.TH POSTFIX-LOGWATCH 1 

.ad

.fi

.SH NAME

postfix-logwatch

\-

A Postfix log parser and analysis utility

.SH "SYNOPSIS"

.na

.nf

.fi

\fBpostfix-logwatch\fR [\fIoptions\fR] [\fIlogfile ...\fR]

.SH DESCRIPTION

.ad

.fi

The \fBpostfix-logwatch\fR(1) utility is a Postfix MTA log parser

that produces summaries, details, and statistics regarding

the operation of Postfix.

.PP

This utility can be used as a

standalone program, or as a Logwatch filter module to produce

Postfix summary and detailed reports from within Logwatch.

.PP

\fBPostfix-logwatch\fR is able to produce

a wide range of reports with data grouped and sorted as much as possible

to reduce noise and highlight patterns.

Brief summary reports provide a

quick overview of general Postfix operations and message

delivery, calling out warnings that may require attention.

Detailed reports provide easy to scan, hierarchically-arranged

and organized information, with as much or little detail as

desired.

.PP

\fBPostfix-logwatch\fR outputs two principal sections: a \fBSummary\fR section

and a \fBDetailed\fR section.

For readability and quick scanning, all event or hit counts appear in the left column,

followed by brief description of the event type, and finally additional

statistics or count representations may appear in the rightmost column.

The following segment from a sample Summary report illustrates:

.RS 4

.nf

****** Summary ********************************************

      81   *Warning: Connection rate limit reached (anvil)

     146   Warned

  68.310M  Bytes accepted                        71,628,177

  97.645M  Bytes delivered                      102,388,245

========   ================================================

    3464   Accepted                                  41.44%

    4895   Rejected                                  58.56%

--------   ------------------------------------------------

    8359   Total                                    100.00%

========   ================================================

.fi

.RE 0

The report warns that anvil's connection rate was hit 81 times,

a Postfix access check WARN action was logged 146 times, and

a total of 68.310 megabytes (71,628,177 bytes) were accepted

into the Postfix system, delivering 97.645 megabytes of

data (due to multiple recipients).

The Accepted and Rejected lines show that Postfix accepted 3464 (41.44% of the total

messages) and rejected 4895 (the remaining 58.56%) of the 8359

total messages (temporary rejects show up elsewhere).

.PP

There are dozens of sub-sections available in the \fBDetailed\fR report, each of

whose output can be controlled in various ways.

Each sub-section attempts to group and present the most meaningful data at superior levels,

while pushing less useful or \fInoisy\fR data towards inferior levels.

The goal is to provide as much benefit as possible from smart grouping of

data, to allow faster report scanning, pattern identification, and problem solving.

Data is always sorted in descending order by count, and then numerically by IP address

or alphabetically as appropriate.

.PP

The following MX errors segment from a sample \fBDetailed\fR report

illustrates the basic hierarchical level structure of \fBpostfix-logwatch\fR:

.RS 4

.nf

****** Detailed *******************************************

     261   MX errors --------------------------------------

     261      Unable to look up MX host

     222         Host not found

      73            foolishspammer.local

      60            completely.bogus.domain.example

      11            friend.example.com

      39         No address associated with hostname

      23            dummymx.sample.net

      16            pushn.spam.sample.com

.fi

.RE 0

.PP

The \fBpostfix-logwatch\fR utility reads from STDIN or from the named Postfix

\fIlogfile\fR.

Multiple \fIlogfile\fR arguments may be specified, each processed

in order.

The user running \fBpostfix-logwatch\fR must have read permission on

each named log file.

.PP

.SS Options

The options listed below affect the operation of \fBpostfix-logwatch\fR.

Options specified later on the command line override earlier ones.

Any option may be abbreviated to an unambiguous length.

.IP "\fB-f \fIconfig_file\fR"

.PD 0

.IP "\fB--config_file \fIconfig_file\fR"

.PD

Use an alternate configuration file \fIconfig_file\fR instead of

the default.

This option may be used more than once.

Multiple configuration files will be processed in the order presented on the command line.

See \fBCONFIGURATION FILE\fR below.

.IP "\fB--debug \fIkeywords\fR"

Output debug information during the operation of \fBpostfix-logwatch\fR.

The parameter \fIkeywords\fR is one or more comma or space separated keywords.

To obtain the list of valid keywords, use --debug xxx where xxx is any invalid keyword.

.IP "\fB--[no]delays\fR"

Enables (disables) output of the message delays percentiles report.

The delays percentiles report shows percentiles for each of the 4 delivery latency times reported

by Postfix (available in version 2.3 and later) in the form \fBdelays=\fIa\fR/\fIb\fR/\fIc\fR/\fId\fR, where

\fIa\fR is the amount of time before the active queue (includes time for previous delivery attempts and time in the deferred queue),

\fIb\fR is the amount of time in the active queue up to delivery agent handoff,

\fIc\fR is the amount of time spent making connections (including DNS, HELO and TLS) and

\fId\fR is the amount of time spent delivering the message.

The total delay shown comes from the \fBdelay=\fR field in a message delivery log line.

\fBNote:\fR This report may consume a large amount of memory; if you have no use for it, disable the delays report.

.IP "\fB--delays_percentiles \fIp1 [p2 ...]\fR"

Specifies the percentiles to be used in the message delays percentiles report.

The percentiles \fIp1\fR, \fIp2\fR, \fI...\fR range from 0 to 100, inclusively.

The order of the list is not sorted - the report will output the percentiles

columns in the order you specify.

.IP "\fB--detail \fIlevel\fR"

Sets the maximum detail level for \fBpostfix-logwatch\fR to \fIlevel\fR.

This option is global, overriding any other output limiters described below.

The \fBpostfix-logwatch\fR utility

produces a \fBSummary\fR section, a \fBDetailed\fR section, and

additional report sections.

With \fIlevel\fR less than 5, \fBpostfix-logwatch\fR will produce

only the \fBSummary\fR section.

At \fIlevel\fR 5 and above, the \fBDetailed\fR section, and any

additional report sections are candidates for output.

Each incremental increase in \fIlevel\fR generates one additional

hierarchical sub-level of output in the \fBDetailed\fR section of the report.

At \fIlevel\fR 10, all levels are output.

Lines that exceed the maximum report width (specified with 

\fBmax_report_width\fR) will be cut.

Setting \fIlevel\fR to 11 will prevent lines in the report from being cut (see also \fB--line_style\fR).

.IP "\fB--help\fR"

Print usage information and a brief description about command line options.

.IP "\fB--ignore_service \fIpattern\fR"

Ignore log lines that contain the postfix service name \fBpostfix/\fIservice\fR.

The parameter \fIservice\fR is a regular expression.

\fBNote:\fR if you use parenthesis in your regular expression, be sure they are cloistering

and not capturing: use  \fB(?:\fIpattern\fB)\fR instead of \fB(\fIpattern\fB)\fR.

.IP "\fB--ipaddr_width \fIwidth\fR"

Specifies that IP addresses in address/hostname pairs should be printed

with a field width of \fIwidth\fR characters.

Increasing the default may be useful for systems using long IPv6 addresses.

.IP "\fB-l limiter=levelspec\fR"

.PD 0

.IP "\fB--limit limiter=levelspec\fR"

.PD

Sets the level limiter \fIlimiter\fR with the specification \fIlevelspec\fR.

.IP "\fB--line_style \fIstyle\fR"

Specifies how to handle long report lines.

Three styles are available: \fBfull\fR, \fBtruncate\fR, and \fBwrap\fR.

Setting \fIstyle\fR to \fBfull\fR will prevent cutting lines to \fBmax_report_width\fR; 

this is what occurs when \fBdetail\fR is 11 or higher.

When \fIstyle\fR is \fBtruncate\fR (the default), 

long lines will be truncated according to \fBmax_report_width\fR.

Setting \fIstyle\fR to \fBwrap\fR will wrap lines longer than \fBmax_report_width\fR such that

left column hit counts are not obscured.

This option takes precedence over the line style implied by the \fBdetail\fR level.

The options \fB--full\fR, \fB--truncate\fR, and \fB--wrap\fR are synonyms.

.IP "\fB--[no]long_queue_ids\fR"

Enables (disables) interpretation of long queue IDs in Postfix (>= 2.9) logs.

.IP "\fB--nodetail\fR"

Disables the \fBDetailed\fR section of the report, and all supplemental reports.

This option provides a convenient mechanism to quickly disable all sections

under the \fBDetailed\fR report, where subsequent command line

options may re-enable one or more sections to create specific reports.

.IP "\fB--[no]summary\fR"

.IP "\fB--show_summary\fR"

Enables (disables) displaying of the the \fBSummary\fR section of the report.

The variable Posfix_Show_Summary in used in a configuration file.

.IP "\fB--recipient_delimiter \fIdelimiter\fR"

Split email delivery addresses using the recipient delimiter character \fIdelimiter\fR.

This should generally match

the \fBrecipient_delimiter\fR specified in the Postfix parameter

file \fBmain.cf\fR, or the default value indicated in

\fBpostconf -d recipient_delimiter\fR.

This is very useful for obtaining per-alias statistics

when a recipient delimeter is used for mail delivery.

.IP "\fB--reject_reply_patterns \fIr1 [r2 ...]\fR"

Specifies the list of reject reply patterns used to create reject groups.

Each entry in the list \fIr1 [r2 ...]\fR must be either a three character

regular expression reply code of the form [45][0-9.][0-9.], or the word "Warn".

The "." in the regular expression is a literal dot which matches any reject reply subcode;

this wildcarding allows creation of broad rejects groups.

List order is preserved, in that reject reports will be output in the same order as

the entries in the list.

Specific reject reply codes will take priority over wildcard patterns, regardless of

the list order.

The default list is "5.. 4.. Warn", which creates three groups of rejects: 

permanent rejects, temporary reject failures, and reject warnings (as in warn_if_reject).

This feature allows, for example, distinguishing 421 transmission 

channel closures from 45x errors (eg. 450 mailbox unavailable, 451

local processing errors, 452 insufficient storage).

Such a grouping would be configured with the list: "421 4.. 5.. Warn".

See RFC 2821 for more information about reply codes.

See also \fBCONFIGURATION FILE\fR regarding using \fBreject_reply_patterns\fR within a configuration file.

.IP "\fB--[no]sect_vars\fR"

.PD 0

.IP "\fB--show_sect_vars \fIboolean\fR"

.PD

Enables (disables) supplementing each \fBDetailed\fR section title

with the name of that section's level limiter.

The name displayed is the command line option (or configuration

file variable) used to limit that section's output.

.

With the large number of level limiters available in \fBpostfix-logwatch\fR,

this a convenient mechanism for determining exactly which level limiter

affects a section.

.IP "\fB--syslog_name \fInamepat\fR"

Specifies the syslog service name that \fBpostfix-logwatch\fR uses

to match syslog lines.

Only log lines whose service name matches

the perl regular expression \fInamepat\fR will be used by

\fBpostfix-logwatch\fR; all non-matching lines are silently ignored.

This is useful when a pre-installed Postfix package uses a name

other than the default (\fBpostfix\fR), or when multiple Postfix 

instances are in use and per-instance reporting is desired.

The pattern \fInamepat\fR should match the \fBsyslog_name\fR configuration

parameter specified in the Postfix parameter file \fBmain.cf\fR, the

master control file \fBmaster.cf\fR, or the default value as indicated

by the output of \fBpostconf -d syslog_name\fR.

\fBNote:\fR if you use parenthesis in your regular expression, be sure they are cloistering

and not capturing: use  \fB(?:\fIpattern\fB)\fR instead of \fB(\fIpattern\fB)\fR.

.IP "\fB--[no]unknown\fR"

.PD 0

.IP "\fB--show_unknown \fIboolean\fR"

.PD

Enables (disables) display of the postfix-generated name of 'unknown' in formated IP/hostname pairs in \fBDetailed\fR reports.

Default: enabled.

.IP "\fB--version\fR"

Print \fBpostfix-logwatch\fR version information.

.SS Level Limiters

.PP

The output of every section in the \fBDetailed\fR report is controlled by a level limiter.

The name of the level limiter variable will be output when the \fBsect_vars\fR option is set.

Level limiters are set either via command line in standalone mode with \fB--limit \fIlimiter\fB=\fIlevelspec\fR option,

or via configuration file variable \fB$postfix_\fIlimiter\fB=\fIlevelspec\fR.

Each limiter requires a \fIlevelspec\fR argument, which is described below in \fBLEVEL CONTROL\fR.

The list of level limiters is shown below.

There are several level limiters that control reject sub-sections (eg. \fBrejectbody\fR, \fBrejectsender\fR, etc.).

Because the list of reject variants is not known until runtime after \fBreject_reply_patterns\fR is seen, these reject limiters are shown below generically,

with the prefix \fB###\fR.

To use one of these reject limiters, substitute \fB###\fR with one of the reject reply codes in effect,

replacing each dot with an \fBx\fR character.

For example, using the default \fBreject_reply_patterns\fR list of "5.. 4.. Warn", three \fBrejectbody\fR variants are valid: 

\fB--limit 5xxrejectbody\fR, \fB--limit 4xxrejectbody\fR and \fB--limit warnrejectbody\fR.

As a convenience, you may entirely eliminate the \fB###\fR prefix, and instead use the bare \fBreject\fIXXX\fR option, and

all reject level limiter variations will be auto-generated based on the \fBreject_reply_patterns\fR list.

For example, the command line segment:

.nf

    ... --reject_reply_patterns "421 5.." \\

            --limit rejectrbl="1:10:"

.fi

would automatically become:

.nf

    ... --reject_reply_patterns "421 5.." \\

            --limit 421rejectrbl="1:10:" --limit 5xxrejectrbl="1:10:"

.fi

See \fBreject_reply_patterns\fR above, and comments in the configuration file \fBpostfix-logwatch.conf\fR.

.de TQ

.  br

.  ns

.  TP \\$1

..

[ THIS SECTION IS NOT YET COMPLETE ]

.PD 0

.IP "\fBAttrError"

Errors obtaining attribute data from service.

.IP "\fBBCCed"

Messages that triggered access, header_checks or body_checks BCC action. (postfix 2.6 experimental branch)

.IP "\fBBounceLocal"

.IP "\fBBounceRemote"

Local and remote bounces.

A bounce is considered a local bounce if the relay was one of none, local, virtual,

avcheck, maildrop or 127.0.0.1.

.IP "\fBByIpRejects"

Regrouping by client host IP address of all 5xx (permanent) reject variants.

.IP "\fBCommunicationError"

Postfix errors talking to one of its services.

.IP "\fBAnvil"

Anvil rate or concurrency limits.

.IP "\fBConnectionInbound"

Connections made to the \fBsmtpd\fR server.

.IP "\fBConnectionLostInbound"

Connections lost to the \fBsmtpd\fR server.

.IP "\fBConnectionLostOutbound"

Connections lost during \fBsmtp\fR communications with remote MTA.

.IP "\fBConnectToFailure"

Failures reported by \fBsmtp\fR when connecting to remote MTA.

.IP "\fBDatabaseGeneration"

Warnings noted when binary database map file requires \fBpostmap\fR update from newer source file.

.IP "\fBDeferrals"

.IP "\fBDeferred"

Message delivery deferrals.

A single \fBdeferred\fR message will have one or more \fBdeferrals\fR many times.

.IP "\fBDeliverable"

Address verification indicates recipient address is deliverable.

.IP "\fBDelivered"

Number of messages handed-off to a delivery agent such as local or virtual.

.IP "\fBDiscarded"

Messages that triggered access, header_checks or body_checks DISCARD action.

.IP "\fBDNSError"

Any one of several errors encounted during DNS lookups.

.IP "\fBEnvelopeSenderDomains"

List of sending domains.  (2 levels: envelope sender domain, localpart)

.IP "\fBEnvelopeSenders"

List of envelope senders.  (1 level: envelope sender)

.IP "\fBError"

Postfix general \fBerror\fR messages.

.IP "\fBFatalConfigError"

Fatal main.cf or master.cf configuration errors.

.IP "\fBFatalError"

Postfix general \fBfatal\fR messages.

.IP "\fBFiltered"

Messages that triggered access, header_checks or body_checks FILTER action.

.IP "\fBForwarded"

Messages forwarded by MDA for one address class to another (eg. local -> virtual).

.IP "\fBHeloError"

XXXXXXXXXXX

.IP "\fBHold"

Messages that were placed on hold by postsuper, or triggered by access, header_checks or body_checks HOLD action.

.IP "\fBHostnameValidationError"

Invalid hostname detected.

.IP "\fBHostnameVerification"

Lookup of hostname does not map back to the IP of the peer (ie. the remote system connecting to \fBsmtpd\fR).

Also known as forward-confirmed reverse DNS (FCRDNS).

When the reverse name has no DNS entry, the message "host not found, try again" is included; otherwise, it is not

(e.g. when the reverse has some IP address, but not the one Postfix expects).

.IP "\fBIllegalAddrSyntax"

Illegal syntax in an email address provided during the MAIL FROM or RCPT TO dialog.

.IP "\fBLdapError"

Any LDAP errors during LDAP lookup.

.IP "\fBMailerLoop"

An MX lookup for the best mailer to use to deliver mail would result in a sending to ourselves.

.IP "\fBMapProblem"

Problem with an access table map that needs correcting.

.IP "\fBMessageWriteError"

Postfix encountered an error when trying to create a message file somewhere in the spool directory.

.IP "\fBNumericHostname"

A hostname was found that was numeric, instead of alphabetic.

.IP "\fBPanicError"

Postfix general \fBpanic\fR messages.

.IP "\fBPixWorkaround"

Workarounds were enabled to avoid remote Cisco PIX SMTP "fixups".

.IP "\fBPolicydWeight"

Summarization of policyweight/policydweight results.

.IP "\fBPolicySpf"

Summarization of PolicySPF results.

.IP "\fBPostgrey"

Summarization of Postgrey results.

.IP "\fBPostscreen"

Summarization of 2.7's postscreen and verify services.

.IP "\fBDNSBLog"

Summarization of 2.7's dnsblog service.

.IP "\fBPrepended"

Messages that triggered header_checks or body_checks PREPEND action.

.IP "\fBProcessExit"

Postfix services that exited unexpectedly.

.IP "\fBProcessLimit"

A Postfix service has reached or exceeded the maximum number of processes allowed. 

.IP "\fBQueueWriteError"

Problems writing a Postfix queue file.

.IP "\fBRblError"

Lookup errors for RBLs.

.IP "\fBRedirected"

Messages that triggered access, header_checks or body_checks REDIRECT action.

.IP "\fB###RejectBody"

Messages that triggered body_checks REJECT action.

.IP "\fB###RejectClient"

Messages rejected by client access controls (smtpd_client_restrictions).

.IP "\fB###RejectConfigError"

Message rejected due to server configuration errors.

.IP "\fB###RejectContent"

Messages rejected by message_reject_characters.

.IP "\fB###RejectData"

Messages rejected at DATA stage in SMTP conversation (smtpd_data_restrictions). 

.IP "\fB###RejectEtrn"

Messages rejected at ETRN stage in SMTP conversation (smtpd_etrn_restrictions). 

.IP "\fB###RejectHeader"

Messages that triggered header_checks REJECT action.

.IP "\fB###RejectHelo"

Messages rejected at HELO/EHLO stage in SMTP conversation (smtpd_helo_restrictions).

.IP "\fB###RejectInsufficientSpace"

Messages rejected due to insufficient storage space.

.IP "\fB###RejectLookupFailure"

Messages rejected due to temporary DNS lookup failures.

.IP "\fB###RejectMilter"

Milter rejects.  No reject reply code is available for these rejects, but an extended 5.7.1 DSN is provided.

These rejects are forced into the generic 5xx rejects group.

If you redefine \fBreject_reply_patterns\fR such that it does not contain the pattern \fB5..\fR, milter rejects

will not be output.

.IP "\fB###RejectRbl"

Messages rejected by an RBL hit.

.IP "\fB###RejectRecip"

Messages rejected by recipient access controls (smtpd_recipient_restrictions).

.IP "\fB###RejectRelay"

Messages rejected by relay access controls.

.IP "\fB###RejectSender"

Messages rejected by sender access controls (smtpd_sender_restrictions).

.IP "\fB###RejectSize"

Messages rejected due to excessive message size.

.IP "\fB###RejectUnknownClient"

Messages rejected by unknown client access controls.

.IP "\fB###RejectUnknownReverseClient"

Messages rejected by unknown reverse client access controls.

.IP "\fB###RejectUnknownUser"

Messages rejected by unknown user access controls.

.IP "\fB###RejectUnverifiedClient"

Messages rejected by unverified client access controls.

.IP "\fB###RejectVerify"

Messages rejected dueo to address verification failures.

.IP "\fBReplaced"

Messages that triggered header_checks or body_checks REPLACE action.

.IP "\fBReturnedToSender"

Messages returned to sender due to exceeding queue lifetime (maximal_queue_lifetime).

.IP "\fBSaslAuth"

SASL authentication successes, includes SASL method, username, and sender when present.

.IP "\fBSaslAuthFail"

SASL authentication failures.

.IP "\fBSent"

Messages sent via the SMTP delivery agent.

.IP "\fBSentLmtp"

Messages sent via the LMTP delivery agent.

.IP "\fBSmtpConversationError"

Errors during the SMTP/ESMTP dialog.

.IP "\fBSmtpProtocolViolation"

Protocol violation during the SMTP/ESMTP dialog.

.IP "\fBStartupError"

Errors during Postfix server startup.

.IP "\fBTimeoutInbound"

Connections to \fBsmtpd\fR that timed out.

.IP "\fBTlsClientConnect"

TLS client connections.

.IP "\fBTlsOffered"

TLS communication offerred.

.IP "\fBTlsServerConnect"

TLS server connections.

.IP "\fBTlsUnverified"

Unverified TLS connections.

.IP "\fBUndeliverable"

Address verification indicates recipient address is undeliverable.

.IP "\fBWarn"

Messages that triggered access, header_checks or body_checks WARN action.

.IP "\fBWarnConfigError"

Warnings regarding Postfix configuration errors.

.IP "\fBWarningsOther"

Postfix general \fBwarning\fR messages.

.PD

.SH LEVEL CONTROL

.ad

.fi

The \fBDetailed\fR section of the report consists of a number of sub-sections,

each of which is controlled both globally and independently.

Two settings influence the output provided in the \fBDetailed\fR report: 

a global detail level (specified with \fB--detail\fR) which has final (big hammer)

output-limiting control over the \fBDetailed\fR section,

and sub-section specific detail settings (small hammer), which allow further limiting

of the output for a sub-section.

Each sub-section may be limited to a specific depth level, and each sub-level may be limited with top N or threshold limits.

The \fIlevelspec\fR argument to each of the level limiters listed above is used to accomplish this.

It is probably best to continue explanation of sub-level limiting with the following well-known outline-style hierarchy, and

some basic examples:

.nf

    level 0

       level 1

          level 2

             level 3

                level 4

                level 4

          level 2

             level 3

                level 4

                level 4

                level 4

             level 3

                level 4

             level 3

       level 1

          level 2

             level 3

                level 4

.fi

.PP

The simplest form of output limiting suppresses all output below a specified level.

For example, a \fIlevelspec\fR set to "2" shows only data in levels 0 through 2.

Think of this as collapsing each sub-level 2 item, thus hiding all inferior levels (3, 4, ...),

to yield:

.nf

    level 0

       level 1

          level 2

          level 2

       level 1

          level 2

.fi

.PP

Sometimes the volume of output in a section is too great, and it is useful to suppress any data that does not exceed a certain threshold value.

Consider a dictionary spam attack, which produces very lengthy lists of hit-once recipient email or IP addresses.

Each sub-level in the hierarchy can be threshold-limited by setting the \fIlevelspec\fR appropriately.

Setting \fIlevelspec\fR to the value "2::5" will suppress any data at level 2 that does not exceed a hit count of 5.

.PP

Perhaps producing a top N list, such as top 10 senders, is desired.

A \fIlevelspec\fR of "3:10:" limits level 3 data to only the top 10 hits.

.PP

With those simple examples out of the way, a \fIlevelspec\fR is defined as a whitespace- or comma-separated list of one or more of the following:

.IP "\fIl\fR"

Specifies the maximum level to be output for this sub-section, with a range from 0 to 10.

if \fIl\fR is 0, no levels will be output, effectively disabling the sub-section

(level 0 data is already provided in the Summary report, so level 1 is considered the first useful level in the \fBDetailed\fR report).

Higher values will produce output up to and including the specified level.

.IP "\fIl\fB.\fIn\fR"

Same as above, with the addition that \fIn\fR limits this section's level 1 output to

the top \fIn\fR items.

The value for \fIn\fR can be any integer greater than 1.

(This form of limiting has less utility than the syntax shown below. It is provided for

backwards compatibility; users are encouraged to use the syntax below).

.IP "\fIl\fB:\fIn\fB:\fIt\fR"

This triplet specifies level \fIl\fR, top \fIn\fR, and minimum threshold \fIt\fR.

Each of the values are integers, with \fIl\fR being the level limiter as described above, \fIn\fR being

a top \fIn\fR limiter for the level \fIl\fR, and \fIt\fR being the threshold limiter for level \fIl\fR.

When both \fIn\fR and \fIt\fR are specified, \fIn\fR has priority, allowing top \fIn\fR lists (regardless of

threshold value).

If the value of \fIl\fR is omitted, the specified values for \fIn\fR and/or \fIt\fR are used for

all levels available in the sub-section.

This permits a simple form of wildcarding (eg. place minimum threshold limits on all levels).

However, specific limiters always override wildcard limiters.

The first form of level limiter may be included in \fIlevelspec\fR to restrict output, regardless of how many triplets are present.

.PP

All three forms of limiters are effective only when \fBpostfix-logwatch\fR's detail level is 5

or greater (the \fBDetailed\fR section is not activated until detail is at least 5).

.PP

See the \fBEXAMPLES\fR section for usage scenarios.

.SH CONFIGURATION FILE

.ad

\fBPostfix-logwatch\fR can read configuration settings from a configuration file.

Essentially, any command line option can be placed into a configuration file, and

these settings are read upon startup.

Because \fBpostfix-logwatch\fR can run either standalone or within Logwatch,

to minimize confusion, \fBpostfix-logwatch\fR inherits Logwatch's configuration

file syntax requirements and conventions.

These are:

.IP \(bu 4'. 

White space lines are ignored.

.IP \(bu 4'. 

Lines beginning with \fB#\fR are ignored

.IP \(bu 4'. 

Settings are of the form:

.nf

        \fIoption\fB = \fIvalue\fR

.fi

.IP \(bu 4'. 

Spaces or tabs on either side of the \fB=\fR character are ignored.

.IP \(bu 4'. 

Any \fIvalue\fR protected in double quotes will be case-preserved.

.IP \(bu 4'. 

All other content is reduced to lowercase (non-preserving, case insensitive).

.IP \(bu 4'. 

All \fBpostfix-logwatch\fR configuration settings must be prefixed with "\fB$postfix_\fR" or

\fBpostfix-logwatch\fR will ignore them.

.IP \(bu 4'. 

When running under Logwatch, any values not prefixed with "\fB$postfix_\fR" are

consumed by Logwatch; it only passes to \fBpostfix-logwatch\fR (via environment variable)

settings it considers valid.

.IP \(bu 4'. 

The values \fBTrue\fR and \fBYes\fR are converted to 1, and \fBFalse\fR and \fBNo\fR are converted to 0.

.IP \(bu 4'. 

Order of settings is not preserved within a configuration file (since settings are passed

by Logwatch via environment variables, which have no defined order).

.PP

To include a command line option in a configuration file,

prefix the command line option name with the word "\fB$postfix_\fR".

The following configuration file setting and command line option are equivalent:

.nf

        \fB$postfix_Line_Style = Truncate\fR

        \fB--line_style Truncate\fR

.fi

Level limiters are also prefixed with \fB$postfix_\fR, but on the command line are specified with the \fB--limit\fR option:

.nf

        \fB$postfix_Sent = 2\fR

        \fB--limit Sent=2\fR

.fi

The order of command line options and configuration file processing occurs as follows:

1) The default configuration file is read if it exists and no \fB--config_file\fR was specified on a command line.

2) Configuration files are read and processed in the order found on the command line.

3) Command line options override any options already set either via command line or from any configuration file.

Command line options are interpreted when they are seen on the command line, and later options will override previously set options.

The notable exception is with limiter variables, which are interpreted in the order found, but only after all other options have been processed.

This allows \fB--reject_reply_patterns\fR to determine the dynamic list of the various reject limiters.

See also \fB--reject_reply_patterns\fR.

.SH "EXIT STATUS"

.na

.nf

.ad

.fi

The \fBpostfix-logwatch\fR utility exits with a status code of 0, unless an error

occurred, in which case a non-zero exit status is returned.

.SH "EXAMPLES"

.na

.nf

.ad

.fi

.SS Running Standalone

\fBNote:\fR \fBpostfix-logwatch\fR reads its log data from one or more named Postfix log files, or from STDIN.

For brevity, where required, the examples below use the word \fIfile\fR as the command line

argument meaning \fI/path/to/postfix.log\fR.

Obviously you will need to substitute \fIfile\fR with the appropriate path.

.nf

.PP

To run \fBpostfix-logwatch\fR in standalone mode, simply run:

.nf

.RS 4

.PP

\fBpostfix-logwatch \fIfile\fR

.RE 0

.nf

.PP

A complete list of options and basic usage is available via:

.nf

.RS 4

.PP

\fBpostfix-logwatch --help\fR

.RE 0

.nf

.PP

To print a summary only report of Postfix log data:

.nf

.RS 4

.PP

\fBpostfix-logwatch --detail 1 \fIfile\fR

.RE 0

.fi

.PP

To produce a summary report and a one-level detail report for May 25th:

.nf

.RS 4

.PP

\fBgrep 'May 25' \fIfile\fB | postfix-logwatch --detail 5\fR

.RE 0

.fi

.PP

To produce only a top 10 list of Sent email domains, the summary report and detailed reports

are first disabled.

Since commands line options are read and enabled left-to-right,

the Sent section is re-enabled to level 1 with a level 1 top 10 limiter:

.nf

.RS 4

.PP

\fBpostfix-logwatch --nosummary --nodetail --limit sent='1 1:10:' \fIfile\fR

.RE 0

.fi

.PP

The following command and its sample output shows a more complex level limiter example.

The command gives the top 3 Sent email addresses from the top 5 domains,

in addition, all level 3 items with a hit count of 2 or less are suppressed (in the Sent sub-section,

this happens to be email's Original To address).

Ellipses indicate top N or threshold-limited data:

.nf

.RS 4

.PP

\fBpostfix-logwatch --nosummary --nodetail \\

        --limit sent '1:5: 2:3: 3::2' \fIfile\fR

.nf

1762   Sent via SMTP -----------------------------------

 352      example.com

 310         joe

 255            joe.bob@virtdomain.example.com

   7            info@virtdomain.example.com

  21         pooryoda3

  11         hot93uh

             ...

 244      sample.net

  97         buzz

  26         leroyjones

  14         sally

             ...

 152      example.net

  40         jim_jameson

  23         sam_sampson

  19         paul_paulson

             ...

  83      sample.us

  44         root

  39         jenny1

  69      dom3.example.us

  10         kay

   7         ron

   6         mrsmith

             ...

          ...

.fi

.RE 0

.fi

.PP

The next command uses both \fBreject_reply_patterns\fR and level limiters to see 421 RBL rejects,

threshold-limiting level 2 output to hits greater than 5 (level 2 in the Reject RBL sub-section

is the client's IP address / hostname pair).

This makes for a very nice RBL offenders list, shown in the sample output

(note the use of the unambiguous, abbreviated command line option reject_reply_pat):

.nf

.RS 4

.PP

\fBpostfix-logwatch --reject_reply_pat '421 4.. 5.. Warn' \\

        --nosummary --nodetail --limit 421rejectrbl='2 2::5' \fIfile\fR

.nf

300   421 Reject RBL ---------------------------------------

243      zen.spamhaus.org=127.0.0.2

106         10.0.0.129       129.0.0.example.com

 41         192.168.10.70    hostx10.sample.net

 40         192.168.42.39    hostz42.sample.net

 15         10.1.1.152       dsl-10-1-1-152.example.us

 14         10.10.10.122     mail122.sample.com

  7         192.168.3.44     smalltime-spammer.example.com

            ...

 48      zen.spamhaus.org=127.0.0.4

 17         10.29.124.92     10-29-124-92.adsl-static.sample.us

            ...

  8      zen.spamhaus.org=127.0.0.11

            ...

  1      zen.spamhaus.org=127.0.0.10

            ...

.fi

.RE 4

.SS Running within Logwatch

\fBNote:\fR Logwatch versions prior to 7.3.6, unless configured otherwise, required the \fB--print\fR option to print to STDOUT instead of sending reports via email.

Since version 7.3.6, STDOUT is the default output destination, and the \fB--print\fR option has been replaced

by \fB--output stdout\fR. Check your configuration to determine where report output will be directed, and add the appropriate option to the commands below.

.PP

To print a summary report for today's Postfix log data:

.nf

.RS 4

.PP

\fBlogwatch --service postfix --range today --detail 1\fR

.RE 0

.nf

.PP

To print a report for today's Postfix log data, with one level

of detail in the \fBDetailed\fR section:

.nf

.RS 4

.PP

\fBlogwatch --service postfix --range today --detail 5\fR

.RE 0

.fi

.PP

To print a report for yesterday, with two levels of detail in the \fBDetailed\fR section:

.nf

.RS 4

.PP

\fBlogwatch --service postfix --range yesterday --detail 6\fR

.RE 0

.fi

.PP

To print a report from Dec 12th through Dec 14th, with four levels of detail in the \fBDetailed\fR section:

.nf

.RS 4

.PP

\fBlogwatch --service postfix --range \\

        'between 12/12 and 12/14' --detail 8\fR

.RE 0

.PP

To print a report for today, with all levels of detail:

.nf

.RS 4

.PP

\fBlogwatch --service postfix --range today --detail 10\fR

.RE 0

.PP

Same as above, but leaves long lines uncut:

.nf

.RS 4

.PP

\fBlogwatch --service postfix --range today --detail 11\fR

.RE 0

.SH "ENVIRONMENT"

.na

.nf

.ad

.fi

The \fBpostfix-logwatch\fR program uses the following (automatically set) environment

variables when running under Logwatch:

.IP \fBLOGWATCH_DETAIL_LEVEL\fR

This is the detail level specified with the Logwatch command line argument \fB--detail\fR

or the \fBDetail\fR setting in the ...conf/services/postfix.conf configuration file.

.IP \fBLOGWATCH_DEBUG\fR

This is the debug level specified with the Logwatch command line argument \fB--debug\fR.

.IP \fBpostfix_\fIxxx\fR

The Logwatch program passes all settings \fBpostfix_\fIxxx\fR in the configuration file ...conf/services/postfix.conf

to the \fBpostfix\fR filter (which is actually named .../scripts/services/postfix) via environment variable.

.SH "FILES"

.na

.nf

.SS Standalone mode

.IP "/usr/local/bin/postfix-logwatch"

The \fBpostfix-logwatch\fR program

.IP "/usr/local/etc/postfix-logwatch.conf"

The \fBpostfix-logwatch\fR configuration file in standalone mode

.SS Logwatch mode

.IP "/etc/logwatch/scripts/services/postfix"

The Logwatch \fBpostfix\fR filter

.IP "/etc/logwatch/conf/services/postfix.conf"

The Logwatch \fBpostfix\fR filter configuration file

.SH "SEE ALSO"

.na

.nf

logwatch(8), system log analyzer and reporter

.SH "README FILES"

.na

.ad

.nf

README, an overview of \fBpostfix-logwatch\fR

Changes, the version change list history

Bugs, a list of the current bugs or other inadequacies

Makefile, the rudimentary installer

LICENSE, the usage and redistribution licensing terms

.SH "LICENSE"

.na

.nf

.ad

Covered under the included MIT/X-Consortium License:

http://www.opensource.org/licenses/mit-license.php