
Overview
Monitoring outbound (egress) mail using Splunk isn’t as straightforward as you might think. I’ve put together a search string that will help identify egress email from an Ubuntu server.
Search
I’ve broken this down into parts but it can be merged into one long string.
host=HOSTNAME source=/var/log/syslog NOT "NOQUEUE" |
rex field=_raw "[^:]+:[^:]+:[^:]+: (?<MaybeUnique>\w+):" |
transaction MaybeUnique |
search from="@domain1.tld"
OR from="@domain2.tld"
OR from="@domain3.tld"
OR from="@domain4.tld" |
search NOT "postfix/pickup"
NOT "[email protected]" |
timechart count by host
You’ll need to change “HOSTNAME” to your own host, and change the domain*.tld parts to filter on the particular domains that egress mail.
You can remove “NOT [email protected]” if you don’t need to exclude email addresses. I exclude my monitoring email address so I only see “user” egress mail.
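To show why the rex and transaction steps are needed with this log structure, here is an added example (Python, not part of the original post) that applies the same pattern to constructed syslog lines, groups them per message ID, and applies the same filters. The host name, IDs, addresses and the exact-domain sender match are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# The rex pattern from the search, in Python's named-group syntax.
QUEUE_ID = re.compile(r"[^:]+:[^:]+:[^:]+: (?P<MaybeUnique>\w+):")
SENDER = re.compile(r"from=<([^>]+)>")

# Constructed sample syslog lines (hypothetical host, IDs and addresses).
SAMPLE = """\
Jan 12 10:01:01 mail postfix/smtpd[1201]: 3F2A1C0D5E: client=localhost[127.0.0.1]
Jan 12 10:01:02 mail postfix/qmgr[1100]: 3F2A1C0D5E: from=<alice@domain1.tld>, size=812, nrcpt=1 (queue active)
Jan 12 10:01:03 mail postfix/smtp[1210]: 3F2A1C0D5E: to=<bob@example.org>, status=sent (250 OK)
Jan 12 10:02:00 mail postfix/pickup[1150]: 7B9D4E1F22: uid=0 from=<root>
Jan 12 10:02:00 mail postfix/qmgr[1100]: 7B9D4E1F22: from=<root@domain1.tld>, size=400, nrcpt=1 (queue active)
Jan 12 10:02:30 mail postfix/smtpd[1201]: A1B2C3D4E5: client=localhost[127.0.0.1]
Jan 12 10:02:31 mail postfix/qmgr[1100]: A1B2C3D4E5: from=<monitor@domain2.tld>, size=300, nrcpt=1 (queue active)
Jan 12 10:02:40 mail postfix/smtpd[1201]: C4D5E6F708: client=localhost[127.0.0.1]
Jan 12 10:02:41 mail postfix/qmgr[1100]: C4D5E6F708: from=<carol@domain2.tld>, size=950, nrcpt=1 (queue active)
Jan 12 10:03:00 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Relay access denied; from=<mallory@domain1.tld>
Jan 12 10:03:10 mail postfix/qmgr[1100]: 9C0DE11A77: from=<dave@other.tld>, size=120, nrcpt=1 (queue active)
"""

def egress_by_domain(log, domains, exclude=()):
    """Count mail transactions per sender domain, mirroring the search's filters."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = QUEUE_ID.search(line)
        if m and "NOQUEUE" not in line:                   # NOT "NOQUEUE"
            groups[m.group("MaybeUnique")].append(line)   # transaction MaybeUnique
    counts = Counter()
    for lines in groups.values():
        text = "\n".join(lines)
        sender = SENDER.search(text)
        if "postfix/pickup" in text or not sender:        # search NOT "postfix/pickup"
            continue
        addr = sender.group(1).lower()
        domain = addr.rpartition("@")[2]
        if domain in domains and addr not in exclude:     # from=... / NOT excluded address
            counts[domain] += 1
    return dict(counts)

if __name__ == "__main__":
    print(egress_by_domain(SAMPLE, {"domain1.tld", "domain2.tld"}, {"monitor@domain2.tld"}))
```

The sender and the delivery status sit on different lines that share only the ID after the process name, which is why the lines have to be grouped before any filter on the sender can be applied to a whole message.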
Example String
[Image: example search string, sensitive information blanked out]

Example Chart
[Image: example chart]

Conclusion
Most things are quick and easy to search; this one is the exception, purely because of the log structure. I hope this helps.