
The output of man rsyslog.conf is too thin to work out from it what is going on; I only understood it after going to the official site.



My understanding is that rsyslog has several kinds of sources (facilities) that ask it to record messages. From the man page: The facility is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7.

Then there is the message level (priority). From the man page: The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg).





Next comes the format in which messages are written; one message per line is usually best. This is done with $template name,"format" (the name is what later rules refer to), e.g. $template mailOkFail,"%timegenerated% %msg%\n". The directive must sit on a line of its own. It defines a template named mailOkFail whose content is: the message timestamp in the default format, a space, the message text, a newline. A rule uses the template by appending a semicolon and the template name to its action, e.g. /var/log/mail.smtp;mailOkFail.

The file the log is written to is given by the action, e.g. -/var/log/mail.debug.

So each rule is written on one line as: selector (facility.priority), whitespace, destination.

daemon.*                        -/var/log/daemon.log

This puts every message of the daemon facility, at any priority, into the file at that path. As for the leading -, I have not read the whole documentation yet and do not know what it does. (rsyslog.conf(5) says: the minus sign omits syncing the file after every write, which is faster but can lose the last messages if the system crashes right after a write.)

Filtering by facility.priority alone may still leave too much; like me, you may want to discard some of what remains. For that rsyslog also offers content-level filtering on the properties of a message (here $syslogtag and $msg), e.g.

if ($syslogtag startswith 'postfix/smtp[') and not ($msg contains 'to=<service@myhrd.cn>' or $msg startswith 'connect to ') then /var/log
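To make the template and the property filter concrete, here is an added example (my code, not the author's configuration or part of rsyslog) that re-implements in Python how rsyslog evaluates the rule above, in the full form it has in the 50-default.conf listing further down, and then renders the selected lines with the mailOkFail template. The log lines are constructed from the mail.debug excerpt on this page (the host chrd-edm and the PIDs are the page's); the last two lines, a delivery to service@myhrd.cn and a "connect to" failure, are added to exercise the negative branch of the filter. One detail matters: for a BSD-syslog line such as "postfix/smtp[23044]: 3FBFA101459: to=..." rsyslog's $syslogtag is "postfix/smtp[23044]:" and $msg keeps the space that follows the tag, which is why the mail.smtp output below shows two spaces between the timestamp and the queue ID. A test of $msg startswith 'connect to ' therefore never matches, while startswith ' connect to ' (or contains) does; the example runs both variants side by side.

```python
import re

# Constructed sample, modelled on the mail.debug excerpt on this page (host chrd-edm and the
# PIDs are the page's). The last two lines are added here, not from the original log: a
# delivery to the sender's own address and a "connect to" failure, to exercise the
# negative branch of the filter.
SAMPLE_LOG = """\
Nov 15 15:31:58 chrd-edm postfix/smtp[23044]: 3FBFA101459: to=<366334509@qq.com>, relay=mx3.qq.com[]:25, delay=18626, delays=0.06/18618/4.1/2.9, dsn=2.0.0, status=sent (250 Ok: queued as )
Nov 15 15:31:58 chrd-edm postfix/qmgr[20433]: 3FBFA101459: removed
Nov 15 15:32:01 chrd-edm postfix/smtpd[23253]: connect from localhost[]
Nov 15 15:32:01 chrd-edm postfix/smtpd[23253]: 524E2101459: client=localhost[]
Nov 15 15:32:01 chrd-edm postfix/cleanup[23243]: 524E2101459: message-id=<4ec2157150df4@myhrd.cn>
Nov 15 15:32:01 chrd-edm postfix/qmgr[20433]: 524E2101459: from=<service@myhrd.cn>, size=1666, nrcpt=1 (queue active)
Nov 15 15:32:01 chrd-edm postfix/smtpd[23253]: disconnect from localhost[]
Nov 15 15:32:09 chrd-edm postfix/smtp[23044]: 7A1B2101459: to=<service@myhrd.cn>, relay=localhost[]:25, delay=0.5, delays=0.1/0/0.1/0.3, dsn=2.0.0, status=sent (250 Ok)
Nov 15 15:32:20 chrd-edm postfix/smtp[23044]: connect to mx.example.net[]:25: Connection timed out
"""

# rsyslog splits a BSD-syslog line into TIMESTAMP, HOSTNAME, TAG and MSG. For
# "... postfix/smtp[23044]: 3FBFA101459: to=..." the syslogtag property is "postfix/smtp[23044]:"
# and the msg property is " 3FBFA101459: to=..." with the space after the tag still attached.
LINE_RE = re.compile(
    r"^(?P<timegenerated>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<syslogtag>[^ :]+:)"
    r"(?P<msg>.*)$"
)


def parse(line):
    """Return the rsyslog properties of one log line, or None if it is not in BSD-syslog form."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def mail_ok_fail(p):
    # The page's template: $template mailOkFail,"%timegenerated% %msg%\n"
    return f"{p['timegenerated']} {p['msg']}\n"


def filter_as_written(p):
    # The rule exactly as on this page:
    # if ($syslogtag startswith 'postfix/smtp[') and not ($msg contains 'to=<service@myhrd.cn>'
    #    or $msg startswith 'connect to ') then ...
    return p["syslogtag"].startswith("postfix/smtp[") and not (
        "to=<service@myhrd.cn>" in p["msg"] or p["msg"].startswith("connect to ")
    )


def filter_with_leading_space(p):
    # Same rule, but the startswith test accounts for the leading space in $msg.
    return p["syslogtag"].startswith("postfix/smtp[") and not (
        "to=<service@myhrd.cn>" in p["msg"] or p["msg"].startswith(" connect to ")
    )


def run_filter(log_text, rule):
    """Return the formatted lines the action would append to /var/log/mail.smtp."""
    return [mail_ok_fail(p) for p in map(parse, log_text.splitlines()) if p and rule(p)]


if __name__ == "__main__":
    for name, rule in (("as written", filter_as_written),
                       ("with leading space", filter_with_leading_space)):
        print(f"--- {name} ---")
        print("".join(run_filter(SAMPLE_LOG, rule)), end="")
```

Run as written, the rule lets the "connect to ... Connection timed out" line through into mail.smtp because the startswith test compares against a message that begins with a space; the second variant drops it. Note also why the author matches on 'postfix/smtp[' with the bracket: without it the selector would also catch postfix/smtpd, the server side, whose session lines carry no queue ID.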


Once it is configured (the file is /etc/rsyslog.d/50-default.conf; its contents are listed below with root@chrd-edm:/etc/rsyslog.d# cat 50-default.conf), if you want to see what the mail rules produce, first delete the existing mail logs by running rm mail* in the log directory, then restart rsyslog. The restart is needed twice over: the daemon only reads its configuration at start-up, and it keeps the deleted files open and goes on writing into the unlinked inodes, so the new files do not appear until it is restarted.




root@chrd-edm:/etc/rsyslog.d# cat 50-default.conf
#  Default rules for rsyslog.
#                       For more information see rsyslog.conf(5) and /etc/rsyslog.conf

# First some standard log files.  Log by facility.
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
cron.*                          /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
user.*                          -/var/log/user.log

# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#only log smtp ok or fail. The point of this block (down to the blank line after it) is to take the noisy debug stream below and record only the smtp ok/failure lines into mail.smtp
$template mailOkFail,"%timegenerated% %msg%\n"
if ($syslogtag startswith 'postfix/smtp[') and not ($msg contains 'to=<service@myhrd.cn>' or $msg startswith 'connect to ') then /var/log/mail.smtp;mailOkFail
mail.debug                      -/var/log/mail.debug
mail.info                       -/var/log/mail.info
#mail.notice                    -/var/log/mail.notice
mail.warning                    -/var/log/mail.warning
#mail.warn                      -/var/log/mail.warn
#mail.error                     -/var/log/mail.error
#mail.err                       /var/log/mail.err
#mail.crit                      -/var/log/mail.crit
#mail.alert                     -/var/log/mail.alert
#mail.emerg                     -/var/log/mail.emerg
#mail.panic                     -/var/log/mail.panic
# Logging for INN news system.
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice

# Some "catch-all" log files.
        news.none;mail.none     -/var/log/debug
        mail,news.none          -/var/log/messages

# Emergencies are sent to everybody logged in.
*.emerg                         *

# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#    $ xconsole -file /dev/xconsole [...]
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
        *.=notice;*.=warn       |/dev/xconsole



With only the plain facility rule

mail.debug /var/log/mail.debug

the file receives every line Postfix emits, the smtpd session lines and the queue-manager and cleanup lines included:



Nov 15 15:31:58 chrd-edm postfix/smtp[23044]: 3FBFA101459: to=<366334509@qq.com>, relay=mx3.qq.com[]:25, delay=18626, delays=0.06/18618/4.1/2.9, dsn=2.0.0, status=sent (250 Ok: queued as )
Nov 15 15:31:58 chrd-edm postfix/qmgr[20433]: 3FBFA101459: removed
Nov 15 15:32:01 chrd-edm postfix/smtpd[23253]: connect from localhost[]
Nov 15 15:32:01 chrd-edm postfix/smtpd[23253]: 524E2101459: client=localhost[]
Nov 15 15:32:01 chrd-edm postfix/cleanup[23243]: 524E2101459: message-id=<4ec2157150df4@myhrd.cn>
Nov 15 15:32:01 chrd-edm postfix/qmgr[20433]: 524E2101459: from=<service@myhrd.cn>, size=1666, nrcpt=1 (queue active)
Nov 15 15:32:01 chrd-edm postfix/smtpd[23253]: disconnect from localhost[]



Replacing it with the filter rule plus template

#only log smtp ok or fail. The point of this block (down to the blank line after it) is to take the noisy debug stream below and record only the smtp ok/failure lines into mail.smtp
$template mailOkFail,"%timegenerated% %msg%\n"
if ($syslogtag startswith 'postfix/smtp[') and not ($msg contains 'to=<service@myhrd.cn>' or $msg startswith 'connect to ') then /var/log/mail.smtp;mailOkFail

only the smtp client's delivery lines reach /var/log/mail.smtp, rendered by the template as the timestamp, two spaces (the second one is the leading space of %msg%), the queue ID and the rest of the message:

Nov 15 15:31:58  3FBFA101459: to=<366334509@qq.com>, relay=mx3.qq.com[]:25, delay=18626, delays=0.06/18618/4.1/2.9, dsn=2.0.0, status=sent (250 Ok: queued as )
Nov 15 15:32:05  73564104C90: to=<4034655433@163.com>, relay=163mx02.mxmail.netease.com[]:25, delay=1.3, delays=0.08/1.1/0.04/0.09, dsn=2.0.0, status=sent (250 Mail OK queued as mx28,TsCowECpdUdVFcJO3CfmBQ--.1495S2 1321342293)
Nov 15 15:32:34  5D9E8100940: to=<36785011@qq.com>, relay=mx3.qq.com[]:25, delay=18661, delays=0.07/18655/1.2/4.7, dsn=2.0.0, status=sent (250 Ok: queued as )
Nov 15 15:32:44  ABB30104CA1: to=<404001724@163.com>, relay=163mx01.mxmail.netease.com[]:25, delay=11, delays=0.08/3/7.7/0.7, dsn=2.0.0, status=sent (250 Mail OK queued as mx15,QcCowEBZclZ0FcJOL4G2AQ--.1330S2 1321342331)
Nov 15 15:33:05  6F3E010145B: to=<36794443@qq.com>, relay=mx3.qq.com[]:25, delay=18692, delays=0.09/18691/0.32/0.68, dsn=2.0.0, status=sent (250 Ok: queued as )





A message can also be handed to a program instead of a file. In the legacy syntax a ^ in front of the action executes that program once per message, passing the template-formatted line as its single command-line argument (rsyslog.conf(5), "^program-to-execute;template-name"); here every mail.debug message is fed to a PHP script:

mail.debug   ^ /sbin/php /var/www/email/logrec.php

Two cautions: a process is spawned for every message, which is costly on a busy relay, and the argument is raw log content (sender and recipient addresses, Message-IDs, remote server banners) that remote parties influence, so logrec.php must treat it as untrusted input.






With the rules reworked to split by delivery outcome, the mail section of 50-default.conf ends up like this:

# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#only log smtpd domain error
$template mailOkFail,"%timegenerated% %msg%\n"
if ($syslogtag startswith 'postfix/smtpd[') and ($msg contains 'Domain not found') then /var/log/mail.smtpd.domain.err;mailOkFail

#send ok
if ($syslogtag startswith 'postfix/smtp[') and ($msg contains 'status=sent') then /var/log/mail.smtp.sent;mailOkFail

#bounced: status=bounced
if ($syslogtag startswith 'postfix/smtp[') and ($msg contains 'status=bounced') then /var/log/mail.smtp.bounced;mailOkFail

if ($syslogtag startswith 'postfix/smtp[') and ($msg contains 'status=deferred') then /var/log/mail.smtp.deferred;mailOkFail


[image: postfix log filtering and Linux rsyslog configuration, restart]

But on checking the output I found that the log carries neither the message subject (which would identify a message to some degree, if no two messages share a subject) nor the sender (the sender is tied to the message and unique; since we only send outward, the user does not matter). Postfix would need to be changed so that every log line carries the mail from and rcpt to; then messages could be told apart by mail from and statistics produced per message.
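As a closing added example (my code, not from the page, from rsyslog or from Postfix), the script below shows what the lines already on this page let you correlate without patching Postfix: every per-message line Postfix logs starts with the queue ID (3FBFA101459 and 524E2101459 in the excerpt), and the qmgr from= line, the cleanup message-id= line and each smtp to=/status= line of one message share it. Joining on the queue ID gives one record per message with sender, Message-ID and per-recipient delivery status, which is enough for per-message statistics. The sample log is constructed from the mail.debug excerpt; the final two lines (the smtp delivery and qmgr removal of 524E2101459, with the 163.com recipient borrowed from the mail.smtp output) are added so that one message has a complete trail.

```python
import re
from collections import defaultdict

# Constructed sample: the mail.debug excerpt from this page, plus two added lines at the end
# (delivery and removal of 524E2101459; the 163.com recipient is borrowed from the mail.smtp
# output on the page) so that one message has a complete from / message-id / to trail.
SAMPLE_LOG = """\
Nov 15 15:31:58 chrd-edm postfix/smtp[23044]: 3FBFA101459: to=<366334509@qq.com>, relay=mx3.qq.com[]:25, delay=18626, delays=0.06/18618/4.1/2.9, dsn=2.0.0, status=sent (250 Ok: queued as )
Nov 15 15:31:58 chrd-edm postfix/qmgr[20433]: 3FBFA101459: removed
Nov 15 15:32:01 chrd-edm postfix/smtpd[23253]: connect from localhost[]
Nov 15 15:32:01 chrd-edm postfix/smtpd[23253]: 524E2101459: client=localhost[]
Nov 15 15:32:01 chrd-edm postfix/cleanup[23243]: 524E2101459: message-id=<4ec2157150df4@myhrd.cn>
Nov 15 15:32:01 chrd-edm postfix/qmgr[20433]: 524E2101459: from=<service@myhrd.cn>, size=1666, nrcpt=1 (queue active)
Nov 15 15:32:01 chrd-edm postfix/smtpd[23253]: disconnect from localhost[]
Nov 15 15:32:05 chrd-edm postfix/smtp[23044]: 524E2101459: to=<4034655433@163.com>, relay=163mx02.mxmail.netease.com[]:25, delay=1.3, delays=0.08/1.1/0.04/0.09, dsn=2.0.0, status=sent (250 Mail OK queued as mx28)
Nov 15 15:32:05 chrd-edm postfix/qmgr[20433]: 524E2101459: removed
"""

# Postfix prefixes every per-message line with "<daemon>[pid]: <queue id>: ".
QUEUE_RE = re.compile(r"postfix/(?P<daemon>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]{6,}): (?P<rest>.*)$")
# key=value pairs: addresses are <bracketed>, other values run up to the next comma.
KV_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,]+)")


def correlate(log_text):
    """Join log lines on the Postfix queue ID.

    Returns {queue_id: {"from": sender, "message_id": id,
                        "recipients": [(rcpt, status), ...], "done": bool}}.
    Lines without a queue ID (smtpd connect/disconnect) belong to a client session,
    not to a message, and are skipped.
    """
    msgs = defaultdict(lambda: {"from": None, "message_id": None, "recipients": [], "done": False})
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        rec = msgs[m["qid"]]
        if m["rest"] == "removed":          # qmgr: the message has left the queue
            rec["done"] = True
            continue
        kv = {k: v.strip().strip("<>") for k, v in KV_RE.findall(m["rest"])}
        if "from" in kv:                    # qmgr: envelope sender
            rec["from"] = kv["from"]
        if "message-id" in kv:              # cleanup: header Message-ID
            rec["message_id"] = kv["message-id"]
        if "to" in kv:                      # smtp: one line per recipient attempt
            # "status=sent (250 Ok ...)" -> "sent"; bounced/deferred come out the same way
            rec["recipients"].append((kv["to"], kv.get("status", "").split(" ", 1)[0]))
    return dict(msgs)


def delivery_counts(msgs):
    """Recipient counts per delivery status across all messages, e.g. {"sent": 2}."""
    counts = defaultdict(int)
    for rec in msgs.values():
        for _, status in rec["recipients"]:
            counts[status] += 1
    return dict(counts)


if __name__ == "__main__":
    messages = correlate(SAMPLE_LOG)
    for qid, rec in messages.items():
        print(qid, rec["from"], rec["message_id"], rec["recipients"],
              "left queue" if rec["done"] else "still queued")
    print(delivery_counts(messages))
```

The first message in the excerpt, 3FBFA101459, has only its delivery and removal lines in the sample (its from= and message-id= lines were logged earlier, outside the excerpt), so its record has no sender; in a full day's log the join is complete. For per-message statistics it is the smtp to= lines that matter, and they keep working for the bounced and deferred rules from the config above because the status word is taken from the same field.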