Reporting

track email using sendmail logs over multiple relay jumps

DanneFo
Explorer

We are trying to find a way to track email that goes through more than one relay, but haven't found a way yet. Yes, we are quite new to Splunk.

Goal: show "from", "to" and other fields for an email passing through several relays, per relay.

We tried this, which is close but not quite right:

sourcetype=sendmail_syslog qid=* [search sourcetype=sendmail_syslog relay="*google.com" | fields msgid ] | transaction qid | table _time qid from to nrcpts host arg1

The only (should be) unique field connecting an email transaction on relay1 and relay2 is "msgid", so this should work but it only gets the msgid line of each transaction. The entire log line with "to" is missing from the results. The "transaction qid" does not help.

What did we miss?

Log example:

Jun 14 09:43:01 relay1 sendmail[93821]: u5E7h032096841: from=<from@domain.com>, size=4479, class=0, nrcpts=1, msgid=<uniquie-msgid-001mail.gmail.com>, proto=ESMTP, daemon=MTA, relay=mail-qg0-f44.google.com [209.85.192.44]
Jun 14 09:43:01 relay1 sendmail[94832]: u5E7h032096841: to=<to@domain.com>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=124479, relay=mailserver.domain.com. [22.33.44.55], dsn=2.0.0, stat=Sent (Ok: queued as 4283441)
Jun 14 09:43:02 relay2 sendmail[10865]: u5E7h2Lu010855: from=<from@domain.com>, size=5773, class=0, nrcpts=1, msgid=<uniquie-msgid-001mail.gmail.com>, proto=ESMTP, daemon=MTA, relay=mailserver.domain.com [22.33.44.55]
Jun 14 09:47:37 relay2 sendmail[11976]: u5E7h2Lu010855: SMTP outgoing connect on relay2.ministry.se
Jun 14 09:47:37 relay2 sendmail[11987]: u5E7h2Lu010855: to=<to@domain.com>, delay=00:04:35, xdelay=00:00:00, mailer=smtp, pri=125773, relay=internalmta.domain.com. [11.22.33.44], dsn=2.0.0, stat=Sent (<uniquie-msgid-001mail.gmail.com> [InternalId=03849873487] Queued mail for delivery)
Jun 14 09:47:37 relay2 sendmail[11978]: u5E7h2Lu010855: done; delay=00:04:35, ntries=1
0 Karma
1 Solution

DanneFo
Explorer

I'll answer my own question.

This solved it our problem; two subsearches:

sourcetype=sendmail_syslog [ search sourcetype=sendmail_syslog [ search sourcetype=sendmail_syslog relay="*google.com" | fields msgid] | fields qid ] | transaction qid | table _timestamp qid msgid from to nrcpts host relay stat

View solution in original post

DanneFo
Explorer

I'll answer my own question.

This solved it our problem; two subsearches:

sourcetype=sendmail_syslog [ search sourcetype=sendmail_syslog [ search sourcetype=sendmail_syslog relay="*google.com" | fields msgid] | fields qid ] | transaction qid | table _timestamp qid msgid from to nrcpts host relay stat
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...