Hi, I am trying to grep out all the log lines for a particular connection. I added logging to see the cipher being used when connecting; now I want to see if anyone is actually getting connected and sending emails.
Obviously with many threads, logs are not written chronologically, so I need to find unique data like a message id to see all logs of one email transaction. Here is a snippet from the grep I did below. Can I conclude these lines are all from sending one [the same] email?

Jan 25 14:41:51 mta1 postfix/smtpd[7493]: connect from unknown[50.28.131.133]
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: setting up TLS connection from unknown[50.28.131.133]
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: Anonymous TLS connection established from unknown[50.28.131.133]: TLSv1 with cipher DES-CBC3-SHA (112/168 bits)
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: 8CD6A2A54: client=unknown[50.28.131.133], sasl_method=LOGIN, sasl_username=fop02001
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: 8CD6A2A54: reject: RCPT from unknown[50.28.131.133]: 550 5.1.1 <liangliang.qi...@uconn.edu>: Recipient address rejected: User unknown in virtual alias table; from=<papa...@mail.ims.uconn.edu> to=<liangliang.qi...@uconn.edu> proto=ESMTP helo=<[50.28.131.133]>
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: lost connection after RCPT from unknown[50.28.131.133]
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: disconnect from unknown[50.28.131.133]

Not sure what else to get you all to be able to help? Thanks for looking.
-ALF

[root@mta1 log]# egrep 'smtpd\[7493\]' maillog
Jan 25 14:36:09 mta1 postfix/smtpd[7493]: connect from unknown[186.1.186.107]
Jan 25 14:36:09 mta1 postfix/smtpd[7493]: setting up TLS connection from unknown[186.1.186.107]
Jan 25 14:36:12 mta1 postfix/smtpd[7493]: Anonymous TLS connection established from unknown[186.1.186.107]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 25 14:36:15 mta1 postfix/smtpd[7493]: warning: SASL authentication failure: Password verification failed
Jan 25 14:36:15 mta1 postfix/smtpd[7493]: warning: unknown[186.1.186.107]: SASL PLAIN authentication failed: authentication failure
Jan 25 14:36:16 mta1 postfix/smtpd[7493]: lost connection after AUTH from unknown[186.1.186.107]
Jan 25 14:36:16 mta1 postfix/smtpd[7493]: disconnect from unknown[186.1.186.107]
Jan 25 14:37:09 mta1 postfix/smtpd[7493]: connect from unknown[50.28.131.133]
Jan 25 14:37:09 mta1 postfix/smtpd[7493]: setting up TLS connection from unknown[50.28.131.133]
Jan 25 14:37:09 mta1 postfix/smtpd[7493]: Anonymous TLS connection established from unknown[50.28.131.133]: TLSv1 with cipher DES-CBC3-SHA (112/168 bits)
Jan 25 14:37:15 mta1 postfix/smtpd[7493]: NOQUEUE: reject: RCPT from unknown[50.28.131.133]: 550 5.1.1 <michael.glas...@uconn.edu>: Recipient address rejected: User unknown in virtual alias table; from=<papa...@mail.ims.uconn.edu> to=<michael.glas...@uconn.edu> proto=ESMTP helo=<[50.28.131.133]>
Jan 25 14:37:16 mta1 postfix/smtpd[7493]: lost connection after RCPT from unknown[50.28.131.133]
Jan 25 14:37:16 mta1 postfix/smtpd[7493]: disconnect from unknown[50.28.131.133]
Jan 25 14:37:16 mta1 postfix/smtpd[7493]: connect from unknown[50.28.131.133]
Jan 25 14:37:16 mta1 postfix/smtpd[7493]: setting up TLS connection from unknown[50.28.131.133]
Jan 25 14:37:17 mta1 postfix/smtpd[7493]: Anonymous TLS connection established from unknown[50.28.131.133]: TLSv1 with cipher DES-CBC3-SHA (112/168 bits)
Jan 25 14:37:20 mta1 postfix/smtpd[7493]: C89F15EE: client=unknown[50.28.131.133], sasl_method=LOGIN, sasl_username=fop02001
Jan 25 14:37:22 mta1 postfix/smtpd[7493]: C89F15EE: reject: RCPT from unknown[50.28.131.133]: 550 5.1.1 <rober>: Recipient address rejected: User unknown in local recipient table; from=<papa...@mail.ims.uconn.edu> to=<rober> proto=ESMTP helo=<[50.28.131.133]>
Jan 25 14:37:22 mta1 postfix/smtpd[7493]: lost connection after RCPT from unknown[50.28.131.133]
Jan 25 14:37:22 mta1 postfix/smtpd[7493]: disconnect from unknown[50.28.131.133]
Jan 25 14:37:23 mta1 postfix/smtpd[7493]: connect from unknown[50.28.131.133]
Jan 25 14:37:23 mta1 postfix/smtpd[7493]: setting up TLS connection from unknown[50.28.131.133]
Jan 25 14:37:23 mta1 postfix/smtpd[7493]: Anonymous TLS connection established from unknown[50.28.131.133]: TLSv1 with cipher DES-CBC3-SHA (112/168 bits)
Jan 25 14:37:24 mta1 postfix/smtpd[7493]: B66632448: client=unknown[50.28.131.133], sasl_method=LOGIN, sasl_username=fop02001
Jan 25 14:39:51 mta1 postfix/smtpd[7493]: warning: B66632448: queue file size limit exceeded
Jan 25 14:40:18 mta1 postfix/smtpd[7493]: disconnect from unknown[50.28.131.133]
Jan 25 14:41:49 mta1 postfix/smtpd[7493]: connect from unknown[50.28.131.133]
Jan 25 14:41:49 mta1 postfix/smtpd[7493]: setting up TLS connection from unknown[50.28.131.133]
Jan 25 14:41:49 mta1 postfix/smtpd[7493]: Anonymous TLS connection established from unknown[50.28.131.133]: TLSv1 with cipher DES-CBC3-SHA (112/168 bits)
Jan 25 14:41:49 mta1 postfix/smtpd[7493]: ECE822912: client=unknown[50.28.131.133], sasl_method=LOGIN, sasl_username=fop02001
Jan 25 14:41:50 mta1 postfix/smtpd[7493]: warning: Illegal address syntax from unknown[50.28.131.133] in RCPT command: <'papa...@bio-orasis.com'>
Jan 25 14:41:50 mta1 postfix/smtpd[7493]: lost connection after RCPT from unknown[50.28.131.133]
Jan 25 14:41:50 mta1 postfix/smtpd[7493]: disconnect from unknown[50.28.131.133]
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: connect from unknown[50.28.131.133]
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: setting up TLS connection from unknown[50.28.131.133]
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: Anonymous TLS connection established from unknown[50.28.131.133]: TLSv1 with cipher DES-CBC3-SHA (112/168 bits)
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: 8CD6A2A54: client=unknown[50.28.131.133], sasl_method=LOGIN, sasl_username=fop02001
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: 8CD6A2A54: reject: RCPT from unknown[50.28.131.133]: 550 5.1.1 <liangliang.qi...@uconn.edu>: Recipient address rejected: User unknown in virtual alias table; from=<papa...@mail.ims.uconn.edu> to=<liangliang.qi...@uconn.edu> proto=ESMTP helo=<[50.28.131.133]>
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: lost connection after RCPT from unknown[50.28.131.133]
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: disconnect from unknown[50.28.131.133]
Jan 25 14:42:35 mta1 postfix/smtpd[7493]: connect from f21.my.com[185.30.177.48]
Jan 25 14:42:35 mta1 postfix/smtpd[7493]: setting up TLS connection from f21.my.com[185.30.177.48]
Jan 25 14:42:35 mta1 postfix/smtpd[7493]: Anonymous TLS connection established from f21.my.com[185.30.177.48]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 25 14:42:35 mta1 postfix/smtpd[7493]: disconnect from f21.my.com[185.30.177.48]
Jan 25 14:43:07 mta1 postfix/smtpd[7493]: connect from linuxhosting.doratelekom.com[46.20.150.160]
Jan 25 14:43:07 mta1 postfix/smtpd[7493]: setting up TLS connection from linuxhosting.doratelekom.com[46.20.150.160]
Jan 25 14:43:07 mta1 postfix/smtpd[7493]: Anonymous TLS connection established from linuxhosting.doratelekom.com[46.20.150.160]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 25 14:43:10 mta1 postfix/smtpd[7493]: warning: linuxhosting.doratelekom.com[46.20.150.160]: SASL LOGIN authentication failed: authentication failure
Jan 25 14:43:10 mta1 postfix/smtpd[7493]: lost connection after AUTH from linuxhosting.doratelekom.com[46.20.150.160]
Jan 25 14:43:10 mta1 postfix/smtpd[7493]: disconnect from linuxhosting.doratelekom.com[46.20.150.160]
Jan 25 14:43:10 mta1 postfix/smtpd[7493]: connect from linuxhosting.doratelekom.com[46.20.150.160]
Jan 25 14:43:10 mta1 postfix/smtpd[7493]: setting up TLS connection from linuxhosting.doratelekom.com[46.20.150.160]
Jan 25 14:43:11 mta1 postfix/smtpd[7493]: Anonymous TLS connection established from linuxhosting.doratelekom.com[46.20.150.160]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 25 14:43:13 mta1 postfix/smtpd[7493]: warning: linuxhosting.doratelekom.com[46.20.150.160]: SASL LOGIN authentication failed: authentication failure
Jan 25 14:43:13 mta1 postfix/smtpd[7493]: lost connection after AUTH from linuxhosting.doratelekom.com[46.20.150.160]
Jan 25 14:43:13 mta1 postfix/smtpd[7493]: disconnect from linuxhosting.doratelekom.com[46.20.150.160]

-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut, UITS, SSG, Server Systems
860-486-9075
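
An added example, not part of the original post: grouping Postfix smtpd log lines into per-connection sessions and recording TLS version, cipher, SASL user and queue IDs for each. It assumes an smtpd process serves one client at a time, so lines sharing a PID between a "connect from" and the next "disconnect from" belong to one connection; the sample lines, addresses, username and queue ID are constructed, and the queue-ID pattern assumes short hex IDs like those in the post's logs.

```python
import re

# Constructed sample in the post's syslog format (made-up addresses, user, queue ID).
SAMPLE = """\
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: connect from unknown[192.0.2.10]
Jan 25 14:41:51 mta1 postfix/smtpd[8001]: connect from unknown[198.51.100.7]
Jan 25 14:41:51 mta1 postfix/smtpd[7493]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher DES-CBC3-SHA (112/168 bits)
Jan 25 14:41:52 mta1 postfix/smtpd[7493]: 0A1B2C3D4: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=exampleuser
Jan 25 14:41:52 mta1 postfix/smtpd[8001]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan 25 14:41:52 mta1 postfix/smtpd[7493]: 0A1B2C3D4: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <nobody@example.org>: Recipient address rejected
Jan 25 14:41:53 mta1 postfix/smtpd[7493]: disconnect from unknown[192.0.2.10]
Jan 25 14:41:53 mta1 postfix/smtpd[8001]: disconnect from unknown[198.51.100.7]
Jan 25 14:41:54 mta1 postfix/smtpd[7493]: connect from unknown[192.0.2.10]
Jan 25 14:41:54 mta1 postfix/smtpd[7493]: disconnect from unknown[192.0.2.10]
""".splitlines()

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
TLS = re.compile(r"TLS connection established from \S+: (\S+) with cipher (\S+)")
QID = re.compile(r"^([0-9A-F]{6,}): ")  # assumption: short hex queue IDs
USER = re.compile(r"sasl_username=(\S+)")

def sessions(lines):
    """Group smtpd lines into connect..disconnect sessions, one open per PID."""
    active, done = {}, []
    for raw in lines:
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from "):
            active[pid] = {"pid": pid, "client": msg[len("connect from "):],
                           "tls": None, "user": None, "qids": set(),
                           "rejects": 0, "auth_failed": False, "lines": []}
        s = active.get(pid)
        if s is None:
            continue  # session began before the excerpt starts
        s["lines"].append(raw)
        if t := TLS.search(msg):
            s["tls"] = t.groups()  # (protocol, cipher)
        s["qids"].update(QID.findall(msg))  # queue ID prefix, if the line has one
        if u := USER.search(msg):
            s["user"] = u.group(1)
        s["rejects"] += " reject: " in msg
        s["auth_failed"] |= "authentication failed" in msg
        if msg.startswith("disconnect from "):
            done.append(active.pop(pid))
    return done

for s in sessions(SAMPLE):
    print(s["pid"], s["client"], s["tls"], s["user"], sorted(s["qids"]), s["rejects"], s["auth_failed"])
```

A queue ID alone does not delimit a connection, since a session with no accepted transaction logs NOQUEUE or no ID at all; the PID plus the connect/disconnect pair is the grouping key here.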