Exim4, grep the log files

From Andreida

IPs with failed login

List all IPs with a failed login and give a count of how often each of them tried (the count only goes back as far as the log files that have not yet been rotated away and deleted):

zgrep -o 'failed for (\[.*\])' /var/log/exim4/rejectlog.* | grep -o '\[.*\]' | sed 's/^\[//; s/\]$//' | sort | uniq -c | sort -n

often accepted

Sometimes you want to find out which sender addresses are mostly used for spam (i.e. rejected), which domains are only ever rejected, and so on. A starter for your investigation could be something like this:

zgrep petra /var/log/exim4/mainlog* | grep -v reject | grep -o 'From .*' | awk '{ print $2 }' | sort | uniq -c | sort -n

The above pipeline would:

  • grep over all Exim4 main logs, including the rotated (compressed) ones, thanks to zgrep
  • keep only the lines in which "petra" is mentioned
  • filter out the lines which contain "reject"
  • cut each line down to the part starting at the word 'From '
  • print the second ($2) column of that output
  • sort the output
  • collapse duplicates, prefixing each line with the count of its occurrences, and sort by that count

how often rejected as login name

Very often people try to hack your server. They will try the local part (the part before the @) of e-mail addresses or other common usernames, and use a dictionary for the password.

This will show you for Exim the rejected usernames and their count:

zgrep -o -h 'set_id=[a-zA-Z0-9@.-]*' /var/log/exim4/rejectlog.* | cut -d= -f2 | sort | uniq -c | sort -n
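The two rejectlog tallies on this page (failed-login IPs and rejected usernames) as an added, self-contained example; this is not from the Andreida page. It writes a few constructed rejectlog lines (modelled on Exim's "authenticator failed for ... [ip]: 535 ... (set_id=user)" message) to a temporary file so it runs offline, then defines one function per tally. The IP function goes slightly beyond the page's version: it takes the client IP from the bracketed address that precedes the "535" response whether the client's HELO name is a real hostname or a bracketed IP, and both functions normalise the uniq -c output to "count value" so it is easy to feed into further scripts. On real rotated logs you would replace grep with zgrep as the page does.

```shell
#!/bin/sh
# Added example, not from the Andreida page. Sample log lines below are constructed.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-03-01 10:00:01 login authenticator failed for ([192.0.2.10]) [192.0.2.10]: 535 Incorrect authentication data (set_id=petra)
2024-03-01 10:00:05 login authenticator failed for ([192.0.2.10]) [192.0.2.10]: 535 Incorrect authentication data (set_id=petra)
2024-03-01 10:01:12 plain authenticator failed for mail.example.net [198.51.100.7]: 535 Incorrect authentication data (set_id=admin@example.org)
2024-03-01 10:02:40 login authenticator failed for ([203.0.113.5]) [203.0.113.5]: 535 Incorrect authentication data (set_id=petra)
2024-03-01 10:03:00 H=[203.0.113.9] F=<spam@example.com> rejected RCPT <nobody@example.org>: relay not permitted
EOF

# Failed logins per client IP, least frequent first.
# The greedy ".*" before the bracket makes sed pick the LAST bracketed address
# before the "]:" that introduces the 535 response, so a HELO of "[ip]" in
# parentheses does not confuse it. Output lines look like "2 192.0.2.10".
failed_login_ips() {
    grep -h 'authenticator failed for' "$@" \
      | sed -n 's/.*failed for .*\[\([0-9.:a-fA-F]*\)\]:.*/\1/p' \
      | sort | uniq -c | sort -n \
      | awk '{ print $1, $2 }'
}

# Usernames the attackers tried (the set_id value), least frequent first.
# Same extraction as the page's pipeline, just with the count normalised.
rejected_usernames() {
    grep -o -h 'set_id=[a-zA-Z0-9@.-]*' "$@" \
      | cut -d= -f2 \
      | sort | uniq -c | sort -n \
      | awk '{ print $1, $2 }'
}

# Stand-alone usage over the constructed sample.
echo "== failed logins per IP =="
failed_login_ips "$SAMPLE_LOG"
echo "== rejected usernames =="
rejected_usernames "$SAMPLE_LOG"
```

Because each function prints "count value" per line, the most aggressive source or most-tried username is always the last line, which is handy when you only want the top entries or want to compare the lists against your own user base (a username that exists on your server showing up here deserves a closer look).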