Now that you have seen the basics of exigrep, let us dive into some e-mail troubleshooting where exigrep really shines.
Picking a Search String
Choosing the right search string for exigrep can help you find your e-mail issue faster. Exigrep will match any string against any line in exim’s error_log. But just what is in the log for you to search for?
- Timestamp: the beginning of each line has the date and time in ISO standard format. If you know approximately when an email failed to get through, you could search for that time.
- Transaction ID: each transaction has a unique identification string; if for some reason you happen to know this, it is easily the easiest thing for exigrep to find.
- Hostnames: both the sending and receiving MX servers are listed. If you are troubleshooting a problem sending to a particular mailserver, this could be useful to search for.
- Subjects: each transaction logs the subject of the e-mail. If you know the entire subject, or if you know an uncommon word is in the subject, that might be a useful and unique piece of information to search for.
- Sender and Recipient E-mail Addresses: by far the most useful part of the log to search for.
Exigrep and Redirection
Suppose you are having trouble sending e-mail to a specific e-mail address. Or, perhaps you sent one particular e-mail to someone, but you want to make sure that it left your mailserver just fine.
The easiest way to find this transaction is to chain together two exigreps using the pipe, or “|” command. The search will look something like this:
exigrep "email@example.com" /var/log/exim_mainlog | exigrep "firstname.lastname@example.org"
The command starts out by exigrepping for a particular e-mail address. The pipe (|) takes the results from from the first exigrep, and sends them as an argument to the second exigrep instead of printing them to the screen. This is why the second exigrep does not have the path to the logfile at the end; the output from the first exigrep replaces the logfile.
This will give you every transaction in the logfile that has both of those e-mail addresses in it. The most recent ones will be at the bottom of the output. If you have an approximate idea of what time it was sent, you might want to pipe this output to another exigrep searching for the hour in which it was sent; otherwise you should be able to quickly scan each transaction visually for the proper time until you find the one you are looking for.
Hopefully you now have some tricks under your belt to troubleshoot mail issues by using exigrep. Further articles on this topic will focus on exim log entries for e-mail transactions that do not go as planned.