[Logwatch-Devel] LogWatch Sendmail Script (fwd)

Jim O'Halloran Jim@kendle.com.au
Wed, 29 Jan 2003 17:17:25 +1030


Kirk,

I've put together the attached patch, which should do what you're looking
for.  The output appears as follows....

Unknown users:

    allen@awvater.com.au
      from [202.27.217.203]    4 time(s).

    ashley@awvater.com.au
      from awvate1.lnk.telstra.net [139.130.107.32]    1 time(s).
      from mail.chariot.net.au [203.87.95.38]    1 time(s).
      from msp-04.mspgroup.com.au [203.38.225.2]    2 time(s).

The relay= field and the User Unknown message are actually in two separate
log entries.  The patched script gets around this by creating an associative
array containing the relay host keyed by the sendmail Queue ID for every
message passing through the server.  When later compiling the report, we
look up the relay host in the array and summarise the results.  There is
probably an easier way to do this, but my perl knowledge is a little
limited, so it's the best I was able to come up with.  It does mean we can
still generate the whole report with only a single pass through the log.
I've tested this on my own logs and it seems to work fine.

Jim.

-----Original Message-----
From: Kirk Bauer [mailto:kirk@kaybee.org]
Sent: Wednesday, 29 January 2003 14:39
To: logwatch-devel@kaybee.org
Subject: [Logwatch-Devel] LogWatch Sendmail Script (fwd)


Anybody want to tackle this?

-- 
Kirk Bauer <kirk@kaybee.org>
http://linux.kaybee.org | www.autorpm.org | www.logwatch.org

---------- Forwarded message ----------
Date: Tue, 28 Jan 2003 22:57:07 -0500
From: Ammar T. Al-Sayegh <alsayegh@purdue.edu>
To: kirk@kaybee.org
Subject: LogWatch Sendmail Script

Hi!

I am using LogWatch to monitor my server, which I
must say is one of the most useful monitoring tools
I found so far.

The log messages contain a sendmail section for
Unknown Users. The section shows the addresses
for the unknown users that receive emails, but
doesn't show the IP numbers of the relays that
send these emails. I have to look them up by
hand in the maillog. Is it possible to set the
sendmail LogWatch script to include the sender's
relay next to the email address of the known
user?


-ammar


_______________________________________________
Logwatch-Devel mailing list
Logwatch-Devel@logwatch.org
http://list.logwatch.org/lists/listinfo/logwatch-devel



Attachment: sendmail-unknown.patch

--- sendmail.43	Wed Jan 29 15:01:13 2003=0A=
+++ sendmail	Wed Jan 29 16:50:57 2003=0A=
@@ -22,6 +22,7 @@=0A=
 my %notLocal;=0A=
 =0A=
 while (defined($ThisLine =3D <STDIN>)) {=0A=
+   ($QueueID) =3D ($ThisLine =3D~ m/^([a-zA-Z0-9]+): / );=0A=
    $ThisLine =3D~ s/^[a-zA-Z0-9]+: //;=0A=
    if ( ( $ThisLine =3D~ m/^to=3D.*stat=3D/ ) or=0A=
          ( $ThisLine =3D~ m/^alias database [^ ]* (auto)?rebuilt by/ ) =
or =0A=
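Review bot: the added `($QueueID) = ($ThisLine =~ m/^([a-zA-Z0-9]+): / );` matches the same prefix that the very next line's `s/^[a-zA-Z0-9]+: //` strips, and `$QueueID` is not declared anywhere in the hunk, unlike `%notLocal` just above it, so if the script runs under `use strict` this will not compile. Capture and strip in one step and declare the variable with the other file-scope state, e.g. `my $QueueID;` beside `my %notLocal;` and `$QueueID = ($ThisLine =~ s/^([a-zA-Z0-9]+): //) ? $1 : undef;` in the loop, which keeps one copy of the pattern and still leaves `$QueueID` undefined on a line that carries no queue ID.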
@@ -35,16 +36,18 @@=0A=
          ( $ThisLine =3D~ m/: Service unavailable$/) or =0A=
          #( $ThisLine =3D~ m/did not issue MAIL\/EXPN\/VRFY\/ETRN =
during connection/ ) or =0A=
          ( $ThisLine =3D~ m/Broken pipe|Connection (reset|timed out)/ =
) or=0A=
-         ( $ThisLine =3D~ m/^clone [a-zA-Z0-9]+, owner=3D/ ) or=0A=
-         ( $ThisLine =3D~ m/^from=3D.*nrcpts=3D0.*$/ ) ) { =0A=
+         ( $ThisLine =3D~ m/^clone [a-zA-Z0-9]+, owner=3D/ ) ) {=0A=
       # We don't care about these=0A=
-   } elsif ( ($Bytes) =3D ($ThisLine =3D~ =
/^from=3D.*size=3D([0-9]+).*$/) ) {=0A=
-      $MsgsSent++;=0A=
-      $BytesTransferred +=3D $Bytes;=0A=
+   } elsif ( ($Bytes, $NumRcpts, $RelayHost) =3D ($ThisLine =3D~ =
/^from=3D.*size=3D([0-9]+).*nrcpts=3D([0-9]+).*relay=3D(\[[0-9\.]+\]|[^ =
]* \[[0-9\.]+\]|[^ ]+).*$/) ) {=0A=
+      if ($NumRcpts > 0) {=0A=
+         $MsgsSent++;=0A=
+         $BytesTransferred +=3D $Bytes;=0A=
+      };=0A=
+      chomp($Relays{$QueueID} =3D $RelayHost);=0A=
    } elsif ( $ThisLine =3D~ m/X-Virus-Scanned: by amavisd-milter/) =
{=0A=
       $Amavis++;=0A=
    } elsif ( ($User) =3D ($ThisLine =3D~ /^<([^ ]*)>... User =
unknown$/) ) {=0A=
-      $UnknownUsers{$User}++;=0A=
+      $UnknownUsers{$User}{$QueueID}++;=0A=
    } elsif ( ($Host) =3D ($ThisLine =3D~ /\(Name server: ([^ ]+): host =
not found\)/)) {=0A=
       $UnknownHosts{$Host}++;=0A=
    } elsif ( ($Domain) =3D ($ThisLine =3D~ /Domain of sender address =
([^ ]+) does not resolve/)) {=0A=
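Review bot: dropping the `^from=.*nrcpts=0.*$` ignore rule changes what happens to `from=` lines that the new `size=…nrcpts=…relay=` regex does not match (a line without a `relay=` field, or with the fields in another order): previously they were silently discarded, now they fall through every `elsif` to whatever the script does with unmatched entries, so expect new noise in that part of the report until the regex is confirmed against real logs. The `chomp` on `$Relays{$QueueID} = $RelayHost` is needed because the last alternative `[^ ]+` also matches the trailing newline; a comment saying so would stop someone from removing it. The `};` closing the inner `if` carries a stray semicolon; `}` is enough.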
@@ -167,9 +170,17 @@=0A=
 }=0A=
 =0A=
 if (keys %UnknownUsers) {=0A=
+   foreach $Usr (sort keys %UnknownUsers) {=0A=
+      foreach $QueueID (sort keys %{ $UnknownUsers{$Usr} }) {=0A=
+         $SortedUsers{$Usr}{$Relays{$QueueID}}++;=0A=
+      }=0A=
+   }=0A=
    print "\n\nUnknown users:\n";=0A=
-   foreach $ThisOne (sort keys %UnknownUsers) {=0A=
-      print "    " . $ThisOne . ": " . $UnknownUsers{$ThisOne} . " =
Times(s)\n";=0A=
+   foreach $Usr (sort keys %SortedUsers) {=0A=
+      print "\n    $Usr\n";=0A=
+      foreach $RelayHost (sort keys %{ $SortedUsers{$Usr} }) {=0A=
+         print "      from $RelayHost    =
$SortedUsers{$Usr}{$RelayHost} time(s).\n";=0A=
+      }=0A=
    }=0A=
 }=0A=
 =0A=
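Review bot: the rebuild loop at the top of the hunk does `$SortedUsers{$Usr}{$Relays{$QueueID}}++` once per queue ID, discarding the per-queue-ID count accumulated by `$UnknownUsers{$User}{$QueueID}++` in the previous hunk, so a client that retries the same bad recipient within one session is now counted once where the old `$UnknownUsers{$ThisOne}` total counted every rejection; use `+= $UnknownUsers{$Usr}{$QueueID}` to keep the old semantics. On the same line `$Relays{$QueueID}` is undefined whenever no matching `from=` entry was seen for that queue ID (log rotated mid-session, or a `from=` line the new regex did not match), which produces an empty-string key and a `from     N time(s).` row with no host; default it, e.g. `$Relays{$QueueID} || '(relay not logged)'`, so the report says why the relay is missing.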

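Jim's description above, joining the `User unknown` entry to the `relay=` entry of the same sendmail queue ID without a second pass over the log, as an added example that is not part of the original mail or of the logwatch sendmail script. It is written in Python rather than the script's Perl and runs against constructed sample lines (example.* hosts and RFC 5737 documentation addresses) in the form the script reads them, syslog prefix already removed. Beyond the patch it carries the per-queue-ID rejection count through to the report and prints a placeholder relay when no `from=` entry was seen for a queue ID; the `NO_RELAY` text and the `summarise`/`format_report` names are this example's own.

```python
"""Correlate sendmail 'User unknown' rejections with the relay= field of the
same queue ID in a single pass, then report them per user and per relay."""
import re
from collections import defaultdict

# Constructed sample input (not from the original mail). Each line is in the
# form the logwatch sendmail script receives it: queue ID first, syslog prefix
# already stripped. Hosts are example.* names and RFC 5737 addresses.
SAMPLE_LOG = """\
h0T0a1AB000101: <nobody@example.com>... User unknown
h0T0a1AB000101: from=<sender@example.org>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[192.0.2.20]
h0T0b2CD000102: <nobody@example.com>... User unknown
h0T0b2CD000102: <nobody@example.com>... User unknown
h0T0b2CD000102: from=<someone@example.net>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
h0T0b2CD000102: to=<valid@example.com>, delay=00:00:01, mailer=local, stat=Sent
h0T0c3EF000103: <nobody@example.com>... User unknown
h0T0c3EF000103: from=<other@example.org>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[192.0.2.20]
h0T0d4GH000104: <ghost@example.com>... User unknown
""".splitlines()

# The queue ID prefix every sendmail entry carries; it is the join key.
QUEUE_RE = re.compile(r"^([A-Za-z0-9]+): (.*)$")
# Envelope summary line: size, recipient count and the relay= field, which
# sendmail writes as "[ip]", "host [ip]" or a bare token.
FROM_RE = re.compile(
    r"^from=.*size=(\d+).*nrcpts=(\d+).*relay=(\[[0-9.]+\]|[^ ]* \[[0-9.]+\]|[^ ]+)"
)
UNKNOWN_RE = re.compile(r"^<([^ ]*)>\.\.\. User unknown$")

NO_RELAY = "(relay not logged)"   # placeholder chosen for this example


def summarise(lines):
    """One pass over the log; returns counters plus unknown users by relay."""
    relays = {}                                       # queue ID -> relay host
    unknown = defaultdict(lambda: defaultdict(int))   # user -> queue ID -> rejections
    msgs_sent = 0
    bytes_transferred = 0

    for raw in lines:
        m = QUEUE_RE.match(raw.rstrip("\n"))
        if not m:
            continue                                  # no queue ID, nothing to join on
        qid, rest = m.groups()

        fm = FROM_RE.match(rest)
        if fm:
            size, nrcpts, relay = fm.groups()
            if int(nrcpts) > 0:                       # nrcpts=0: every recipient rejected
                msgs_sent += 1
                bytes_transferred += int(size)
            relays[qid] = relay                       # keep the relay even when nrcpts=0
            continue

        um = UNKNOWN_RE.match(rest)
        if um:
            unknown[um.group(1)][qid] += 1            # resolved to a relay at report time

    # Report phase: the "User unknown" entry is logged before the from= entry of
    # the same queue ID, so the join has to wait until the whole log is read.
    per_user = {}
    for user, per_qid in unknown.items():
        by_relay = defaultdict(int)
        for qid, count in per_qid.items():
            by_relay[relays.get(qid, NO_RELAY)] += count   # keep every rejection
        per_user[user] = dict(by_relay)

    return {"msgs_sent": msgs_sent, "bytes_transferred": bytes_transferred,
            "unknown_users": per_user}


def format_report(summary):
    """Render the 'Unknown users' section in the layout shown in the mail."""
    out = ["Unknown users:"]
    for user in sorted(summary["unknown_users"]):
        out.append("")
        out.append(f"    {user}")
        for relay, count in sorted(summary["unknown_users"][user].items()):
            out.append(f"      from {relay}    {count} time(s).")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarise(SAMPLE_LOG)))
```

Running it on the sample shows the three shapes of the `relay=` field handled by the same regex as the patch, two queue IDs from the same address collapsing into one `from [192.0.2.20]    2 time(s).` row, and a queue ID whose `from=` line never arrived reported under the placeholder instead of an empty host name.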