sendmail2dlf(1) convert sendmail logfiles to dlf

SYNOPSIS

sendmail2dlf

DESCRIPTION

sendmail2dlf(1) converts a LogLevel 9 sendmail (8.10.x or higher) logfile, as created using syslog, to a Lire email Distilled Log Format file.

Input is one line per event. Output is one line per delivery:

 time logrelay queueid msgid fromuser fromdomain fromrelay \
 size delay xdelay touser todomain torelay stat

(This should be the format as defined in email/dlf.cfg.)

EXAMPLE

The lines

 Apr 20 03:00:11 firewall sendmail[442]: DAA00442: \
   from=<[email protected]>, size=4992, class=0, \
   pri=34992, nrcpts=1, \
   msgid=<[email protected]>, \
   proto=ESMTP, relay=host.example.nl [150.0.0.45]
 Apr 20 03:00:11 firewall sendmail[442]: DAA00442: \
   to=<[email protected]>, delay=00:00:00, mailer=smtp, \
   stat=queued
 Apr 20 05:00:11 firewall sendmail[503]: DAA00442: \
   to=<[email protected]>, delay=02:00:00, \
   xdelay=00:00:03, mailer=smtp, relay=mailgw.aap.com. \
   [3.4.64.199], stat=Sent (OK id=12i7CN-0001Kv-00)

will be converted to

 956109611 firewall DAA00442 \
   <[email protected]> user \
   example.com host.example.nl_[150.0.0.45] 4992 0 0 \
   jan aap.com host.example.nl._[150.0.0.45] queued \
   UNKNOWN
 956116811 firewall DAA00442 \
   <[email protected]> user \
   example.com host.example.nl_[150.0.0.45] 4992 \
   7200 3 jan aap.com mailgw.aap.com._[3.4.64.199] \
   sent (ok_id=12i7cn-0001kv-00)

The lines

 Mar 17 13:34:32 mailhost sendmail[8408]: NAA08408: \
  from=<[email protected]>, size=1890, class=0, \
  pri=0, nrcpts=4, \
  msgid=<[email protected]>, \
  proto=ESMTP, [email protected][1.2.6.10]
 Mar 17 13:45:26 mailhost sendmail[8457]: NAA08408: \
  [email protected], delay=00:10:56, xdelay=00:00:01, \
  mailer=smtp, relay=www.example.nl. [194.229.43.3], \
  stat=Sent (NAA06261 Message accepted for delivery)
 Mar 17 13:45:27 mailhost sendmail[8457]: NAA08408: \
  [email protected], delay=00:10:57, \
  xdelay=00:00:01, mailer=smtp, relay=host.example.nl. \
  [150.0.0.45], stat=Sent (OK)
 Mar 17 13:45:31 mailhost sendmail[8457]: NAA08408: \
  to=<[email protected]>,<[email protected]>,<[email protected]>, \
  delay=00:11:01, xdelay=00:00:04, mailer=smtp, \
  relay=mailgw.aap.com. [3.4.64.199], stat=Sent (OK \
  id=12Vw8J-0001iT-00)

will be converted to

 953210726 mailhost NAA08408 \
  <[email protected]> \
  piet example.com [email protected][1.2.6.10] 1890 656 1 lkrksen \
  www www.example.nl._[194.229.43.3] sent \
  (naa06261_message_accepted_for_delivery)
 953210727 mailhost NAA08408 \
  <[email protected]> \
  piet example.com [email protected][1.2.6.10] 1890 657 1 ll \
  host.example.com host.example.nl._[150.0.0.45] sent (ok)
 953210731 mailhost NAA08408 \
  <[email protected]> \
  piet example.com [email protected][1.2.6.10] 1890 661 4 mvelsla \
  aap.com mailgw.aap.com._[3.4.64.199] sent \
  (ok_id=12vw8j-0001it-00)
 953210731 mailhost NAA08408 \
  <[email protected]> \
  piet example.com [email protected][1.2.6.10] 1890 661 4 pvhove \
  aap.com mailgw.aap.com._[3.4.64.199] sent \
  (ok_id=12vw8j-0001it-00)
 953210731 mailhost NAA08408 \
  <[email protected]> \
  piet example.com [email protected][1.2.6.10] 1890 661 4 pdebaerd \
  aap.com mailgw.aap.com._[3.4.64.199] sent \
  (ok_id=12vw8j-0001it-00)

The lines

 Mar 15 13:34:09 firewall sendmail[279]: NAA00279: \
  from=<[email protected]>, size=2281952, class=0, \
  pri=2311952, nrcpts=1, \
  msgid=<[email protected]>, \
  proto=ESMTP, relay=host.example.nl [150.0.0.45]
 Mar 15 13:34:09 firewall sendmail[279]: NAA00279: \
  to=<[email protected]>, delay=00:00:04, mailer=smtp, \
  stat=queued
 Mar 15 13:39:58 firewall sendmail[401]: NAA00279: \
  to=<[email protected]>, delay=00:05:53, xdelay=00:00:06, \
  mailer=smtp, relay=mc5.law5.hotmail.com. \
  [216.32.243.136], stat=Service unavailable
 Mar 15 13:39:58 firewall sendmail[401]: NAA00279: \
  NAA00401: postmaster notify: Service unavailable
 Mar 15 13:40:04 firewall sendmail[401]: NAA00401: \
  [email protected], delay=00:00:06, \
  xdelay=00:00:04, mailer=smtp, relay=host.example.nl. \
  [150.0.0.45], stat=Sent (OK)

will be converted to

 953037249 firewall NAA00279 \
  <[email protected]> klaas \
  example.com host.example.nl_[150.0.0.45] 2281952 4 1 \
  klaas hotmail.com mailgw.csc.com._[208.219.64.199] \
  queued UNKNOWN
 953037598 firewall NAA00279 \
  <[email protected]> klaas \
  example.com host.example.nl_[150.0.0.45] 2281952 353 6 \
  klaas hotmail.com mc5.law5.hotmail.com._[216.32.243.136] \
  service unavailable

The fact that the delivery 'Mar 15 13:40:04 firewall sendmail[401]: NAA00401:' does not generate a dlf record is a bug.

When the line

 Mar 15 19:39:40 mailhost sendmail[2178]: TAA02178: \
  from=<[email protected]>, size=0, class=0, pri=0, \
  nrcpts=0, proto=SMTP, relay=[1.84.7.150]

occurs in the input and no other line carries the same queueid, the line is discarded and reported as skipped. Any to= or from= line lacking a partner gets discarded.

Lines like:

 Mar 15 13:40:19 firewall sendmail[456]: alias database \
  /etc/aliases.db out of date

will get discarded.

EXAMPLES

To process a log as produced by sendmail:

 $ sendmail2dlf < mail.log

sendmail2dlf will rarely be used on its own; it is more likely to be called by lr_log2report:

 $ lr_log2report sendmail < /var/log/maillog

BUGS

When queueids are reused within one logfile, behaviour is unpredictable. Incomplete log snippets (e.g. from-lines without to-lines) are not treated well.

It has been reported that events like this occur in sendmail log files:

 SAA14845: from=<>, size=146990, class=0, pri=176990, nrcpts=1, 
  msgid=<[email protected]>, proto=ESMTP, 
  relay=omr-d06.mx.aol.com [205.188.156.71]
 SAA14845: [email protected], ctladdr=<[email protected]>, delay=00:00:01, 
  mailer=local, stat=User unknown
 SAA14845: to=<[email protected]>, delay=00:00:01, mailer=local, 
  stat=User unknown
 SAA14845: SAA14846: postmaster notify: User unknown
 SAA14846: to="|exec /usr/local/bin/procmail", [email protected] (2217/10), 
  delay=00:00:00, xdelay=00:00:00, mailer=prog, stat=Sent
 SAA14846: [email protected], delay=00:00:01, xdelay=00:00:01, mailer=esmtp, 
  relay=apex.example.edu. [152.19.4.80], 
  stat=Sent (Message received: GVV8N400.CMX)
 SAA14846: [email protected], delay=00:00:01, xdelay=00:00:00, mailer=local, 
  stat=Sent

Note that SAA14845 has _two_ final to= lines, while the from= line states nrcpts=1. This blows the axiom of this script away. We haven't decided yet on how to deal with this...
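
The pairing rule from the EXAMPLE section and the nrcpts mismatch described above, sketched in Python as an added example (this is not Lire's own code, which this page does not show): from= and to= lines are joined on the queue ID, each recipient yields one record in the field order listed under DESCRIPTION, unpaired lines are reported as skipped, and queue IDs with more final to= recipients than nrcpts are flagged. The sample log is constructed; keeping the raw syslog timestamp instead of epoch seconds, using "-" for a missing value, and treating every stat other than "queued" as final are assumptions of this sketch.

```python
import re
from collections import defaultdict
# Constructed sample log (not from the page), one syslog entry per line.
SAMPLE = """\
Apr 20 03:00:11 firewall sendmail[442]: DAA00442: from=<user@example.com>, size=4992, class=0, nrcpts=1, msgid=<m1@example.com>, proto=ESMTP, relay=host.example.nl [150.0.0.45]
Apr 20 05:00:11 firewall sendmail[503]: DAA00442: to=<jan@example.org>, delay=02:00:00, xdelay=00:00:03, mailer=smtp, relay=mailgw.example.org. [192.0.2.9], stat=Sent (OK id=abc)
Apr 20 05:01:00 firewall sendmail[510]: EAA00510: from=<x@example.com>, size=0, class=0, nrcpts=0, proto=SMTP, relay=[192.0.2.7]
Apr 20 05:02:00 firewall sendmail[456]: alias database /etc/aliases.db out of date
Apr 20 05:03:00 firewall sendmail[520]: FAA00520: from=<a@example.com>, size=10, class=0, nrcpts=1, msgid=<m2@example.com>, proto=ESMTP, relay=host.example.nl [150.0.0.45]
Apr 20 05:03:01 firewall sendmail[520]: FAA00520: to=<b@example.org>, delay=00:00:01, mailer=local, stat=User unknown
Apr 20 05:03:01 firewall sendmail[520]: FAA00520: to=<c@example.org>, delay=00:00:01, mailer=local, stat=User unknown
"""
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) sendmail\[\d+\]: (\w+): ((?:from|to)=.*)$")

def seconds(value):  # sendmail writes delays as [days+]HH:MM:SS
    days, _, clock = value.rpartition("+")
    h, m, s = map(int, clock.split(":"))
    return int(days or 0) * 86400 + h * 3600 + m * 60 + s

def split_addr(addr):
    user, _, domain = addr.strip("<>").partition("@")
    return user.lower(), domain.lower() or "-"

def correlate(text):
    """Return (records, skipped queue IDs, queue IDs with more finals than nrcpts)."""
    froms, tos = {}, defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # no queue ID with from=/to=, e.g. the alias database notice
        when, host, qid, rest = m.groups()
        f = dict(kv.split("=", 1) for kv in re.split(r", (?=\w+=)", rest))
        if "from" in f:
            froms[qid] = (host, f)
        else:
            tos[qid].append((when, f))
    records, finals = [], defaultdict(int)
    for qid in (q for q in froms if q in tos):
        host, fr = froms[qid]
        for when, to in tos[qid]:
            for rcpt in to["to"].split(","):  # one record per recipient
                records.append((when, host, qid, fr.get("msgid", "-"),
                    *split_addr(fr["from"]), fr.get("relay", "-").replace(" ", "_"),
                    int(fr["size"]), seconds(to["delay"]), seconds(to.get("xdelay", "0:0:0")),
                    *split_addr(rcpt), to.get("relay", "-").replace(" ", "_"), to["stat"].lower()))
                finals[qid] += to["stat"] != "queued"  # assumption: anything else is final
    skipped = sorted(froms.keys() ^ tos.keys())  # from= or to= without a partner
    suspect = sorted(q for q, n in finals.items() if n > int(froms[q][1]["nrcpts"]))
    return records, skipped, suspect
```

Queue IDs returned in the third list are the ones for which per-message delivery counts in a downstream report cannot be trusted without reading the raw log.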

THANKS

Edward Eldred, for finding and reporting a bug.

VERSION

$Id: sendmail2dlf.in,v 1.32 2006/07/23 13:16:34 vanbaal Exp $

COPYRIGHT

Copyright (C) 2000, 2001, 2002 Stichting LogReport Foundation [email protected]

This program is part of Lire.

Lire is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with http://www.gnu.org/copyleft/gpl.html.

AUTHOR

Joost van Baal <[email protected]>