[Logwatch] RE: Logwatch Digest, Vol 8, Issue 2

shadowplay.net shadowplay at shadowplay.net
Sun Nov 7 22:10:46 MST 2004



yeah the default for qmail is to run multilog...
you can however set up your qmail to run splogger which logs to 
the syslog mail system... 

however this would break things like... 
mrtg looking at your multilog output... etc.. 

just so you are aware... 

kenneth gf brown 
ceo shadowplay.net


> -----Original Message-----
> From: logwatch-bounces at logwatch.org 
> [mailto:logwatch-bounces at logwatch.org] On Behalf Of 
> logwatch-request at logwatch.org
> Sent: November 7, 2004 13:00
> To: logwatch at logwatch.org
> Subject: Logwatch Digest, Vol 8, Issue 2
> 
> 
> Send Logwatch mailing list submissions to
> 	logwatch at logwatch.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://www2.list.logwatch.org:81/lists/listinfo/logwatch
> or, via email, send a message with subject or body 'help' to
> 	logwatch-request at logwatch.org
> 
> You can reach the person managing the list at
> 	logwatch-owner at logwatch.org
> 
> When replying, please edit your Subject line so it is more 
> specific than "Re: Contents of Logwatch digest..."
> 
> 
> Today's Topics:
> 
>    1. qmail logs? (AleksCee)
>    2. Re: qmail logs? (Mike Tremaine)
>    3. Re: qmail logs? (AleksCee)
>    4. Re: qmail logs? (Mike Tremaine)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 07 Nov 2004 17:45:08 +0100
> From: "AleksCee" <AleksCee at gmx.de>
> Subject: [Logwatch] qmail logs?
> To: logwatch at logwatch.org
> Message-ID: <418E5F24.10712.1A19AAD at localhost>
> Content-Type: text/plain; charset=US-ASCII
> 
> Hello!
> 
> I'm new to the mailing list... and I have used logwatch for 3 months - it's 
> a very useful tool and I found a hacking attempt thanks to logwatch.
> 
> But I would like to scan my qmail messages too - the default config 
> of qmail writes the logs with a tai64n timestamp like 
> "@4000002342342342..." - does anyone of you have a script for logwatch to 
> handle these files?
> 
> THX, Alex - and sorry about my english.
> 
> -- 
> Please no TOFU!
> Info: http://palms-net.de/links/go_url.php?id=49
> 
> Every success one achieves makes us an enemy.
> One must be mediocre to be popular. (Oskar Wilde)
> 
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Sun, 07 Nov 2004 09:35:28 -0800
> From: Mike Tremaine <mgt at stellarcore.net>
> Subject: Re: [Logwatch] qmail logs?
> To: logwatch at logwatch.org
> Message-ID: <1099848927.2675.22.camel at dwarfstar.stellarcore.net>
> Content-Type: text/plain
> 
> On Sun, 2004-11-07 at 08:45, AleksCee wrote:
> > Hello!
> > 
> > I'm new to the mailing list... and I have used logwatch for 3 months - it's
> > a very useful tool and I found a hacking attempt thanks to logwatch.
> > 
> > But I would like to scan my qmail messages too - the default config
> > of qmail writes the logs with a tai64n timestamp like 
> > "@4000002342342342..." - does anyone of you have a script for logwatch to 
> > handle these files?
> 
> 
> Alex,
> 
>  There is a qmail filter in logwatch. I have no idea how good it is
> since I've never run qmail. But it should be giving you some output.
> 
> To check if it is working first check the conf file
> 
> /etc/log.d/conf/services/qmail.conf
> 
> Qmail is set to use maillog by default
> 
> # Which logfile group...
> LogFile = maillog
> 
> These settings are defined in 
> 
> /etc/log.d/conf/logfiles/maillog.conf
> 
> You can have multiple lines here like
> 
> LogFile = /var/log/qmaillogs
> LogFile = maillog
> 
> Once you have the configs pointed at your logfile you should be able to
> run
> 
> logwatch.pl --service qmail --print
> 
> And get just a report on qmail. If the output doesn't work with the logs
> that are made then someone needs to look at this service. If you post
> some raw logs that would help.
> 
> 
> Good Luck!
> 
> 
> 
> 
> 
> -- 
> Mike Tremaine
> mgt at stellarcore.net
> http://www.stellarcore.net
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Sun, 07 Nov 2004 19:06:02 +0100
> From: "AleksCee" <AleksCee at gmx.de>
> Subject: Re: [Logwatch] qmail logs?
> To: logwatch at logwatch.org
> Message-ID: <418E721A.15182.1EBAB9D at localhost>
> Content-Type: text/plain; charset=US-ASCII
> 
> Hello Mike Tremaine!
> 
> On Sunday, 7 November 2004
>  at 9:35 you wrote the following:
> 
> > Alex,
> > 
> >  There is a qmail filter in logwatch. I have no idea how good it is
> > since I've never run qmail. But it should be giving you some output.
> > 
> > To check if it is working first check the conf file
> 
> The log files I have configured - the problem seems to be the time 
> format.... logwatch doesn't find the date it is looking for.... :-(
> 
> > Once you have the configs pointed at your logfile you should be able to
> > run
> > 
> > logwatch.pl --service qmail --print
> > 
> > And get just a report on qmail. If the output doesn't work with the logs
> > that are made then someone needs to look at this service. If you post
> > some raw logs that would help.
> 
> The files look like that:
> 
> @40000000418d88d31a250fd4 new msg 1507432
> @40000000418d88d31a252b2c info msg 1507432: bytes 1684 from <??????@?????> qp 18851 uid 60000
> @40000000418d88d31a72512c starting delivery 3232: msg 1507432 to remote ????@????
> @40000000418d88d31a726c84 status: local 1/10 remote 1/20
> @40000000418d88d31a72706c delivery 3231: success: did_0+1+0/qp_18851/
> 
> 
> But logwatch searches only for dates like in apache logs and the normal 
> dd.mm.yyyy format....
> 
> thx, Alex
> 
> -- 
> Please no TOFU!
> Info: http://palms-net.de/links/go_url.php?id=49
> 
> Three wishes
> -the serenity to accept everything that cannot be changed
> -the strength to change what can no longer be endured
> -and the wisdom to distinguish the one from the other.
> 
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Sun, 07 Nov 2004 10:33:00 -0800
> From: Mike Tremaine <mgt at stellarcore.net>
> Subject: Re: [Logwatch] qmail logs?
> To: logwatch at logwatch.org
> Message-ID: <1099852380.2675.31.camel at dwarfstar.stellarcore.net>
> Content-Type: text/plain
> 
> On Sun, 2004-11-07 at 10:06, AleksCee wrote:
> 
> > The log files I have configured - the problem seems to be the time
> > format.... logwatch doesn't find the date it is looking for.... :-(
> > 
> > The files look like that:
> > 
> > @40000000418d88d31a250fd4 new msg 1507432
> > @40000000418d88d31a252b2c info msg 1507432: bytes 1684 from <??????@?????> qp 18851 uid 60000
> > @40000000418d88d31a72512c starting delivery 3232: msg 1507432 to remote ????@????
> > @40000000418d88d31a726c84 status: local 1/10 remote 1/20
> > @40000000418d88d31a72706c delivery 3231: success: did_0+1+0/qp_18851/
> > 
> > 
> > But logwatch searches only for dates like in apache logs and the normal 
> > dd.mm.yyyy format....
> > 
> > thx, Alex
> 
> Obviously there is some trick to setting this up right.  I read this
> somewhat "sharp" review of qmail logging.
> 
> http://www.loganalysis.org/sections/syslog/syslog-replacements/saxe-multilog.html

Which seems to suggest that you may be able to configure qmail to use
syslog or convert the logs after the fact with tai64nlocal..

You might try "logwatch.pl --range All --service qmail --print" to see
if you can get anything at all [that should ignore the date]. But since
the timestamp is so alien to logwatch I suspect that will fail also.

If you run the log through tai64nlocal first and then logwatch you might
get it to work. In this case make a new file entry in qmail.conf which
points at the output of the conversion script.

This is my best guess, Kirk or someone else who has run qmail may have
better suggestions.



-- 
Mike Tremaine
mgt at stellarcore.net
http://www.stellarcore.net



------------------------------



End of Logwatch Digest, Vol 8, Issue 2
**************************************


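The conversion discussed in the thread (turning multilog's tai64n labels into dates a date-based log scanner can match), shown as an added example that is not part of the original messages and is not logwatch or daemontools code. The function names are hypothetical, the output is UTC rather than local time, and the fixed 10-second TAI-UTC offset is an assumption noted in the code.

```python
import re
from datetime import datetime, timezone

# TAI64N label: '@', 16 hex digits of seconds (biased by 2**62),
# then 8 hex digits of nanoseconds.
LABEL = re.compile(r"^@([0-9a-fA-F]{16})([0-9a-fA-F]{8})(?=\s|$)")
TAI_BIAS = 2 ** 62
# Assumption: a fixed 10 s TAI-UTC offset, with no leap-second table.
TAI_UTC_OFFSET = 10


def parse_tai64n(text):
    """Return (unix_seconds, nanoseconds) for a label at the start of text."""
    m = LABEL.match(text)
    if not m:
        raise ValueError("no TAI64N label at start of line")
    secs = int(m.group(1), 16) - TAI_BIAS - TAI_UTC_OFFSET
    nanos = int(m.group(2), 16)
    if secs < 0 or nanos >= 10 ** 9:
        raise ValueError("TAI64N label out of range")
    return secs, nanos


def convert_line(line):
    """Replace a leading label with 'YYYY-MM-DD HH:MM:SS.nnnnnnnnn' (UTC).

    Lines without a valid label (wrapped continuations, garbage) pass
    through unchanged so no log data is lost.
    """
    try:
        secs, nanos = parse_tai64n(line)
    except ValueError:
        return line
    stamp = datetime.fromtimestamp(secs, tz=timezone.utc)
    return f"{stamp:%Y-%m-%d %H:%M:%S}.{nanos:09d}{line[25:]}"


# Sample input: the log lines quoted in the thread, unwrapped.
SAMPLE = [
    "@40000000418d88d31a250fd4 new msg 1507432",
    "@40000000418d88d31a252b2c info msg 1507432: bytes 1684 from <??????@?????> qp 18851 uid 60000",
    "@40000000418d88d31a726c84 status: local 1/10 remote 1/20",
    "@40000000418d88d31a72706c delivery 3231: success: did_0+1+0/qp_18851/",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(convert_line(raw))
```
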