Newbie question

We use Interworx - CloudLinux

What command can show the same information as these?


cat /var/log/maillog | grep "" | grep Login | grep "Jan 10"


Jan 10 12:14:48 SERVERX imapd[30952]: Login []
Jan 10 12:16:37 SERVERX ipop3d[14163]: Login []  nmsgs=0/0


tail -f /var/log/maillog |grep “

Shows live:

Jan 10 12:14:48 SERVERX imapd[30952]: Login []
Jan 10 12:16:37 SERVERX ipop3d[14163]: Login []  nmsgs=0/0
Jan 10 12:21:37 SERVERX ipop3d[14163]: Login []  nmsgs=2/2

Actually, I did a writeup on our log analyzer toolkit. I’ll paste it below.

With InterWorx 4.9 out, we introduce some new log analytics tools, hereafter referred to as qmail-tools. They're a set of bash scripts that provide a more human-friendly readout for qmail's logs. They convert the weird base64 timestamp formatting to something actually legible, but also allow you to break down the logs in almost any way you want to.

A brief word of caution before we begin. These logs operate only on the send level. If the mail you're looking for never touched send, but died at the smtp level, then it won't show up using these tools.

The new qmail log analytics scripts are in ~iworx/lib/logtools/bin/. It's probably easier to use them if you execute the following command first to drop them into your command path:

export PATH=$PATH:/home/interworx/lib/logtools/bin

That'll let you access the tools regardless of what directory you're in, though they do specifically refer to the qmail log files and won't be able to analyze any other logfiles.


There are two 'selector' commands, each of which lets you select a range of time to examine the logs in. You MUST pipe the selector commands into a search command to get anything useful - Running the tools by themselves just gets you a help page. Worth noting is that both tools use a 'human-friendly date stamp' or a 'fuzzy date', sometimes called an 'hstamp'. It's worth noting that if you exceed the time frame allotted by qmail's logs, it will give you an error that looks like this:

Warning: We only have logs dating back to <date of earliest log>.

qmail-last-x selects the logs for a time period starting however long ago until now. Hence 'last x', where x is any specified period.
[root@host]# qmail-last-x '3 hours' | 
[root@host]# qmail-last-x '5 minutes' | 
[root@host]# qmail-last-x '6 days' | 

Unfortunately, qmail-last-x doesn't permit you to 'mix' fuzzy dates. You cannot, for example, specify '3 days 12 hours 4 minutes'. You would need to do the math on that to get '5044 minutes'.

qmail-start-end lets you give two Epoch Seconds unix timestamps between which to gather logs, to the nearest hour's precision (or, when combined with the `hstamp` operator, two human-readable fuzzy dates).

[root@host]# qmail-start-end `hstamp '5 hours ago'` `hstamp '3 hours ago'` | 
[root@host]# qmail-start-end `date +%s -d"2011-11-04 20:13"` `date +%s -d"2011-11-11 15:38"` | 
[root@host]# qmail-start-end 1320438841 1321043679 | 

The last two examples above both give you data from November 4, 2011 20:00:00 EST to November 11, 2011 15:00 EST.

--Search Operators--

But what do you pipe these amazing, flexible selection commands into? Why, the search operators, of course. Search operators let you specify what you're looking for within the specified time period. There are two different search operators, the 'Show' and 'Top' commands.

By default, the 'Show' search operators don't show the mail sender. The -detail version of each script, however, DOES show senders.

show-all: Shows you all successes, deferrals, and failures.
[root@host]# qmail-start-end `date +%s -d"2011-11-08 02:13"` `date +%s -d"2011-11-10 14:38"` | show-all
[root@host]# qmail-last-x '12 hours' | show-all-detail

show-failures: Shows you all failures.
[root@host]# qmail-last-x '5 minutes' | show-failures
[root@host]# qmail-start-end `hstamp '20 hours ago'` `hstamp '3 minutes ago'` | show-failures-detail

show-deferrals: Shows you all deferred mail.
[root@host]# qmail-start-end 1320438652 1321000000 | show-deferrals
[root@host]# qmail-last-x '1 week' | show-deferrals-detail

show-success: Lists all successfully delivered mail.
[root@host]# qmail-last-x '21000 seconds' | show-success
[root@host]# qmail-start-end `hstamp '5 hours ago'` `hstamp '30 seconds ago'` | show-success-detail

An important thing to remember about the 'Top' search operators is that each is able to be sorted by the various fields you can see when you've used them. 

They are:
top-recipients: Also comes in -local and -remote flavors, tells you which accounts have received the most mail.
[root@host]# qmail-last-x '21 hours' | top-recipients

top-senders: Like top-recipients, comes with -local and -remote versions, tells you who's sent the most mail.
[root@host]# qmail-last-x '2 days' | top-senders

top-success, top-deferrals, top-failures: Displays the accounts with the most successful, deferred, or failed mail transfers in the defined period.
[root@host]# qmail-last-x '1 hour' | top-success
[root@host]# qmail-last-x '4 minutes' | top-failures
[root@host]# qmail-last-x '2 weeks' | top-deferrals

top-user-stats: Scans the logs to find the users that have received and sent the most mail.
[root@host]# qmail-last-x '1 week' | top-user-stats bytes_in

top-domain-stats: Useful mainly on multi-domain boxes, this shows a list of the domains that have engaged in the most mail traffic.
[root@host]# qmail-last-x '41 minutes' | top-domain-stats mess_in


The X-Filter utilities are used a little differently.

xrcpt: Filter by recipient e-mail address.
[root@host]# qmail-last-x '6 days ago' | xrcpt example@example.tld | show-all

xsend: Filter by sender e-mail address.
[root@host]# qmail-start-end `hstamp '20 hours ago'` `hstamp '3 minutes ago'` | xsend mail-is-broken@example.tld | show-failures-detail

xuser: Filter by UNIX username.
[root@host]# qmail-start-end `hstamp '1 week ago'` `hstamp '3 seconds ago'` | xuser example1 | show-all

There's also a special xfilter that just shows you webmail usage, xwebmail.
[root@host]# qmail-last-x '12 hours ago' | xwebmail | show-all

So there are our new qmail log-analytics tools. They don't seem terribly useful at first glance, but with the power and flexibility of these tools you can do anything from finding spammers to providing assurances to your users that their e-mails are in fact getting through to recipients.

Thanks a lot!

Is it possible to know which IP a user used to connect to a mail account, and at what time?

It is very important to us.

Nice! So far I had been using “cat /var/log/send/current | tai64nlocal | mtrack” and similar to grep logfiles.

It would be awfully nice if there was an easy way to configure iworx qmail to use iorecord - I find qmail logging frustratingly sparse. It may be true that rsyslog/syslog-ng sucks and loses log entries, etc, but having bulletproof logs without the info one would generally need in mail logs isn’t any better :frowning:

[QUOTE=ArgenSite;18962]Thanks a lot!

Is it possible to know which IP a user used to connect to a mail account, and at what time?

It is very important to us.[/QUOTE]

You can run:

cat /var/log/pop3/current | tai64nlocal | strack

to see connection times and IP addresses. The logs don’t appear to include any sort of standard info like TOP bytes or RETR bytes. This may be due to running the program via tcpserver or logging through multilog since pop3-ssl looks the same, and I know for certain that courier usually provides fairly detailed logs.

strack is a script you’ll have to grab online:
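Added example, not part of the thread and not the strack script mentioned above: Python that decodes the TAI64N labels multilog writes (the timestamp conversion the writeup and the `tai64nlocal` pipelines refer to) and pairs connection lines into per-connection records with IP, start and end time. The log lines are constructed and assume tcpserver's verbose `pid ... from ...` / `end ...` line format; the host name and IPs are documentation placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# A TAI64N label is "@" + 16 hex digits of seconds + 8 hex digits of nanoseconds.
# Seconds are biased by 2**62; the extra 10 is the offset tai64nlocal subtracts.
TAI_OFFSET = 2**62 + 10

# Constructed sample of a multilog "current" file (assumed tcpserver -v format).
SAMPLE = [
    "@400000004f0c2bc200000000 tcpserver: status: 1/40",
    "@400000004f0c2bc200000000 tcpserver: pid 30952 from 192.0.2.10",
    "@400000004f0c2bc200000000 tcpserver: ok 30952 mail.example.tld:198.51.100.5:110 :192.0.2.10::51514",
    "@400000004f0c2bc500000000 tcpserver: end 30952 status 0",
    "@400000004f0c2bc500000000 tcpserver: status: 0/40",
    "@400000004f0c2c2f1dcd6500 tcpserver: pid 14163 from 203.0.113.7",
]

LINE = re.compile(
    r"^@([0-9a-f]{16})([0-9a-f]{8}) tcpserver: (pid|end) (\d+)(?: from (\S+))?"
)

def tai64n_to_utc(sec_hex, nano_hex):
    """Decode the two hex fields of a TAI64N label to an aware UTC datetime."""
    secs = int(sec_hex, 16) - TAI_OFFSET
    micros = int(nano_hex, 16) // 1000
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=micros)

def sessions(lines):
    """Return one record per connection: ip, start, end (None if still open)."""
    open_by_pid, out = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # status/ok lines and anything unrecognised are skipped
        when = tai64n_to_utc(m[1], m[2])
        kind, pid, ip = m[3], m[4], m[5]
        if kind == "pid" and ip:
            rec = {"pid": pid, "ip": ip, "start": when, "end": None}
            open_by_pid[pid] = rec  # pids get reused, so key on the open one
            out.append(rec)
        elif kind == "end" and pid in open_by_pid:
            open_by_pid.pop(pid)["end"] = when
    return out

if __name__ == "__main__":
    for s in sessions(SAMPLE):
        end = s["end"].isoformat() if s["end"] else "still open"
        print(s["ip"], s["start"].isoformat(), end)
```

Times are reported in UTC, whereas `tai64nlocal` prints local time. The constructed lines carry no account name, so this yields IP and time per connection, not per mailbox.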