postfix logs

From and To

host=*smtp* (sourcetype=postfix_log OR sourcetype=postfix_syslog OR sourcetype=message_log)
| rex field=_raw "[^:]+:[^:]+:[^:]+: (?<postfix_id>[A-F0-9]\w+):"
| transaction postfix_id
| rex field=_raw "from=\<(?<postfix_from>.*?)\>,"
| rex field=_raw " (to|orig_to)=\<(?<postfix_to>.*?)\>"
| rex field=_raw "relay=(?<postfix_relay_dns>.*?)\[(?<postfix_relay_ip>.*?)\]"
| table _time, postfix_from, postfix_to, postfix_relay_dns, postfix_relay_ip

The sourcetype values are assigned by the Splunk forwarder running on the SMTP server.
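To show the same correlation offline, here is an added Python example (not from the original page) that applies the page's regexes to constructed sample syslog lines and groups them by queue id, the way `transaction postfix_id` does. Unlike `rex` with its default of one match per event, it keeps every recipient of a multi-recipient message, and the relay pattern is widened to accept `relay=local` with no bracketed IP.

```python
import re
from collections import defaultdict

# Constructed sample Postfix syslog lines (not taken from any real server).
SAMPLE_LOG = """\
Mar  3 10:15:01 mx1 postfix/smtpd[2101]: 4B1C2D3E4F: client=unknown[198.51.100.7]
Mar  3 10:15:01 mx1 postfix/cleanup[2105]: 4B1C2D3E4F: message-id=<abc@example.net>
Mar  3 10:15:01 mx1 postfix/qmgr[1999]: 4B1C2D3E4F: from=<alice@example.net>, size=2048, nrcpt=2 (queue active)
Mar  3 10:15:02 mx1 postfix/smtp[2110]: 4B1C2D3E4F: to=<bob@example.org>, relay=mail.example.org[203.0.113.25]:25, delay=0.8, status=sent (250 2.0.0 OK)
Mar  3 10:15:02 mx1 postfix/smtp[2110]: 4B1C2D3E4F: to=<carol@example.org>, orig_to=<sales@example.org>, relay=mail.example.org[203.0.113.25]:25, delay=0.9, status=sent (250 2.0.0 OK)
Mar  3 10:15:03 mx1 postfix/qmgr[1999]: 4B1C2D3E4F: removed
Mar  3 10:16:00 mx1 postfix/qmgr[1999]: 7A8B9C0D1E: from=<>, size=512, nrcpt=1 (queue active)
Mar  3 10:16:00 mx1 postfix/local[2120]: 7A8B9C0D1E: to=<root@mx1>, relay=local, delay=0.1, status=sent (delivered to mailbox)
"""

# Same patterns as the Splunk search: queue id after the third ':'-delimited
# field, then from=<...>, to=/orig_to=<...>; relay= also accepts an unbracketed value.
QUEUE_ID_RE = re.compile(r"^[^:]+:[^:]+:[^:]+: (?P<postfix_id>[A-F0-9]\w+):")
FROM_RE = re.compile(r"from=<(?P<postfix_from>.*?)>,")
TO_RE = re.compile(r" (?:to|orig_to)=<(?P<postfix_to>.*?)>")
RELAY_RE = re.compile(r"relay=(?P<dns>[^,\[\s]+)(?:\[(?P<ip>[^\]]*)\])?")


def correlate(log_text: str) -> dict:
    """Group lines by queue id and merge from/to/relay, like `transaction postfix_id`."""
    txns = defaultdict(lambda: {"time": None, "from": None, "to": [],
                                "relay_dns": None, "relay_ip": None})
    for line in log_text.splitlines():
        m = QUEUE_ID_RE.match(line)
        if not m:
            continue  # no queue id on this line (e.g. connect/disconnect events)
        t = txns[m.group("postfix_id")]
        if t["time"] is None:
            t["time"] = line[:15]  # syslog timestamp of the first event in the transaction
        fm = FROM_RE.search(line)
        if fm:
            t["from"] = fm.group("postfix_from")  # empty string for bounces (from=<>)
        t["to"].extend(TO_RE.findall(line))  # all recipients, not just the first match
        rm = RELAY_RE.search(line)
        if rm:
            t["relay_dns"], t["relay_ip"] = rm.group("dns"), rm.group("ip")
    return dict(txns)


if __name__ == "__main__":
    for qid, t in correlate(SAMPLE_LOG).items():
        print(qid, t["time"], t["from"], t["to"], t["relay_dns"], t["relay_ip"])
```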