The 20 Minute E-mail Solution!

IMail Log Analyzer


The IMail Log Analyzer is an analysis tool that compiles reports based on your IMail Server log files. It sorts through the log files and separates information into reports, enabling you to browse statistical information quickly and easily. You can select from up to 19 different reports that extract information such as:

Search options allow you to further define reports with settings like start and end date, start and end time, and the maximum number of returns per report. For your convenience, multiple reports are compiled into a single log analysis file, which contains detailed information from all of the requested reports. This file is stored in the same location as the specified log file, and can be created in either html or text format.

IMail Log Analyzer is accessible from Start > Programs > IMail > IMail Log Analyzer.

Analyzing a Log File

To analyze the contents of a log file or files, complete the following steps:

  1. Select the logs to analyze by clicking Select Logs and browsing to the file location. Select the log file name and click Open. Repeat this process until all of the logs you want to analyze are displayed.
     To remove log files from the top window, select the files you want to remove and click Remove Selected.
  2. For Report File, enter the location where the analysis will be stored. By default the analysis file is located in the IMail spool directory, and is called analyze.html.
  3. The analysis can be created in two formats: a text file or an HTML file.
    • To create the analysis in HTML, select HTML Report and make sure the filename entered for the Report File has an .html extension.
    • To create the analysis as a text file, clear HTML Report and make sure the filename entered for the Report File has a .txt extension.
      Tip: One advantage of creating an analysis in HTML is that a list of all report types appears at the top of the analysis with links to each report's information.
  4. Select the reports that you want to include in the log file analysis. For an explanation of each report, see "Report Types". To select all available reports, click Select All located below the report types. To clear all report types, click Clear All.
  5. Select the following options to further customize your log analysis:
    • Open report in default viewer. If selected, the report will automatically open in the default viewer when the analysis is complete. If you create an HTML analysis, your default browser opens. If you create a text analysis, your default text editor opens.
    • Save Settings. If selected, the current settings are saved when the application is closed. If this option is cleared, all settings are cleared and you must reset them the next time you run an analysis.
  6. (Optional) Set the desired Search Options as described below.
  7. Click Analyze to create your log analysis. The status bar at the bottom of the screen displays the status of the analysis as it is created.

Search Options

You can use the Search Options to further restrict your log analysis. The following options are available by clicking Options.

Start Date / End Date. Enter the dates from the log files that you want to create an analysis for. The format for both is 00/00. For example, if you enter a Start Date of 03/02, and an End Date of 05/02, this returns all entries from the selected log files between March 2 and May 2. If a selected log file has no entries for the specified time period, that log file is ignored when creating the analysis.

Start Time / End Time. Enter the time frame from the log files that you want to create an analysis for. The format for both is 00:00:00. For example, if you enter a Start Time of 14:00:00 and an End Time of 15:30:00, this returns all entries from the selected log files between 2:00 and 3:30. If a selected log file has no entries for the specified time period, that log file is ignored when creating the analysis.

Max Returns per Report. Limits the number of responses returned per report type. For example, if you enter 25, the log analyzer only displays 25 lines per report type.

Report Types

There are 26 report types to select when compiling an analysis. Below is an explanation of each report type. To use a report type in an analysis, select the checkbox located next to it. To disable a report type, clear the checkbox located next to it.

If you want to run all of the reports, select Select All located below the report types. To disable all report types, click Clear All located below the report types.
| Report Type | Explanation |
|---|---|
| SMTPD Connections | Number of SMTPD connections made, the IP address that made each connection and the number of occurrences. |
| SMTPD Errors | Number of SMTPD errors, including descriptions and number of occurrences. |
| SMTP Local Deliveries | Number of mail messages delivered to local addresses, and the addresses to which each delivery was made. |
| SMTP Senders Remote | Displays all "From" addresses when mail is sent to a remote server. Also lists the number of emails sent remotely by each "From" address. |
| SMTP Senders Local | Displays all "From" addresses for locally delivered mail. Also lists the number of local messages sent by each "From" address. |
| SMTP Remote Deliveries | Number of messages delivered to a remote address, and the addresses to which each delivery was made. |
| SMTP Remote Host Deliveries | Number of messages delivered to a remote host, a list of all remote hosts and the number of times an SMTP connection was established for each. |
| SMTP Errors | Number of SMTP Errors, descriptions and number of occurrences. |
| SMTP MX Failures | Number of times the internal NIC card could not connect to an external IP address. Also displays the IP addresses and number of times a connection was attempted. |
| Web Logins | Number of successful logins to Web Messaging. |
| Web Files | Number of Web files (html, sgi, gif and graphic files) that were viewed. Each file name appears with the number of times it was viewed. |
| Web HEAD Requests | Number of HTTP HEAD requests received by Web Messaging. HEAD requests generally occur when a client queries a document on your server to see if it is more recent than the cached version without downloading it. |
| Web Hits | Number of Web hits (socket connections) for Web Messaging, each IP address that accessed the server and number of occurrences. |
| Web Errors | Number of errors that occurred on the Web Messaging server, including descriptions and number of occurrences. |
| POP Logins | Number of successful user logins to the POP3 server. |
| IMAP Logins | Number of successful user logins to the IMAP4 server. |
| IMAP Errors | Number of errors that occurred on the IMAP4 server, including descriptions and number of occurrences. |
| POP Errors | Number of errors that occurred on the POP3 server, including descriptions and number of occurrences. |
| Unknown Log Lines | Unidentifiable log entries. Displays the total number of occurrences, and descriptions. |
| Remote Delivery Size (by sending domain) | The size, in bytes, of the total number of remote deliveries made, the domain name from which the mail was sent, and the number of messages delivered. |
| Remote Delivery Size (by sender) | Size, in bytes, of the remote deliveries made, including the address from which it was sent, and the number of messages delivered. |
| Remote Delivery Size (by recipient domain) | Size, in bytes, of the remote delivery messages made, including the domain name to which the message was sent, and the number of messages delivered. |
| Local Delivery Size (sender domain) | Size, in bytes, of local delivery messages made, including the domain name that sent the mail, and the number of messages delivered. |
| Local Delivery Size (sender) | Size, in bytes, of the local delivery messages, including the address from which it was sent, and the number of messages delivered. |
| Local Delivery Size (recipient) | Size, in bytes, of the local delivery messages made, including the address to which it was sent, and the number of messages delivered. |
| Local Delivery Size (recipient domain) | Size of the local delivery messages made, including the domain name to which it was sent, and the number of messages delivered. |

Interpreting the Analysis

Whether you choose to create your analysis as a text file or an html file, the information returned is the same.

At the top of the analysis are the Log Start time and Log End time. These times represent the beginning and ending time from which the analysis was compiled. All report information in the analysis is from within this time period. Also listed are the names of all the log files that were analyzed to create the log report.

The remainder of the analysis consists of the report data. Data is separated into categories by the report types that you selected during setup. All data is sorted in descending order starting with the highest number of occurrences or file size.

Running Log Analyzer as a Command Line Utility

In addition to using the administrative console, IMail Log Analyzer can be run from the command prompt using C:\[IMail Top Level Directory]\Analyze.exe.

Basic Command Syntax

Analyze H r1 r2 r3 ... r26 Ofilename Ffilename Lmaxlines
| Option | Function |
|---|---|
| r1-r26 | The report types to generate. |
| O | The output file name, with the file path if desired. |
| F | The Input file name. This can include wildcards. Multiple F commands are accepted. |
| L | Maximum number of lines to output per report. A value of L10 returns the top 10 occurrences in each report. |
| H | Enables HTML output. If this option is not present, the output reports are generated in text format. |

Example Command Line Entry

Analyze r1 r2 r7 r9 r15 Oc:\reports\report.html Fc:\imail\spool\sys1012.txt FC:\[IMail Top Level Directory]\spool\w*.log L10 H

The above example creates an HTML analysis file called Report.html which contains 10 lines for each of the following: SMTPD connections, SMTPD errors, SMTP Remote Host Deliveries, SMTP MX Failures, POP logins. The log files used for the analysis are sys1012.txt and w*.log.

Report Type Commands

The following are the available command entries for the Report type.
| Command | Report | Command | Report |
|---|---|---|---|
| R1 | SMTPD Connections | R14 | Web Errors |
| R2 | SMTPD Errors | R15 | POP Logins |
| R3 | SMTP Local Deliveries | R16 | IMAP Logins |
| R4 | SMTP Senders Remote | R17 | IMAP Errors |
| R5 | SMTP Senders Local | R18 | POP Errors |
| R6 | SMTP Remote Deliveries | R19 | Unknown Log Lines |
| R7 | SMTP Remote Host Deliveries | R20 | Remote Delivery Size (by sending domain) |
| R8 | SMTP Errors | R21 | Remote Delivery Size (by sender) |
| R9 | SMTP MX Failures | R22 | Remote Delivery Size (by recipient domain) |
| R10 | Web Logins | R23 | Local Delivery Size (by sender domain) |
| R11 | Web Files | R24 | Local Delivery Size (by sender) |
| R12 | Web HEAD Requests | R25 | Local Delivery Size (by recipient) |
| R13 | Web Hits | R26 | Local Delivery Size (by recipient domain) |



Ipswitch, Inc.
http://www.ipswitch.com
©Ipswitch 2005