Today I ran into an issue with a hacked email account, and of course I use Postfix and SASL, so I started writing a grep command for my mail.log. I needed to find how many times each SASL user had logged into the system, and from what IP address. The command to tell how many times an account has logged in today and from what IP address, using Postfix standard logs, is below.
sudo grep sasl /var/log/mail.log | awk -F'[' '{print $3}' | sed 's/],//' | awk '{print $1 " " $3}' | awk -F= '{print $1 " " $2}' | awk '{print $1 " " $3}' | sort | uniq -c | sort -n
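
The same tally in a single awk pass, as an added example that is not part of the original post. It goes one step beyond the command above by also ranking users by how many distinct source IPs they logged in from, which is usually the quickest sign of a compromised account. The function names and the log lines are constructed for illustration; the lines assume the usual Postfix smtpd `client=host[ip], sasl_method=..., sasl_username=...` format.

```shell
#!/bin/sh
# Added example. The log lines are constructed samples in Postfix smtpd format.
sample_log() {
cat <<'EOF'
Mar  3 09:14:02 mx1 postfix/smtpd[2211]: connect from unknown[203.0.113.7]
Mar  3 09:14:03 mx1 postfix/smtpd[2211]: 4F1A2C0D3: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 09:20:41 mx1 postfix/smtpd[2298]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Mar  3 09:21:10 mx1 postfix/smtpd[2298]: 7B22D1E90: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 09:21:55 mx1 postfix/smtpd[2301]: 8C33E2FA1: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 10:02:17 mx1 postfix/smtpd[2410]: 9D44F30B2: client=mail.example.net[192.0.2.50], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  3 10:05:30 mx1 postfix/smtpd[2410]: AE5504C13: client=mail.example.net[192.0.2.50], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  3 11:47:09 mx1 postfix/smtpd[2533]: BF6615D24: client=unknown[2001:db8::15], sasl_method=LOGIN, sasl_username=alice@example.com
EOF
}

# Read a mail log on stdin; print "count user ip" per successful SASL login.
# Failed-auth warnings and plain connect lines carry no sasl_username= and are skipped.
sasl_login_counts() {
    awk '
    /sasl_username=/ && match($0, /client=[^ ]*\[[0-9A-Fa-f.:]+\]/) {
        ip = substr($0, RSTART, RLENGTH)      # "client=host[ip]"
        sub(/^.*\[/, "", ip)                  # drop everything up to "["
        sub(/\]$/, "", ip)                    # drop the closing "]"
        match($0, /sasl_username=[^, ]+/)
        user = substr($0, RSTART + 14, RLENGTH - 14)  # 14 = length("sasl_username=")
        n[user " " ip]++
    }
    END { for (k in n) print n[k], k }' | sort -n
}

# Print "distinct_ips total_logins user" for users seen from at least
# $1 different addresses (default 2), widest spread first.
sasl_users_by_ip_spread() {
    sasl_login_counts | awk -v min="${1:-2}" '
    { ips[$2]++; total[$2] += $1 }
    END { for (u in ips) if (ips[u] >= min) print ips[u], total[u], u }' | sort -rn
}

sample_log | sasl_login_counts
sample_log | sasl_users_by_ip_spread 2
```

To run it against the real log, pipe the file in instead of the sample, for example `sudo cat /var/log/mail.log | sasl_users_by_ip_spread 3`.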