Postfix のメールログを解析する (pflogsumm)

pflogsumm.pl

メールログを解析するスクリプトに pflogsumm がある。

インストール

yum --enablerepo=centosplus install postfix-perl-scripts

CentOS 5.x でのパッケージ名は postfix-pflogsumm だったが、 CentOS 6.x 以降は postfix-perl-scripts に変更された。

CentOS 7.x で postfix-perl-scripts パッケージが含まれるリポジトリは Base が 2.10.1-6 で、 CentOS Plus は 2.10.1-6.0.1 となる。パッケージ内に含まれる pflogsumm.pl のバージョンは 1.1.3 だった。
他のリポジトリの各バージョンは Lux all が 2.10.1-6, IUS が 3.2.5-2, Ghettoforge Testing が 3.3.1-1, Ghettoforge Plus が 3.2.4-1 となっている。

メールログ解析

LC_ALL=C journalctl --since=yesterday -u postfix | pflogsumm

オプション

usage: pflogsumm.pl -[eq] [-d <today|yesterday>] [--detail <cnt>]
    [--bounce_detail <cnt>] [--deferral_detail <cnt>]
    [-h <cnt>] [-i|--ignore_case] [--iso_date_time] [--mailq]
    [-m|--uucp_mung] [--no_bounce_detail] [--no_deferral_detail]
    [--no_no_msg_size] [--no_reject_detail] [--no_smtpd_warnings]
    [--problems_first] [--rej_add_from] [--reject_detail <cnt>]
    [--smtp_detail <cnt>] [--smtpd_stats]
    [--smtpd_warning_detail <cnt>] [--syslog_name=string]
    [-u <cnt>] [--verbose_msg_detail] [--verp_mung[=<n>]]
    [--zero_fill] [file1 [filen]]

       pflogsumm.pl --[version|help]

オプション	内容
--bounce_detail <cnt>	詳細なバウンスレポートを上位 <cnt> 件に限定。 0 は完全に抑制。
-d today	今日のレポートを生成。
-d yesterday	昨日のレポートを生成。
--deferral_detail <cnt>	詳細な延期レポートを上位 <cnt> 件に限定。 0 は完全に抑制。
--detail <cnt>	--*_detail, -h 及び -u すべてに <cnt> を設定。個々の設定に上書きされる。--detail 0 はすべての詳細を抑制。
-e	extended (extreme? excessive?) detail Emit detailed reports. At present, this includes only a per-message report, sorted by sender domain, then user-in-domain, then by queue i.d. WARNING: the data built to generate this report can quickly consume very large amounts of memory if a lot of log entries are processed!
-h <cnt>	ホスト/ドメインレポートの上位 <cnt> 件を表示。 0 = none. 追加のレポート制限オプションについては -u および --*_detail オプションを参照
-h --help	短い使用方法のメッセージを出して終了。
-i --ignore_case	大文字小文字を区別せずにメールアドレスを処理。 通常、ホストとドメインの部分を小文字にして、ユーザー部分はそのままになる。このオプションを使用するとメールアドレス全体が小文字になる。
--iso_date_time	For summaries that contain date or time information, use ISO 8601 standard formats (CCYY-MM-DD and HH:MM), rather than "Mon DD CCYY" and "HHMM".
-m	UUCP-style bang-paths を変更
--uucp_mung	This is for use when you have a mix of Internet-style domain addresses and UUCP-style bang-paths in the log. Upstream UUCP feeds sometimes mung Internet domain style address into bang-paths. This option can sometimes undo the "damage". For example: "somehost.dom!username@foo" (where "foo" is the next host upstream and "somehost.dom" was whence the email originated) will get converted to "foo!username@somehost.dom". This also affects the extended detail report (-e), to help ensure that by-domain-by-name sorting is more accurate.
--mailq	Run "mailq" command at end of report. Merely a convenience feature. (Assumes that "mailq" is in $PATH. See "$mailqCmd" variable to path thisi if desired.)
--no_bounce_detail --no_deferral_detail --no_reject_detail	These switches are depreciated in favour of --bounce_detail, --deferral_detail and --reject_detail, respectively. Suppresses the printing of the following detailed reports, respectively: message bounce detail (by relay) message deferral detail message reject detail See also: "-u" and "-h" for further report-limiting options.
--no_no_msg_size	Do not emit report on "Messages with no size data". Message size is reported only by the queue manager. The message may be delivered long-enough after the (last) qmgr log entry that the information is not in the log(s) processed by a particular run of pflogsumm.pl. This throws off "Recipients by message size" and the total for "bytes delivered." These are normally reported by pflogsumm as "Messages with no size data."
--no_smtpd_warnings	This switch is depreciated in favour of smtpd_warning_detail On a busy mail server, say at an ISP, SMTPD warnings can result in a rather sizeable report. This option turns reporting them off.
--problems_first	Emit "problems" reports (bounces, defers, warnings, etc.) before "normal" stats.
--rej_add_from	For those reject reports that list IP addresses or host/domain names: append the email from address to each listing. (Does not apply to "Improper use of SMTP command pipelining" report.)
-q	quiet - don't print headings for empty reports note: headings for warning, fatal, and "master" messages will always be printed.
--reject_detail <cnt>	Limit detailed smtpd reject, warn, hold and discard reports to the top <cnt>. 0 to suppress entirely.
--smtp_detail <cnt>	Limit detailed smtp delivery reports to the top <cnt>. 0 to suppress entirely.
--smtpd_stats	Generate smtpd connection statistics. The "per-day" report is not generated for single-day reports. For multiple-day reports: "per-hour" numbers are daily averages (reflected in the report heading).
--smtpd_warning_detail <cnt>	Limit detailed smtpd warnings reports to the top <cnt>. 0 to suppress entirely.
--syslog_name=name	Set syslog_name to look for for Postfix log entries. By default, pflogsumm looks for entries in logfiles with a syslog name of "postfix," the default. If you've set a non-default "syslog_name" parameter in your Postfix configuration, use this option to tell pflogsumm what that is. See the discussion about the use of this option under "NOTES," below.
-u <cnt>	top <cnt> to display in user reports. 0 == none. See also: "-h" and "--*_detail" options for further report-limiting options.
--verbose_msg_detail	For the message deferral, bounce and reject summaries: display the full "reason", rather than a truncated one. Note: this can result in quite long lines in the report.
--verp_mung --verp_mung=2	do "VERP" generated address (?) munging. Convert sender addresses of the form "list-return-NN-someuser=some.dom@host.sender.dom" to "list-return-ID-someuser=some.dom@host.sender.dom" In other words: replace the numeric value with "ID". By specifying the optional "=2" (second form), the munging is more "aggressive", converting the address to something like: "list-return@host.sender.dom" Actually: specifying anything less than 2 does the "simple" munging and anything greater than 1 results in the more "aggressive" hack being applied. See "NOTES" regarding this option.
--version	プログラム名とバージョンを出力して終了
--zero_fill	"Zero-fill" certain arrays so reports come out with data in columns that that might otherwise be blank.