loki logql corellate maillogs

发布于 2025-02-06 02:53:58 字数 1728 浏览 2 评论 0原文

请使用Loki＆amp;请帮助我解析邮件日志。 Grafana :)

我的记录服务器从Linux服务器收集Maillog文件，我想使用Loki检查特定用户的消息的状态（发送，递延，递延等）。

问题在于，邮件日志被分为不同的日志线，我需要使用消息ID（ 40F36420E05 ）在下面的文本中关联不同的日志行）：

Jun  9 22:38:36 mail postfix/smtp[376635]: 40F36420E05: to=<otheruser@domain2>, relay=domain3[11.11.11.11]:25, delay=13, delays=0.58/0/4.6/7.8, dsn=2.6.0, status=sent (250 2.6.0 <20220609193823.D980A420E06@mail> [InternalId=13731010457062, Hostname=XXX] 15472 bytes in 0.524, 28.786 KB/sec Queued mail for delivery)
Jun  9 22:37:35 mail postfix/qmgr[193514]: 40F36420E05: from=<user@domain>, size=4496, nrcpt=1 (queue active)
Jun  9 22:37:35 mail opendkim[251972]: 40F36420E05: DKIM-Signature field added (s=mail, d=domain)
Jun  9 22:37:35 mail postfix/cleanup[376634]: 40F36420E05: message-id=<20220609193735.40F36420E05@mail>
Jun  9 22:37:35 mail postfix/submission/smtpd[376557]: 40F36420E05: client=compute-1.amazonaws.com[44.11.11.11], sasl_method=PLAIN, sasl_username=user

我正在使用此查询来查找所需的邮件和Regexp提取MessageID标签的功能：

{host="mail.com"} |~"from=<user@domain>" | regexp "(?P<messageid>\\S+): from="

Jun  9 22:59:58 mail postfix/qmgr[377114]: 40F36420E05: from=<user@domain>, size=11916, nrcpt=1 (queue active)
Jun  9 22:59:58 mail postfix/qmgr[377114]: C3E5D420E05: from=<user@domain>, size=9622, nrcpt=1 (queue active)
Jun  9 22:59:57 mail postfix/qmgr[377114]: 27057420E07: from=<user@domain>, size=6695, nrcpt=1 (queue active)

现在，我想获取所有包含从上一个查询中提取的所有消息ID标签的日志行。像{host =“ mail.com”} |〜“来自=＆lt; user@domain＆gt;” | REGEXP”（？ messageId = {list_of_parsed_messageids}

我该如何实现？谢谢！

原文

please assist me on parsing mail logs using Loki & Grafana :)

My logging server collects maillog files from Linux server, and I want to use Loki to check status (sent, deferred, etc) of messages from specific user.

The problem is that mail logs are divided into different log lines and I need to correlate different log lines using message id (40F36420E05 in text below):

Jun  9 22:38:36 mail postfix/smtp[376635]: 40F36420E05: to=<otheruser@domain2>, relay=domain3[11.11.11.11]:25, delay=13, delays=0.58/0/4.6/7.8, dsn=2.6.0, status=sent (250 2.6.0 <20220609193823.D980A420E06@mail> [InternalId=13731010457062, Hostname=XXX] 15472 bytes in 0.524, 28.786 KB/sec Queued mail for delivery)
Jun  9 22:37:35 mail postfix/qmgr[193514]: 40F36420E05: from=<user@domain>, size=4496, nrcpt=1 (queue active)
Jun  9 22:37:35 mail opendkim[251972]: 40F36420E05: DKIM-Signature field added (s=mail, d=domain)
Jun  9 22:37:35 mail postfix/cleanup[376634]: 40F36420E05: message-id=<20220609193735.40F36420E05@mail>
Jun  9 22:37:35 mail postfix/submission/smtpd[376557]: 40F36420E05: client=compute-1.amazonaws.com[44.11.11.11], sasl_method=PLAIN, sasl_username=user

I'm using this query to find required mail messages and regexp function to extract messageid label:

{host="mail.com"} |~"from=<user@domain>" | regexp "(?P<messageid>\\S+): from="

Jun  9 22:59:58 mail postfix/qmgr[377114]: 40F36420E05: from=<user@domain>, size=11916, nrcpt=1 (queue active)
Jun  9 22:59:58 mail postfix/qmgr[377114]: C3E5D420E05: from=<user@domain>, size=9622, nrcpt=1 (queue active)
Jun  9 22:59:57 mail postfix/qmgr[377114]: 27057420E07: from=<user@domain>, size=6695, nrcpt=1 (queue active)

Now I want to fetch all log lines containing with all messageid labels extracted from previous query. Like {host="mail.com"} |~"from=<user@domain>" | regexp "(?P<messageid>\\S+): from="} | messageid={list_of_parsed_messageids}

How can I achieve that? Thanks!

分享到QQ

分享到微博