I use sendmail and not qmail, but they are probably somewhat similar in regards to what they syslog. The "log line" pertaining to a single email message could span 5 days or more of periodic updates. Each single line, while only part of the entire transaction, is a line unto itself. You also have to parse each log line to determine what it is. Some lines log recipients, some log senders, some log deliveries, some log failures, some log retries, etc.

To see an entire transaction requires a lot of work, since you need to find each line involving that qid, and then scan for all instances of it. Sometimes something will happen that involves a new qid being created, which means you have to incorporate another "session" as well.

Syslog just isn't the right thing to use for logging mail transactions. They are far too complicated and contain far too much data and are spread across too many lines. A large relational database would make the data accessible, but is it really worth it?

On Mon, Jun 10, 2002 at 08:55:03PM +0530, Rajkumar S. wrote:
> How are we going to parse logs that represent a single event in multiple
> lines? For example the case of qmail where for an event "an email
> send" generates multiple entries in logs. This gets more interesting when
> we have a central log collector for multiple qmail servers in the network.

--
William Colburn, "Sysprog" <wcolburnat_private>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
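The qid correlation described in the message above, as an added example that is not part of the original post: it classifies each line, groups lines by (host, qid) so that several servers can share one collector, and follows a newly created qid into its own session. The log lines are constructed, the `qid: newqid: DSN:` link form is an assumption about sendmail-style output, and all function names are hypothetical.

```python
import re
from collections import defaultdict
# Constructed sample lines in sendmail-style syslog format, two hosts on one collector.
SAMPLE = """\
Jun 10 08:55:03 mx1 sendmail[411]: g5AFt3a00411: from=<alice@example.com>, size=1204, nrcpts=2, relay=client.example.com [192.0.2.10]
Jun 10 08:55:04 mx1 sendmail[413]: g5AFt3a00411: to=<bob@example.org>, delay=00:00:01, mailer=esmtp, stat=Sent (ok)
Jun 10 08:55:09 mx2 sendmail[977]: g5AFt9b00977: from=<carol@example.com>, size=880, nrcpts=1, relay=host.example.net [192.0.2.20]
Jun 10 08:55:34 mx1 sendmail[413]: g5AFt3a00411: to=<dave@example.net>, delay=00:00:31, mailer=esmtp, stat=Deferred: Connection timed out
Jun 10 08:55:40 mx2 sendmail[979]: g5AFt9b00977: to=<erin@example.org>, delay=00:00:31, mailer=esmtp, stat=Sent (ok)
Jun 15 08:55:40 mx1 sendmail[5120]: g5AFt3a00411: to=<dave@example.net>, delay=5+00:00:37, mailer=esmtp, stat=Service unavailable
Jun 15 08:55:40 mx1 sendmail[5120]: g5AFt3a00411: g5FFte005120: DSN: Service unavailable
Jun 15 08:55:41 mx1 sendmail[5120]: g5FFte005120: to=<alice@example.com>, delay=00:00:01, mailer=local, stat=Sent
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) sendmail\[\d+\]: (\w+): (.*)$")
LINK = re.compile(r"^(\w+): DSN: ")          # assumed form of a "new qid created" line
STAT = re.compile(r"stat=(\w+)")
ADDR = re.compile(r"^(from|to)=<([^>]*)>")

def classify(rest):
    """Return (kind, detail) for the text that follows the qid."""
    link, addr, stat = LINK.match(rest), ADDR.match(rest), STAT.search(rest)
    if link:
        return "new_qid", link.group(1)
    if not addr:
        return "other", rest
    if addr.group(1) == "from":
        return "sender", addr.group(2)
    word = stat.group(1) if stat else ""
    return {"Sent": "delivered", "Deferred": "retry"}.get(word, "failure"), addr.group(2)

def correlate(text):
    """Group lines into sessions keyed by (host, qid); qids are only unique per host."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            when, host, qid, rest = m.groups()
            sessions[(host, qid)].append((when,) + classify(rest))
    return sessions

def transaction(sessions, host, qid):
    """All events for a qid, following any new qid it spawned on the same host."""
    events = []
    for when, kind, detail in sessions.get((host, qid), []):
        events.append((qid, when, kind, detail))
        if kind == "new_qid":
            events.extend(transaction(sessions, host, detail))
    return events
```

Calling `transaction(correlate(SAMPLE), "mx1", "g5AFt3a00411")` yields the five-day history of one message, including the bounce session filed under the second qid.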
This archive was generated by hypermail 2b30 : Mon Jun 10 2002 - 09:41:32 PDT