at the end.

You need to install mutt on your Linux server.

apt install mutt

Here is

Synopsis

pflogsumm.pl -[eq] [-d ] [-h ] [-u ]
[–verp_mung[=]] [–verbose_msg_detail] [–iso_date_time]
[-m│–uucp_mung] [-i│–ignore_case] [–smtpd_stats] [–mailq]
[–problems_first] [–rej_add_from] [–no_bounce_detail]
[–no_deferral_detail] [–no_reject_detail] [–no_no_msg_size]
[–no_smtpd_warnings] [–zero_fill] [–syslog_name=string]
[file1 [filen]]

Options

-d today generate report for just today
-d yesterday generate report for just “yesterday”

-e extended (extreme? excessive?) detail

Emit detailed reports. At present, this includes
only a per-message report, sorted by sender domain,
then user-in-domain, then by queue i.d.

WARNING: the data built to generate this report can
quickly consume very large amounts of memory if a
lot of log entries are processed!

-h top to display in host/domain reports.

0 = none.

See also: “-u” and “–no_*_detail” for further
report-limiting options.

–help Emit short usage message and bail out.

(By happy coincidence, “-h” alone does much the same,
being as it requires a numeric argument :-). Yeah, I
know: lame.)

-i
–ignore_case Handle complete email address in a case-insensitive
manner.

Normally pflogsumm lower-cases only the host and
domain parts, leaving the user part alone. This
option causes the entire email address to be lower-
cased.

–iso_date_time

For summaries that contain date or time information,
use ISO 8601 standard formats (CCYY-MM-DD and HH:MM),
rather than “Mon DD CCYY” and “HHMM”.

-m modify (mung?) UUCP-style bang-paths
–uucp_mung

This is for use when you have a mix of Internet-style
domain addresses and UUCP-style bang-paths in the log.
Upstream UUCP feeds sometimes mung Internet domain
style address into bang-paths. This option can
sometimes undo the “damage”. For example:
“somehost.dom!username@foo” (where “foo” is the next
host upstream and “somehost.dom” was whence the email
originated) will get converted to
“foo!username@somehost.dom”. This also affects the
extended detail report (-e), to help ensure that by-
domain-by-name sorting is more accurate.

–mailq Run “mailq” command at end of report.

Merely a convenience feature. (Assumes that “mailq”
is in $PATH. See “$mailqCmd” variable to path thisi
if desired.)

–no_bounce_detail
–no_deferral_detail
–no_reject_detail

Suppresses the printing of the following detailed
reports, respectively:

message bounce detail (by relay)
message deferral detail
message reject detail

See also: “-u” and “-h” for further report-limiting
options.

–no_no_msg_size

Do not emit report on “Messages with no size data”.

Message size is reported only by the queue manager.
The message may be delivered long-enough after the
(last) qmgr log entry that the information is not in
the log(s) processed by a particular run of
pflogsumm.pl. This throws off “Recipients by message
size” and the total for “bytes delivered.” These are
normally reported by pflogsumm as “Messages with no
size data.”

–no_smtpd_warnings

On a busy mail server, say at an ISP, SMTPD warnings
can result in a rather sizeable report. This option
turns reporting them off.

–problems_first

Emit “problems” reports (bounces, defers, warnings,
etc.) before “normal” stats.

–rej_add_from
For those reject reports that list IP addresses or
host/domain names: append the email from address to
each listing. (Does not apply to “Improper use of
SMTP command pipelining” report.)

-q quiet – don’t print headings for empty reports

note: headings for warning, fatal, and “master”
messages will always be printed.

–smtpd_stats

Generate smtpd connection statistics.

The “per-day” report is not generated for single-day
reports. For multiple-day reports: “per-hour” numbers
are daily averages (reflected in the report heading).

–syslog_name=name

Set syslog_name to look for for Postfix log entries.

By default, pflogsumm looks for entries in logfiles
with a syslog name of “postfix,” the default.
If you’ve set a non-default “syslog_name” parameter
in your Postfix configuration, use this option to
tell pflogsumm what that is.

See the discussion about the use of this option under
“NOTES,” below.

-u top to display in user reports. 0 == none.

See also: “-h” and “–no_*_detail” for further
report-limiting options.

–verbose_msg_detail

For the message deferral, bounce and reject summaries:
display the full “reason”, rather than a truncated one.

Note: this can result in quite long lines in the report.

–verp_mung do “VERP” generated address (?) munging. Convert
–verp_mung=2 sender addresses of the form
“list-return-NN-someuser=some.dom@host.sender.dom”
to
“list-return-ID-someuser=some.dom@host.sender.dom”

In other words: replace the numeric value with “ID”.

By specifying the optional “=2” (second form), the
munging is more “aggressive”, converting the address
to something like:

“list-return@host.sender.dom”

Actually: specifying anything less than 2 does the
“simple” munging and anything greater than 1 results
in the more “aggressive” hack being applied.

See “NOTES” regarding this option.

–version Print program name and version and bail out.

–zero_fill “Zero-fill” certain arrays so reports come out with
data in columns that that might otherwise be blank.

Return Value

Pflogsumm doesn’t return anything of interest to the shell.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

More post