[Logwatch] Re: [Logwatch-Devel] Postfix filter not matching certain log entries

Bob Hutchinson hutchlists at midwales.com
Mon Dec 13 03:25:04 MST 2004


On Monday 13 December 2004 09:48, Jerome Welsh wrote:
> Hi there,
>
> For a while now my logwatch has produced copious amounts of "unrecognized
> warning" and "unmatched entries" entries for postfix. I have looked around
> the internet and the logwatch mailing lists and found nothing helpful.
>
> Here are some samples:
>
> Unrecognized warning:
>     10.86.7.196.blackholes.mail-abuse.org: RBL lookup error: Host or domain name not found. Name service error for name=10.86.7.196.blackholes.mail-abuse.org type=A: Host not found, try again : 1 Time(s)
>     10.86.7.196.sbl.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=10.86.7.196.sbl.spamhaus.org type=A: Host not found, try again : 1 Time(s)
>     ...

10.86.7.196.sbl.spamhaus.org does not exist, you need to go through your 
postfix rbl configuration.

This is an example of logwatch doing its job ;-)

>
> **Unmatched Entries**
>
> NOQUEUE: reject: RCPT from wbar6.dal1-4-13-053-096.dsl-verizon.net[4.13.53.96]: 554 Service unavailable; Client host [4.13.53.96] blocked using dnsbl.njabl.org; from=<Velazquez at commtouch.com> to=<dereck at evalunet.com> proto=SMTP helo=<emailattachmentserver.com>
> NOQUEUE: reject: RCPT from unknown[165.194.70.109]: 554 Service unavailable; Client host [165.194.70.109] blocked using list.dsbl.org; http://dsbl.org/listing?165.194.70.109; from=<nell.carroll_fm at ccsg.tau.ac.il> to=<adrian at evalunet.co.za> proto=ESMTP helo=<gmcc.ab.ca>
> ...
>
> All the unrecognized entries are of the above 2 formats.

You need to look at the original log entries and find out why they are not
being picked up by the regular expressions below. For instance, the word
'reason' does not appear above and might be why this is not working.

Or post the relevant log entries here so someone with more knowledge of regex
can spot the problem, and check it against other people's postfix logs.

>
> The section of the filter script that I think should deal with these
> entries is as follows:
> ---snip---
>    } elsif ( ($Host,$Site,$Reason) = ($ThisLine =~ /reject: RCPT from ([^ ]*\[[^ ]*\]): 554 Service unavailable; (?:Client host )?\[[^ ]*\] blocked using ([^ ]*), reason: (.*);/)) {
>       $Temp = "$Host : $Reason";
>       $RejectRBL{$Site}{$Temp}++;
>       $RejectedRBL++;
>    } elsif ( ($Host,$Site) = ($ThisLine =~ /reject: RCPT from ([^ ]*\[[^ ]*\]): 554 Service unavailable; (?:Client host )?\[[^ ]*\] blocked using ([^ ]*);/)) {
>       $RejectRBL{$Site}{$Host}++;
>       $RejectedRBL++;
>    } elsif ( ($Host,$Site,$Reason) = ($ThisLine =~ /warning: ([^ ]*): RBL lookup error: Name service error for \d+\.\d+\.\d+\.\d+\.([^ ]*): (.*)$/)) {
>       $Temp = "$Host : $Reason";
>       $RBLError{$Site}{$Temp}++;
>       $ErrorRBL++;
> ---snip---
>
> I don't know Perl (I think that's the script language) so I can't entirely
> see why the unmatched entries occur, but I can see why the "RBL lookup
> error" warnings don't match. ("RBL lookup error: Name service error for"
> certainly won't match "RBL lookup error: Host or domain name not found.
> Name service error for")
>
> I am using logwatch 5.2.2-0 and I even checked out the latest logwatch cvs
> code and the above lines aren't different from 5.2.2 that I can see. I'm
> using postfix 1.1.12-1 (standard RedHat RPM).
>
> The strange thing is that it started to do this a month or more back,
> possibly after I upgraded logwatch using the package-updater 'yum' (I don't
> know what version logwatch was before). I'm fairly sure I previously got
> entries from logwatch summarising the blocked mails, which I would get if
> those entries actually matched.
>
> As far as I can tell this is not a configuration problem on my end. Surely
> it's not because of my postfix being too 'old' is it? I know there's a new
> version (2.1) available but I'm not in a position to upgrade (and besides,
> it's working fine).
>
> Can anyone shed any light on this at all?
>
> Thanks,
> /Jerome/

-- 
-----------------
Bob Hutchinson
Midwales dot com
-----------------
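
The check suggested in the reply above (hold the original log entries against the filter's regular expressions) can be done outside Logwatch with a small harness. This is an added example, not part of the original message or of Logwatch: it tries the three quoted patterns in the order of the elsif chain and prints which one matches first. The log lines are constructed from the samples in the message; the `classify` helper and the `rbl-error-relaxed` pattern are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not Logwatch code. Log lines are constructed from the samples
# quoted in the message; replace them with lines from your own mail log.
use strict;
use warnings;

# The three patterns from the quoted filter, in the order the elsif chain
# tries them, followed by one hypothetical relaxed variant.
my @patterns = (
    [ 'reject+reason', qr/reject: RCPT from ([^ ]*\[[^ ]*\]): 554 Service unavailable; (?:Client host )?\[[^ ]*\] blocked using ([^ ]*), reason: (.*);/ ],
    [ 'reject', qr/reject: RCPT from ([^ ]*\[[^ ]*\]): 554 Service unavailable; (?:Client host )?\[[^ ]*\] blocked using ([^ ]*);/ ],
    [ 'rbl-error', qr/warning: ([^ ]*): RBL lookup error: Name service error for \d+\.\d+\.\d+\.\d+\.([^ ]*): (.*)$/ ],
    # Hypothetical: also accepts the "Host or domain name not found." text,
    # the "name=" prefix and the " type=A" suffix seen in the sample warning.
    [ 'rbl-error-relaxed', qr/warning: ([^ ]*): RBL lookup error: (?:Host or domain name not found\. )?Name service error for (?:name=)?\d+\.\d+\.\d+\.\d+\.([^ ]*)(?: type=\w+)?: (.*)$/ ],
);

# Return the name of the first pattern that matches, plus its captures.
# Returns ('UNMATCHED') when no pattern matches, which is the case Logwatch
# reports under "Unmatched Entries".
sub classify {
    my ($line) = @_;
    for my $p (@patterns) {
        my ($name, $re) = @$p;
        if (my @caps = $line =~ $re) {
            return ($name, @caps);
        }
    }
    return ('UNMATCHED');
}

# Constructed sample lines (syslog prefix omitted, addresses are placeholders).
my @lines = (
    'NOQUEUE: reject: RCPT from unknown[165.194.70.109]: 554 Service unavailable; Client host [165.194.70.109] blocked using list.dsbl.org; http://dsbl.org/listing?165.194.70.109; from=<sender at example.com> to=<rcpt at example.org> proto=ESMTP helo=<host.example.net>',
    'warning: 10.86.7.196.sbl.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=10.86.7.196.sbl.spamhaus.org type=A: Host not found, try again',
    'warning: 10.86.7.196.sbl.spamhaus.org: RBL lookup error: Name service error for 10.86.7.196.sbl.spamhaus.org: Host not found, try again',
);

for my $line (@lines) {
    my ($name, @caps) = classify($line);
    printf "%-18s [%s]\n    %s\n", $name, join(' | ', @caps), $line;
}
```

A line reported as `rbl-error-relaxed` is one the quoted `rbl-error` pattern did not accept; a line reported as `UNMATCHED` is worth comparing character by character (whitespace included) with the raw entry in the mail log.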