I am feeding my syslog files into a Sumo Logic collector which includes the mail logs from Postfix (and some Dovecot and Fortigate mentions).
There is a lot going on in this dashboard. (and I have a lot of tabs open in my browser – don’t hate!)
Dashboards in Sumo Logic are a quick and easy way to visualize the data you are already collecting. In earlier posts I showed data from a Fortigate firewall to display bandwidth hogs and performance graphs.
But I wanted to see how my mail server(s) are doing.
So I built a sample dashboard to do just that.
GeoIP of incoming connections | Postfix inbound/outbound | Postfix delivery size and # recipients |
GeoIP of outgoing connections | milter rejection hosts | DNSBL rejection hosts |
GeoIP of Dovecot connections | Dovecot size of in/out traffic | Postfix rejections per hour |
Fortigate Spam Profiles | Top 10 Postfix local destinations | BLANK |
Included below are the searches needed to build each panel of the dashboard pictured above, in the same order as the panel layout (left to right, row by row).
GeoIP of incoming connections:
_index=unix_logs _sourceName="mail system" ((postfix/postscreen AND (DISCONNECT)) OR (SecureMail)) | parse regex "(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://location on ip = client_ip | count by latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code | sort _count
Postfix inbound/outbound:
_index=unix_logs _sourceName="mail system" AND NOT (127.0.0.1 OR 192.168.110.218) AND (postfix/smtp OR postfix/smtpd) | parse regex ".*:\ connect\ from .*\[(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop | parse regex ":.*: to=.*\[(?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*=sent" | split src_ip delim='.' extract 1 as src_num_ip1 | split dst_ip delim='.' extract 1 as dst_num_ip1 | if ((src_num_ip1 >= "1"), 1, 0) as inbound | if ((dst_num_ip1 >= "1"), 1, 0) as outbound | timeslice 60m | sum(inbound) as inbound, sum(outbound) as outbound by _timeslice
Postfix delivery size and # recipients:
_index=unix_logs _sourceName="mail system" postfix/qmgr | parse "size=*, nrcpt=* " as size, rcpt | timeslice 60m | (size/1000000) as mbytes_in | sum(mbytes_in) as size, sum(rcpt) as recipients by _timeslice
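Before pasting the inbound/outbound and size/recipient searches into Sumo Logic it helps to confirm that the `connect from host[ip]`, `to=... relay=host[ip] ... status=sent` and `size=N, nrcpt=M` patterns pull out what you expect. The following Python script is an added example, not code from the post: it runs equivalent regexes over a few constructed Postfix syslog lines and produces the same 60-minute totals the two panels chart. The excluded addresses 127.0.0.1 and 192.168.110.218 are taken from the inbound/outbound query above; the hostnames, addresses, queue IDs and function names (`hour_bucket`, `hourly_mail_stats`) are my own. Where the search uses the first-octet trick (`src_num_ip1 >= "1"`) to turn a captured IP into a 1/0 flag, the script simply tests whether the regex matched.

```python
import re
from collections import defaultdict

# Constructed sample Postfix syslog lines (not taken from the post).
SAMPLE_LOG = """\
Mar  3 10:15:01 mail postfix/smtpd[1201]: connect from mx.example.net[203.0.113.5]
Mar  3 10:15:02 mail postfix/qmgr[1100]: A1B2C3D4E5: from=<alice@example.net>, size=248731, nrcpt=2 (queue active)
Mar  3 10:15:03 mail postfix/smtp[1310]: A1B2C3D4E5: to=<bob@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F3A1)
Mar  3 10:15:04 mail postfix/smtpd[1201]: connect from localhost[127.0.0.1]
Mar  3 10:16:00 mail postfix/smtp[1311]: B2C3D4E5F6: to=<carol@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=4.4.1, status=deferred (connect timed out)
Mar  3 11:02:10 mail postfix/smtpd[1202]: connect from unknown[192.0.2.44]
Mar  3 11:02:11 mail postfix/qmgr[1100]: C3D4E5F6A7: from=<dave@example.com>, size=1048576, nrcpt=1 (queue active)
"""

# Same exclusions as the inbound/outbound search: loopback and the internal relay.
EXCLUDED_IPS = ("127.0.0.1", "192.168.110.218")

IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
# smtpd accepting a connection counts as inbound
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from .*\[(?P<src_ip>" + IPV4 + r")\]")
# smtp client delivering to a remote relay counts as outbound (status=sent only)
SENT_RE = re.compile(r"postfix/smtp\[\d+\]: \w+: to=.*\[(?P<dst_ip>" + IPV4 + r")\].*status=sent")
# qmgr "queue active" line carries the message size and recipient count
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: \w+: from=.*size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")
# syslog timestamp; month, day and hour are enough for a 60-minute timeslice
TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hh>\d{2}):")


def hour_bucket(line):
    """Return a 'Mon DD HH:00' key for a syslog line, or None if it has no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    return f"{m['mon']} {int(m['day']):02d} {m['hh']}:00"


def hourly_mail_stats(log_text, excluded_ips=EXCLUDED_IPS):
    """Per-hour inbound/outbound connection counts plus delivered megabytes and recipients."""
    stats = defaultdict(lambda: {"inbound": 0, "outbound": 0, "mbytes": 0.0, "recipients": 0})
    for line in log_text.splitlines():
        bucket = hour_bucket(line)
        if bucket is None:
            continue
        # NOT (127.0.0.1 OR 192.168.110.218) in the search drops the whole line
        local = any(ip in line for ip in excluded_ips)
        if CONNECT_RE.search(line):
            if not local:
                stats[bucket]["inbound"] += 1
        elif SENT_RE.search(line):
            if not local:
                stats[bucket]["outbound"] += 1
        elif (m := QMGR_RE.search(line)):
            stats[bucket]["mbytes"] += int(m["size"]) / 1_000_000  # size/1000000 as in the search
            stats[bucket]["recipients"] += int(m["nrcpt"])
    return dict(stats)


if __name__ == "__main__":
    for bucket, row in sorted(hourly_mail_stats(SAMPLE_LOG).items()):
        print(bucket, row)
```

On the sample the 10:00 bucket shows one inbound connection (the loopback connect is excluded), one outbound delivery (the deferred one is not counted because the pattern requires `status=sent`), 0.248731 MB and two recipients; the 11:00 bucket shows one inbound connection and a single 1.048576 MB message.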
GeoIP of outgoing connections:
_index=unix_logs _sourceName="mail system" postfix/smtp AND !(127.0.0.1 OR clamsmtpd OR "TLS connection established") AND "250 " | parse regex "relay=.*\[(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]:" | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://location on ip = client_ip | count by latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code | sort _count
milter rejection hosts:
_index=unix_logs _sourceName="mail system" (postfix/cleanup AND " milter-reject: ") | parse regex "\[(?<block_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | count as count by block_ip | order by count | limit 10
DNSBL rejection hosts:
_index=unix_logs _sourceName="mail system" (postfix/postscreen AND " DNSBL ") | parse "rank * " as rank nodrop | parse regex "\[(?<block_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | count as count by block_ip, rank | order by count | limit 20
GeoIP of Dovecot connections:
_index=unix_logs _sourceName="mail system" dovecot: AND (imap-login: OR pop3-login) | parse regex "rip=(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})," | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://location on ip = client_ip | count by latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code | sort _count
Dovecot size of in/out traffic:
_index=unix_logs _sourceName="mail system" "dovecot:" !"Debug:" "Connection closed " | parse "imap(*)" as username nodrop | keyvalue regex "=(\d+)" keys "in", "out" as input, output | timeslice 60m | (input/1000000) as mbytes_in | (output/1000000) as mbytes_out | sum(mbytes_in) as inbound, sum(mbytes_out) as outbound by _timeslice
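The two Dovecot searches above rely on `rip=` in the login lines and `in=`/`out=` in the "Connection closed" lines. The Python script below is an added example (not from the post) that applies equivalent regexes to constructed Dovecot syslog lines: it counts logins per client address, which is what the GeoIP panel aggregates after the `geo://location` lookup (the lookup itself needs Sumo and is not reproduced here), skips `Debug:` lines the way the traffic search does, and sums in/out megabytes per hour plus bytes served per user. The usernames, addresses and function names (`hour_bucket`, `dovecot_stats`) are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Dovecot syslog lines (not taken from the post).
SAMPLE_LOG = """\
Mar  3 10:20:11 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1, mpid=2201, TLS
Mar  3 10:20:12 mail dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.1, mpid=2202, TLS
Mar  3 10:25:40 mail dovecot: imap(bob): Connection closed (IDLE running for 0.001 + waiting input for 120.3 secs, 2 B in + 10 B out, state=wait-input) in=2048 out=3145728
Mar  3 10:26:00 mail dovecot: imap(bob): Debug: Connection closed in=1 out=1
Mar  3 11:05:03 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1, mpid=2210, TLS
Mar  3 11:40:15 mail dovecot: imap(carol): Connection closed (LOGOUT received) in=512 out=1048576
"""

IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
# imap-login / pop3-login lines: the remote address follows "rip="
LOGIN_RE = re.compile(r"dovecot: (?P<proto>imap|pop3)-login: .*rip=(?P<client_ip>" + IPV4 + r"),")
# imap(username): Connection closed ... in=<bytes> out=<bytes>
CLOSED_RE = re.compile(
    r"dovecot: imap\((?P<username>[^)]+)\): Connection closed .* in=(?P<in_bytes>\d+) out=(?P<out_bytes>\d+)"
)
TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hh>\d{2}):")


def hour_bucket(line):
    """Return a 'Mon DD HH:00' key for a syslog line, or None if it has no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    return f"{m['mon']} {int(m['day']):02d} {m['hh']}:00"


def dovecot_stats(log_text):
    """Logins per client IP, in/out megabytes per hour and bytes sent per mailbox user."""
    logins_by_ip = Counter()
    hourly = defaultdict(lambda: {"mbytes_in": 0.0, "mbytes_out": 0.0})
    out_bytes_by_user = Counter()
    for line in log_text.splitlines():
        # the traffic search excludes Debug: lines, which carry their own in=/out= pairs
        if "dovecot:" not in line or "Debug:" in line:
            continue
        bucket = hour_bucket(line)
        m = LOGIN_RE.search(line)
        if m:
            logins_by_ip[m["client_ip"]] += 1
            continue
        m = CLOSED_RE.search(line)
        if m and bucket:
            hourly[bucket]["mbytes_in"] += int(m["in_bytes"]) / 1_000_000
            hourly[bucket]["mbytes_out"] += int(m["out_bytes"]) / 1_000_000
            out_bytes_by_user[m["username"]] += int(m["out_bytes"])
    return {
        "logins_by_ip": dict(logins_by_ip),
        "hourly": dict(hourly),
        "out_bytes_by_user": dict(out_bytes_by_user),
    }


if __name__ == "__main__":
    for key, value in dovecot_stats(SAMPLE_LOG).items():
        print(key, value)
```

Note that the `Connection closed` pattern anchors on `in=` and `out=` with an equals sign, so the "2 B in + 10 B out" wording inside the parentheses does not confuse it; the same holds for the `keyvalue regex "=(\d+)"` form in the search.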
Postfix rejections per hour:
_index=unix_logs _sourceName="mail system" " 5.7.1 " | parse regex "milter-reject: END-OF-MESSAGE from\ .*\[(?<milter_src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop | parse regex "NOQUEUE: reject: .*from\ .*\[(?<rbl_src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | split milter_src_ip delim='.' extract 1 as milter_num_ip1 | split rbl_src_ip delim='.' extract 1 as rbl_num_ip1 | if ((milter_num_ip1 >= "1"), 1, 0) as milter | if ((rbl_num_ip1 >= "1"), 1, 0) as rbl | timeslice 60m | sum(milter) as milter, sum(rbl) as rbl by _timeslice
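The three rejection panels (milter rejection hosts, DNSBL rejection hosts, and rejections per hour) all extract the bracketed client address from different Postfix rejection lines. The Python script below is an added example, not the post's code, that runs equivalent patterns over constructed postscreen, smtpd and cleanup log lines: it tallies milter-rejected hosts, DNSBL hosts with their `rank`, and the per-hour milter versus RBL split, applying the same `" 5.7.1 "` filter as the hourly search. The addresses, queue IDs, DNSBL name and function names (`hour_bucket`, `rejection_report`) are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Postfix rejection lines (not taken from the post).
SAMPLE_LOG = """\
Mar  3 10:30:01 mail postfix/postscreen[1400]: DNSBL rank 3 for [192.0.2.99]:51234
Mar  3 10:30:02 mail postfix/postscreen[1400]: NOQUEUE: reject: RCPT from [192.0.2.99]:51234: 550 5.7.1 Service unavailable; client [192.0.2.99] blocked using dnsbl.example.net; from=<spam@example.invalid>, to=<bob@example.org>, proto=ESMTP, helo=<mail.example.invalid>
Mar  3 10:31:15 mail postfix/cleanup[1500]: D4E5F6A7B8: milter-reject: END-OF-MESSAGE from relay.example.net[203.0.113.77]: 5.7.1 Blocked by content filter; from=<x@example.net> to=<bob@example.org> proto=ESMTP helo=<relay.example.net>
Mar  3 10:40:00 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 450 4.7.1 <mail.example.invalid>: Helo command rejected: Host not found; from=<a@example.invalid> to=<bob@example.org> proto=ESMTP helo=<mail.example.invalid>
Mar  3 11:12:40 mail postfix/postscreen[1401]: DNSBL rank 5 for [198.51.100.200]:40001
Mar  3 11:12:41 mail postfix/postscreen[1401]: NOQUEUE: reject: RCPT from [198.51.100.200]:40001: 550 5.7.1 Service unavailable; client [198.51.100.200] blocked using dnsbl.example.net; from=<junk@example.invalid>, to=<carol@example.org>, proto=ESMTP, helo=<x>
Mar  3 11:20:00 mail postfix/cleanup[1501]: E5F6A7B8C9: milter-reject: END-OF-MESSAGE from relay.example.net[203.0.113.77]: 5.7.1 Blocked by content filter; from=<y@example.net> to=<bob@example.org> proto=ESMTP helo=<relay.example.net>
"""

IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
# cleanup: milter-reject: END-OF-MESSAGE from host[ip]
MILTER_RE = re.compile(r"postfix/cleanup\[\d+\]: \w+: milter-reject: END-OF-MESSAGE from .*\[(?P<block_ip>" + IPV4 + r")\]")
# postscreen: DNSBL rank N for [ip]:port
DNSBL_RE = re.compile(r"postfix/postscreen\[\d+\]: DNSBL rank (?P<rank>\d+) for \[(?P<block_ip>" + IPV4 + r")\]")
# any NOQUEUE reject carrying a bracketed client address
NOQUEUE_RE = re.compile(r"NOQUEUE: reject: .*from .*\[(?P<block_ip>" + IPV4 + r")\]")
TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hh>\d{2}):")


def hour_bucket(line):
    """Return a 'Mon DD HH:00' key for a syslog line, or None if it has no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    return f"{m['mon']} {int(m['day']):02d} {m['hh']}:00"


def rejection_report(log_text, top_n=10):
    """Top milter-rejected hosts, top DNSBL hosts with rank, and milter/rbl counts per hour."""
    hourly = defaultdict(lambda: {"milter": 0, "rbl": 0})
    milter_hosts = Counter()
    dnsbl_hosts = Counter()
    for line in log_text.splitlines():
        bucket = hour_bucket(line)
        if bucket is None:
            continue
        if (m := DNSBL_RE.search(line)):
            dnsbl_hosts[(m["block_ip"], int(m["rank"]))] += 1  # DNSBL rejection hosts panel
            continue
        if (m := MILTER_RE.search(line)):
            milter_hosts[m["block_ip"]] += 1  # milter rejection hosts panel
        if " 5.7.1 " not in line:
            continue  # the hourly search only counts permanent (5.7.1) rejections
        if MILTER_RE.search(line):
            hourly[bucket]["milter"] += 1
        elif NOQUEUE_RE.search(line):
            hourly[bucket]["rbl"] += 1
    return {
        "hourly": dict(hourly),
        "milter_hosts": milter_hosts.most_common(top_n),
        "dnsbl_hosts": dnsbl_hosts.most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in rejection_report(SAMPLE_LOG).items():
        print(key, value)
```

Two things worth keeping in mind when reading the per-hour panel: the `" 5.7.1 "` filter means temporary (4.x.x) rejects such as the HELO reject in the sample never appear, and the `rbl` series counts every 5.7.1 `NOQUEUE: reject` line, so smtpd restriction rejects that are not DNSBL hits land in that series too.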
Fortigate Spam Profiles:
_index=security_logs _sourceCategory=fw_security "service=SMTP" | parse "profile=* action=* " as profile, action | count as count by profile | order by count
Top 10 Postfix local destinations:
_index=unix_logs _sourceName="mail system" !(127.0.0.1 OR clamsmtpd:) "status=sent" | parse " to=<*>, " as orig_destination | toLowerCase(orig_destination) as destination | timeslice 60m | count as count by destination | order by count