Servers generate a lot of email. If you're a sysadmin, you already know this. If you work with sysadmins, then you're to blame (ok, maybe not). In either case, dealing with server email is time consuming, and the signal-to-noise ratio is low. More often than not these emails are ignored (procmail FTW!).
Is this a good thing?
These emails are generated for a reason, and that reason is usually that there's something amiss on your server. Instead of /dev/null'ing all of these useful nuggets, why not mine them with Splunk?
In this How To we'll setup a catch-all Postfix server and use it to Splunk all of your system generated email.
Note: Splunk need not be installed on the same system as Postfix, but for the purposes of this How To, they are co-existent.
apt-get install postfix -f).
```
virtual_alias_domains = sfeserv01.splunk.com,sfeserv31.splunk.com
virtual_alias_maps = hash:/etc/postfix/virtual
```
In Postfix's virtual alias map file (/etc/postfix/virtual, as set in virtual_alias_maps above) create a catch-all alias for each host from which you'll be accepting mail:
```
@sfeserv01.splunk.com   catch-all
@sfeserv31.splunk.com   catch-all
```
In Postfix's aliases file create a catch-all alias and redirect it to a
Refresh aliases, rehash maps, and reload Postfix configs:
```
sudo newaliases
sudo postmap /etc/postfix/virtual
sudo postfix reload
```
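A preflight check for the Postfix files above, written as an added Python example (not part of the original How To): it parses the virtual_alias_domains line from main.cf and the virtual map, resolves recipients in the order Postfix uses for a virtual alias map (exact address first, then the @domain catch-all, the same lookup `postmap -q` performs) and lists any domain in virtual_alias_domains that has no catch-all entry. That case matters because Postfix rejects mail for a virtual alias domain whose recipient matches nothing in the map ("User unknown in virtual alias table"), so the cron report you wanted to capture bounces instead of landing in the Maildir. The file contents below are constructed samples; on the server you would read /etc/postfix/main.cf and /etc/postfix/virtual instead.

```python
"""Preflight check for the catch-all virtual alias setup.

Added example, not from the original How To. Works on the text of the two
Postfix files so it runs without Postfix installed; the samples are constructed.
"""
import re

# Constructed sample of the relevant main.cf lines
MAIN_CF = """
virtual_alias_domains = sfeserv01.splunk.com, sfeserv31.splunk.com
virtual_alias_maps = hash:/etc/postfix/virtual
relayhost = mail-relay.splunk.com
"""

# Constructed sample virtual map: one domain has its catch-all,
# the other (deliberately) only has a single explicit alias
VIRTUAL = """
# catch-all aliases for hosts that relay to us
@sfeserv01.splunk.com       catch-all
root@sfeserv31.splunk.com   ops-root
"""


def parse_main_cf(text):
    """Return {parameter: value} for 'name = value' lines; comments skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def split_list(value):
    """Postfix list parameters are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def parse_virtual(text):
    """Return {lookup_key: target} for a virtual alias map source file."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0]] = parts[1].strip()
    return table


def virtual_lookup(table, address):
    """Resolve one recipient the way Postfix consults the virtual alias map:
    the full address wins, otherwise the '@domain' catch-all, otherwise None."""
    if address in table:
        return table[address]
    _, _, domain = address.rpartition("@")
    return table.get("@" + domain)


def missing_catch_alls(main_cf_text, virtual_text):
    """Domains listed in virtual_alias_domains with no '@domain' entry in the map."""
    params = parse_main_cf(main_cf_text)
    domains = split_list(params.get("virtual_alias_domains", ""))
    table = parse_virtual(virtual_text)
    return [d for d in domains if "@" + d not in table]


if __name__ == "__main__":
    table = parse_virtual(VIRTUAL)
    for rcpt in ("cron@sfeserv01.splunk.com",
                 "root@sfeserv31.splunk.com",
                 "cron@sfeserv31.splunk.com"):
        print(rcpt, "->", virtual_lookup(table, rcpt))
    print("domains without a catch-all:", missing_catch_alls(MAIN_CF, VIRTUAL))
```

Run it after editing the map and before `postmap`; an empty list from `missing_catch_alls` means every host you listed will have its mail delivered to the catch-all rather than rejected.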
In Splunk's inputs.conf file configure batch monitoring of the catch-all Maildir:
```
# $SPLUNK_HOME/etc/system/local/inputs.conf
[batch:///var/mail/catch-all]
interval = 300
disabled = false
index = admin_mail
source = admin_mail
move_policy = sinkhole
sourcetype = admin_mail
```
In Splunk's props.conf file configure email event parsing:
```
# $SPLUNK_HOME/etc/system/local/props.conf
[admin_mail]
TRUNCATE = 0
MAX_EVENTS = 200000
TIME_PREFIX = Date:\s
LINE_BREAKER = x6939844b3e9eae3093ed00e67a0dd33b
BREAK_ONLY_BEFORE = x6939844b3e9eae3093ed00e67a0dd33b
```
In Splunk's indexes.conf file configure the email index:
```
# $SPLUNK_HOME/etc/system/local/indexes.conf
[admin_mail]
homePath = $SPLUNK_DB/admin_mail/db
coldPath = $SPLUNK_DB/admin_mail/colddb
thawedPath = $SPLUNK_DB/admin_mail/thaweddb
```
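The work the inputs.conf and props.conf stanzas hand to Splunk, done by hand in Python as an added example (not from the original How To and not Splunk's own code): each message in a Maildir is its own file, the batch input reads every file, and the Date: header (TIME_PREFIX above) supplies the event time. The script builds a throwaway Maildir in a temp directory from two constructed cron-style messages, reads each file back the way the batch input would, takes the timestamp from Date:, attributes the mail to the host whose virtual domain it was addressed to, and returns one event per message, oldest first. Hostnames, messages and the temp path are constructed. One caveat the script does not reproduce: with move_policy = sinkhole the batch input deletes each file once it is indexed, so if you want the raw mail kept, copy it elsewhere before Splunk reads it.

```python
"""Turn a catch-all Maildir into timestamped events, one per message.

Added example, not from the original How To. Mirrors what the Splunk batch
input plus TIME_PREFIX = Date:\\s do for the admin_mail sourcetype.
"""
import email
import email.utils
import mailbox
import os
import tempfile
from datetime import datetime
from email.message import EmailMessage

# Constructed samples of the mail a server generates (deliberately out of order).
# Fields: From, To, Subject, Date, body
SAMPLES = [
    ("Cron Daemon <root@sfeserv31.splunk.com>", "cron@sfeserv31.splunk.com",
     "sfeserv31 daily disk report", "Mon, 14 Sep 2009 06:30:00 -0700",
     "/dev/sda1 94% used\n"),
    ("Cron Daemon <root@sfeserv01.splunk.com>", "cron@sfeserv01.splunk.com",
     "Cron <root@sfeserv01> /usr/local/bin/backup.sh",
     "Mon, 14 Sep 2009 02:00:03 -0700",
     "tar: /var/lib/mysql: file changed as we read it\n"),
]


def build_sample_maildir(path):
    """Create a Maildir at `path` (must not exist yet) holding SAMPLES.
    Every add() writes one file under new/, which is why one file == one mail."""
    md = mailbox.Maildir(path, create=True)
    for sender, rcpt, subject, date, body in SAMPLES:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg["Date"] = date
        msg.set_content(body)
        md.add(msg)
    return md


def message_to_event(raw):
    """Parse one RFC 822 message (bytes) into a flat event dict."""
    msg = email.message_from_bytes(raw)
    # Event time comes from the Date: header, as TIME_PREFIX = Date:\s asks of Splunk
    sent = email.utils.parsedate_to_datetime(msg["Date"])
    rcpt = email.utils.parseaddr(msg.get("To", ""))[1]
    host = rcpt.rpartition("@")[2]          # the virtual domain it was addressed to
    body = msg.get_payload(decode=True) or b""
    return {
        "_time": sent.isoformat(),
        "host": host,
        "from": email.utils.parseaddr(msg.get("From", ""))[1],
        "subject": msg.get("Subject", ""),
        "body": body.decode("utf-8", "replace").strip(),
    }


def maildir_to_events(path):
    """Read every message file in the Maildir and return events oldest first."""
    md = mailbox.Maildir(path, create=False)
    events = [message_to_event(md.get_bytes(key)) for key in md.keys()]
    return sorted(events, key=lambda e: datetime.fromisoformat(e["_time"]))


def demo():
    """Build a throwaway Maildir in a temp dir and parse it back into events."""
    root = tempfile.mkdtemp(prefix="catch-all-")
    path = os.path.join(root, "catch-all")   # must not exist for create=True to lay out tmp/new/cur
    build_sample_maildir(path)
    return maildir_to_events(path)


if __name__ == "__main__":
    for ev in demo():
        print(ev["_time"], ev["host"], ev["subject"])
```

The host field is taken from the recipient domain rather than the From: header on purpose: the catch-all alias guarantees the To: domain is one of your virtual_alias_domains, while From: is whatever the sending daemon chose to put there.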
```
relayhost = mail-relay.splunk.com
```
You can now search Splunk for system emails:
Which should return results like these: