Sendmail: Theory and Practice, Second Edition

As Sendmail runs, it writes transaction records using the syslog facility. The syslog facility can be configured to mix Sendmail's log records in with everything else it receives, or it can be set up to write a separate log file just for Sendmail. Sendmail's syslog volume will probably dwarf all the rest of your syslog traffic combined; this follows from the fact that syslog was written to be part of Sendmail originally. It makes sense that Sendmail will always be syslog's best customer.
You might find your Sendmail logs in any of the following places:
/var/spool/mqueue/syslog
/var/log/syslog
/var/log/maillog
/var/log/sendmail
It all depends on what you've got in your syslog configuration file. The file will probably be named /etc/syslog.conf, but you know how vendors love to move stuff around, so if you don't find it at first, keep looking.
The format of Sendmail's syslog records varies according to the whim of your vendor or whichever clever person you got your Sendmail from. Even Berkeley Sendmail's syslog record format has evolved a little over time, so be prepared for variation among the different kinds of hosts you maintain. It is especially important to keep format variations in mind when you write Perl or AWK scripts that post-process the syslog files. The examples we'll show here came from King James Sendmail, aka DECWRL-IDA Sendmail. Note that Sendmail can log a lot of data per mail message, or it can log very little.
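The following Python example is added here and is not taken from the book. It post-processes Sendmail syslog records without assuming a field order, and it counts the lines it could not interpret instead of dropping them silently. The sample records and the `<queue-id>: key=value, key=value` layout are constructed assumptions; the format on your hosts may differ.

```python
import re
from collections import Counter

# Constructed sample records (not from the book). Field order and field
# presence differ on purpose, to mimic variation between vendors.
SAMPLE = """\
Mar  3 10:15:01 mx1 sendmail[412]: AA00412: from=<alice@example.org>, size=1204, class=0
Mar  3 10:15:02 mx1 sendmail[414]: AA00412: to=<bob@example.com>, delay=00:00:01, stat=Sent
Mar  3 10:15:09 mx2 sendmail[77]: AA00077: size=88, from=carol@example.net
Mar  3 10:15:10 mx2 sendmail[77]: AA00077: stat=Deferred: Connection refused, to=dave@example.com
Mar  3 10:15:11 mx2 sendmail[78]: alias database rebuilt
Mar  3 10:15:12 mx1 cron[900]: (root) CMD (run-parts)
"""

# Syslog prefix: timestamp, host, "sendmail[pid]:", then free-form text.
PREFIX = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sendmail\[(\d+)\]: (.*)$")
QUEUED = re.compile(r"^(\w+): (\w+=.*)$")  # assumed: alphanumeric queue id
# Split on ", " only where a new key= follows, so commas inside values survive.
PAIR_SEP = re.compile(r", (?=\w+=)")

def parse_line(line):
    """Return a record dict, or None if the line is not a Sendmail record."""
    m = PREFIX.match(line)
    if not m:
        return None
    when, host, pid, rest = m.groups()
    rec = {"when": when, "host": host, "pid": int(pid), "qid": None, "fields": {}}
    q = QUEUED.match(rest)
    if not q:
        rec["text"] = rest  # Sendmail record with no key=value pairs
        return rec
    rec["qid"] = q.group(1)
    for pair in PAIR_SEP.split(q.group(2)):
        key, _, value = pair.partition("=")
        rec["fields"][key] = value.strip("<>") if key in ("from", "to") else value
    return rec

def summarize(text):
    """Merge fields per queue id; count parsed, unstructured and skipped lines."""
    stats, by_qid = Counter(), {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            stats["skipped"] += 1
        elif rec["qid"] is None:
            stats["unstructured"] += 1
        else:
            stats["parsed"] += 1
            by_qid.setdefault(rec["qid"], {}).update(rec["fields"])
    return stats, by_qid
```

A rising `unstructured` or `skipped` count after a Sendmail or operating-system upgrade is a sign that the record format changed and the script needs another look.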