sendmail log search
I wrote a sendmail log search script in Perl to perform log searches based on envelope sender, envelope recipient(s), or relay IP.
You may download the script here.
The script has the following features:
- Multiple envelope senders, envelope recipients, or relay IPs may be specified on the command line.
- Regular expressions may be specified for any of the mandatory options on the command line.
- Only unique information will be returned, even if the combination of mandatory arguments would return redundant information.
- Results may be returned in chronological order (default) or by queue ID (visually groups all information about a message).
- By default (--match), the script loops through the log(s) and finds all information relating to a matched envelope sender, envelope recipient, or relay IP. For example, when searching --from user@example.com, the envelope recipient(s) for these message(s) will also be returned unless --no-match is specified.
- Results may be written to an output file; by default, results are sent to STDOUT.
- Multiple logs may be specified on the command line. Logs may be in plaintext or gzip format.
- By specifying --count-only, only a count of the number of matches will be returned.
Script usage
Usage: maillog_search [OPTION]... [FILE]...
Mandatory options:
  --from                 search envelope sender address
  --to                   search envelope recipient address(es)
  --both                 search envelope sender and envelope recipient address(es)
  --relay                search relay IP
  [FILE]...              one or more maillogs in plaintext or gzip format
Default options:
  --match                return all log information with the same queue ID
  --chronological-order  return information in chronological order
Non-default options:
  --no-match             only loop through the maillog(s) once
  --queue-id-order       return information sorted by queue ID
  --output-file          save results to a file
  --count-only           return only the number of matches
Example usage
1. Search /var/log/maillog and /var/log/maillog.0.gz for mail (1) from user1@example.com, (2) to user2@example.com, or (3) involving relay 192.168.1.1.
$ ./maillog_search --from user1@example.com --to user2@example.com --relay 192.168.1.1 /var/log/maillog /var/log/maillog.0.gz
2. How many envelopes did we send with at least one example.com recipient?
$ ./maillog_search --to example.com --count-only /var/log/maillog
Note: If maillog_search encounters multiple matching envelope recipients in the same envelope, such as to=<user1@example.com>,<user2@example.com>, the envelope will only be counted once.
3. Search /var/log/maillog for messages involving an envelope sender with user followed by one or more numbers with a domain of example.com.
$ ./maillog_search --from 'user[0-9]+@example.com' /var/log/maillog
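The matching logic described above (regex criteria, unique results, the --match second pass over the same queue ID, and --count-only counting each envelope once), as an added Python sketch; it is not the Perl script this page links. It assumes the standard sendmail from=/to= log line layout and runs on constructed sample lines embedded below.

```python
import re
# Constructed sample sendmail log lines (not from the original page).
SAMPLE_LOG = """\
Mar  7 10:15:01 mx sendmail[1234]: k27AF1Ab001234: from=<user1@example.com>, size=1024, class=0, nrcpts=2, msgid=<a@example.com>, proto=ESMTP, daemon=MTA, relay=host.example.net [192.168.1.1]
Mar  7 10:15:02 mx sendmail[1235]: k27AF1Ab001234: to=<user2@example.com>,<user3@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31024, relay=mail.example.com. [10.0.0.5], dsn=2.0.0, stat=Sent (OK)
Mar  7 10:17:00 mx sendmail[1250]: k27AH0Ab001250: from=<alice@example.org>, size=256, class=0, nrcpts=1, msgid=<c@example.org>, proto=ESMTP, daemon=MTA, relay=host.example.net [192.168.1.1]
Mar  7 10:17:01 mx sendmail[1251]: k27AH0Ab001250: to=<user2@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30256, dsn=2.0.0, stat=Sent
"""
ENTRY_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)")
FROM_RE = re.compile(r"\bfrom=<([^>]*)>")
TO_RE = re.compile(r"\bto=(\S+)")  # "<a>,<b>," up to the first space
RELAY_RE = re.compile(r"\brelay=[^,\[]*\[([0-9.]+)\]")  # IP in brackets after relay=

def parse(log_text):
    """One record per sendmail entry: queue ID, sender, recipient list, relay IP."""
    records = []
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue  # not a sendmail queue entry
        rest = m.group("rest")
        fm, tm, rm = FROM_RE.search(rest), TO_RE.search(rest), RELAY_RE.search(rest)
        records.append({"line": line, "qid": m.group("qid"),
                        "from": fm.group(1) if fm else None,
                        "to": re.findall(r"<([^>]*)>", tm.group(1)) if tm else [],
                        "relay": rm.group(1) if rm else None})
    return records

def search(log_text, senders=(), recipients=(), relays=(), match=True):
    """Unique matching lines in log (chronological) order. Patterns are regexes;
    match=True is the --match second pass: add every entry with a hit's queue ID."""
    records = parse(log_text)
    pats = [(key, re.compile(p)) for key, plist in
            (("from", senders), ("to", recipients), ("relay", relays)) for p in plist]
    hits = set()
    for i, r in enumerate(records):
        for key, pat in pats:
            values = r[key] if key == "to" else [r[key]]
            if any(v and pat.search(v) for v in values):
                hits.add(i)  # a set, so overlapping criteria never duplicate a line
                break
    if match:
        qids = {records[i]["qid"] for i in hits}
        hits |= {i for i, r in enumerate(records) if r["qid"] in qids}
    return [records[i]["line"] for i in sorted(hits)]

def count_envelopes(log_text, **criteria):
    """--count-only: one count per queue ID, so to=<a>,<b> with two hits counts once."""
    lines = search(log_text, match=False, **criteria)
    return len({ENTRY_RE.search(line).group("qid") for line in lines})
```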
Last modified: 2006/03/07