Sumo Logic + Email Dashboard

I am feeding my syslog files, which include the Postfix mail logs (plus some Dovecot and Fortigate entries), into a Sumo Logic collector.

[Image: 2015-06-29-sumologic-email-flow]

There is a lot going on in this dashboard (and I have a lot of tabs open in my browser – don’t hate!).

Dashboards in Sumo Logic are a quick and easy way to visualize the data you are already collecting. In earlier posts I showed data from a Fortigate firewall to display bandwidth hogs and performance graphs.

But I wanted to see how my mail server(s) are doing.

So I built a sample dashboard to do just that.

Dashboard layout (panel descriptions, three panels per row):

Row 1: GeoIP of incoming connections | Postfix inbound/outbound | Postfix delivery size and # recipients
Row 2: GeoIP of outgoing connections | milter rejection hosts | DNSBL rejection hosts
Row 3: GeoIP of Dovecot connections | Dovecot size of in/out traffic | Postfix rejections per hour
Row 4: Fortigate Spam Profiles | Top 10 Postfix local destinations | (blank)

Included below are the relevant searches needed to build a dashboard as pictured above, one search per panel in the order of the layout table.

GeoIP of incoming connections:

_index=unix_logs _sourceName="mail system" ((postfix/postscreen AND (DISCONNECT)) OR (SecureMail))
  | parse regex "(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
  | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://location on ip = client_ip
  | count by latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code
  | sort _count

Postfix inbound/outbound:

_index=unix_logs _sourceName="mail system" AND NOT (127.0.0.1 OR 192.168.110.218) AND (postfix/smtp OR postfix/smtpd)
  | parse regex ".*:\ connect\ from .*\[(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
  | parse regex ":.*: to=.*\[(?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*=sent"
  | split src_ip delim='.' extract 1 as src_num_ip1
  | split dst_ip delim='.' extract 1 as dst_num_ip1
  | if ((src_num_ip1 >= "1"), 1, 0) as inbound
  | if ((dst_num_ip1 >= "1"), 1, 0) as outbound
  | timeslice 60m
  | sum(inbound) as inbound, sum(outbound) as outbound by _timeslice

Postfix delivery size and # recipients:

_index=unix_logs _sourceName="mail system" postfix/qmgr
  | parse "size=*, nrcpt=* " as size, rcpt
  | timeslice 60m
  | (size/1000000) as mbytes_in
  | sum(mbytes_in) as size, sum(rcpt) as recipients by _timeslice

GeoIP of outgoing connections:

_index=unix_logs _sourceName="mail system" postfix/smtp AND !(127.0.0.1 OR clamsmtpd OR "TLS connection established") AND "250 "
  | parse regex "relay=.*\[(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]:"
  | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://location on ip = client_ip
  | count by latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code
  | sort _count

milter rejection hosts:

_index=unix_logs _sourceName="mail system" (postfix/cleanup AND " milter-reject: ")
  | parse regex "\[(?<block_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
  | count as count by block_ip
  | order by count
  | limit 10

DNSBL rejection hosts:

_index=unix_logs _sourceName="mail system" (postfix/postscreen AND " DNSBL ")
  | parse "rank * " as rank nodrop
  | parse regex "\[(?<block_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
  | count as count by block_ip, rank
  | order by count
  | limit 20

GeoIP of Dovecot connections:

_index=unix_logs _sourceName="mail system" dovecot: AND (imap-login: OR pop3-login)
  | parse regex "rip=(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),"
  | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://location on ip = client_ip
  | count by latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code
  | sort _count

Dovecot size of in/out traffic:

_index=unix_logs _sourceName="mail system" "dovecot:" !"Debug:" "Connection closed "
  | parse "imap(*)" as username nodrop
  | keyvalue regex "=(\d+)" keys "in", "out" as input, output
  | timeslice 60m
  | (input/1000000) as mbytes_in
  | (output/1000000) as mbytes_out
  | sum(mbytes_in) as inbound, sum(mbytes_out) as outbound by _timeslice

Postfix rejections per hour:

_index=unix_logs _sourceName="mail system" " 5.7.1 "
  | parse regex "milter-reject: END-OF-MESSAGE from\ .*\[(?<milter_src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
  | parse regex "NOQUEUE: reject: .*from\ .*\[(?<rbl_src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
  | split milter_src_ip delim='.' extract 1 as milter_num_ip1
  | split rbl_src_ip delim='.' extract 1 as rbl_num_ip1
  | if ((milter_num_ip1 >= "1"), 1, 0) as milter
  | if ((rbl_num_ip1 >= "1"), 1, 0) as rbl
  | timeslice 60m
  | sum(milter) as milter, sum(rbl) as rbl by _timeslice

Fortigate Spam Profiles:

_index=security_logs _sourceCategory=fw_security "service=SMTP"
  | parse "profile=* action=* " as profile, action
  | count as count by profile
  | order by count

Top 10 Postfix local destinations:

_index=unix_logs _sourceName="mail system" !(127.0.0.1 OR clamsmtpd:) "status=sent"
  | parse " to=<*>, " as orig_destination
  | toLowerCase(orig_destination) as destination
  | timeslice 60m
  | count as count by destination
  | order by count
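To check what the "Postfix rejections per hour", "DNSBL rejection hosts" and "Postfix delivery size and # recipients" searches are actually counting before trusting the panels, here is an added Python example (not code from the post) that applies the same regex extractions and 60-minute bucketing to a handful of constructed Postfix syslog lines. The log lines, hostnames and IPs are made up for the example; the patterns follow the Sumo searches above, and a regex match stands in for the "first octet >= 1" trick the searches use to test whether an IP was extracted. There is no offline stand-in for the geo://location lookup, so the GeoIP panels are not reproduced.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample syslog lines (not from the post). Formats follow Postfix's
# postscreen, cleanup and qmgr loggers; addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 29 10:01:03 mail postfix/postscreen[1234]: DNSBL rank 3 for [203.0.113.5]:54321
Jun 29 10:01:04 mail postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [203.0.113.5]:54321: 550 5.7.1 Service unavailable; client [203.0.113.5] blocked using zen.spamhaus.org; from=<a@example.com>, to=<b@example.org>, proto=ESMTP, helo=<x>
Jun 29 10:05:00 mail postfix/cleanup[2345]: 3A1B2C3D4E: milter-reject: END-OF-MESSAGE from mail.example.net[198.51.100.7]: 5.7.1 Blocked by content filter; from=<x@example.net> to=<y@example.org> proto=ESMTP helo=<mail.example.net>
Jun 29 10:06:00 mail postfix/qmgr[3456]: 3A1B2C3D4F: from=<x@example.net>, size=2048000, nrcpt=2 (queue active)
Jun 29 10:59:30 mail postfix/qmgr[3456]: 3A1B2C3D50: from=<z@example.net>, size=1024000, nrcpt=1 (queue active)
Jun 29 11:02:10 mail postfix/postscreen[1234]: DNSBL rank 5 for [203.0.113.9]:40000
Jun 29 11:02:11 mail postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [203.0.113.9]:40000: 550 5.7.1 Service unavailable; client [203.0.113.9] blocked using zen.spamhaus.org; from=<c@example.com>, to=<d@example.org>, proto=ESMTP, helo=<y>
Jun 29 11:15:00 mail postfix/postscreen[1234]: DNSBL rank 3 for [203.0.113.5]:55000
"""

# Same dotted-quad pattern the Sumo searches use (no range validation, like the original).
IP = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
MILTER_RE = re.compile(r"milter-reject: END-OF-MESSAGE from .*\[" + IP)   # milter_src_ip
RBL_RE = re.compile(r"NOQUEUE: reject: .*from .*\[" + IP)                   # rbl_src_ip
DNSBL_RE = re.compile(r"postfix/postscreen\[\d+\]: DNSBL rank (\d+) for \[" + IP)
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: .*size=(\d+), nrcpt=(\d+) ")


def timeslice(line):
    """Bucket a syslog line into a 60-minute slice, the equivalent of `timeslice 60m`."""
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog timestamp has no year
    return ts.strftime("%b %d %H:00")


def rejections_per_hour(lines):
    """Panel 'Postfix rejections per hour': milter vs DNSBL (rbl) rejects per slice.

    Only lines carrying the enhanced status ' 5.7.1 ' are considered, as in the search;
    each pattern is tested independently, mirroring the two `parse regex ... nodrop` stages.
    """
    out = defaultdict(lambda: {"milter": 0, "rbl": 0})
    for line in lines:
        if " 5.7.1 " not in line:
            continue
        if MILTER_RE.search(line):
            out[timeslice(line)]["milter"] += 1
        if RBL_RE.search(line):
            out[timeslice(line)]["rbl"] += 1
    return dict(out)


def dnsbl_hosts(lines, limit=20):
    """Panel 'DNSBL rejection hosts': postscreen DNSBL hits counted by (ip, rank)."""
    counts = Counter()
    for line in lines:
        m = DNSBL_RE.search(line)
        if m:
            counts[(m.group(2), int(m.group(1)))] += 1
    return counts.most_common(limit)


def delivery_per_hour(lines):
    """Panel 'Postfix delivery size and # recipients': MB queued and recipients per slice."""
    out = defaultdict(lambda: {"mbytes": 0.0, "recipients": 0})
    for line in lines:
        m = QMGR_RE.search(line)
        if m:
            slot = out[timeslice(line)]
            slot["mbytes"] += int(m.group(1)) / 1_000_000   # size/1000000 as in the search
            slot["recipients"] += int(m.group(2))
    return dict(out)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("rejections per hour:", rejections_per_hour(lines))
    print("DNSBL hosts:", dnsbl_hosts(lines))
    print("delivery per hour:", delivery_per_hour(lines))
```

A useful side effect of running the patterns locally is seeing which lines a search silently drops: a postscreen "DNSBL rank" line never contains " 5.7.1 ", so it only feeds the DNSBL hosts panel, while the matching "NOQUEUE: reject" line is what the per-hour rejection panel counts as rbl.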