Using NetCrunch to monitor Postfix mail server

The NetCrunch text log sensor can be used not only to raise alerts on certain conditions but also to add additional information directly to the alert. This article shows another way of using the text log sensor to monitor the Postfix log.

This article will introduce another way of using the text log sensor. Here you will learn not only how to raise an alert when a condition is met but also how to include additional information directly in the alert. This kind of information might be essential for resolving the issue without browsing the log manually.

Introductory information about text log monitoring is included in the article Monitoring text log files with NetCrunch.

Scenario

Say we want NetCrunch to alert us when the Postfix mail service cannot deliver emails to a recipient server. This is reflected in the log by an entry with the status deferred.

Additionally, to make diagnostics faster, we want NetCrunch to include ESMTP info that lists more details about the particular problem that has been encountered.

This article will focus on this particular log entry:

Jun 26 04:38:12 mail postfix/smtp[17532]: 1741E447CA00: to=<yourmail@mail.com>, relay=aa.mail.mail.com[123.123.123.123]:25, delay=290344, delays=290344/0.07/0.21/0, dsn=1.2.3, status=deferred (host aa.mail.mail.com[123.123.123.123] refused to talk to me: 123-aa.mail.mail.com ESMTP 450 4.7.1 Client host rejected: cannot find your reverse hostname, [123.123.123.12])

Based on this line of the log, the monitoring sensor will raise an alert if status=deferred is detected and it will also include an ESMTP response in the alert. This way the user will not be forced to browse the log for that information, expediting resolution time.

Setting a Parsing Expression

For detailed instructions on creating a new parsing expression, please visit this article

First, we must create a Text Parsing Expression, as seen in the image below.

Regular Expression:

.*postfix\/smtp.*status=(\S*).*ESMTP (.*)\)

This regular expression captures only two variables: the value of the status field and the ESMTP response. The rest of the text is ignored.

Creating a sensor with an alerting rule

After adding the sensor, the only alerting rule we need to add is one that triggers when status contains deferred.
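
The expression and the rule can be checked offline against sample log lines before the sensor goes live. The following Python script is an added example, not NetCrunch's own code: it assumes NetCrunch's regular-expression engine handles this pattern the way Python's `re` module does, the second and third log lines are constructed samples, and the function names are hypothetical.

```python
import re

# The article's parsing expression, unchanged.
# Group 1 = status value, group 2 = ESMTP response.
POSTFIX_EXPR = re.compile(r".*postfix\/smtp.*status=(\S*).*ESMTP (.*)\)")

SAMPLE_LOG = [
    # Entry quoted in the article.
    "Jun 26 04:38:12 mail postfix/smtp[17532]: 1741E447CA00: to=<yourmail@mail.com>, "
    "relay=aa.mail.mail.com[123.123.123.123]:25, delay=290344, delays=290344/0.07/0.21/0, "
    "dsn=1.2.3, status=deferred (host aa.mail.mail.com[123.123.123.123] refused to talk "
    "to me: 123-aa.mail.mail.com ESMTP 450 4.7.1 Client host rejected: cannot find your "
    "reverse hostname, [123.123.123.12])",
    # Constructed sample: successful delivery.
    "Jun 26 04:39:01 mail postfix/smtp[17533]: 2A41E447CA01: to=<other@mail.com>, "
    "relay=bb.mail.mail.com[123.123.123.124]:25, delay=0.5, delays=0.1/0/0.2/0.2, "
    "dsn=2.0.0, status=sent (250 2.0.0 OK queued)",
    # Constructed sample: deferred, but no ESMTP response was ever received.
    "Jun 26 04:40:15 mail postfix/smtp[17534]: 3B41E447CA02: to=<third@mail.com>, "
    "relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred "
    "(connect to cc.mail.mail.com[123.123.123.125]:25: Connection timed out)",
]

def parse_line(line):
    """Return (status, esmtp_response), or None when the expression fails."""
    m = POSTFIX_EXPR.match(line)
    return (m.group(1), m.group(2)) if m else None

def evaluate(lines):
    """Apply the rule 'status contains deferred'; also collect deferred
    lines the expression could not parse (no alert would be raised)."""
    alerts, missed = [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed and "deferred" in parsed[0]:
            alerts.append(parsed[1])
        elif parsed is None and "status=deferred" in line:
            missed.append(line)
    return alerts, missed

if __name__ == "__main__":
    alerts, missed = evaluate(SAMPLE_LOG)
    for esmtp in alerts:
        print("ALERT deferred, ESMTP:", esmtp)
    for line in missed:
        print("NOT PARSED (no ESMTP text):", line[:60], "...")
```

The third sample line shows the limit of this expression: a deferral logged without the text ESMTP does not match at all, so under the stated assumption this rule raises no alert for it.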

Result

NetCrunch will now raise alerts when the deferred status is found in new log lines, and it will include the ESMTP response in the alert message and alert details. To see this information, simply click the Show Parameters button on the right side of the window.

NetCrunch offers a powerful framework to locate, identify and resolve network problems. Monitoring text logs is an easy way to simplify the life of the systems administrator.

All DNS names and IP addresses have been chosen randomly, and no identification with actual names or addresses is intended.
