Python-Postfix日志的最后一小时

Question

I am looking for an effective way of getting the past hour of the maillog log file created by postfix. I want to do that in python or in bash.

So far I have extracted the month and the day that is saved in the postfix log:

now_m = today.ctime().split()[1]
now_d = int(today.ctime().split()[2])

but am stuck over here and need some fresh ideas.

Any help would be greatly appreciated.

Code example:

Apr  2 11:53:15 server01 postfix/bounce[9177]: 62A347FB99: sender non-delivery notification: 6F4B67FB97
Apr  2 11:53:15 server01 postfix/qmgr[8140]: 5E9B07FB95: removed
Apr  2 11:53:15 server01 postfix/qmgr[8140]: 62A347FB99: removed
Apr  2 11:53:15 server01 postfix/qmgr[8140]: 6F5837FB98: from=<>, size=4054, nrcpt=1 (queue active)
Apr  2 11:53:15 server01 postfix/bounce[9182]: 652D67FB9D: sender non-delivery notification: 6F5837FB98
Apr  2 11:53:15 server01 postfix/qmgr[8140]: 652D67FB9D: removed
Apr  2 11:53:15 server01 postfix/qmgr[8140]: 6EE717FB92: from=<>, size=4926, nrcpt=1 (queue active)
Apr  2 11:53:15 server01 postfix/qmgr[8140]: 6F4B67FB97: from=<>, size=3448, nrcpt=1 (queue active)
Apr  2 11:53:15 server01 postfix/smtpd[9163]: disconnect from unknown[10.0.0.4]

and another example:

Aug 30 09:00:56 server01 postfix/qmgr[2321]: 1654A7FB86: removed
Aug 30 09:01:57 server01 postfix/smtpd[4320]: connect from unknown[10.0.0.0]
Aug 30 09:01:57 server01 postfix/smtpd[4320]: disconnect from unknown[10.0.0.0]
Aug 30 09:02:16 server01 postfix/smtpd[4320]: connect from unknown[10.0.0.0]
Aug 30 09:02:16 server01 postfix/smtpd[4320]: 21F077FB86: client=unknown[10.0.0.0]

Answer 1

It's simple:

NOW=`date +%s`; THEN=`expr $NOW - 3600`; until (("$THEN" > "$NOW")); do DATE=`date -d @\$THEN +'%b %e %k:%M:%S'`; grep -e "^$DATE" /var/log/maillog && sed -n -e "/^$DATE/,\$p" /var/log/maillog && break; THEN=`expr $THEN + 1`; done

In other words:

1) get current time $NOW

2) get time one hour ago $THEN

3) if there is a line beginning with $THEN, print the line and everything after it (and break the cycle)

4) increment $THEN by one second and repeat until $NOW (or until you find something)

It's not very efficient and not very fast but will probably serve you well.

Answer 2

The basic track is to read each line, and parse it's timestamp into a datetime.datetime object. There are several options to do so, eg using its .fromtimestamp (static) method. Or the more general parsers (see utile)

Then use datetime.datetime.now() and subtract datetime.timedelta(mins=60) ; the result can be compared to the parsed timestamp.

It as simple as that! No need to do any manual, work.

PS add an example of the log file/line next time. The we can give the concrete example code