如何使用 awk 从特定中继中提取 Postfix 日志中的所有对话？

发布于 2024-10-03 06:06:57 字数 814 浏览 2 评论 0原文

我正在尝试从 postfix 日志文件中的发送中继 IP 地址中提取发件人地址

有什么想法吗？？？

非常感谢

肯的任何帮助

Nov 16 00:05:10 mailserver pfs/smtpd[4365]: 925D54E6D9B: client=client1[1.2.3.4]   
Nov 16 00:05:10 mailserver pfs/cleanup[4413]: 925D54E6D9B: message-id=<11414>    
Nov 16 00:05:10 mailserver pfs/qmgr[19118]: 925D54E6D9B: from=<11414@localhost>, size=40217, nrcpt=1 (queue active)    
Nov 16 00:05:10 mailserver pfs/smtp[4420]: 925D54E6D9B: to, relay=[1.3.5.7]:25, delay=0.02, delays=0.02/0/0/0, dsn=5.0.0, status=bounced (host [1.3.5.7] refused to talk to me: 550 Please remove this address from your list)   
Nov 16 00:05:10 mailserver pfs/bounce[4310]: 925D54E6D9B: sender non-delivery notification: 972E34E6D9F   
Nov 16 00:05:10 mailserver pfs/qmgr[19118]: 925D54E6D9B: removed

原文

I am trying to extract the from address from the sending relay IP address in a postfix log file

Any ideas???

Much appreciated for any help

Ken

Nov 16 00:05:10 mailserver pfs/smtpd[4365]: 925D54E6D9B: client=client1[1.2.3.4]   
Nov 16 00:05:10 mailserver pfs/cleanup[4413]: 925D54E6D9B: message-id=<11414>    
Nov 16 00:05:10 mailserver pfs/qmgr[19118]: 925D54E6D9B: from=<11414@localhost>, size=40217, nrcpt=1 (queue active)    
Nov 16 00:05:10 mailserver pfs/smtp[4420]: 925D54E6D9B: to, relay=[1.3.5.7]:25, delay=0.02, delays=0.02/0/0/0, dsn=5.0.0, status=bounced (host [1.3.5.7] refused to talk to me: 550 Please remove this address from your list)   
Nov 16 00:05:10 mailserver pfs/bounce[4310]: 925D54E6D9B: sender non-delivery notification: 972E34E6D9F   
Nov 16 00:05:10 mailserver pfs/qmgr[19118]: 925D54E6D9B: removed

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

指尖凝香 2024-10-10 06:06:57

嗯，如果你只是想收集 from 和 relay 字段及其显示的闪烁，你可以使用这个：

/: from=/ { lastFrom = $7 }
/relay=/ { print lastFrom, $8 }

如果你真的想提取核心地址，它会稍微更复杂...

/: from=/ { lastFrom = $7 }
/relay=/ {
  r = $8
  gsub(/from=</, "", lastFrom)
  gsub(/>,*/, "", lastFrom)
  gsub(/relay=\[/, "", r)
  gsub(/\].*/, "", r)
  print lastFrom, r
}

$ awk -f mail2.awk mail.dat
11414@localhost 1.3.5.7

像往常一样，这些解决方案在 The One True Awk 和 gawk 中都有效。

Hmm, if you just want to collect the from and relay fields with their display bling, you could use this:

/: from=/ { lastFrom = $7 }
/relay=/ { print lastFrom, $8 }

If you really want to extract the core addresses, it gets slightly more complex...

/: from=/ { lastFrom = $7 }
/relay=/ {
  r = $8
  gsub(/from=</, "", lastFrom)
  gsub(/>,*/, "", lastFrom)
  gsub(/relay=\[/, "", r)
  gsub(/\].*/, "", r)
  print lastFrom, r
}

$ awk -f mail2.awk mail.dat
11414@localhost 1.3.5.7

As usual, these solutions work in both The One True Awk as well as gawk.

回复收藏 0 原文

桃扇骨 2024-10-10 06:06:57

$7 ~ /^from=,$/ {
    from[$6] = substr($7, 7, length($7) - 8)
} 
$8 ~ /^relay=\[/ { 
    if (substr($8, "[1.3.5.7]")) 
        print from[$6]
    delete from[$6]}
}

每次看到来自记录的行时，都会将其保存在关联数组中，
按消息的队列 ID 进行索引。当看到中继线时，如果它是为了
将打印您感兴趣的关联线路的继电器。 substr() 是
使用只是为了不必 \-转义所有元字符 - “[”、“]”、“.”。
无论您是否感兴趣，来自的数据都会被清理
向上，这样数组就不会无限增长。

$7 ~ /^from=,$/ {
    from[$6] = substr($7, 7, length($7) - 8)
} 
$8 ~ /^relay=\[/ { 
    if (substr($8, "[1.3.5.7]")) 
        print from[$6]
    delete from[$6]}
}

Each time a from-recording line is seen, this saves it in an associative array,
indexed by the queue ID of the message. When a relay line is seen, if it's for
the relay you're interested in the associated from line is printed. substr() is
used just so you don't have to \-escape all of the metacharacters - "[", "]", ".".
Whether it's a relay you're interested in or not, the from data is cleaned
up so that the array doesn't grow without bounds.

回复收藏 0 原文

~没有更多了~