Re: Locate SMTP Out Traffic in Logfiles
- To: qmail@xxxxxxxxxxxxx
- Subject: Re: Locate SMTP Out Traffic in Logfiles
- From: Kyle Wheeler <kyle-qmail@xxxxxxxxxxxxxx>
- Date: Wed, 13 Feb 2008 15:15:10 -0600
- In-reply-to: <47B34C3D.4020701@oliwel.de>
- Mail-followup-to: qmail@list.cr.yp.to
- Mailing-list: contact qmail-help@list.cr.yp.to; run by ezmlm
- References: <47B34C3D.4020701@oliwel.de>
- User-agent: Mutt/1.5.17 (2008-01-14)
On Wednesday, February 13 at 08:59 PM, quoth Oliver Welter:
> I am running netqmail with multilog and looking for a handy solution
> to locate the source of a traffic peak.
>
> Within the last weeks, my traffic monitoring shows a huge peak on SMTP
> outgoing. I want to know who causes this traffic but don't have any idea
> on how to find this traffic. I don't even know if this is a single huge
> message or just a lot of small messages sent through a mailing list or
> the like...
>
> Does anybody here have an idea on this?
Easy: find the peak time interval in your logs, and see what they're
up to (i.e. see what your remote concurrency is). The lines you'd be
looking for would look like this:

    status: local 0/10 remote 0/20
                              ^------ this is the key number

If your question is "how do I find that time interval?", that's just a
matter of being able to interpret the multilog timestamp (I assume
you're timestamping your logs?). For example, let's say that the
traffic peak you notice is between midnight and 1am last night. You
first need to find out the Unix version of those dates, like so:

    $ date -d 'Wed Feb 13 00:00:00 CST 2008' +%s
    1202882400
    $ date -d 'Wed Feb 13 01:00:00 CST 2008' +%s
    1202886000

Now, you need those in hex:

    $ printf "%x\n" 1202882400
    47b28760
    $ printf "%x\n" 1202886000
    47b29570

Then, compose those into TAI64N timestamps by prepending them with
@40000000 and appending 00000000 onto the end, to produce:

    @4000000047b2876000000000
    @4000000047b2957000000000

Now you can pull out just that segment of logs with a simple awk
script:

    awk '{if ($1 > "@4000000047b2876000000000" && $1 < "@4000000047b2957000000000") print}' /var/log/qmail/current

If your peak period spans multiple log files, you can do this:

    cat /var/log/qmail/@* /var/log/qmail/current | \
        awk '{if ($1 > "@4000000047b2876000000000" && $1 < "@4000000047b2957000000000") print}'

Once you've identified the relevant log entries that way, you can
either inspect those logs by hand (as I suggested, looking at the
status lines will tell you a lot) or you can feed them into
qmailanalog to summarize them for you.
Does that help?
~Kyle
--
What has destroyed liberty and the rights of man in every government
which has ever existed under the sun? The generalizing and
concentrating all cares and powers into one body, no matter whether of
the autocrats of Russia or France, or of the aristocrats of a Venetian
Senate.
-- Thomas Jefferson
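
Added example (not part of the original message): the steps above wrapped into shell functions that build the TAI64N bounds, cut the window out of a multilog stream, and report the peak remote concurrency plus the number of remote deliveries per queue message. The function names and the log excerpt are constructed for illustration; the line formats assumed are stock qmail-send "status:" and "starting delivery" lines.

```shell
#!/bin/sh
# Added example; function names and the sample log lines are constructed.

# Epoch seconds -> TAI64N label built as in the message:
# "@40000000" + 8 hex digits of seconds + "00000000".
# (multilog stamps are Unix time + 10 s; ignored here, as in the message.)
tai64n_label() { printf '@40000000%08x00000000\n' "$1"; }

# Keep lines stamped strictly between two labels. The labels are fixed-width
# lowercase hex, so plain string comparison orders them by time.
window() { awk -v lo="$1" -v hi="$2" '$1 > lo && $1 < hi'; }

# Highest remote concurrency among "status:" lines: "<used>/<limit> <timestamp>".
peak_remote() {
    awk '$2 == "status:" && $5 == "remote" {
             split($6, r, "/")
             if (ts == "" || r[1] + 0 > max + 0) { max = r[1]; lim = r[2]; ts = $1 }
         }
         END { if (ts != "") print max "/" lim, ts }'
}

# Remote deliveries started per queue message number, busiest first. One number
# with many deliveries suggests a list expansion rather than many small messages.
remote_deliveries_by_msg() {
    awk '$2 == "starting" && $8 == "remote" { n[$6]++ }
         END { for (m in n) print n[m], m }' | sort -rn
}

# Constructed qmail-send log excerpt (not real data).
sample_log() {
    cat <<'EOF'
@4000000047b2800a1a2b3c4d status: local 0/10 remote 1/20
@4000000047b2880112345678 starting delivery 41: msg 7001 to remote a@example.org
@4000000047b2880112345999 status: local 0/10 remote 1/20
@4000000047b2880212345678 starting delivery 42: msg 7001 to remote b@example.org
@4000000047b2880212345999 status: local 0/10 remote 2/20
@4000000047b2880312345678 starting delivery 43: msg 7002 to remote c@example.net
@4000000047b2880312345999 status: local 0/10 remote 3/20
@4000000047b2880412345678 delivery 41: success: 192.0.2.25_accepted_message.
@4000000047b2880412345999 status: local 0/10 remote 2/20
@4000000047b2a00012345678 status: local 0/10 remote 9/20
EOF
}

lo=$(tai64n_label 1202882400)   # Wed Feb 13 00:00:00 CST 2008
hi=$(tai64n_label 1202886000)   # Wed Feb 13 01:00:00 CST 2008
sample_log | window "$lo" "$hi" | peak_remote
sample_log | window "$lo" "$hi" | remote_deliveries_by_msg
```

On a live system, replace sample_log with the cat of /var/log/qmail/@* and /var/log/qmail/current shown in the message.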