.TH AMAVIS-LOGWATCH 1
.ad
.fi
.SH NAME
amavis-logwatch
\-
An Amavisd-new log parser and analysis utility
.SH "SYNOPSIS"
.na
.nf
.fi
\fBamavis-logwatch\fR [\fIoptions\fR] [\fIlogfile ...\fR]
.SH DESCRIPTION
.ad
.fi
The \fBamavis-logwatch\fR(1) utility is an Amavisd-new log parser
that produces summaries, details, and statistics regarding
the operation of Amavisd-new (henceforth, simply called Amavis).
.PP
This utility can be used as a
standalone program, or as a Logwatch filter module to produce
Amavisd-new summary and detailed reports from within Logwatch.
.PP
\fBAmavis-logwatch\fR is able to produce
a wide range of reports with data grouped and sorted as much as possible
to reduce noise and highlight patterns.
Brief summary reports provide a
quick overview of general Amavis operations and message
delivery, calling out warnings that may require attention.
Detailed reports provide easy to scan, hierarchically-arranged
and organized information, with as much or little detail as
desired.
.PP
Much of the interesting data is available when Amavis'
$log_level is set to at least 2.
See \fBAmavis Log Level\fR below.
.PP
\fBAmavis-logwatch\fR outputs two principal sections: a \fBSummary\fR section
and a \fBDetailed\fR section.
For readability and quick scanning, all event or hit counts appear in the left column,
followed by a brief description of the event type, and finally additional
statistics or count representations may appear in the rightmost column.

The following segment from a sample Summary report illustrates:
.RS 4
.nf

****** Summary ********************************************

       9   Miscellaneous warnings

   20313   Total messages scanned ----------------  100.00%
1008.534M  Total bytes scanned                1,057,524,252
========   ================================================

    1190   Blocked -------------------------------    5.86%
      18     Malware blocked                          0.09%
       4     Banned name blocked                      0.02%
     416     Spam blocked                             2.05%
     752     Spam discarded (no quarantine)           3.70%

   19123   Passed --------------------------------   94.14%
      47     Bad header passed                        0.23%
   19076     Clean passed                            93.91%
========   ================================================

      18   Malware -------------------------------    0.09%
      18     Malware blocked                          0.09%

       4   Banned --------------------------------    0.02%
       4     Banned file blocked                      0.02%

    1168   Spam ----------------------------------    5.75%
     416     Spam blocked                             2.05%
     752     Spam discarded (no quarantine)           3.70%

   19123   Ham -----------------------------------   94.14%
      47     Bad header passed                        0.23%
   19076     Clean passed                            93.91%
========   ================================================

    1982   SpamAssassin bypassed
      32   Released from quarantine
       2   DSN notification (debug supplemental)
       2   Bounce unverifiable
    2369   Whitelisted
       2   Blacklisted
      12   MIME error
      58   Bad header (debug supplemental)
      40   Extra code modules loaded at runtime

.fi
.RE 0
The report indicates there were 9 general warnings, and
\fBAmavis\fR scanned a total of 20313 messages
for a total of 1008.53 megabytes or 1,057,524,252 bytes.
The next summary group shows the Blocked / Passed overview,
with 1190 Blocked messages (broken down as 18 messages blocked as malware,
4 messages with banned names, 416 spam messages, and 752 discarded
messages), and 19123 Passed messages (47 messages with bad headers
and 19076 clean messages).

The next (optional) summary grouping shows message disposition by contents category.
There were 18 malware messages and 4 banned file messages (all blocked),
1168 Spam messages, of which 416 were blocked (quarantined) and 752 discarded.
Finally, there were 19123 messages considered to be Ham (i.e. not spam), 47
of which contained bad headers.

Additional count summaries for a variety of events are also listed.
.PP
There are dozens of sub-sections available in the \fBDetailed\fR report, each of
whose output can be controlled in various ways.
Each sub-section attempts to group and present the most meaningful data at superior levels,
while pushing less useful or \fInoisy\fR data towards inferior levels.
The goal is to provide as much benefit as possible from smart grouping of
data, to allow faster report scanning, pattern identification, and problem solving.
Data is always sorted in descending order by count, and then numerically by IP address
or alphabetically as appropriate.
.PP
The following Spam blocked segment from a sample \fBDetailed\fR report
illustrates the basic hierarchical level structure of \fBamavis-logwatch\fR:
.RS 4
.nf

****** Detailed *******************************************

   19346   Spam blocked -----------------------------------
     756      from@example.com
      12         10.0.0.2
      12            <>
      12         192.168.2.2
      12            <>
       5         192.168.2.1
           ...

.fi
.RE 0
.PP
The \fBamavis-logwatch\fR utility reads from STDIN or from the named Amavis
\fIlogfile\fR.
Multiple \fIlogfile\fR arguments may be specified, each processed
in order.
The user running \fBamavis-logwatch\fR must have read permission on
each named log file.
.PP
.SS Options
The options listed below affect the operation of \fBamavis-logwatch\fR.
Options specified later on the command line override earlier ones.
Any option may be abbreviated to an unambiguous length.

.IP "\fB--[no]autolearn\fR"
.PD 0
.IP "\fB--show_autolearn \fIboolean\fR"
.PD
Enables (disables) output of the autolearn report.
This report is only available if the default Amavis \fB$log_templ\fR
has been modified to provide autolearn results in log entries.
This can be done by uncommenting two lines in the Amavis program itself (where the
default log templates reside), or by correctly adding the \fB$log_templ\fR
variable to the \fBamavisd.conf\fR file.
See Amavis' \fBREADME.customize\fR and search near the end
of the Amavisd program for "autolearn".
.IP "\fB--[no]by_ccat_summary\fR"
.PD 0
.IP "\fB--show_by_ccat_summary \fIboolean\fR"
.PD
Enables (disables) the by contents category summary in the \fBSummary\fR section.
Default: enabled.
.IP "\fB-f \fIconfig_file\fR"
.PD 0
.IP "\fB--config_file \fIconfig_file\fR"
.PD
Use an alternate configuration file \fIconfig_file\fR instead of
the default.
This option may be used more than once.
Multiple configuration files will be processed in the order presented on the command line.
See \fBCONFIGURATION FILE\fR below.
.IP "\fB--debug \fIkeywords\fR"
Output debug information during the operation of \fBamavis-logwatch\fR.
The parameter \fIkeywords\fR is one or more comma or space separated keywords.
To obtain the list of valid keywords, use --debug xxx where xxx is any invalid keyword.
.IP "\fB--detail \fIlevel\fR"
Sets the maximum detail level for \fBamavis-logwatch\fR to \fIlevel\fR.
This option is global, overriding any other output limiters described below.

The \fBamavis-logwatch\fR utility
produces a \fBSummary\fR section, a \fBDetailed\fR section, and
additional report sections.
With \fIlevel\fR less than 5, \fBamavis-logwatch\fR will produce
only the \fBSummary\fR section.
At \fIlevel\fR 5 and above, the \fBDetailed\fR section, and any
additional report sections are candidates for output.
Each incremental increase in \fIlevel\fR generates one additional
hierarchical sub-level of output in the \fBDetailed\fR section of the report.
At \fIlevel\fR 10, all levels are output.
Lines that exceed the maximum report width (specified with
\fBmax_report_width\fR) will be cut.
Setting \fIlevel\fR to 11 will prevent lines in the report from being cut (see also \fB--line_style\fR).
.IP "\fB--[no]first_recip_only\fR"
.PD 0
.IP "\fB--show_first_recip_only \fIboolean\fR"
.PD
Specifies whether or not to sort by, and show, only the first
recipient when a scanned message contains multiple recipients.
.IP "\fB--help\fR"
Print usage information and a brief description about command line options.
.IP "\fB--ipaddr_width \fIwidth\fR"
Specifies that IP addresses in address/hostname pairs should be printed
with a field width of \fIwidth\fR characters.
Increasing the default may be useful for systems using long IPv6 addresses.
.IP "\fB-l limiter=levelspec\fR"
.PD 0
.IP "\fB--limit limiter=levelspec\fR"
.PD
Sets the level limiter \fIlimiter\fR with the specification \fIlevelspec\fR.
.IP "\fB--line_style \fIstyle\fR"
Specifies how to handle long report lines.
Three styles are available: \fBfull\fR, \fBtruncate\fR, and \fBwrap\fR.
Setting \fIstyle\fR to \fBfull\fR will prevent cutting lines to \fBmax_report_width\fR;
this is what occurs when \fBdetail\fR is 11 or higher.
When \fIstyle\fR is \fBtruncate\fR (the default),
long lines will be truncated according to \fBmax_report_width\fR.
Setting \fIstyle\fR to \fBwrap\fR will wrap lines longer than \fBmax_report_width\fR such that
left column hit counts are not obscured.
This option takes precedence over the line style implied by the \fBdetail\fR level.
The options \fB--full\fR, \fB--truncate\fR, and \fB--wrap\fR are synonyms.

.IP "\fB--nodetail\fR"
Disables the \fBDetailed\fR section of the report, and all supplemental reports.
This option provides a convenient mechanism to quickly disable all sections
under the \fBDetailed\fR report, where subsequent command line
options may re-enable one or more sections to create specific reports.

.PD 0
.IP "\fB--sarules \fR\`\fIS,H\fR\'"
.IP "\fB--sarules default"
.PD
Enables the SpamAssassin Rules Hit report.
The comma-separated \fIS\fR and \fIH\fR arguments are top N values for the Spam and Ham
reports, respectively, and can be any integer greater than or equal to 0, or the keyword \fBall\fR.
The keyword \fBdefault\fR uses the built-in default values.
.IP "\fB--nosarules\fR"
Disables the SpamAssassin Rules Hit report.

.PD 0
.IP "\fB--sa_timings \fR\fInrows\fR"
Enables the SpamAssassin Timings percentiles report.
The report can be limited to the top N rows with the \fInrows\fR argument.
This report requires Amavis 2.6+ and SpamAssassin 3.3+.
.PD
.IP "\fB--sa_timings_percentiles \fR\`\fIP1 [P2 ...]\fR\'"
Specifies the percentiles shown in the SpamAssassin Timings report.
The arguments \fIP1 ...\fR are integers from 0 to 100 inclusive.
Their order will be preserved in the report.
.IP "\fB--nosa_timings\fR"
Disables the SpamAssassin Timings report.

.PD 0
.IP "\fB--score_frequencies \fR\`\fIB1 [B2 ...]\fR\'"
.IP "\fB--score_frequencies default"
.PD
Enables the Spam Score Frequency report.
The arguments \fIB1 ...\fR are frequency distribution buckets, and can be any real numbers.
Their order will be preserved in the report.
The keyword \fBdefault\fR uses the built-in default values.
.IP "\fB--noscore_frequencies\fR"
Disables the Spam Score Frequency report.

.PD 0
.IP "\fB--score_percentiles \fR\`\fIP1 [P2 ...]\fR\'"
.IP "\fB--score_percentiles default"
.PD
Enables the Spam Score Percentiles report.
The arguments \fIP1 ...\fR specify the percentiles shown in the report,
and are integers from 0 to 100 inclusive.
The keyword \fBdefault\fR uses the built-in default values.
.IP "\fB--noscore_percentiles\fR"
Disables the Spam Score Percentiles report.

.IP "\fB--[no]sect_vars\fR"
.PD 0
.IP "\fB--show_sect_vars \fIboolean\fR"
.PD
Enables (disables) supplementing each \fBDetailed\fR section title
with the name of that section's level limiter.
The name displayed is the command line option (or configuration
file variable) used to limit that section's output.
.
With the large number of level limiters available in \fBamavis-logwatch\fR,
this is a convenient mechanism for determining exactly which level limiter
affects a section.
.IP "\fB--[no]startinfo\fR"
.PD 0
.IP "\fB--show_startinfo \fIboolean\fR"
.PD
Enables (disables) the Amavis startup report showing most recent Amavis startup details.
.IP "\fB--[no]summary\fR"
.IP "\fB--show_summary\fR"
Enables (disables) displaying of the \fBSummary\fR section of the report.
The variable Amavis_Show_Summary is used in a configuration file.
.IP "\fB--syslog_name \fInamepat\fR"
Specifies the syslog service name that \fBamavis-logwatch\fR uses
to match syslog lines.
Only log lines whose service name matches
the Perl regular expression \fInamepat\fR will be used by
\fBamavis-logwatch\fR; all non-matching lines are silently ignored.
This is useful when a pre-installed Amavis package uses a name
other than the default (\fBamavis\fR).

\fBNote:\fR if you use parentheses in your regular expression, be sure they are cloistering
and not capturing: use \fB(?:\fIpattern\fB)\fR instead of \fB(\fIpattern\fB)\fR.

.PD 0
.IP "\fB--timings \fR\fIpercent\fR"
Enables the Amavis Scan Timings percentiles report.
The report can be top N-percent limited with the \fIpercent\fR argument.
.PD
.IP "\fB--timings_percentiles \fR\`\fIP1 [P2 ...]\fR\'"
Specifies the percentiles shown in the Scan Timings report.
The arguments \fIP1 ...\fR are integers from 0 to 100 inclusive.
Their order will be preserved in the report.
.IP "\fB--notimings\fR"
Disables the Amavis Scan Timings report.
.IP "\fB--version\fR"
Print \fBamavis-logwatch\fR version information.

.SS Level Limiters
.PP
The output of every section in the \fBDetailed\fR report is controlled by a level limiter.
The name of the level limiter variable will be output when the \fBsect_vars\fR option is set.
Level limiters are set either via command line in standalone mode with the \fB--limit \fIlimiter\fB=\fIlevelspec\fR option,
or via the configuration file variable \fB$amavis_\fIlimiter\fB=\fIlevelspec\fR.
Each limiter requires a \fIlevelspec\fR argument, which is described below in \fBLEVEL CONTROL\fR.

The list of level limiters is shown below.

.de TQ
. br
. ns
. TP \\$1
..

.PD 0
.PP
Amavis major contents category (ccatmajor) sections, listed in order of priority:
VIRUS, BANNED, UNCHECKED, SPAM, SPAMMY, BADH, OVERSIZED, MTA, CLEAN.

.IP "\fBMalwareBlocked"
.IP "\fBMalwarePassed"
Blocked or passed messages that contain malware (ccatmajor: VIRUS).

.IP "\fBBannedNameBlocked"
.IP "\fBBannedNamePassed"
Blocked or passed messages that contain banned names in MIME parts (ccatmajor: BANNED).

.IP "\fBUncheckedBlocked"
.IP "\fBUncheckedPassed"
Blocked or passed messages that were not checked by a virus scanner or SpamAssassin (Amavis ccatmajor: UNCHECKED).

.IP "\fBSpamBlocked"
.IP "\fBSpamPassed"
Blocked or passed messages that were considered spam that reached kill level (Amavis ccatmajor: SPAM).

.IP "\fBSpammyBlocked"
.IP "\fBSpammyPassed"
Blocked or passed messages that were considered spam, but did not reach kill level (Amavis ccatmajor: SPAMMY).

.IP "\fBBadHeaderBlocked"
.IP "\fBBadHeaderPassed"
Blocked or passed messages that contain bad mail headers (ccatmajor: BAD-HEADER).

.IP "\fBOversizedBlocked"
.IP "\fBOversizedPassed"
Blocked or passed messages that were considered oversized (Amavis ccatmajor: OVERSIZED).

.IP "\fBMtaBlocked"
.IP "\fBMtaPassed"
Blocked or passed messages due to failure to re-inject to MTA (Amavis ccatmajor: MTA-BLOCKED).
Occurrences of this event indicate a configuration problem.
[ note: I don't believe mtapassed occurs, but exists for completeness.]

.IP "\fBOtherBlocked"
.IP "\fBOtherPassed"
Blocked or passed messages that are not in any of the other major contents categories (Amavis ccatmajor: OTHER).

.IP "\fBTempFailBlocked"
.IP "\fBTempfailPassed"
Blocked or passed messages that had a temporary failure (Amavis ccatmajor: TEMPFAIL).

.IP "\fBCleanBlocked"
.IP "\fBCleanPassed "
Messages blocked or passed which were considered clean (Amavis ccatmajor: CLEAN; i.e. non-spam, non-viral).

.PP
Other sections, arranged alphabetically:

.IP "\fBAvConnectFailure"
Problems connecting to Anti-Virus scanner(s).

.IP "\fBAvTimeout"
Timeouts awaiting responses from Anti-Virus scanner(s).

.IP "\fBArchiveExtract"
Archive extraction problems.

.IP "\fBBadHeaderSupp"
Supplemental debug information regarding messages containing bad mail headers.

.IP "\fBBayes"
Message frequencies by Bayesian probability buckets.

.IP "\fBBadAddress"
Invalid mail address syntax.

.IP "\fBBlacklisted"
Messages that were (soft-)blacklisted. See also Whitelisted below.

.IP "\fBBounceKilled"
.IP "\fBBounceRescued"
.IP "\fBBounceUnverifiable"
Disposition of incoming bounce messages (DSNs).

.IP "\fBContentType"
MIME attachment breakdown by type/subtype.

.IP "\fBDccError"
Errors encountered with or returned by DCC.

.IP "\fBDefangError"
Errors encountered during defang process.

.IP "\fBDefanged"
Messages defanged (rendered harmless).

.IP "\fBDsnNotification"
Errors encountered during attempt to send delivery status notification.

.IP "\fBDsnSuppressed"
Delivery status notification (DSN) intentionally suppressed.

.IP "\fBExtraModules"
Additional code modules Amavis loaded during runtime.

.IP "\fBFakeSender"
Forged sender addresses, as determined by Amavis.

.IP "\fBFatal"
Fatal events. These are presented at the top of the report, as they may require attention.

.IP "\fBLocalDeliverySkipped"
Failures delivering to a local address.

.IP "\fBMalwareByScanner"
Breakdown of malware by scanner(s) that detected the malware.

.IP "\fBMimeError"
Errors encountered during MIME extraction.

.IP "\fBPanic"
Panic events. These are presented at the top of the report, as they may require attention.

.IP "\fBp0f"
Passive fingerprint (p0f) hits, grouped by mail contents type (virus, unchecked, banned, spam, ham),
next by operating system genre, and finally by IP address.
Note: Windows systems are refined by Windows OS version, whereas versions of other operating systems
are grouped generically.

.IP "\fBReleased"
Messages that were released from Amavis quarantine.

.IP "\fBSADiags"
Diagnostics as reported from SpamAssassin.

.IP "\fBSmtpResponse"
SMTP responses received during dialog with MTA. These log entries are primarily debug.

.IP "\fBTmpPreserved"
Temporary directories preserved by Amavis when some component encounters a problem or failure.
Directories listed and their corresponding log entries should be evaluated for problems.

.IP "\fBVirusScanSkipped"
Messages that could not be scanned by a virus scanner.

.IP "\fBWarning"
Warning events not categorized in specific warnings below.
These are presented at the top of the report, as they may require attention.

.IP "\fBWarningAddressModified"
Incomplete email addresses modified by Amavis for safety.

.IP "\fBWarningNoQuarantineId"
Attempts to release a quarantined message that did not contain an X-Quarantine-ID header.

.IP "\fBWarningSecurity \fIlevelspec\fR"
Insecure configuration or utility used by Amavis.

.IP "\fBWarningSmtpShutdown"
Failures during SMTP conversation with MTA.

.IP "\fBWarningSql"
Failures to communicate with, or error replies from, SQL service.

.IP "\fBWhitelisted"
Messages that were (soft-)whitelisted. See also Blacklisted above.

.PD
.SH LEVEL CONTROL
.ad
.fi
The \fBDetailed\fR section of the report consists of a number of sub-sections,
each of which is controlled both globally and independently.
Two settings influence the output provided in the \fBDetailed\fR report:
a global detail level (specified with \fB--detail\fR) which has final (big hammer)
output-limiting control over the \fBDetailed\fR section,
and sub-section specific detail settings (small hammer), which allow further limiting
of the output for a sub-section.
Each sub-section may be limited to a specific depth level, and each sub-level may be limited with top N or threshold limits.
The \fIlevelspec\fR argument to each of the level limiters listed above is used to accomplish this.

It is probably best to continue explanation of sub-level limiting with the following well-known outline-style hierarchy, and
some basic examples:
.nf

level 0
   level 1
      level 2
         level 3
            level 4
            level 4
      level 2
         level 3
            level 4
            level 4
            level 4
         level 3
            level 4
         level 3
   level 1
      level 2
         level 3
            level 4
.fi
.PP
The simplest form of output limiting suppresses all output below a specified level.
For example, a \fIlevelspec\fR set to "2" shows only data in levels 0 through 2.
Think of this as collapsing each sub-level 2 item, thus hiding all inferior levels (3, 4, ...),
to yield:
.nf

level 0
   level 1
      level 2
      level 2
   level 1
      level 2
.fi
.PP
|
|
Packit |
57988d |
Sometimes the volume of output in a section is too great, and it is useful to suppress any data that does not exceed a certain threshold value.
Consider a dictionary spam attack, which produces very lengthy lists of hit-once recipient email or IP addresses.
Each sub-level in the hierarchy can be threshold-limited by setting the \fIlevelspec\fR appropriately.
Setting \fIlevelspec\fR to the value "2::5" will suppress any data at level 2 that does not exceed a hit count of 5.
.PP
Perhaps producing a top N list, such as top 10 senders, is desired.
A \fIlevelspec\fR of "3:10:" limits level 3 data to only the top 10 hits.
.PP
With those simple examples out of the way, a \fIlevelspec\fR is defined as a whitespace- or comma-separated list of one or more of the following:
.IP "\fIl\fR"
Specifies the maximum level to be output for this sub-section, with a range from 0 to 10.
If \fIl\fR is 0, no levels will be output, effectively disabling the sub-section
(level 0 data is already provided in the Summary report, so level 1 is considered the first useful level in the \fBDetailed\fR report).
Higher values will produce output up to and including the specified level.
.IP "\fIl\fB.\fIn\fR"
Same as above, with the addition that \fIn\fR limits this section's level 1 output to
the top \fIn\fR items.
The value for \fIn\fR can be any integer greater than 1.
(This form of limiting has less utility than the syntax shown below. It is provided for
backwards compatibility; users are encouraged to use the syntax below).
.IP "\fIl\fB:\fIn\fB:\fIt\fR"
This triplet specifies level \fIl\fR, top \fIn\fR, and minimum threshold \fIt\fR.
Each value is an integer, with \fIl\fR being the level limiter as described above, \fIn\fR being
a top \fIn\fR limiter for the level \fIl\fR, and \fIt\fR being the threshold limiter for level \fIl\fR.
When both \fIn\fR and \fIt\fR are specified, \fIn\fR has priority, allowing top \fIn\fR lists (regardless of
threshold value).
If the value of \fIl\fR is omitted, the specified values for \fIn\fR and/or \fIt\fR are used for
all levels available in the sub-section.
This permits a simple form of wildcarding (e.g. place minimum threshold limits on all levels).
However, specific limiters always override wildcard limiters.
The first form of level limiter may be included in \fIlevelspec\fR to restrict output, regardless of how many triplets are present.
.PP
All three forms of limiters are effective only when \fBamavis-logwatch\fR's detail level is 5
or greater (the \fBDetailed\fR section is not activated until detail is at least 5).
.PP
See the \fBEXAMPLES\fR section for usage scenarios.
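.PP
The following Python sketch is an added illustration, not code from amavis-logwatch: it parses a levelspec as defined above and applies it to a nested hit-count tree, marking suppressed entries with an ellipsis. The function names, the tree layout and the sample counts are constructed for this example; it assumes that an absent bare level means the maximum (10), that an explicit level 1 triplet wins over the legacy l.n form, and that a specific limiter replaces the wildcard limiter outright.

```python
import re

MAX_LEVEL = 10  # top of the 0-10 range given for l; assumed default when no bare l is present

def parse_levelspec(spec):
    """Return (max_level, limits); limits maps a level (None = every level) to (top_n, threshold)."""
    max_level, limits, legacy_n = MAX_LEVEL, {}, None
    for item in spec.replace(",", " ").split():
        if m := re.fullmatch(r"([0-9]*):([0-9]*):([0-9]*)", item):   # l:n:t triplet
            level = int(m[1]) if m[1] else None                        # omitted l = wildcard
            limits[level] = (int(m[2]) if m[2] else None, int(m[3]) if m[3] else None)
        elif m := re.fullmatch(r"([0-9]+)[.]([0-9]+)", item):         # legacy l.n form
            max_level, legacy_n = int(m[1]), int(m[2])
            if legacy_n <= 1:
                raise ValueError(f"n must be greater than 1 in {item!r}")
        elif item.isdigit():                                           # bare l
            max_level = int(item)
        else:
            raise ValueError(f"bad levelspec item {item!r}")
    if max_level > MAX_LEVEL:
        raise ValueError("level must be in the range 0 to 10")
    if legacy_n is not None:
        limits.setdefault(1, (legacy_n, None))   # assumption: an explicit level 1 triplet wins
    return max_level, limits

def limit_tree(tree, spec):
    """Render a (count, label, children) tree as indented lines, limited by spec."""
    max_level, limits = parse_levelspec(spec)
    lines = []

    def walk(node, level):
        count, label, children = node
        lines.append("  " * level + f"{count} {label}")
        child_level = level + 1
        if child_level > max_level or not children:
            return                                 # deeper levels are collapsed
        # A limiter for this exact level overrides the wildcard limiter.
        top_n, threshold = limits.get(child_level, limits.get(None, (None, None)))
        ranked = sorted(children, key=lambda child: -child[0])
        if top_n is not None:                      # n has priority over t
            kept = ranked[:top_n]
        elif threshold is not None:                # keep only counts that exceed t
            kept = [child for child in ranked if child[0] > threshold]
        else:
            kept = ranked
        for child in kept:
            walk(child, child_level)
        if len(kept) < len(ranked):
            lines.append("  " * child_level + "...")   # mark suppressed entries

    if max_level > 0:                              # l = 0 disables the sub-section
        walk(tree, 0)
    return lines

# Constructed sample: recipient -> sending IP -> envelope sender hit counts.
SAMPLE = (40, "Spam blocked", [
    (20, "joe@example.com", [
        (12, "10.0.0.1", [(9, "<>", []), (3, "a@example.net", [])]),
        (7, "10.99.99.99", [(7, "<>", [])]),
        (1, "192.168.3.3", [(1, "b@example.net", [])]),
    ]),
    (15, "fred@example.com", [(15, "10.0.0.1", [(15, "<>", [])])]),
    (5, "peter@sample.net", [(5, "192.168.3.19", [(5, "<>", [])])]),
])

if __name__ == "__main__":
    for line in limit_tree(SAMPLE, "1:2: 2:2: 3::6"):
        print(line)
```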
.SH CONFIGURATION FILE
.ad
\fBAmavis-logwatch\fR can read configuration settings from a configuration file.
Essentially, any command line option can be placed into a configuration file, and
these settings are read upon startup.

Because \fBamavis-logwatch\fR can run either standalone or within Logwatch,
to minimize confusion, \fBamavis-logwatch\fR inherits Logwatch's configuration
file syntax requirements and conventions.
These are:
.IP \(bu 4'.
White space lines are ignored.
.IP \(bu 4'.
Lines beginning with \fB#\fR are ignored.
.IP \(bu 4'.
Settings are of the form:
.nf

    \fIoption\fB = \fIvalue\fR

.fi
.IP \(bu 4'.
Spaces or tabs on either side of the \fB=\fR character are ignored.
.IP \(bu 4'.
Any \fIvalue\fR protected in double quotes will be case-preserved.
.IP \(bu 4'.
All other content is reduced to lowercase (non-preserving, case insensitive).
.IP \(bu 4'.
All \fBamavis-logwatch\fR configuration settings must be prefixed with "\fB$amavis_\fR" or
\fBamavis-logwatch\fR will ignore them.
.IP \(bu 4'.
When running under Logwatch, any values not prefixed with "\fB$amavis_\fR" are
consumed by Logwatch; it only passes to \fBamavis-logwatch\fR (via environment variable)
settings it considers valid.
.IP \(bu 4'.
The values \fBTrue\fR and \fBYes\fR are converted to 1, and \fBFalse\fR and \fBNo\fR are converted to 0.
.IP \(bu 4'.
Order of settings is not preserved within a configuration file (since settings are passed
by Logwatch via environment variables, which have no defined order).
.PP
To include a command line option in a configuration file,
prefix the command line option name with the word "\fB$amavis_\fR".
The following configuration file setting and command line option are equivalent:
.nf

    \fB$amavis_Line_Style = Truncate\fR

    \fB--line_style Truncate\fR

.fi
Level limiters are also prefixed with \fB$amavis_\fR, but on the command line are specified with the \fB--limit\fR option:
.nf

    \fB$amavis_SpamBlocked = 2\fR

    \fB--limit SpamBlocked=2\fR

.fi

The order of command line options and configuration file processing occurs as follows:
.br
1) The default configuration file is read if it exists and no \fB--config_file\fR was specified on a command line.
.br
2) Configuration files are read and processed in the order found on the command line.
.br
3) Command line options override any options already set either via command line or from any configuration file.

Command line options are interpreted when they are seen on the command line, and later options will override previously set options.
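.PP
The syntax rules and processing order above can be exercised with the following Python sketch, an added illustration and not the parser amavis-logwatch itself uses. The function names and the sample file are constructed; Example_Flag and Example_Title are hypothetical option names used only to show boolean conversion and case preservation, and the sketch assumes quoted values are returned without their quotes and are not boolean-converted.

```python
PREFIX = "$amavis_"
BOOLEANS = {"true": "1", "yes": "1", "false": "0", "no": "0"}

def parse_config(text):
    """Parse Logwatch-style settings text into {option: value} for amavis-logwatch."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                # blank lines and comments are ignored
        name, sep, value = line.partition("=")
        if not sep:
            continue                                # not of the form option = value
        name, value = name.strip().lower(), value.strip()
        if not name.startswith(PREFIX):
            continue                                # not an amavis-logwatch setting
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                     # double-quoted: case is preserved
        else:
            value = value.lower()                   # everything else is lowercased
            value = BOOLEANS.get(value, value)      # True/Yes -> 1, False/No -> 0
        settings[name[len(PREFIX):]] = value
    return settings

def effective_settings(default_text, config_texts, cli_options):
    """Merge settings in the documented order; cli_options is a list of (name, value) pairs."""
    # 1) the default file is used only when no configuration file was named
    sources = config_texts or ([default_text] if default_text is not None else [])
    merged = {}
    for text in sources:                            # 2) files in command line order
        merged.update(parse_config(text))
    for name, value in cli_options:                 # 3) command line options win, later ones last
        merged[name.lower()] = value
    return merged

# Constructed sample file; the Example_* names are hypothetical.
SAMPLE_CONF = """
# amavis-logwatch settings
$amavis_Line_Style = Truncate
$amavis_Detail=5
$amavis_SpamBlocked = "1:4: 2:2: 3::6"
$amavis_Example_Flag = Yes
$amavis_Example_Title = "Mail Gateway"
Detail = 10
"""

if __name__ == "__main__":
    for option, value in sorted(parse_config(SAMPLE_CONF).items()):
        print(option, "=", value)
```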
.SH "EXIT STATUS"
.na
.nf
.ad
.fi
The \fBamavis-logwatch\fR utility exits with a status code of 0, unless an error
occurred, in which case a non-zero exit status is returned.
.SH "EXAMPLES"
.na
.nf
.ad
.fi
.SS Running Standalone
\fBNote:\fR \fBamavis-logwatch\fR reads its log data from one or more named Amavis log files, or from STDIN.
For brevity, where required, the examples below use the word \fIfile\fR as the command line
argument meaning \fI/path/to/amavis.log\fR.
Obviously you will need to substitute \fIfile\fR with the appropriate path.
.nf
.PP
To run \fBamavis-logwatch\fR in standalone mode, simply run:
.nf
.RS 4
.PP
\fBamavis-logwatch \fIfile\fR
.RE 0
.nf
.PP
A complete list of options and basic usage is available via:
.nf
.RS 4
.PP
\fBamavis-logwatch --help\fR
.RE 0
.nf
.PP
To print a summary-only report of Amavis log data:
.nf
.RS 4
.PP
\fBamavis-logwatch --detail 1 \fIfile\fR
.RE 0
.fi
.PP
To produce a summary report and a one-level detail report for May 25th:
.nf
.RS 4
.PP
\fBgrep 'May 25' \fIfile\fB | amavis-logwatch --detail 5\fR
.RE 0
.fi
.PP
To produce only a top 10 list of Sent email domains, the summary report and detailed reports
are first disabled. Since command line options are read and enabled left-to-right,
the Sent section is re-enabled to level 1 with a level 1 top 10 limiter:
.nf
.RS 4
.PP
\fBamavis-logwatch --nosummary --nodetail \\
    --limit spamblocked '1 1:10:' \fIfile\fR
.RE 0
.fi
.PP
The following command and its sample output show a more complex level limiter example.
The command gives the top 4 spam blocked recipients (level 1), and under each recipient
the top 2 sending IPs (level 2) and finally below that, only envelope from addresses (level 3) with hit counts
greater than 6.
Ellipses indicate top N or threshold-limited data:
.nf
.RS 4
.PP
\fBamavis-logwatch --nosummary --nodetail \\
    --limit spamblocked '1:4: 2:2: 3::6' \fIfile\fR
.nf

   19346   Spam blocked -----------------------------------
     756      joe@example.com
      12         10.0.0.1
      12            <>
      12         10.99.99.99
      12            <>
                 ...
     640      fred@example.com
       8         10.0.0.1
       8            <>
       8         192.168.3.19
       8            <>
                 ...
     595      peter@sample.net
       8         10.0.0.1
       8            <>
       7         192.168.3.3
       7            <>
                 ...
     547      paul@example.us
       8         192.168.3.19
       8            <>
       7         10.0.0.1
       7            <>
                 ...
              ...
.fi
.RE 0
.fi
.SS Running within Logwatch
\fBNote:\fR Logwatch versions prior to 7.3.6, unless configured otherwise, required the \fB--print\fR option to print to STDOUT instead of sending reports via email.
Since version 7.3.6, STDOUT is the default output destination, and the \fB--print\fR option has been replaced
by \fB--output stdout\fR. Check your configuration to determine where report output will be directed, and add the appropriate option to the commands below.
.PP
To print a summary report for today's Amavis log data:
.nf
.RS 4
.PP
\fBlogwatch --service amavis --range today --detail 1\fR
.RE 0
.nf
.PP
To print a report for today's Amavis log data, with one level
of detail in the \fBDetailed\fR section:
.nf
.RS 4
.PP
\fBlogwatch --service amavis --range today --detail 5\fR
.RE 0
.fi
.PP
To print a report for yesterday, with two levels of detail in the \fBDetailed\fR section:
.nf
.RS 4
.PP
\fBlogwatch --service amavis --range yesterday --detail 6\fR
.RE 0
.fi
.PP
To print a report from Dec 12th through Dec 14th, with four levels of detail in the \fBDetailed\fR section:
.nf
.RS 4
.PP
\fBlogwatch --service amavis --range \\
    'between 12/12 and 12/14' --detail 8\fR
.RE 0
.PP
To print a report for today, with all levels of detail:
.nf
.RS 4
.PP
\fBlogwatch --service amavis --range today --detail 10\fR
.RE 0
.PP
Same as above, but leaves long lines uncropped:
.nf
.RS 4
.PP
\fBlogwatch --service amavis --range today --detail 11\fR
.RE 0
.SS "Amavis Log Level"
.PP
Amavis provides additional log information when the variable
\fB$log_level\fR is increased above the default 0 value.
This information is used by the \fBamavis-logwatch\fR utility to provide additional reports,
not available with the default \fB$log_level\fR=0 value.
A \fB$log_level\fR of 2 is suggested.
.PP
If you prefer not to increase the noise level in your main mail or Amavis logs,
you can configure syslog to log Amavis' output to multiple log files,
where basic log entries are routed to your main mail log(s) and more detailed
entries routed to an Amavis-specific log file used to feed the \fBamavis-logwatch\fR utility.
.PP
A convenient way to accomplish this is to change the Amavis
configuration variables in \fBamavisd.conf\fR as shown below:
.nf

    amavisd.conf:
        $log_level = 2;
        $syslog_facility = 'local5';
        $syslog_priority = 'debug';

.fi
.PP
This increases \fB$log_level\fR to 2, and sends Amavis' log entries to
an alternate syslog facility (e.g. \fBlocal5\fR, user), which can then be
routed to one or more log files, including your main mail log file:
.nf

    syslog.conf:
        #mail.info                         -/var/log/maillog
        mail.info;local5.notice            -/var/log/maillog

        local5.info                        -/var/log/amavisd-info.log

.fi
.PP
\fBAmavis\fR' typical \fB$log_level\fR 0 messages will be directed to both your maillog
and to the \fBamavisd-info.log\fR file, but higher \fB$log_level\fR messages
will only be routed to the \fBamavisd-info.log\fR file.
For additional information on Amavis' logging, search the
file \fBRELEASE_NOTES\fR in the Amavis distribution for:
.nf

    "syslog priorities are now dynamically derived"

.fi
.SH "ENVIRONMENT"
.na
.nf
.ad
.fi
The \fBamavis-logwatch\fR program uses the following (automatically set) environment
variables when running under Logwatch:
.IP \fBLOGWATCH_DETAIL_LEVEL\fR
This is the detail level specified with the Logwatch command line argument \fB--detail\fR
or the \fBDetail\fR setting in the ...conf/services/amavis.conf configuration file.
.IP \fBLOGWATCH_DEBUG\fR
This is the debug level specified with the Logwatch command line argument \fB--debug\fR.
.IP \fBamavis_\fIxxx\fR
The Logwatch program passes all settings \fBamavis_\fIxxx\fR in the configuration file ...conf/services/amavis.conf
to the \fBamavis\fR filter (which is actually named .../scripts/services/amavis) via environment variable.
.SH "FILES"
.na
.nf
.SS Standalone mode
.IP "/usr/local/bin/amavis-logwatch"
The \fBamavis-logwatch\fR program
.IP "/usr/local/etc/amavis-logwatch.conf"
The \fBamavis-logwatch\fR configuration file in standalone mode
.SS Logwatch mode
.IP "/etc/logwatch/scripts/services/amavis"
The Logwatch \fBamavis\fR filter
.IP "/etc/logwatch/conf/services/amavis.conf"
The Logwatch \fBamavis\fR filter configuration file
.SH "SEE ALSO"
.na
.nf
logwatch(8), system log analyzer and reporter
.SH "README FILES"
.na
.ad
.nf
README, an overview of \fBamavis-logwatch\fR
Changes, the version change list history
Bugs, a list of the current bugs or other inadequacies
Makefile, the rudimentary installer
LICENSE, the usage and redistribution licensing terms
.SH "LICENSE"
.na
.nf
.ad
Covered under the included MIT/X-Consortium License:
http://www.opensource.org/licenses/mit-license.php

.SH "AUTHOR(S)"
.na
.nf
Mike Cappella

.fi
The original \fBamavis\fR Logwatch filter was written by
Jim O'Halloran, and has had many contributors over the years.
They are entirely not responsible for any errors, problems or failures since the current author's
hands have touched the source code.