Monitoring mail outbound (egress) using Splunk isn’t as straight forward as you might think. I’ve put together a nice search string that will help identify egress email from an Ubuntu server.


I’ve broken this down into parts but it can be merged into one long string.

host=HOSTNAME source=/var/log/syslog NOT "NOQUEUE" | 
rex field=_raw "[^:]+:[^:]+:[^:]+: (?\w+):" | 
transaction MaybeUnique | 
search from="@domain1.tld" | 
OR from="@domain2.tld" | 
OR from="@domain3.tld" |
OR from="@domain4.tld" | 
search NOT "postfix/pickup" | 
NOT "[email protected]" | 
timechart  count by host

You’ll need to change the “HOSTNAME”.

And change domain*.tld parts to filter on particular domains that egress mail.

You can remove “NOT [email protected]” if you don’t need to exclude email addresses. I exclude my monitoring email address so I only see “user” egress mail.

Example String

Click on image to see example (sensitive information is blanked out)


Example Chart


Most things are quick and easy to search except this one just because of the log structure, I hope this helps.


Leave a Reply

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.