Getting Data In

Has anyone successfully parsed Exim logs into Splunk?

ch1221
Path Finder

I'm trying to get Exim logs parsed into Splunk to log inbound/outbound mail. I'm very new to using RegEx and have been fighting to get something to parse it correctly. I've tried field-extractor and it only grabs about 13%; I've also tried the add-on builder.

Has anyone successfully consumed Exim logs? Can you provide some help?


JeffLeshin
New Member

I tried to answer this question a little earlier and it seems to have failed somehow.
If this ends up being a duplicate, my apologies.

I was looking for a head start on this myself when I found your post.
I have a new exim4 relay server that I need to monitor.

Here’s what I came up with myself - wiser spelunkers are welcome to improve on it:

First, a lot of the fields are parsed automatically by Splunk. That’s because they are name=value pairs. You can find their meanings in the exim4 docs. In Splunk they look like H=xxx, CN=xxx, etc.
You can use rename to give the fields friendlier names.

Here’s an example (your index name is undoubtedly different):

index=smtpexim | rename H as HostSender | stats count by HostSender host

This is useful for seeing which hosts are using the relay server.

I also needed to get alerts when there are email transfer failures. Here I needed to combine all the events related to one mail transfer. A good use of transactions. I also had to extract the message id which, strangely enough, is not part of a name=value pair. It follows the time stamp in the log.

This search uses the index and sourcetype I defined. Just substitute here.
In actual use I saved the regex as a field extraction after testing it in the search, below.

index=smtpexim sourcetype=exim4logs | rex field=_raw "^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s(?P<messageID>.+?)\s.*" | transaction messageID | search NOT Completed AND NOT "queue run"

This should not return any events unless a message transfer is not successfully completed. I still haven’t tested it with a bogus message. But I think the Splunk part is a good start.


JDukeSplunk
Builder

Could you provide some sample data?


ch1221
Path Finder

Here is something similar to what I am working with. As you can see, it includes multiple events in the logs and once those can be separated out, combining the messages with transaction should be straightforward.

2017-06-22 00:00:32 1dNw6R-0004dN-VU <= Yajane_doe@generic.com H=svr-xxx--01.xxx.genericg.com [99.99.99.999] P=esmtp K S=76706 id=d7a4493e0b7e40d29ee9156d95ee9f02@svr-xxx--01.xxx.genericg.com
2017-06-22 00:00:32 H=esa3.generic.iphmx.com [99.99.999.999] F= rejected RCPT : bounce_localunknown router forced verify failure
2017-06-22 00:00:32 1dNw6Q-0004bW-Im => mumad.atif.b.abd.raz@xx.com.com R=dnslookup T=remote_smtp H=mga14.xx.com.com [99.99.99.999] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 ok:  Message 227984017 accepted"
2017-06-22 00:00:32 1dNw6Q-0004bW-Im -> amit.radhak@xx.com.com R=dnslookup T=remote_smtp H=mga14.xx.com.com [99.99.99.99] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 ok:  Message 227984017 accepted"
2017-06-22 00:00:32 1dNw6Q-0004bW-Im -> abhil.bm@xx.com.com R=dnslookup T=remote_smtp H=mga14.xx.com.com [99.99.99.999] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 ok:  Message 227984017 accepted"
2017-06-22 00:00:32 1dNw6Q-0004bW-Im -> hish.mar.m@xx.com.com R=dnslookup T=remote_smtp H=mga14.xx.com.com [99.99.99.999] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 ok:  Message 227984017 accepted"
2017-06-22 00:00:32 1dNw6Q-0004bW-Im Completed
2017-06-22 00:00:32 1dNw6R-0004dN-VU => arn.sine@nmt.com R=dnslookup T=remote_smtp H=aspmx.l.gxxx.com [99.99.99.999] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes K C="250 2.0.0 OK g6si645764iof.8 - gsmtp"
2017-06-22 00:00:32 1dNw6R-0004dN-VU Completed
2017-06-22 00:00:33 no IP address found for host aj.to.genericg.com (during SMTP connection from es3.generic.iphmx.com [99.99.999.999])
2017-06-22 00:00:33 H=esa3.generic.iphmx.com [99.99.999.999] X=TLSv1.2:RC4-SHA:128 CV=no F= temporarily rejected RCPT : lookup of host "aj.to.generic.com" failed in xxx_routes router
2017-06-22 00:00:34 1dNw6U-0004dl-Ia <= error@err.gna.co.jp H=esa2.generic.iphmx.com [99.99.99.99] P=esmtps X=TLSv1.2:RC4-SHA:128 CV=no S=12467 id=1498.114822.305392@err.gna.co.jp
2017-06-22 00:00:35 1dNw6U-0004dl-Ia => masashi_shigemori@generic.com R=exchange_users T=remote_smtp_ex_hosts H=mail-na.genericg.com [99.99.999.999] X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=yes K C="250 2.6.0 <1498.114822.305392@err.gna.co.jp> [InternalId=5521513] Queued mail for delivery"
2017-06-22 00:00:35 1dNw6U-0004dl-Ia Completed
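As an added example (not code from either poster), here is JeffLeshin's approach run over the sample ch1221 posted, in Python: a strict message-id pattern (Exim's 6-6-2 form, so id-less rejection lines are not mistaken for a message), the name=value pairs Splunk auto-extracts including quoted values such as C="...", and the grouping that `transaction messageID` performs, flagging ids that never reach `Completed`. The `(?P<name>...)` syntax is the same one `rex` accepts; the last SAMPLE line and its id are constructed.

```python
import re
from collections import defaultdict

# Exim main-log line: timestamp, optional 6-6-2 base-62 message id (1dNw6R-0004dN-VU), then the rest.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
                     r"(?:(?P<messageID>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})\s+)?(?P<rest>.*)$")
# name=value pairs as Splunk auto-extracts them; values may be quoted, e.g. C="250 ok ...".
KV_RE = re.compile(r'(?<!\S)(?P<key>[A-Za-z]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')
FLAGS = ("<=", "=>", "->", "**", "==")  # arrival, delivery, extra recipient, failure, deferral

def parse_line(line):
    """Return a dict of fields for one log line, or None if the line is not an Exim log line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    event = {"ts": m.group("ts"), "messageID": m.group("messageID"), "completed": rest == "Completed",
             "flag": next((f for f in FLAGS if rest.startswith(f + " ")), None)}
    for kv in KV_RE.finditer(rest):
        event[kv.group("key")] = kv.group("quoted") if kv.group("quoted") is not None else kv.group("bare")
    return event

def find_incomplete(lines):
    """Group events by message id (the 'transaction messageID' step in SPL) and return
    (ids whose transaction never reached 'Completed', id-less events such as rejections)."""
    by_id, orphans = defaultdict(list), []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            (by_id[ev["messageID"]] if ev["messageID"] else orphans).append(ev)
    incomplete = {mid: evs for mid, evs in by_id.items() if not any(e["completed"] for e in evs)}
    return incomplete, orphans

# Lines taken from the sample posted above, plus one constructed '**' delivery-failure line.
SAMPLE = """\
2017-06-22 00:00:32 1dNw6R-0004dN-VU <= Yajane_doe@generic.com H=svr-xxx--01.xxx.genericg.com [99.99.99.999] P=esmtp K S=76706 id=d7a4493e0b7e40d29ee9156d95ee9f02@svr-xxx--01.xxx.genericg.com
2017-06-22 00:00:32 H=esa3.generic.iphmx.com [99.99.999.999] F= rejected RCPT : bounce_localunknown router forced verify failure
2017-06-22 00:00:32 1dNw6Q-0004bW-Im => mumad.atif.b.abd.raz@xx.com.com R=dnslookup T=remote_smtp H=mga14.xx.com.com [99.99.99.999] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 ok:  Message 227984017 accepted"
2017-06-22 00:00:32 1dNw6Q-0004bW-Im Completed
2017-06-22 00:00:32 1dNw6R-0004dN-VU => arn.sine@nmt.com R=dnslookup T=remote_smtp H=aspmx.l.gxxx.com [99.99.99.999] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes K C="250 2.0.0 OK g6si645764iof.8 - gsmtp"
2017-06-22 00:00:32 1dNw6R-0004dN-VU Completed
2017-06-22 00:00:40 1dNw6Z-0004f0-Qx ** nobody@relay.example R=dnslookup T=remote_smtp: retry timeout exceeded
""".splitlines()

if __name__ == "__main__":
    incomplete, orphans = find_incomplete(SAMPLE)
    print("not completed:", sorted(incomplete))          # ['1dNw6Z-0004f0-Qx']
    print("rejections:", [e.get("H") for e in orphans])  # ['esa3.generic.iphmx.com']
```

The stricter id pattern matters for the alert search: with `.+?` the rejection line would get messageID "H=esa3.generic.iphmx.com" and show up as its own uncompleted transaction.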

kmorris_splunk
Splunk Employee

Ingesting this sample through the GUI seems to parse the events OK. It's also grabbing the timestamp properly. A good practice would be to take a sample and ingest it through the GUI. If things aren't line-breaking or timestamping properly, you can make adjustments in the GUI and save the settings in a sourcetype. Once you have the sourcetype, you can create your input to read the logs in, specifying the new sourcetype you created.
