Log Analysis

Guide to analyzing Mailborder logs for troubleshooting and monitoring.

Log Locations

Main logs:

/var/log/mailborder/mailborder.log      # General system log
/var/log/mailborder/auth.log            # Authentication events
/var/log/mailborder/spam.log            # Spam detection
/var/log/mailborder/virus.log           # Virus scanning
/var/log/mailborder/policy.log          # Policy enforcement
/var/log/mailborder/geoip.log           # GeoIP filtering
/var/log/mail.log                       # Postfix SMTP log

Service logs:

/var/log/mailborder/mb-rpcd.log
/var/log/mailborder/mb-filter.log
/var/log/mailborder/mb-milter.log
/var/log/mailborder/mb-scribe.log

Common Log Searches

Find Errors

# All errors across every Mailborder log file
sudo grep ERROR /var/log/mailborder/*.log

# Specific service errors
sudo grep ERROR /var/log/mailborder/mb-filter.log | tail -n 20

# Critical errors only
sudo grep CRITICAL /var/log/mailborder/mailborder.log

Track Email

By message ID:

sudo grep "<message-id@sender.com>" /var/log/mail.log
sudo grep "<message-id@sender.com>" /var/log/mailborder/mb-filter.log

By sender:

sudo grep "from=<sender@example.com>" /var/log/mail.log   # Postfix logs addresses in angle brackets

By recipient:

sudo grep "to=<user@example.com>" /var/log/mail.log   # Postfix logs addresses in angle brackets
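A Message-ID grep on mail.log returns only the cleanup line, because Postfix keys every other line for that message by its queue ID. The following function, added here as an example and not taken from the Mailborder documentation, resolves the queue ID from the Message-ID and then prints the whole life cycle of the message. The log lines are constructed in Postfix's traditional syslog format; the hostname, queue IDs and addresses are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Mailborder's own code): trace one message through a
# Postfix mail.log by Message-ID -> queue ID -> every line for that queue ID.

# Constructed sample log; hostname, queue IDs and addresses are invented.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 13 10:00:01 mx1 postfix/smtpd[1234]: 4ABCDE12345: client=mail.sender.com[203.0.113.7]
Jan 13 10:00:01 mx1 postfix/cleanup[1235]: 4ABCDE12345: message-id=<message-id@sender.com>
Jan 13 10:00:01 mx1 postfix/qmgr[1100]: 4ABCDE12345: from=<sender@example.com>, size=2048, nrcpt=1 (queue active)
Jan 13 10:00:02 mx1 postfix/smtp[1236]: 4ABCDE12345: to=<user@example.com>, relay=mb-filter[127.0.0.1]:10025, delay=0.8, status=sent (250 OK)
Jan 13 10:00:02 mx1 postfix/qmgr[1100]: 4ABCDE12345: removed
Jan 13 10:05:00 mx1 postfix/cleanup[1235]: 5FGHIJ67890: message-id=<other@sender.com>
Jan 13 10:05:00 mx1 postfix/qmgr[1100]: 5FGHIJ67890: from=<sender@example.com>, size=512, nrcpt=1 (queue active)
EOF

# queue_id_for LOGFILE '<message-id>' -> queue ID(s) whose cleanup line carries that Message-ID.
# grep -F treats the Message-ID literally (it usually contains regex metacharacters);
# the sed then keeps only the token directly before ": message-id=".
queue_id_for() {
    grep -F -- "message-id=$2" "$1" \
      | sed -n 's/.* \([0-9A-Za-z]\{1,\}\): message-id=.*/\1/p' | sort -u
}

# trace_message LOGFILE '<message-id>' -> every log line for the message's queue ID(s)
trace_message() {
    for qid in $(queue_id_for "$1" "$2"); do
        grep -F -- ": $qid: " "$1"
    done
}

# delivery_status LOGFILE '<message-id>' -> "recipient status" for each delivery attempt
delivery_status() {
    trace_message "$1" "$2" \
      | sed -n 's/.*to=<\([^>]*\)>.*status=\([a-z]*\).*/\1 \2/p'
}

# Stand-alone usage: on a real host replace "$SAMPLE_LOG" with /var/log/mail.log
trace_message "$SAMPLE_LOG" '<message-id@sender.com>'
delivery_status "$SAMPLE_LOG" '<message-id@sender.com>'
```

Because the queue ID is matched as the literal token `: QUEUEID: `, the trace does not pick up lines from the second, unrelated message, and a Message-ID that never reached cleanup produces no output rather than an error.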

Authentication Events

Failed logins:

sudo grep "Failed login" /var/log/mailborder/auth.log | tail -n 20

Successful logins:

sudo grep "Login successful" /var/log/mailborder/auth.log | tail -n 20

Account lockouts:

sudo grep "Account locked" /var/log/mailborder/auth.log

By IP address:

sudo grep "198.51.100.25" /var/log/mailborder/auth.log

Spam Detection

High spam scores:

sudo grep "spam score" /var/log/mailborder/spam.log | \
  awk '$NF > 15 {print}' | tail -n 20

Rejected as spam:

sudo grep "REJECT.*spam" /var/log/mail.log | tail -n 20

False positives (released from quarantine):

sudo grep "Released.*spam" /var/log/mailborder/quarantine.log

Virus Detection

All virus detections:

sudo grep "Virus detected" /var/log/mailborder/virus.log

By virus name:

sudo grep "Win.Trojan" /var/log/mailborder/virus.log

Recent detections:

sudo tail -f /var/log/mailborder/virus.log

Log Analysis Tools

Using journalctl

View service logs:

sudo journalctl -u mb-rpcd
sudo journalctl -u mb-filter -n 100
sudo journalctl -u mb-filter -f  # Follow

Time-based:

# Last hour
sudo journalctl -u mb-filter --since "1 hour ago"

# Today
sudo journalctl -u mb-rpcd --since today

# Specific date
sudo journalctl -u mb-filter --since "2025-01-13 00:00" --until "2025-01-13 23:59"

Priority filtering:

# Errors only
sudo journalctl -u mb-rpcd -p err

# Warnings and above
sudo journalctl -u mb-filter -p warning

Using grep

Count occurrences:

sudo grep ERROR /var/log/mailborder/mailborder.log | wc -l

Most common errors:

sudo grep ERROR /var/log/mailborder/mailborder.log | \
  cut -d' ' -f4- | sort | uniq -c | sort -rn | head -n 10
# Drops the date, time and level fields so identical messages group together

Error frequency by hour:

sudo grep ERROR /var/log/mailborder/mailborder.log | \
  awk '{print $1, $2}' | cut -d':' -f1 | uniq -c

Using awk

Extract specific fields:

# Spam scores
sudo awk '/spam score/ {print $NF}' /var/log/mailborder/spam.log | \
  sort -n | tail -n 20

Calculate averages:

# Average spam score
sudo awk '/spam score/ {sum+=$NF; count++} END {if (count) print sum/count}' \
  /var/log/mailborder/spam.log
# The count guard avoids a division-by-zero error on a log with no matches

Processing times:

# Average processing time
sudo awk '/Processing Time/ {sum+=$NF; count++} END {if (count) print sum/count "ms"}' \
  /var/log/mailborder/mb-filter.log

Monitoring Patterns

Emails per hour:

sudo grep "message accepted" /var/log/mail.log | \
  awk '{print $1, $2, substr($3, 1, 2)}' | uniq -c
# Buckets by "Mon DD HH" for the traditional syslog timestamp used in mail.log

Spam ratio:

TOTAL=$(sudo grep "Verdict:" /var/log/mailborder/mb-filter.log | wc -l)
SPAM=$(sudo grep "Verdict: QUARANTINE\|Verdict: REJECT" /var/log/mailborder/mb-filter.log | wc -l)
# Multiply before dividing: with scale=2, SPAM/TOTAL*100 truncates the ratio first
[ "$TOTAL" -gt 0 ] && echo "Spam rate: $(echo "scale=2; $SPAM*100/$TOTAL" | bc)%"
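The same ratio, plus the per-hour volume used in the "Error frequency by hour" pipelines above, can be computed in a single awk pass without bc, which also makes the empty-log case explicit. This is an added example, not part of the Mailborder documentation: the line layout (ISO date and time, level, bracketed queue ID, then the verdict) is an assumption constructed for the sample, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Mailborder's own code): spam ratio and hourly verdict
# counts from mb-filter.log in one awk pass, with a guard for an empty log.
#
# Assumed line layout, constructed for this example:
#   YYYY-MM-DD HH:MM:SS LEVEL [queue-id] Verdict: DELIVER|QUARANTINE|REJECT
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2025-01-13 09:58:40 INFO [4ABCDE12345] Verdict: DELIVER
2025-01-13 10:00:01 INFO [5FGHIJ67890] Verdict: DELIVER
2025-01-13 10:00:07 INFO [6KLMNO13579] Verdict: QUARANTINE
2025-01-13 10:12:33 WARN [7PQRST24680] Verdict: REJECT
2025-01-13 10:12:34 INFO [7PQRST24680] Processing Time: 842ms
2025-01-13 11:01:15 INFO [8UVWXY97531] Verdict: DELIVER
EOF

# spam_rate LOGFILE -> "SPAM TOTAL PERCENT" (percent with two decimals, 0.00 for an empty log)
spam_rate() {
    awk '
        /Verdict: /                     { total++ }
        /Verdict: (QUARANTINE|REJECT)/  { spam++ }
        END {
            rate = (total > 0) ? spam * 100 / total : 0
            printf "%d %d %.2f\n", spam, total, rate
        }' "$1"
}

# verdicts_per_hour LOGFILE -> "YYYY-MM-DD HH TOTAL SPAM" per hour, in log order
verdicts_per_hour() {
    awk '
        /Verdict: / {
            hour = $1 " " substr($2, 1, 2)
            total[hour]++
            if ($0 ~ /Verdict: (QUARANTINE|REJECT)/) spam[hour]++
            if (!(hour in seen)) { seen[hour] = 1; order[++n] = hour }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %d %d\n", order[i], total[order[i]], spam[order[i]] + 0
        }' "$1"
}

# Stand-alone usage: on a real host replace "$SAMPLE_LOG" with /var/log/mailborder/mb-filter.log
spam_rate "$SAMPLE_LOG"
verdicts_per_hour "$SAMPLE_LOG"
```

The hourly output keeps the file's own order instead of sorting, so a log that is written chronologically comes out chronologically; the `+ 0` forces an hour with no spam to print as 0 rather than an empty string.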

Performance Monitoring

Slow requests:

sudo grep "Processing Time" /var/log/mailborder/mb-filter.log | \
  awk '$NF > 1000 {print}' | tail -n 20
# Shows requests > 1 second

Queue depth over time:

while true; do
    echo "$(date): $(sudo mailq | tail -n 1)"
    sleep 60
done

Security Monitoring

Brute force attempts:

sudo grep "Failed login" /var/log/mailborder/auth.log | \
  awk '{print $(NF-2)}' | sort | uniq -c | sort -rn | head -n 10
# Shows IPs with most failed attempts
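A fixed-column `$(NF-2)` breaks as soon as a message gains or loses a word, and a raw count per IP does not distinguish one account being hammered from one source trying many accounts (password spraying). The function below, added here as an example and not taken from the Mailborder documentation, locates the IP and user by their `from` and `for` keywords and reports both the failure count and the number of distinct users per source above a threshold. The auth.log line layout is an assumption constructed for the sample, and the function name is this example's own.

```shell
#!/bin/sh
# Added example (not Mailborder's own code): failed-login sources above a
# threshold, with the number of distinct usernames each one tried.
#
# Assumed line layout, constructed for this example:
#   YYYY-MM-DD HH:MM:SS LEVEL Failed login for USER from IP
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2025-01-13 10:00:01 WARNING Failed login for admin from 198.51.100.25
2025-01-13 10:00:03 WARNING Failed login for admin from 198.51.100.25
2025-01-13 10:00:05 WARNING Failed login for admin from 198.51.100.25
2025-01-13 10:00:07 WARNING Failed login for admin from 198.51.100.25
2025-01-13 10:00:09 WARNING Failed login for admin from 198.51.100.25
2025-01-13 10:01:00 WARNING Failed login for alice from 203.0.113.9
2025-01-13 10:01:30 WARNING Failed login for bob from 203.0.113.9
2025-01-13 10:02:00 WARNING Failed login for carol from 203.0.113.9
2025-01-13 10:03:00 WARNING Failed login for dave from 192.0.2.44
2025-01-13 10:03:05 INFO Login successful for dave from 192.0.2.44
2025-01-13 10:04:00 WARNING Account locked: admin
EOF

# failed_logins_by_ip LOGFILE [THRESHOLD] -> "IP FAILURES DISTINCT_USERS",
# most failures first, for sources with at least THRESHOLD failures (default 5).
failed_logins_by_ip() {
    awk -v threshold="${2:-5}" '
        /Failed login/ {
            ip = ""; user = ""
            # Find the tokens after "from" and "for" instead of trusting a fixed column
            for (i = 1; i < NF; i++) {
                if ($i == "from") ip = $(i + 1)
                if ($i == "for")  user = $(i + 1)
            }
            if (ip == "") next
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold)
                    printf "%s %d %d\n", ip, fails[ip], users[ip]
        }' "$1" | sort -k2,2nr
}

# Stand-alone usage: on a real host replace "$SAMPLE_LOG" with /var/log/mailborder/auth.log
failed_logins_by_ip "$SAMPLE_LOG" 3
```

In the sample, 198.51.100.25 shows the classic brute-force shape (five failures, one account) while 203.0.113.9 shows spraying (three failures, three accounts); a threshold on the count alone would rank the second source as minor.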

Blocked IPs:

sudo grep "IP blocked" /var/log/mailborder/security.log | \
  awk '{print $NF}' | sort -u

Automated Log Analysis

Create Analysis Script

#!/bin/bash
# /usr/local/bin/analyze-logs.sh

echo "=== Mailborder Log Analysis ==="
echo "Date: $(date)"
echo

echo "Errors (last hour):"
sudo journalctl --since "1 hour ago" | grep -c ERROR
echo

echo "Email processed (last hour):"
sudo grep "Verdict:" /var/log/mailborder/mb-filter.log | \
  grep "$(date +%Y-%m-%d) $(date +%H):" | wc -l
echo

echo "Spam caught (last hour):"
sudo grep "Verdict: QUARANTINE\|Verdict: REJECT" /var/log/mailborder/mb-filter.log | \
  grep "$(date +%Y-%m-%d) $(date +%H):" | wc -l
echo

echo "Failed logins (last hour):"
sudo grep "Failed login" /var/log/mailborder/auth.log | \
  grep "$(date +%Y-%m-%d) $(date +%H):" | wc -l

Schedule:

0 * * * * /usr/local/bin/analyze-logs.sh | mail -s "Hourly Log Summary" admin@example.com
# A crontab entry must be a single line; cron does not honour backslash continuation

Log Aggregation

Using logwatch:

sudo apt install logwatch
sudo logwatch --output mail --mailto admin@example.com --detail high

Custom Logwatch configuration:

sudo nano /etc/logwatch/conf/logfiles/mailborder.conf

Log Rotation

Check rotation config:

sudo cat /etc/logrotate.d/mailborder

Example configuration:

/var/log/mailborder/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 0640 mailborder mailborder
    sharedscripts
    postrotate
        systemctl reload mb-rpcd >/dev/null 2>&1 || true
    endscript
}

Manual rotation:

sudo logrotate -f /etc/logrotate.d/mailborder

Exporting Logs

For Support

Create support bundle:

sudo tar czf /tmp/mailborder-logs-$(date +%Y%m%d).tar.gz \
  /var/log/mailborder/*.log \
  /var/log/mail.log \
  /var/log/syslog

Sanitize if needed:

# Remove sensitive email addresses
sed 's/[a-zA-Z0-9._%+-]\+@[a-zA-Z0-9.-]\+\.[a-zA-Z]\{2,\}/redacted@example.com/g' \
  input.log > sanitized.log
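Replacing every address with the same placeholder destroys the ability to correlate a sender with its recipients across lines, which is usually the reason the logs are being sent in the first place. The function below, added here as an example and not part of the Mailborder documentation, gives each distinct address a stable token instead, so support can still follow one message while seeing no real addresses. The function name and the `EMAIL_N` token format are this example's own choices.

```shell
#!/bin/sh
# Added example (not Mailborder's own code): pseudonymise e-mail addresses
# consistently, mapping each distinct address to the same EMAIL_N token
# everywhere it appears so that the log still correlates.

# sanitize_emails < input.log > sanitized.log
sanitize_emails() {
    awk '
        {
            line = $0
            out = ""
            # Consume the line left to right so a replacement is never re-scanned
            while (match(line, /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z][A-Za-z]+/)) {
                addr = substr(line, RSTART, RLENGTH)
                if (!(addr in token)) { n++; token[addr] = "EMAIL_" n }
                out = out substr(line, 1, RSTART - 1) token[addr]
                line = substr(line, RSTART + RLENGTH)
            }
            print out line
        }'
}

# Stand-alone usage on constructed Postfix-style lines (addresses are invented)
printf '%s\n' \
  'Jan 13 10:00:01 mx1 postfix/qmgr[1100]: 4ABCDE12345: from=<sender@example.com>, size=2048, nrcpt=1 (queue active)' \
  'Jan 13 10:00:02 mx1 postfix/smtp[1236]: 4ABCDE12345: to=<user@example.com>, status=sent (250 OK)' \
  'Jan 13 10:05:00 mx1 postfix/qmgr[1100]: 5FGHIJ67890: from=<sender@example.com>, size=512, nrcpt=1 (queue active)' \
  'Jan 13 10:05:01 mx1 postfix/qmgr[1100]: 5FGHIJ67890: removed' \
  | sanitize_emails
```

The token map lives for the whole awk run, so it is consistent within one file; to keep it consistent across several files, concatenate them into a single run of the function. The TLD pattern uses `[A-Za-z][A-Za-z]+` rather than an interval expression so that it works on mawk as well as gawk.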

For Analysis Tools

Export to CSV:

# Spam scores
sudo awk '/spam score/ {print $1, $2, $NF}' /var/log/mailborder/spam.log | \
  sed 's/ /,/g' > spam-scores.csv

Export to JSON:

# Recent errors
sudo grep ERROR /var/log/mailborder/mailborder.log | \
  tail -n 100 | jq -R 'split(" ") | {date: .[0], time: .[1], level: .[2], message: .[3:] | join(" ")}' | \
  jq -s '.' > errors.json

See Also