Using Tail with Grep

I recently needed to search through my mail log to check whether an email had actually been sent when someone told me it had. I knew I could use grep for this but had no clue how to make it show me only the data I needed to see. After a quick review of the man page for grep, I came up with a very simple search. I knew I wanted to search the maillog in /var/log, and I knew I needed to see when, or even if, sender@domain.com had sent their email; here is the command I used:

# tail -n 100 /var/log/maillog | grep sender@domain.com

The tail command prints the end of the log file I point it at (in this instance, /var/log/maillog); the -n option sets how many lines from the end it prints – in this case, 100. Those lines are piped into grep, which prints only the ones containing sender@domain.com.
This query didn’t return any results, which made me question the command I had used. To verify my query was valid, I ran the command again using my own email address (since I knew I had sent an email from my gmail account to my personal email account that day). This time I got a result back showing the email I had sent from my gmail account; here’s the command and the resulting output:

# tail -n 100 /var/log/maillog | grep me@gmail.com
Jul 19 12:24:25 sendmail[25379]: p6JHOKeI025379: from=me@gmail.com, size=1667, class=0, nrcpts=2, msgid=, proto=ESMTP, daemon=MTA, relay=mail.gmail.com [xxx.xxx.xxx.xxx]

Now let’s say I want to actively watch for an email from sender@domain.com to come into the server; all I have to do is add the -f option so that tail will “follow” the log file, and grep will report any new lines added to the log that match my search criteria:

# tail -fn 100 /var/log/maillog | grep sender@domain.com

Since my query didn’t return any results, I know that, for whatever reason, the email sent from sender@domain.com isn’t making it to my server; oddly enough, about six hours later an email from them appeared in the logs – funny how that works…
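As an added example (not part of the original post), here the searches above are wrapped in small POSIX shell functions and run against a constructed sendmail-style log, so it works offline. The log lines, queue IDs, addresses and hosts in it are made up; tail -F and grep --line-buffered are GNU options and are assumed to be available. It adds two things the one-liners above do not show: grep -F, so the dots in the address are matched literally instead of as regex wildcards, and grep -w, so that a search for sender@domain.com does not also pick up a line for othersender@domain.com.

```shell
#!/bin/sh
# Added example, not from the original post: the tail | grep pattern wrapped in
# small shell functions, run against a constructed sendmail-style log so it
# works offline. All queue IDs, addresses and hosts below are made up.

# Constructed sample log; "othersender@domain.com" is there to show that a
# plain substring search for "sender@domain.com" also matches it.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul 19 09:01:02 sendmail[25001]: QID00001: from=other@example.net, size=980, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Jul 19 12:24:25 sendmail[25379]: QID00002: from=me@gmail.com, size=1667, class=0, nrcpts=2, proto=ESMTP, daemon=MTA, relay=mail.gmail.com [192.0.2.20]
Jul 19 12:24:26 sendmail[25379]: QID00002: to=<me@example.org>, delay=00:00:01, stat=Sent
Jul 19 15:10:40 sendmail[25890]: QID00003: from=othersender@domain.com, size=3100, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.domain.com [192.0.2.30]
Jul 19 18:30:11 sendmail[26102]: QID00004: from=sender@domain.com, size=2201, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.domain.com [192.0.2.30]
Jul 19 18:30:12 sendmail[26102]: QID00004: to=<me@example.org>, delay=00:00:01, stat=Sent
EOF

# search_mail_log LOGFILE ADDRESS [LINES]
# Same as the post's  tail -n LINES LOGFILE | grep ADDRESS  with two changes:
#  -F  treats ADDRESS as a literal string, so the dots in "domain.com" match
#      only dots (as a regex, "." matches any single character);
#  --  stops an address that starts with "-" from being read as an option.
# Exit status is grep's: 0 when at least one line matched, 1 when none did.
search_mail_log() {
    tail -n "${3:-100}" -- "$1" | grep -F -- "$2"
}

# search_mail_log_exact LOGFILE ADDRESS [LINES]
# Adds -w so the address must stand on its own: "othersender@domain.com" no
# longer matches a search for "sender@domain.com".
search_mail_log_exact() {
    tail -n "${3:-100}" -- "$1" | grep -Fw -- "$2"
}

# count_matches FUNCTION LOGFILE ADDRESS [LINES]
# Prints the number of lines FUNCTION returned; always exits 0, so it is safe
# inside $(...) under "set -e" even when nothing matched.
count_matches() {
    "$@" | wc -l | tr -d '[:space:]'
}

# watch_mail_log LOGFILE ADDRESS [LINES]
# The post's "tail -fn 100 ... | grep ..." (interactive, so not run here).
# tail -F (GNU) re-opens the file by name after logrotate replaces it;
# grep --line-buffered (GNU) flushes each match immediately, which matters
# when this pipeline is itself piped into a further command.
watch_mail_log() {
    tail -F -n "${3:-100}" -- "$1" | grep --line-buffered -F -- "$2"
}

# Stand-alone run: reproduce the post's searches on the constructed log.
echo "--- substring search for sender@domain.com (2 lines) ---"
search_mail_log "$SAMPLE_LOG" "sender@domain.com" || echo "(no match)"
echo "--- exact search for sender@domain.com (1 line) ---"
search_mail_log_exact "$SAMPLE_LOG" "sender@domain.com" || echo "(no match)"
echo "--- search for me@gmail.com (1 line) ---"
search_mail_log "$SAMPLE_LOG" "me@gmail.com" || echo "(no match)"
```

One caveat the functions make easy to miss: tail -n 100 only covers the last 100 lines, and a busy mail server can write that many in minutes. Before concluding that a message never arrived, drop the tail and search the whole file (grep -F sender@domain.com /var/log/maillog), including any rotated copies.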

