I am trying to extract the from address from the sending relay IP address in a Postfix log file.
Any ideas???
Much appreciated for any help
Ken
Nov 16 00:05:10 mailserver pfs/smtpd[4365]: 925D54E6D9B: client=client1[1.2.3.4]
Nov 16 00:05:10 mailserver pfs/cleanup[4413]: 925D54E6D9B: message-id=<11414>
Nov 16 00:05:10 mailserver pfs/qmgr[19118]: 925D54E6D9B: from=<11414@localhost>, size=40217, nrcpt=1 (queue active)
Nov 16 00:05:10 mailserver pfs/smtp[4420]: 925D54E6D9B: to, relay=[1.3.5.7]:25, delay=0.02, delays=0.02/0/0/0, dsn=5.0.0, status=bounced (host [1.3.5.7] refused to talk to me: 550 Please remove this address from your list)
Nov 16 00:05:10 mailserver pfs/bounce[4310]: 925D54E6D9B: sender non-delivery notification: 972E34E6D9F
Nov 16 00:05:10 mailserver pfs/qmgr[19118]: 925D54E6D9B: removed
Hmm, if you just want to collect the from and relay fields with their display bling, you could use this:
/: from=/ { lastFrom = $7 }
/relay=/ { print lastFrom, $8 }
If you really want to extract the core addresses, it gets slightly more complex...
/: from=/ { lastFrom = $7 }
/relay=/ {
    r = $8
    gsub(/from=</, "", lastFrom)
    gsub(/>,*/, "", lastFrom)
    gsub(/relay=\[/, "", r)
    gsub(/\].*/, "", r)
    print lastFrom, r
}
$ awk -f mail2.awk mail.dat
11414@localhost 1.3.5.7
As usual, these solutions work in both The One True Awk and gawk.
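# qmgr line: remember the sender, indexed by queue ID ($6)
$7 ~ /^from=<.*>,$/ {
    from[$6] = substr($7, 7, length($7) - 8)
}
# delivery line: print the sender if the relay is the one of interest
$8 ~ /^relay=\[/ {
    # index() does a literal substring match, so "[", "]" and "." need no escaping
    if (index($8, "[1.3.5.7]"))
        print from[$6]
    delete from[$6]
}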
Each time a from-recording line is seen, this saves it in an associative array, indexed by the queue ID of the message. When a relay line is seen, if it's for the relay you're interested in, the associated from line is printed. substr() is used just so you don't have to \-escape all of the metacharacters - "[", "]", ".". Whether it's a relay you're interested in or not, the from data is cleaned up so that the array doesn't grow without bounds.
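An added example, not part of either answer above: the same queue-ID correlation, extended to cover interleaved messages, several recipients per message, and delivery lines where an extra field such as orig_to= moves relay= out of $8. The function names senders_by_relay and sample_log are hypothetical, and the sample log lines (second queue ID, to=/orig_to= addresses, the 192.0.2.10 relay) are constructed.

```shell
# Print "sender relay-ip" for each delivery attempt; $1 = relay IP ("" = all).
senders_by_relay() {
    awk -v want="$1" '
    # qmgr line: remember the envelope sender, keyed by queue ID ($6).
    match($0, /: from=<[^>]*>/) {
        from[$6] = substr($0, RSTART + 8, RLENGTH - 9)
        next
    }
    # Forget the sender only when the queue file is removed, so a message
    # with several recipients keeps its sender for every delivery line.
    $7 == "removed" { delete from[$6]; next }
    # Delivery line: find relay=host[ip] anywhere in the line, not only in $8.
    match($0, /relay=[^,]*\[[0-9a-fA-F.:]+\]/) && ($6 in from) {
        r = substr($0, RSTART, RLENGTH)
        sub(/^.*\[/, "", r)
        sub(/\]$/, "", r)
        s = from[$6]
        if (s == "") s = "<>"      # null sender (bounce message)
        # Exact string compare: no regex escaping, and 1.3.5.7 cannot match 11.3.5.7
        if (want == "" || r == want) print s, r
    }'
}

# Constructed sample: two interleaved messages, one with two recipients.
sample_log() {
cat <<'EOF'
Nov 16 00:05:10 mailserver pfs/qmgr[19118]: 925D54E6D9B: from=<11414@localhost>, size=40217, nrcpt=2 (queue active)
Nov 16 00:05:10 mailserver pfs/qmgr[19118]: A11C04E6DA0: from=<news@example.org>, size=1200, nrcpt=1 (queue active)
Nov 16 00:05:11 mailserver pfs/smtp[4420]: A11C04E6DA0: to=<a@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.5, dsn=2.0.0, status=sent (250 ok)
Nov 16 00:05:11 mailserver pfs/smtp[4421]: 925D54E6D9B: to=<b@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.6, dsn=2.0.0, status=sent (250 ok)
Nov 16 00:05:11 mailserver pfs/qmgr[19118]: A11C04E6DA0: removed
Nov 16 00:05:12 mailserver pfs/smtp[4420]: 925D54E6D9B: to=<c@example.com>, orig_to=<d@example.com>, relay=[1.3.5.7]:25, delay=2, dsn=5.0.0, status=bounced (refused)
Nov 16 00:05:12 mailserver pfs/qmgr[19118]: 925D54E6D9B: removed
EOF
}

sample_log | senders_by_relay 1.3.5.7
```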