Sendmail Mail Server Content Pack
Sendmail is a free and open-source mail transfer agent (MTA) used to route and deliver email on Unix-based systems. This technology pack will process Sendmail logs and includes parsers and dashboards to visualize key data such as sender/recipient activity, delivery status, ruleset rejections, authentication, and processing statistics.
Requirements
- Graylog Server version 5.2.4 or later with valid Enterprise license
- Sendmail logs delivered via syslog (RFC 5424) or Filebeat
Supported Versions
- Sendmail version 8.15.2 and earlier compatible versions
Log Collection and Delivery
Sendmail logs can be delivered to Graylog via syslog or Filebeat. Only RFC 5424 compliant syslog messages are accepted for the syslog method.
Syslog Configuration
Configure syslog forwarding for Sendmail logs:
- Create a matching syslog input in Graylog (UDP or TCP)
- Configure the syslog server (e.g. rsyslog) to forward mail facility logs to the Graylog input
- Ensure logs are RFC 5424 compliant
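An rsyslog forwarding rule that carries out the three steps above, added here as an example and not part of the content pack. The host name graylog.example.com and port 5140 are placeholders for the Graylog syslog TCP input you created. The template is the detail step 3 turns on: rsyslog's default forwarding template (RSYSLOG_TraditionalForwardFormat) emits traditional RFC 3164 syslog, which this pack's syslog path does not accept, while RSYSLOG_SyslogProtocol23Format is rsyslog's built-in RFC 5424 output format.

```conf
# /etc/rsyslog.d/50-sendmail-graylog.conf  (example; host and port are placeholders)
# Forward only the mail facility, over TCP, in RFC 5424 format.
mail.* action(type="omfwd"
              target="graylog.example.com"
              port="5140"
              protocol="tcp"
              template="RSYSLOG_SyslogProtocol23Format")
```

After restarting rsyslog, a quick check is that the messages arriving on the Graylog input start with the `<PRI>1 ` version marker of RFC 5424 rather than the `<PRI>Mon DD HH:MM:SS` prefix of the traditional format.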
Filebeat Configuration
Configure Filebeat to ship Sendmail log files:
- Create a matching Beats input in Graylog
- Create an API access token and Linux Filebeat collector
- Configure the collector to read Sendmail log files (e.g. /var/log/maillog)
- Set event_source_product to 'sendmail' in the Filebeat fields configuration
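A Filebeat configuration fragment for steps 3 and 4, added here as an example and not the collector configuration the pack or Graylog Sidecar generates. The Graylog host name is a placeholder, 5044 is the default port of a Beats input, and `fields_under_root: true` is an assumption made so that event_source_product arrives as a top-level field rather than nested under `fields`.

```yaml
# filebeat.yml fragment (example; host is a placeholder)
filebeat.inputs:
  - type: filestream
    id: sendmail
    paths:
      - /var/log/maillog
    fields:
      event_source_product: sendmail   # value the pack keys on
    fields_under_root: true            # emit it as a top-level field, not fields.event_source_product

output.logstash:
  hosts: ["graylog.example.com:5044"]  # the Graylog Beats input
```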
Stream Configuration
This technology pack includes 1 stream:
- "Illuminate:Sendmail Mail Server Messages"
Index Set Configuration
This technology pack includes 1 index set definition:
- "Sendmail Mail Server Logs"
What is Provided
- Parsing rules to extract Sendmail logs into Graylog schema compatible fields
- GIM event type categorization and enforcement fields for supported Sendmail events
- Illuminate spotlight dashboard with six tabs: Overview, Activity, Delivery Status, Rule Rejection, Authentication, and Processing Statistics
Log Format Example
Receipt log:
t1NHIIgY028315: from=<masterchef@outlook.com>, size=496, class=0, nrcpts=5, msgid=<B3BE0AC12425C02A1FB8C9201EE5CB9E@jyvicegy>, proto=ESMTP, daemon=MTA, relay=host-47.55-234-182.cable.dynamic.website.net [182.234.55.47]
Delivery log:
e6BLc7u23822: to=foo@bar.com, ctladdr=foo (1002/1002), delay=00:00:08, xdelay=00:00:00, mailer=esmtp, pri=30025, relay=foo.bar.com., dsn=5.3.5, stat=Local configuration error
Authentication log:
AUTH=server, relay=[11.111.111.111], authid=aussie@foo.bar, mech=LOGIN, bits=0
STARTTLS log:
STARTTLS=server, relay=111-1-111-11-AAAA.aaa.foobarbusiness.net [111.1.111.11], version=TLSv1/SSLv3, verify=NO, cipher=AES128-SHA, bits=128/128
Connection log:
connect from 177-177-rev-placeholder.reverse.foo.net.bar [177.177.11.111] (may be forged)
Ruleset rejection log:
ruleset=check_rcpt, arg1=<jan@foo.bar.com>, relay=foo@odin.bar.com [192.168.1.1], reject=550 5.7.1 <jan@foo.bar.com>... Relaying denied
Pre-greeting rejection log:
rejecting commands from aa.example.com [22.22.22.22] due to pre-greeting traffic
Daemon status log:
starting daemon (8.14.7): queueing@01:00:00
Milter content filter rejection log:
k876hJS0063495: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Lost connection log:
k876hJS0063495: lost input channel from host.example.com [10.0.0.1] to MTA after rcpt
System error log:
NOQUEUE: SYSERR(root): daemon: cannot fork: Not enough space
GIM Categorization
GIM categorization is provided for the following log types:
| Log Type | gim_event_type_code | gim_event_category | gim_event_subcategory | gim_event_type |
|---|---|---|---|---|
| AUTH (server-side) | 100500 | authentication | authentication.credential validation | credential validation |
| Connect from (inbound) | 120000 | network | network.network connection | network connection |
| STARTTLS (server-side) | 120000 | network | network.network connection | network connection |
| Daemon starting | 210000 | service | service.start | service started |
| Daemon stopping | 210100 | service | service.stop | service stopped |
| Mail from (receipt) | 219999 | service | service.default | service event |
| Mail to (delivery) | 219999 | service | service.default | service event |
| Ruleset rejection | 219999 | service | service.default | service event |
| Lost connection / timeout | 219999 | service | service.default | service event |
| SYSERR (system error) | 219999 | service | service.default | service event |
| Pre-greeting rejection | 300000 | detection | detection.network_detection | ids_detection |
| Discovery rejection (VRFY/EXPN) | 300000 | detection | detection.network_detection | ids_detection |
| Invalid connection (no commands issued) | 300000 | detection | detection.network_detection | ids_detection |
| Milter content filter rejection | 300000 | detection | detection.network_detection | ids_detection |
Fields Extracted by This Pack
Parsed Fields
These are the fields extracted and mapped by the Sendmail content pack.
| Original Field Name | Field Name | Example Value | Field Type | Description |
|---|---|---|---|---|
| (syslog) | application_name | sendmail | string | Syslog application name |
| (syslog) | process_id | 23824 | string | Sendmail process ID |
| (parsed) | email_uid | e6BLc7u23822 | string | Sendmail queue ID |
| from= | email_from | foo@bar.com | string | Sender email address |
| to= | email_to | foo@bar.com | string | Recipient email address |
| size= | email_size | 496 | long | Message size in bytes |
| msgid= | email_message_id | <B3BE0AC12425...> | string | Message ID |
| class= | vendor_class | 0 | long | Message class |
| nrcpts= | vendor_nrcpts | 5 | long | Number of recipients |
| proto= | network_protocol | esmtp | string | Network protocol (lowercased) |
| daemon= | vendor_daemon | MTA | string | Sendmail daemon name |
| relay= | source_ip | 182.234.55.47 | string | Client relay IP address |
| relay= | source_hostname | host-47.cable.net | string | Client relay hostname |
| relay= | destination_ip | 192.168.1.3 | string | Destination relay IP address |
| relay= | destination_hostname | foo.bar.com | string | Destination relay hostname |
| delay= | vendor_delay | 00:00:08 | string | Delivery delay |
| (calculated) | vendor_delay_total_seconds | 8 | long | Total delay in seconds |
| xdelay= | vendor_xdelay | 00:00:00 | string | Transmission delay |
| mailer= | vendor_mailer | esmtp | string | Mailer type |
| pri= | vendor_pri | 30025 | long | Message priority |
| dsn= | vendor_dsn | 5.3.5 | string | Delivery Status Notification code |
| stat= | vendor_status | Sent | string | Delivery status |
| stat= | vendor_status_text | Message accepted for delivery | string | Delivery status detail |
| AUTH= | vendor_auth | server | string | Authentication direction |
| authid= | vendor_authid | aussie@foo.bar | string | Authentication user ID |
| mech= | vendor_mech | LOGIN | string | SASL authentication mechanism |
| bits= | vendor_bits | 0 | string | Authentication encryption bits |
| STARTTLS= | vendor_starttls | server | string | TLS negotiation direction |
| version= | vendor_tls_version | TLSv1/SSLv3 | string | TLS protocol version |
| cipher= | vendor_tls_cipher | AES128-SHA | string | TLS cipher suite |
| bits= | vendor_tls_cipher_size | 128/128 | string | TLS cipher key size |
| verify= | vendor_starttls_verify | NO | string | TLS certificate verification status |
| (parsed) | vendor_event_action | connect | string | Event action (connect, starting, stopping, rejecting) |
| ruleset= | vendor_ruleset | check_rcpt | string | Sendmail ruleset name |
| arg1= | vendor_arg1 | <jan@foo.bar.com> | string | Ruleset argument 1 |
| reject= | vendor_reject | 550 5.7.1 Relaying denied | string | Rejection reason with SMTP response |
| (parsed) | smtp_response_code | 550 | string | SMTP response code |
| (lookup) | smtp_response_code_description | Requested action not taken | string | SMTP response description |
| (parsed) | smtp_response_enhanced_class_code | 5 | string | Enhanced status class code |
| (parsed) | smtp_response_enhanced_status_code | 7.1 | string | Enhanced status code |
| Milter: | vendor_milter_action | data | string | Milter filter stage (data, to, header) |
| Milter: reject= | vendor_reject | 550 5.7.1 Blocked by SpamAssassin | string | Milter rejection reason with SMTP response |
| (parsed) | vendor_smtp_phase | MTA after rcpt | string | SMTP phase when connection was lost |
| SYSERR() | vendor_syserr_user | root | string | User context for system error |
| SYSERR | vendor_event_description | daemon: cannot fork | string | System error description |
| (parsed) | vendor_subtype | milter_reject | string | Log subtype (discovery_reject, invalid_connect, milter_reject, lost_connection, syserr) |
| (parsed) | vendor_relay_warning | may be forged | string | Relay hostname verification warning |
| (parsed) | vendor_version | 8.14.7 | string | Sendmail daemon version |
| (parsed) | vendor_event_outcome_reason | signal | string | Daemon stop reason |
| Mapped | gim_event_type_code | 100500 | string | GIM event type code |
| Mapped | service_name | sendmail | string | Service name for enforcement |
| Mapped | alert_signature | Suspicious SMTP connection: milter_reject | string | Alert signature for detection events |
| Mapped | alert_category | smtp | string | Alert category for detection events |
| (parsed) | vendor_arg2 | 0 | string | Additional sendmail rejection argument |
| (parsed) | vendor_ctladdr | root | string | Control address for local delivery |
| (parsed) | vendor_relay_ip | 192.168.1.50 | string | Relay IP address |
| (parsed) | vendor_relay_user | alice | string | Relay username |
| (parsed) | vendor_status_full | Sent (ok 1234 message accepted) | string | Full status message for delivery |
| (parsed) | vendor_smtp_response_message | Access denied | string | SMTP response message text |
| Mapped | smtp_response_enhanced_class_code_description | Success | string | SMTP enhanced class code description |
| Mapped | smtp_response_enhanced_subject_code | 1.1 | string | SMTP enhanced subject code |
| Mapped | smtp_response_enhanced_subject_code_description | Other or Undefined Address Status | string | SMTP enhanced subject code description |
| (parsed) | vendor_starttls_errno | 54 | string | STARTTLS error number |
| (parsed) | vendor_starttls_error | read | string | STARTTLS error type |
| (parsed) | vendor_starttls_error_code | 0x1408F10B | string | STARTTLS SSL error code |
| (parsed) | vendor_starttls_error_reason | connection reset | string | STARTTLS error reason |
| (parsed) | vendor_starttls_retry | OK | string | STARTTLS retry status |
| (parsed) | vendor_starttls_ssl_error | SSL_ERROR_SSL | string | STARTTLS SSL error name |
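To make the log formats, the field mapping and the GIM categorization above concrete, here is an added Python parser. It is example code written for this page, not the content pack's own pipeline rules. It takes a Sendmail message body with the syslog header already removed, dispatches on the line shapes shown in the Log Format Example section, and returns fields under the names in the tables. The regular expressions, the choice of mapping relay= to source_* on receipt lines and destination_* on delivery lines, the treatment of the queue ID and NOQUEUE prefix, and the alert signature text used for the pre-greeting case are this example's assumptions; the field names and numeric GIM codes are the page's.

```python
import re
# GIM codes and key=value field names come from the tables above; the regexes and
# value handling are this example's assumptions about the formats the page shows.
GIM = {"auth": 100500, "network": 120000, "service_start": 210000,
       "service_stop": 210100, "service_default": 219999, "detection": 300000}
KV_FIELDS = {"from": "email_from", "to": "email_to", "size": "email_size", "msgid": "email_message_id",
             "class": "vendor_class", "nrcpts": "vendor_nrcpts", "daemon": "vendor_daemon", "dsn": "vendor_dsn",
             "xdelay": "vendor_xdelay", "mailer": "vendor_mailer", "pri": "vendor_pri", "ctladdr": "vendor_ctladdr",
             "AUTH": "vendor_auth", "authid": "vendor_authid", "mech": "vendor_mech", "STARTTLS": "vendor_starttls",
             "version": "vendor_tls_version", "cipher": "vendor_tls_cipher", "verify": "vendor_starttls_verify",
             "ruleset": "vendor_ruleset", "arg1": "vendor_arg1", "stat": "vendor_status_full"}
LONG_FIELDS = {"email_size", "vendor_class", "vendor_nrcpts", "vendor_pri"}

QUEUE_RE = re.compile(r"^(?P<qid>[A-Za-z0-9]{12,14}|NOQUEUE): (?P<body>.*)$")
RELAY_RE = re.compile(r"^(?:(?P<user>[^@\s\[]+)@)?(?P<host>[^\s\[]+)?\s*"
                      r"(?:\[(?P<ip>[^\]]+)\])?(?:\s+\((?P<warning>[^)]+)\))?$")
SMTP_RE = re.compile(r"^(?P<code>[245]\d\d)\s+(?P<cls>[245])\.(?P<status>\d+\.\d+)\s*(?P<msg>.*)$")
SYSERR_RE = re.compile(r"^SYSERR\((?P<user>[^)]*)\): (?P<desc>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<relay>.+)$")
PREGREET_RE = re.compile(r"^rejecting commands from (?P<relay>.+?) due to pre-greeting traffic$")
DAEMON_RE = re.compile(r"^(?P<action>starting|stopping) daemon(?: \((?P<version>[^)]+)\))?")
LOST_RE = re.compile(r"^lost input channel from (?P<relay>.+?) to (?P<phase>.+)$")
MILTER_RE = re.compile(r"^Milter: (?P<stage>\w+), (?P<rest>.*)$")


def delay_to_seconds(delay):
    """'HH:MM:SS' or 'D+HH:MM:SS' -> total seconds, as vendor_delay_total_seconds."""
    days, _, clock = delay.rpartition("+")
    h, m, s = (int(x) for x in clock.split(":"))
    return (int(days) if days else 0) * 86400 + h * 3600 + m * 60 + s


def _relay(value, prefix, fields):
    """'[user@]host [ip] (warning)' -> <prefix>_hostname / <prefix>_ip plus relay extras."""
    m = RELAY_RE.match(value.strip())
    names = {"host": prefix + "_hostname", "ip": prefix + "_ip",
             "user": "vendor_relay_user", "warning": "vendor_relay_warning"}
    for group, name in names.items():
        if m and m[group]:
            fields[name] = m[group].rstrip(".")   # relay=foo.bar.com. carries a trailing dot


def _detection(fields, label):
    fields.update(gim_event_type_code=GIM["detection"], alert_category="smtp",
                  alert_signature="Suspicious SMTP connection: " + label)


def parse_sendmail(message):
    """Parse one Sendmail message body (syslog header already stripped) into schema fields."""
    fields, body = {}, message
    if m := QUEUE_RE.match(message):
        body = m["body"]
        if m["qid"] != "NOQUEUE":
            fields["email_uid"] = m["qid"]
    if m := SYSERR_RE.match(body):
        fields.update(vendor_subtype="syserr", vendor_syserr_user=m["user"],
                      vendor_event_description=m["desc"], gim_event_type_code=GIM["service_default"])
        return fields
    if m := CONNECT_RE.match(body):
        fields.update(vendor_event_action="connect", gim_event_type_code=GIM["network"])
        _relay(m["relay"], "source", fields)
        return fields
    if m := PREGREET_RE.match(body):
        fields["vendor_event_action"] = "rejecting"
        _relay(m["relay"], "source", fields)
        _detection(fields, "pre-greeting traffic")  # signature label chosen for this example
        return fields
    if m := DAEMON_RE.match(body):
        fields.update(vendor_event_action=m["action"], vendor_version=m["version"],
                      gim_event_type_code=GIM["service_start" if m["action"] == "starting" else "service_stop"])
        return fields
    if m := LOST_RE.match(body):
        fields.update(vendor_subtype="lost_connection", vendor_smtp_phase=m["phase"],
                      gim_event_type_code=GIM["service_default"])
        _relay(m["relay"], "source", fields)
        return fields
    if m := MILTER_RE.match(body):
        fields.update(vendor_milter_action=m["stage"], vendor_subtype="milter_reject")
        _detection(fields, "milter_reject")
        body = m["rest"]
    # Everything else is ", "-separated key=value pairs (values containing ", " are not handled).
    pairs = [t.split("=", 1) for t in body.split(", ") if "=" in t]
    keys = {k for k, _ in pairs}
    for key, value in pairs:
        if key == "relay":   # source on receipt (from=) lines, destination on delivery (to=) lines
            _relay(value, "destination" if "to" in keys else "source", fields)
        elif key == "bits":  # SASL bits in AUTH= lines, cipher key size in STARTTLS= lines
            fields["vendor_tls_cipher_size" if "STARTTLS" in keys else "vendor_bits"] = value
        elif key == "reject":
            fields["vendor_reject"] = value
            if sm := SMTP_RE.match(value):
                fields.update(smtp_response_code=sm["code"], smtp_response_enhanced_class_code=sm["cls"],
                              smtp_response_enhanced_status_code=sm["status"], vendor_smtp_response_message=sm["msg"])
        elif key == "delay":
            fields.update(vendor_delay=value, vendor_delay_total_seconds=delay_to_seconds(value))
        elif key in ("from", "to"):
            fields[KV_FIELDS[key]] = value.strip("<>")
        elif key == "proto":
            fields["network_protocol"] = value.lower()
        elif key in KV_FIELDS:
            fields[KV_FIELDS[key]] = int(value) if KV_FIELDS[key] in LONG_FIELDS else value
    fields.setdefault("gim_event_type_code", GIM["auth"] if "AUTH" in keys
                      else GIM["network"] if "STARTTLS" in keys else GIM["service_default"])
    return fields
```

Run parse_sendmail() over each of the sample lines in the Log Format Example section: receipt lines yield source_ip and source_hostname from relay=, delivery lines yield destination_* and vendor_delay_total_seconds, and the Milter and pre-greeting rejections come back with the 300000 code plus alert_category and alert_signature, which is what the Rule Rejection tab and any detection searches key on. Two points the table does not spell out are made explicit in the loop: the same `bits=` key means different things in AUTH= and STARTTLS= lines, and `relay=` changes role depending on whether the line is a receipt or a delivery.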
Illuminate:Sendmail Spotlight
This spotlight offers a dashboard with six tabs:
- Sendmail Mail Server Overview
- Activity
- Delivery Status
- Rule Rejection
- Authentication
- Processing Statistics
