./PaxHeaders.19046/logwatch-7.4.20000644000000000000000000000013212664334617013170 xustar0030 mtime=1456585103.239363765 30 atime=1456586568.748190978 30 ctime=1456586568.748190978 ./logwatch-7.4.2/0000755000175000001440000000000012664334617014341 5ustar00generalusers00000000000000./logwatch-7.4.2/PaxHeaders.19046/override.conf.50000644000000000000000000000013212664334617016076 xustar0030 mtime=1456585103.143364225 30 atime=1456586568.748190978 30 ctime=1456586568.748190978 ./logwatch-7.4.2/override.conf.50000644000175000001440000000003112664334617017164 0ustar00generalusers00000000000000.so man5/logwatch.conf.5 ./logwatch-7.4.2/PaxHeaders.19046/scripts0000644000000000000000000000013212664334617014657 xustar0030 mtime=1456585103.219363861 30 atime=1456586568.768190878 30 ctime=1456586568.768190878 ./logwatch-7.4.2/scripts/0000755000175000001440000000000012664334617016030 5ustar00generalusers00000000000000./logwatch-7.4.2/scripts/PaxHeaders.19046/services0000644000000000000000000000013212664334617016502 xustar0030 mtime=1456585103.203363937 30 atime=1456586568.792190759 30 ctime=1456586568.792190759 ./logwatch-7.4.2/scripts/services/0000755000175000001440000000000012664334617017653 5ustar00generalusers00000000000000./logwatch-7.4.2/scripts/services/PaxHeaders.19046/pam0000644000000000000000000000013212664334617017257 xustar0030 mtime=1456585103.195363976 30 atime=1456586568.780190819 30 ctime=1456586568.780190819 ./logwatch-7.4.2/scripts/services/pam0000755000175000001440000000361512664334617020363 0ustar00generalusers00000000000000 ########################################################################## # $Id: pam 150 2013-06-18 22:19:38Z mtremaine $ ########################################################################## ##################################################### ## Copyright (c) 2008 Kirk Bauer ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; while (defined($ThisLine = )) { if ( ( $ThisLine =~ /^pam_get_user: no username obtained$/ ) or ( $ThisLine =~ /^pam_end: NULL pam handle passed/ ) ) { # We don't care about these } elsif ( $ThisLine =~ s/^FAILED LOGIN SESSION FROM ([^ ]+) FOR .*$/$1/ ) { $FailedLogins{$ThisLine}++; } else { # Report any unmatched entries... push @OtherList,$ThisLine; } } if ( (keys %FailedLogins) and ($Detail >= 10) ) { print "\nFailed Login Sessions:\n"; foreach $ThisOne (keys %FailedLogins) { print " " . $FailedLogins{$ThisOne} . " from " . $ThisOne; } } if ($#OtherList >= 0) { print "\n**Unmatched Entries**\n"; print @OtherList; } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/up2date0000644000000000000000000000013212664334617020046 xustar0030 mtime=1456585103.175364072 30 atime=1456586568.792190759 30 ctime=1456586568.792190759 ./logwatch-7.4.2/scripts/services/up2date0000755000175000001440000001150612664334617021150 0ustar00generalusers00000000000000 ########################################################################## # $Id: up2date 150 2013-06-18 22:19:38Z mtremaine $ ########################################################################## ######################################################## # This was written and is maintained by: # Eric Moret # # Please send all comments, suggestions, bug reports, # etc, to eric.moret@epita.fr. ######################################################## ####################################################### ## Copyright (c) 2008 Eric Moret ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### $Debug = $ENV{'LOGWATCH_DEBUG'} || 0; #$Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; if ( $Debug >= 5 ) { print STDERR "\n\nDEBUG: Inside up2date Filter \n\n"; $DebugCounter = 1; } while (defined($ThisLine = )) { if ( $Debug >= 5 ) { print STDERR "DEBUG($DebugCounter): $ThisLine"; $DebugCounter++; } if ( ( $ThisLine =~ /^updating login info$/ ) or ( $ThisLine =~ /^updateLoginInfo\(\) login info$/ ) or ( $ThisLine =~ /^Opening rpmdb in \/var\/lib\/rpm\/ with option .$/ ) or ( $ThisLine =~ /^successfully retrieved authentication token from up2date server$/ ) or ( $ThisLine =~ /^(getA|a)vailablePackageList from network$/ ) or ( $ThisLine =~ /^getAdvisoryInfo for / ) or ( $ThisLine =~ /^logging into up2date server$/ ) or ( $ThisLine =~ /^A socket error occurred/ ) or ( $ThisLine =~ /^new up2date run started/ ) or ( $ThisLine =~ /^Creating rollback packages\.\.\./ ) or ( $ThisLine =~ /^Updating transaction list/ ) or ( $ThisLine =~ /^A protocol error occurred/ ) or ( $ThisLine =~ /^Error communicating with server\.\s+The message was:$/ ) or ( $ThisLine =~ /^Updating package profile/) or ( $ThisLine =~ /^Unable to import repomd/) or ( $ThisLine =~ /^deleting \/var\/spool\/up2date\// ) or ( $ThisLine =~ /^solving dep for: \[('.*')*\]/) or ( $ThisLine =~ /^Adding [^ ]* to bootloader config/) or ( $ThisLine =~ /^Modifying bootloader config to include the new kernel info/) or ( $ThisLine =~ /rhn_register $/) or ( $ThisLine =~ /rhn_register Registered login info/) or ( $ThisLine =~ /rhn_register Wrote system id to disk/) or ( $ThisLine =~ /rhn_register Sent package list./) or ( $ThisLine =~ /rhn_register updating login info/) or ( $ThisLine =~ /rhn_register Sent hardware profile./) or ( $ThisLine =~ /rhn_register logging into up2date server/) or ( $ThisLine =~ /rhn_register successfully retrieved authentication token from up2date server/) or ( $ThisLine =~ /rhn_register An exception was raised causing login to fail. This is usually correct. Exception information:/) or ( $ThisLine =~ /^Running elilo with the new configuration/) ) { # We don't care about these } elsif ( $ThisLine =~ s/^installing packages: ([^ ]+)/$1/ ) { $PackageInstalled{$ThisLine}++; } elsif ( $ThisLine =~ s/^Adding packages to package profile: ([^ ]+)/$1/ ) { $PackageAddedToProfile{$ThisLine}++; } elsif ( $ThisLine =~ s/^Removing packages from package profile: ([^ ]+)/$1/ ) { $PackageRemovedFromProfile{$ThisLine}++; } elsif ( $ThisLine =~ /rhn_register Registered system./) { $RHNRegistration++; } else { # Report any unmatched entries... push @OtherList,$ThisLine; } } if (keys %PackageInstalled) { print "\nPackage Installed:\n"; foreach $ThisOne (keys %PackageInstalled) { print " " . $ThisOne; } } if (keys %PackageAddedToProfile) { print "\nPackage Added To Profile:\n"; foreach $ThisOne (keys %PackageAddedToProfile) { print " " . $ThisOne; } } if (keys %PackageRemovedFromProfile) { print "\nPackage Removed From Profile:\n"; foreach $ThisOne (keys %PackageRemovedFromProfile) { print " ". $ThisOne; } } if ($RHNRegistration) { print "\nSystem registred to rhn " . $RHNRegistration . " time(s)\n"; } if ($#OtherList >= 0) { print "\n**Unmatched Entries**\n"; print @OtherList; } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/mysql0000644000000000000000000000013212664334617017647 xustar0030 mtime=1456585103.203363937 30 atime=1456586568.776190839 30 ctime=1456586568.776190839 ./logwatch-7.4.2/scripts/services/mysql0000644000175000001440000001100512664334617020740 0ustar00generalusers00000000000000# # Processes all messages and summarizes them # Each message is given with a timestamp and RMS # ######################################################## ## Copyright (c) 2006 by Jeremias Reith ## Modified 2009 by Michael Baierl ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### use strict; use Logwatch ':dates'; use Time::Local; use POSIX qw(strftime); my $date_format = '%y%m%d %H:%M:%S'; my $filter = TimeFilter($date_format); my $detail = exists $ENV{'LOGWATCH_DETAIL_LEVEL'} ? $ENV{'LOGWATCH_DETAIL_LEVEL'} : 0; # we do not use any Date:: package (or strptime) as they are probably not available my %month2num = ( Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4, Jun => 5, Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11 ); # array of message categories (we do not use a hash to keep the order) # first element: catorory name # second element: matching regexp ($1 should contain the message) # third element: anonymous hash ref (stores message counts) my @message_categories = (['Errors', qr/\[ERROR\] (.*)$/o, {}], ['Note', qr/\[Note\] (.*)$/o, {}], ['Warnings', qr/\[Warning] (.*)$/o, {}], ['Other', qr/(.*)$/o, {}]); # counting messages while(<>) { my $line = $_; # skipping messages that are not within the requested range next unless $line =~ /^($filter)/o; $1 =~ /(\d\d)(\d\d)(\d\d)\s+(\d+):(\d+):(\d+)/; my $time; { # timelocal is quite chatty local $SIG{'__WARN__'} = sub {}; $time = timelocal($6, $5, $4, $3, $2-1, $1); } # Count lines with increasing number as one: # [Warning] Aborted connection 107194 to db: ... $line =~ s/(Aborted connection) \d+ (to db)/$1 $2/; foreach my $cur_cat (@message_categories) { if($line =~ /$cur_cat->[1]/) { my $msgs = $cur_cat->[2]; $msgs->{$1} = {count => '0', first_occurrence => $time, sum => 0, sqrsum => 0} unless exists $msgs->{$1}; $msgs->{$1}->{'count'}++; # summing up timestamps and squares of timestamps # in order to calculate the rms # using first occurrence of message as offset in calculation to # prevent an integer overflow $msgs->{$1}->{'sum'} += $time - $msgs->{$1}->{'first_occurrence'}; $msgs->{$1}->{'sqrsum'} += ($time - $msgs->{$1}->{'first_occurrence'}) ** 2; last; } } } # generating summary foreach my $cur_cat (@message_categories) { # skipping non-requested message types next unless keys %{$cur_cat->[2]}; my ($name, undef, $msgs) = @{$cur_cat}; print $name, ":\n"; my $last_count = 0; # sorting messages by count my @sorted_msgs = sort { $msgs->{$b}->{'count'} <=> $msgs->{$a}->{'count'} } keys %{$msgs}; foreach my $msg (@sorted_msgs) { # grouping messages by number of occurrence print "\n", $msgs->{$msg}->{'count'}, " times:\n" unless $last_count == $msgs->{$msg}->{'count'}; my $rms = 0; # printing timestamp print '['; if($msgs->{$msg}->{'count'} > 1) { # calculating rms $rms = int(sqrt( ($msgs->{$msg}->{'count'} * $msgs->{$msg}->{'sqrsum'} - $msgs->{$msg}->{'sum'}) / ($msgs->{$msg}->{'count'} * ($msgs->{$msg}->{'count'} - 1)))); print strftime($date_format, localtime($msgs->{$msg}->{'first_occurrence'}+int($rms/2))); print ' +/-'; # printing rms if($rms > 86400) { print int($rms/86400) , ' day(s)'; } elsif($rms > 3600) { print int($rms/3600) , ' hour(s)'; } elsif($rms > 60) { print int($rms/60) , ' minute(s)'; } else { print $rms, ' seconds'; } } else { # we have got this message a single time print strftime($date_format, localtime($msgs->{$msg}->{'first_occurrence'})); } print '] ', $msg, "\n"; $last_count = $msgs->{$msg}->{'count'}; } print "\n"; } # vi: shiftwidth=3 tabstop=3 et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/sssd0000644000000000000000000000013212664334617017456 xustar0030 mtime=1456585103.203363937 30 atime=1456586568.788190779 30 ctime=1456586568.788190779 ./logwatch-7.4.2/scripts/services/sssd0000755000175000001440000000467712664334617020573 0ustar00generalusers00000000000000######################################################## ## Copyright (c) 2014 Orion Poplawski ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### use strict; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my %Errors; my %Starts; my %Stops; my %OtherList; # Lines are of the form: # sssd[service]: while (defined(my $ThisLine = )) { chomp($ThisLine); # Strip off and record the service, set to Daemon if none $ThisLine =~ s/sssd\[([^:]+)\]: //; my $Service = defined($1) ? $1 : "Daemon"; if ($ThisLine =~ /^Starting up/) { $Starts{$Service}++; } elsif ($ThisLine =~ /^Shutting down/) { $Stops{$Service}++; } elsif ($ThisLine =~ /error/i) { $Errors{$Service}->{$ThisLine}++; } else { $OtherList{"$Service: $ThisLine"}++; } } if (keys %Errors) { print "\nSSSD ERRORS:\n"; foreach my $Service (sort {$a cmp $b} keys %Errors) { print " $Service:\n"; foreach my $Error (sort {$a cmp $b} keys %{$Errors{$Service}}) { print " $Error: " . $Errors{$Service}->{$Error} . " Time(s)\n"; } } } if (keys %Starts and $Detail) { print "\nSSSD Services Started:\n"; foreach my $Service (sort {$a cmp $b} keys %Starts) { print " $Service: " . $Starts{$Service} . " Time(s)\n"; } } if (keys %Stops and $Detail) { print "\nSSSD Services Stopped:\n"; foreach my $Service (sort {$a cmp $b} keys %Stops) { print " $Service: " . $Stops{$Service} . " Time(s)\n"; } } if (keys %OtherList) { print "\n\n**Unmatched Entries**\n"; foreach my $line (sort {$a cmp $b} keys %OtherList) { print " $line: $OtherList{$line} Time(s)\n"; } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/xntpd0000644000000000000000000000013212664334617017637 xustar0030 mtime=1456585103.199363957 30 atime=1456586568.792190759 30 ctime=1456586568.792190759 ./logwatch-7.4.2/scripts/services/xntpd0000644000175000001440000002117512664334617020741 0ustar00generalusers00000000000000 ########################################################################## # $Id: xntpd 251 2014-09-25 18:30:37Z opoplawski $ ########################################################################## ######################################################## # This was written and is maintained by: # David Baldwin # # Heavily based on sshd script # # Please send all comments, suggestions, bug reports, # etc, to david.baldwin@anu.edu.au. ######################################################## ####################################################### ## Copyright (c) 2008 David Baldwin ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### use strict; use Logwatch ':all'; my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my $DebugCounter = 0; my $Starts = 0; my $Kills = 0; my $SyncLost = 0; my (@TimeReset,%Interfaces,%Syncs,%TwoInst,%Errors,%OtherList); my %ConfErrs; my %Operations; # No sense in running if 'xntpd' doesn't even exist on this system... unless (( -f "/usr/sbin/ntpd" ) or ( -f "/usr/local/sbin/ntpd") or ( -f "/usr/lib/inet/xntpd") or ( -f "/usr/lib/inet/ntpd" ) ) { if ( $Debug >= 5 ) { print STDERR "\n\nDEBUG: Exiting XNTPD Filter - no ntpd binary on system\n\n"; } exit (0); } if ( $Debug >= 5 ) { print STDERR "\n\nDEBUG: Inside XNTPD Filter \n\n"; $DebugCounter = 1; } while (defined(my $ThisLine = )) { if ( $Debug >= 5 ) { print STDERR "DEBUG($DebugCounter): $ThisLine"; $DebugCounter++; } chomp($ThisLine); if ( ($ThisLine =~ m/tickadj = /) or # startup ($ThisLine =~ m/precision = /) or # startup ($ThisLine =~ m/ (succeeded|failed)/) or # startup ($ThisLine =~ m/sendto\(\S+\): Success/) or # startup ($ThisLine =~ m/kernel time (discipline|sync) status/) or # startup ($ThisLine =~ m/kernel time sync (dis|en)abled /) or # startup ($ThisLine =~ m/frequency initialized/) or # startup ($ThisLine =~ m/using kernel phase-lock loop/) or # startup ($ThisLine =~ m/0\.0\.0\.0 [[:xdigit:]]{4} [[:xdigit:]]{2} /) or # startup ($ThisLine =~ m/select([^\)]) error: Interrupted system call/) or ($ThisLine =~ m/signal_no_reset: signal \d+ had flags \d+/) or ($ThisLine =~ /Deleting interface \#[0-9]+ [^,]*, [^,]*, interface stats: received=.*, sent=.*, dropped=.*, active_time=.* secs/) or ($ThisLine =~ /Invalid argument/) or ($ThisLine =~ /Listening on interface .* Disabled/) or ($ThisLine =~ /Listen and drop on /) or ($ThisLine =~ /Listening on routing socket on/) or ($ThisLine =~ /.* interface .* -> \(null\)/) or ($ThisLine =~ /Deferring DNS for/) or ($ThisLine =~ /ntp_io: estimated max descriptors: \d*, initial socket boundary: \d*/) or ($ThisLine =~ /peers refreshed$/) or ($ThisLine =~ /restrict: error in address/) or ($ThisLine =~ /syntax error in .+ line \d+, column \d+$/) ) { # Ignore these } elsif ($ThisLine =~ m/ntpd [\d\-\.\w@]+ ... ... .. ..:..:.. /) { $Starts++; } elsif ($ThisLine =~ m/ntpd exiting on signal/) { $Kills++; } elsif ($ThisLine =~ m/synchronisation lost/) { $SyncLost++; } elsif ( my (undef,$TimeStep) = ($ThisLine =~ /time reset(| \(step\)) ([^ ]+) s$/ )) { push @TimeReset, $TimeStep; } elsif ( my (undef,$TimeStep) = ($ThisLine =~ /(step|adjust) time server [^ ]+ offset ([^ ]+) sec$/ )) { push @TimeReset, $TimeStep; } elsif ( my ($TimeStep) = ($ThisLine =~ /adjusting local clock by ([^ ]+)s$/ )) { # Jacob Joseph (12/8/06) push @TimeReset, $TimeStep; # MEv start no leadin to line } elsif ( my (undef,$TimeStep) = ($ThisLine =~ /(offset) ([^ ]+) sec/ )) { push @TimeReset, $TimeStep; # MEv end no leadin to line } elsif ( my ($ListenOn) = ($ThisLine =~ /Listening on interface(?: #\d+)? (.*)(?: Enabled)?/ )) { $Interfaces{$ListenOn}++; } elsif ( my ($ListenOn) = ($ThisLine =~ /Listen normally on \d+ (.*)/ )) { $Interfaces{$ListenOn}++; } elsif ( my ($SyncTo,$Stratum) = ($ThisLine =~ /synchronized to ([^ ]+), stratum[ =]([^ ]+)/ )) { my $name = $SyncTo; if ($Detail > 5 && $SyncTo =~ m/^[\d.]+$/) { $name = LookupIP($SyncTo); } $name .= " stratum " . $Stratum; $Syncs{$name}++; } elsif ( my ($Host) = ($ThisLine =~ /two instances of default interface for ([^ ]+) in hash table$/ )) { if ($Debug >= 5) { print STDERR "DEBUG: Found -$1 two instances of default interface\n"; } my $name = LookupIP($Host); $TwoInst{$name}++; } elsif ( my ($Error) = ($ThisLine =~ /(no server(s reachable| suitable for synchronization found))/ )) { $Errors{$Error}++; } elsif ( my ($Error) = ($ThisLine =~ /([Cc]an't find host \S+|no servers can be used, exiting)/ )) { $Errors{$Error}++; } elsif ( my ($Error) = ($ThisLine =~ /(sendto\(\S+\): Network is unreachable)/ )) { $Errors{$Error}++; } elsif ( my ($Error) = ($ThisLine =~ /(getaddrinfo: "\S+" invalid host address, ignored)/ )) { $Errors{$Error}++; } elsif ( my ($Error) = ($ThisLine =~ /(frequency error \d+ PPM exceeds tolerance \d+ PPM)/ )) { $Errors{$Error}++; } elsif ( my ($ConfErr) = ($ThisLine =~ /configure: (keyword "[^"]*" unknown, line ignored)/ )) { $ConfErrs{$ConfErr}++; } elsif ( my ($ConfErr) = ($ThisLine =~ /line \d+ column \d+ syntax error, (.+)$/ )) { $ConfErrs{$ConfErr}++; } elsif ( my ($StepTime) = ($ThisLine =~ /(.*:) Operation not permitted/) ) { $Operations{$StepTime}++ } else { # Report any unmatched entries... $OtherList{$ThisLine} += 1; } } ########################################################### if ($Kills) { print "\nXNTPD Killed: " . $Kills . " Time(s)\n"; } if ($Starts) { print "\nXNTPD Started: " . $Starts . " Time(s)\n"; } if ($SyncLost) { print "\nSync lost: " . $SyncLost . " Time(s)\n"; } if (@TimeReset > 0) { if ($Detail > 5) { print "\nTime Reset\n"; print map " time stepped $_\n",@TimeReset; } my $t = 0; $t += $_ foreach @TimeReset; printf "\nTime Reset ".(@TimeReset)." times (total: %.6f s average: %.6f s)\n", $t, $t/(@TimeReset); } if (keys %Interfaces) { my $t = 0; my $lt = 0; print "\nListening on interfaces:\n" if ($Detail > 5); foreach my $i (keys %Interfaces) { print " $i - $Interfaces{$i} times\n" if ($Detail > 5); unless ($i =~ m/^(wildcard|v[46]wildcard|lo)/) { $lt++; } $t++; } print "\nTotal interfaces: $t (non-local: $lt)\n"; } if (keys %Syncs) { my $t = 0; my $ht = 0; print "\nSynchronized to:\n" if ($Detail > 5); foreach my $h (keys %Syncs) { $ht++; $t += $Syncs{$h}; print " $h - $Syncs{$h} times\n" if ($Detail > 5); } print "\nTotal synchronizations $t (hosts: $ht)\n"; } if (keys %TwoInst) { print "\nTwo instances error\n"; foreach my $h (keys %TwoInst) { print " $h - $TwoInst{$h} times\n"; } } if (keys %Errors) { print "\nErrors\n"; print " $_: $Errors{$_} time(s)\n" foreach sort keys %Errors; } if (keys %ConfErrs) { print "\nErrors in configuration file:\n"; foreach my $k (keys %ConfErrs) { print " $k ". $ConfErrs{$k} . " time(s)\n"; } } if (keys %Operations) { print "\nOperations not permitted\n"; foreach my $o (keys %Operations) { print " $o ". $Operations{$o} . " time(s)\n"; } print "\n The clock on a VPS is inherited from the clock on the\n"; print " hardware node, therefore the ntp-service must be run on\n"; print " the hardware node, and not the VPS.\n"; } if (keys %OtherList) { print "\n**Unmatched Entries**\n"; print " $_: $OtherList{$_} time(s)\n" foreach keys %OtherList; } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/pound0000644000000000000000000000012612664334617017632 xustar0030 mtime=1456585103.187364015 28 atime=1456586568.7841908 28 ctime=1456586568.7841908 ./logwatch-7.4.2/scripts/services/pound0000755000175000001440000000705612664334617020736 0ustar00generalusers00000000000000########################################################################## # $Id: pound 150 2013-06-18 22:19:38Z mtremaine $ ########################################################################## ######################################################## # This was written and is maintained by: # luuk - luuk@planet.nl # # Please send all comments, suggestions, bug reports, # etc, to luuk@planet.nl. # ######################################################## ####################################################### ## Copyright (c) 2008 Kirk Bauer ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### $Debug = $ENV{'LOGWATCH_DEBUG'}; $DoLookup = $ENV{'pound_ip_lookup'}; $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; $DoLookup = 1; sub LookupIP { my ($name, $a1, $a2,$a3,$a4,$PackedAddr,$Addr); $Addr = $_[0]; ($a1,$a2,$a3,$a4) = split /\./,$Addr; $PackedAddr = pack('C4',$a1,$a2,$a3,$a4); if ($DoLookup) { if ($name = gethostbyaddr ($PackedAddr,2)) { return ($name . " (" . $Addr . ")"); } else { return ($Addr); } } else { return ($Addr); } } if ( $Debug >= 5 ) { print STDERR "\n\nDEBUG: Inside Pound Filter \n\n"; } while (defined($ThisLine = )) { chomp($ThisLine); if ($ThisLine =~ /error read from ([\d|\.]+): Succes/) { $error{'read'}{$1}++; } elsif ($ThisLine =~ /([\d|\.]+) \w+ \S+ \S+ - \S+ 301 Unauthorized/) { $error{'unauthorized'}{$1}++; } elsif ($ThisLine =~ /([\d|\.]+) \w+ \/exchange\/([\w|\.]+)\/.* \S+/) { $user{$1}{$2}++; } elsif ($ThisLine =~ /([\d|\.]+) \w+ \/.* (\d\d\d .*?)$/) { $tmphost = $1; $tmpcode = $2; $ip{$tmphost}{'total'}++; $ip{$tmphost}{$tmpcode}++; } else { # Report any unmatched entries... $OtherList{$ThisLine}++; } } if ( ( $Detail >= 5 ) and (keys %user) ) { print "\nUsage by user:\n"; foreach $host (keys %user) { $rhost = LookupIP($host); print " $rhost:\n"; foreach $usr (keys %{$user{$host}}) { print " $usr: $user{$host}{$usr}\n"; } } } if ( ( $Detail >= 10 ) and (keys %ip) ) { print "\nUsage by host:\n"; foreach $host (keys %ip) { $rhost = LookupIP($host); print " $rhost: $ip{$host}{'total'}\n"; foreach $code (keys %{$ip{$host}}) { print " $code: $ip{$host}{$code}\n" if ($code ne 'total'); } } } if ( ( $Detail >= 5 ) and (keys %error) ) { print "\nError read from - Succes message:\n"; foreach $host (keys %{$error{'read'}}) { $rhost = LookupIP($host); print " $rhost: $error{'read'}{$host} \n"; } } if (keys %OtherList) { print "\n**Unmatched Entries**\n"; foreach $line (sort {$a cmp $b} keys %OtherList) { print " $line: $OtherList{$line} Time(s)\n"; } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/audit0000644000000000000000000000013212664334617017610 xustar0030 mtime=1456585103.159364149 30 atime=1456586568.768190878 30 ctime=1456586568.768190878 ./logwatch-7.4.2/scripts/services/audit0000644000175000001440000003716712664334617020722 0ustar00generalusers00000000000000 ########################################################################## # $Id: audit 328 2016-02-20 21:59:52Z stefjakobs $ ########################################################################## # $Log: audit,v $ # Revision 1.15 2009/02/20 17:59:47 mike # Patch from Ivan Varekova -mgt # # Revision 1.14 2008/05/04 14:15:39 mike # Parsing of logw lines fedora bug #440534 -mgt # # Revision 1.13 2008/03/25 14:41:58 kirk # updated copyright to Ron Kuris # # Revision 1.12 2008/03/24 23:31:26 kirk # added copyright/license notice to each script # # Revision 1.11 2007/07/18 18:22:45 bjorn # Additional filtering, by Ivana Varekova. # # Revision 1.10 2007/02/16 03:25:17 bjorn # Don't test for selinux, and filter "Started dispatcher", by Ivana Varekova. # # Revision 1.9 2006/12/20 15:25:09 bjorn # Additional filtering, by Ivana Varekova. # # Revision 1.8 2006/09/15 15:40:58 bjorn # Additional filtering by Ivana Varekova. # # Revision 1.7 2006/08/23 22:54:04 bjorn # Filtering additional informational messages, by Marcela Maslanova. # # Revision 1.6 2006/03/20 20:42:57 bjorn # Additional filtering, by Ivana Varekova. # # Revision 1.5 2005/12/06 02:36:35 bjorn # Report low disk space, by Ivana Varekova. # # Revision 1.4 2005/10/26 05:52:12 bjorn # Filtering modifications by Ivana Varekova # # Revision 1.3 2005/10/01 19:09:07 bjorn # Extensive modifications by Ivana Varekova # # Revision 1.2 2005/06/07 18:43:32 bjorn # Limiting number of unmatched statement # # Revision 1.1 2005/05/04 15:56:13 bjorn # Audit (for selinux) submitted by Ron Kuris # ########################################################################## ######################################################## # selinux audit log summaries # # This was written and is maintained by: # Ron Kuris # # Please send all comments, suggestions, bug reports, # etc, to logwatch-devel@lists.sourceforge.net ######################################################## ######################################################## ## (c) 2006,2008 Ron Kuris ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### use strict; use Logwatch ':all'; my (%denials, %grants, %loads); my @OtherList; my $othercount = 0; my $Debug = ($ENV{'LOGWATCH_DEBUG'} || 0); my $Detail = ($ENV{'LOGWATCH_DETAIL_LEVEL'} || 0); my $NumberOfInits = 0; my $NumberOfDStarts = 0; my $NumberOfDStartsPid = 0; my $NumberOfDStops = 0; my $NumberOfDdStarts = 0; my $NumberOfDdStops = 0; my $NumberOfAllowedMessages = 0; my $NumberOfLostMessages = 0; my %InvalidContext = (); my %BugLog = (); my $UELimit = 100; my $ThisLine; my %Warning = (); my %AuditctlStatus = (); print STDERR "\n\nDEBUG: Inside audit filter\n\n" if ( $Debug >= 5 ); while ($ThisLine = ) { chomp($ThisLine); # Remove timestamp if present $ThisLine =~ s/^\[\s*\d+\.\d+\]\s*//; if (( $ThisLine =~ /initializing netlink (socket|subsys) \(disabled\)/) or ( $ThisLine =~ /audit_pid=[0-9]* old=[0-9]*(?: by auid=[0-9]*)?/) or ( $ThisLine =~ /(arch=[0-9]+ )?syscall=[0-9]+ (success=(no|yes) )?exit=[0-9-]+( a[0-3]=[0-9a-f]+)* items=[0-9]+ (ppid=[0-9]+ )?pid=[0-9]+ (loginuid=[0-9-]+ )?(auid=[0-9]+ )?uid=[0-9]+ gid=[0-9]+ euid=[0-9]+ suid=[0-9]+ fsuid=[0-9]+ egid=[0-9]+ sgid=[0-9]+ fsgid=[0-9]+/) or ( $ThisLine =~ /Audit daemon rotating log files/) or ( $ThisLine =~ /audit_backlog_limit=[0-9]* old=[0-9]*(?: by auid=[0-9]*)?/) or ( $ThisLine =~ /SELinux: unrecognized netlink message type=[0-9]+ for sclass=[0-9]+/) or ( $ThisLine =~ /audit\([0-9.]+:[0-9]+\): saddr=[0-9]+/) or ( $ThisLine =~ /nargs=[0-9]+ a0=[0-9a-f]+ a1=[0-9a-f]+ a2=[0-9a-f]+ a3=[0-9a-f]+ a4=[0-9a-f]+ a5=[0-9a-f]+/) or ( $ThisLine =~ /^audit\([0-9.]+:[0-9]+\): ( ?(path|cwd|item|name|flags)=["\/A-Za-z0-9]*)*$/) or ( $ThisLine =~ /: enforcing=[0-9]+ old_enforcing=[0-9]+ auid=[0-9]+/) or ( $ThisLine =~ /: policy loaded auid=[0-9]+/) or ( $ThisLine =~ /: user pid=[0-9]+ uid=[0-9]+ auid=[0-9]+ subj=system_u:system_r:system_dbusd_t:[0-9a-z:.\-]+ msg=/) or ( $ThisLine =~ /audit\([0-9.]+:[0-9]+\): (selinux=[0-9]+|auid=[0-9]+|prom=[0-9]+|old_prom=[0-9]+|dev=[^ ]+|ses=[0-9]+| )+$/) or ( $ThisLine =~ /auditd[ ]+S [0-9A-F]+ [0-9]+ [0-9]+[ ]+[0-9]([ ]*[0-9]+[ ]*|[ ]*)[0-9]+ [0-9]+ \(NOTLB\)/) or ( $ThisLine =~ /Started dispatcher: \/sbin\/audispd pid: [0-9]+/) or ( $ThisLine =~ /audit\([0-9.]*:[0-9]*\): bool=.* val=.* old_val=.* auid=[0-9]*/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): audit_enabled=[0-9]* old=[0-9]* auid=[0-9]* ses=[0-9]*/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): auid=[0-9]* ses=[0-9]* subj=system_u:system_r:.*:s0 op=.* key=.* list=[0-9]* res=[0-9]*/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=0 uid=0 auid=[0-9]* ses=[0-9]* subj=system_u:system_r:.*:s0 .* res=success/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=1 uid=0 auid=[0-9]* ses=[0-9]* subj=system_u:system_r:init_t:s0 .* res=success/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=[0-9]* uid=0 auid=[0-9]* ses=[0-9]*$/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=[0-9]* uid=0 auid=[0-9]* ses=[0-9]* subj=.*res=success/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=[0-9]* uid=0 old auid=[0-9]* new auid=[0-9]+ old ses=[0-9]* new ses=[0-9]+ res=1$/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=[0-9]* uid=0 subj=.* old-auid=[0-9]* auid=[0-9]+ old-ses=[0-9]* ses=[0-9]+ res=1$/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): cwd=".*"/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): user/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): proctitle=/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): table=/) or ( $ThisLine =~ /audit_printk_skb: [0-9]* callbacks suppressed/) or ( $ThisLine =~ /item=[0-9] name="\S*" inode=[0-9]+ dev=\S* mode=[0-9]* ouid=[0-9]* ogid=[0-9]* rdev=[0-9:]* obj=\S*/) or ( $ThisLine =~ /^auditctl(?:\[[0-9]+\])?: No rules$/ ) ) { # Ignore these entries } elsif ( $ThisLine =~ /audit\([0-9]{10}.[0-9]{3}:[0-9]\): initialized$/) { $NumberOfInits++; } elsif ( $ThisLine =~ /Init complete, audit pid set to: [0-9]+/) { $NumberOfDStartsPid++; } elsif ( $ThisLine =~ /Init complete, auditd [0-9,.]+ listening for events/) { $NumberOfDStarts++; } elsif ( $ThisLine =~ /The audit daemon is exiting./) { $NumberOfDStops++; } elsif ( $ThisLine =~ /audit_lost=[0-9]+ (audit_backlog=[0-9]+ )?audit_rate_limit=[0-9]+ audit_backlog_limit=[0-9]+$/) { $NumberOfLostMessages++; } elsif ( $ThisLine =~ /auditd startup succeeded/) { $NumberOfDdStarts++; } elsif ( $ThisLine =~ /auditd shutdown succeeded/) { $NumberOfDdStops++; } elsif (( $ThisLine =~ /netlink socket too busy/) or ( $ThisLine =~ /Error sending signal_info request \(Invalid argument\)/) or ( $ThisLine =~ /major=[0-9]+ name_count=[0-9]+: freeing multiple contexts \([1-2]\)/)) { $ThisLine =~ s/audit\(:[0-9]+\): //; $BugLog{$ThisLine}++; } elsif (( $ThisLine =~ /(Audit daemon is low on disk space for logging.*)/) or ( $ThisLine =~ /(Audit daemon has no space left.*)/) or ( $ThisLine =~ /(Audit daemon is suspending logging due to.*)/)) { $Warning{$1}++; } elsif ( my ($status) = ( $ThisLine =~ /AUDIT_STATUS: (.*)/ ) ) { $AuditctlStatus{$status}++; } elsif ( my ($status) = ( $ThisLine =~ /^auditctl(?:\[[0-9]+\])?: (.*)/ ) ) { $AuditctlStatus{$status}++; } elsif ( $ThisLine =~ /audit\([0-9]+\.[0-9]+:[0-9]+\): apparmor=/) { # AppArmor if ( $ThisLine =~ /apparmor="STATUS" operation="profile_(load|replace)" name="([^"]+)"/ ) { # type=1400 audit(1314853473.168:33616): apparmor="STATUS" operation="profile_replace" name="/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI" pid=26566 comm="apparmor_parser" $loads{$2}++; } elsif ( $ThisLine =~ /apparmor="DENIED" operation="([^"]+)" parent=\d+ profile="([^"]+)" name="([^"]+)" pid=\d+ comm="([^"]+)"/ ) { # type=1400 audit(1314853822.672:33649): apparmor="DENIED" operation="mknod" parent=27250 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/share/wordpress/1114140474e5f13bea68a4.tmp" pid=27289 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33 # type=1400 audit(1315353795.331:33657): apparmor="DENIED" operation="exec" parent=14952 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/lib/sm.bin/sendmail" pid=14953 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0 $denials{$1.' '.$3.' ('.$2.' via '.$4 . ')'}++; } elsif ( $ThisLine =~ /apparmor="ALLOWED" operation="([^"]+)" (info="([^"]+)" )?(error=[+-]?\d+ )?(parent=\d+ )?profile="([^"]+)" (name="([^"]+)" )?pid=\d+ comm="([^"]+)"/ ) { # type=1400 audit(1369519203.141:259049): apparmor="ALLOWED" operation="exec" parent=3733 profile="/usr/sbin/dovecot//null-1c//null-1d" name="/usr/lib/dovecot/pop3-login" pid=24634 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/dovecot//null-1c//null-1d//null-d12" # type=1400 audit(1369627891.522:447576): apparmor="ALLOWED" operation="capable" parent=1 profile="/usr/sbin/dovecot//null-1c//null-1d" pid=3733 comm="dovecot" capability=5 capname="kill" # type=1400 audit(1369823965.682:824587): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - deleted entry" error=-2 parent=1 profile="/usr/sbin/dovecot//null-1c//null-1d" name="/var/lib/dovecot/.temp.3733.d786c1fcaaa73248" pid=3733 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 # type=1400 audit(1410503892.382:55490): apparmor="ALLOWED" operation="open" profile="/usr/lib/dovecot/imap" name="/root/mails/.Drafts/dovecot.index.log" pid=6305 comm="imap" requested_mask="rw" denied_mask="rw" fsuid=1003 ouid=1003 $NumberOfAllowedMessages++; } else { $othercount++; $ThisLine =~ s/^\s*//; if ($othercount < $UELimit+1) { push @OtherList, $ThisLine; } } } elsif ( $Detail > 9 ) { if ( $ThisLine =~ /avc:\s*denied\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) { $denials{$2.' '.$3.' ('.$1.$4 . ')'}++; } elsif ( $ThisLine =~ /avc:\s*granted\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) { $grants{$2.' '.$3.' ('.$1.$4 . ')'}++; } elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) { $InvalidContext{$4." running as ".$2." acting on ".$3." \nshould transit to invalid ".$1}++; } elsif ($ThisLine =~ /security_sid_mls_copy:\s*invalid context\s*(\S+)/) { $InvalidContext{"context: ".$1}++; } else { $othercount++; $ThisLine =~ s/^\s*//; if ($othercount < $UELimit+1) { push @OtherList, $ThisLine; } } } elsif ( $Detail > 4 ) { if ( $ThisLine =~ /avc:\s*denied\s*{\s*[^}]+.*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) { $denials{$1.' '.$2.' ('.$3 . ')'}++; } elsif ( $ThisLine =~ /avc:\s*granted\s*{\s*[^}]+}.*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) { $grants{$1.' '.$2.' ('.$3 . ')'}++; } elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=\S+\s*tclass=(\S+)/ ) { $InvalidContext{$3." running as ".$2." should transit to invalid ".$1}++; } elsif ($ThisLine =~ /security_sid_mls_copy:\s*invalid context\s*(\S+)/) { $InvalidContext{"context: ".$1}++; } else { $othercount++; $ThisLine =~ s/^\s*//; if ($othercount < $UELimit+1) { push @OtherList, $ThisLine; } } } else { if ( $ThisLine =~ /avc:\s*denied\s*{\s*[^}]+.*scontext=([^:]+):[^:]+:\S+\s*tcontext=([^:]+):[^:]+:\S+\s*tclass=(\S+)/ ) { $denials{$1.' '.$2.' ('.$3 . ')'}++; } elsif ( $ThisLine =~ /avc:\s*granted\s*{\s*[^}]+.*scontext=([^:]+):[^:]+:\S+\s*tcontext=([^:]+):[^:]+:\S+\s*tclass=(\S+)/ ) { $grants{$1.' '.$2.' ('.$3 . ')'}++; } elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=\S+\s*tclass=(\S+)/ ) { $InvalidContext{$3." running as ".$2." should transit to invalid ".$1}++; } elsif ($ThisLine =~ /security_sid_mls_copy:\s*invalid context\s*(\S+)/) { $InvalidContext{"context: ".$1}++; } else { $othercount++; $ThisLine =~ s/^\s*//; if ($othercount < $UELimit+1) { push @OtherList, $ThisLine; } } } } if ( %Warning) { foreach my $key (keys %Warning) { print " Warning: $key: ". $Warning{$key}. " times\n"; } } if ( keys %denials ) { print "\n\n*** Denials ***\n"; foreach my $key (sort keys %denials) { print " $key: ". $denials{$key} . " times\n"; } } if ( keys %grants ) { print "\n\n*** Grants ***\n"; foreach my $key (sort keys %grants) { print " $key: ". $grants{$key} . " times\n"; } } if ( keys %InvalidContext) { print "\n\n*** Invalid Context ***\n"; foreach my $key (sort keys %InvalidContext) { print " $key: ". $InvalidContext{$key} . " times\n"; } } if ( keys %loads ) { print "\n\n*** Loads ***\n"; foreach my $key (sort keys %loads) { print " $key: ". $loads{$key} . " times\n"; } } if ($Detail and $NumberOfDStarts+$NumberOfDStartsPid) { print "\n Number of audit daemon starts: ",$NumberOfDStarts+$NumberOfDStartsPid," \n"; } if (($Detail >9) and ($NumberOfDStartsPid)) { print " starts with pid change: $NumberOfDStartsPid \n" } if ($Detail and $NumberOfDStops) { print "\n Number of audit daemon stops: $NumberOfDStops \n"; } if ($Detail and keys(%AuditctlStatus)) { print "\n Auditctl status:\n"; foreach my $key (sort keys %AuditctlStatus) { print " $key: ". $AuditctlStatus{$key} . " times\n"; } } if ($NumberOfAllowedMessages) { print "\n Number of allowed messages: $NumberOfAllowedMessages\n"; } if ($NumberOfLostMessages) { print "\n Number of lost messages: $NumberOfLostMessages\n"; } if ($Detail>9) { if ($NumberOfInits) { print "\n Number of audit initializations: $NumberOfInits \n"; } if ($NumberOfDdStarts) { print "\n Number of auditd daemon starts: $NumberOfDdStarts \n"; } if ($NumberOfDdStops) { print "\n Number of auditd daemon stops: $NumberOfDdStops \n"; } } if ( %BugLog) { print "\n*** Logs which could mean a bug ***\n"; foreach my $Entry (keys %BugLog) { print " $Entry\n"; } } if ( $#OtherList >= 0 ) { print "\n**Unmatched Entries** "; if ($othercount > $UELimit) { print "(Only first $UELimit out of $othercount are printed)"; } print "\n "; print join("\n ", @OtherList); print "\n"; } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/qmail-pop3ds0000644000000000000000000000012612664334617021016 xustar0030 mtime=1456585103.195363976 28 atime=1456586568.7841908 28 ctime=1456586568.7841908 ./logwatch-7.4.2/scripts/services/qmail-pop3ds0000755000175000001440000001001412664334617022106 0ustar00generalusers00000000000000########################################################################## # $Id: qmail-pop3ds 150 2013-06-18 22:19:38Z mtremaine $ ########################################################################## # $Log: qmail-pop3ds,v $ # Revision 1.3 2008/06/30 23:07:51 kirk # fixed copyright holders for files where I know who they should be # # Revision 1.2 2008/03/24 23:31:26 kirk # added copyright/license notice to each script # # Revision 1.1 2005/09/07 00:37:59 bjorn # New qmail multilog files written by Bob Hutchinson # ########################################################################## ####################################################### ## Copyright (c) 2008 Bob Hutchinson ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'}; $QmailDetail = $ENV{'qmail_high_detail'}; $QmailThreshold = $ENV{'threshold'}; $ToThreshold = $ENV{'to_threshold'}; $FromThreshold = $ENV{'from_threshold'}; while (defined($ThisLine = )) { if ( ( $ThisLine =~ /status: / ) or ( $ThisLine =~ /end (\d+) status \d+/ ) or ( $ThisLine =~ / LOG5/ ) or ( $ThisLine =~ /qmail-popup/ ) ) { # We don't care about these } elsif ( ($pid1,$RemoteServer) = ( $ThisLine =~ /pid (\d+) from (.*)/ ) ) { $From{$RemoteServer}++; $TotalFrom++; } elsif ( ($pid2,$LocalServer) = ( $ThisLine =~ /ok (\d+) \d+:(.*):995\s+.*/ ) ) { $To{$LocalServer}++; $TotalTo++; } elsif ( ($Warning) = ( $ThisLine =~ /warning: (.*)/i ) ) { $Warnings{$Warning}++; } else { # Report any unmatched entries... push @OtherList,$ThisLine; } } if ($QmailDetail >= 1) { if ($QmailThreshold > 0) { if (($FromThreshold < 0) or ($FromThreshold eq '')) { $FromThreshold = $QmailThreshold; } if (($ToThreshold < 0) or ($ToThreshold eq '')) { $ToThreshold = $QmailThreshold; } } if (($FromThreshold < 0) or ($FromThreshold eq '')) { $FromThreshold = 0; } if (($ToThreshold < 0) or ($ToThreshold eq '')) { $ToThreshold = 0; } if ( (keys %From) ) { print "\nConnections from (Threshold of " . $FromThreshold . "):\n"; $threshold_reached=0; foreach $Line (sort {$From{$b} <=> $From{$a}} keys %From) { if ($From{$Line} >= $FromThreshold) { $threshold_reached=1; print "\t" . $Line . " - ". $From{$Line} . " Time(s)\n"; } } if ($threshold_reached < 1) { print "\t" . "None found above the threshold\n"; } } if ( (keys %To) ) { print "\nConnections to (Threshold of " . $ToThreshold . "):\n"; $threshold_reached=0; foreach $Line (sort {$To{$b} <=> $To{$a}} keys %To) { if ($To{$Line} >= $ToThreshold) { $threshold_reached=1; print "\t" . $Line . " - ". $To{$Line} . " Time(s)\n"; } } if ($threshold_reached < 1) { print "\t" . "None found above the threshold\n"; } } } if ($TotalFrom or $TotalTo) { print "\nTotals:\n"; print "\tRemote connections $TotalFrom\n"; print "\tLocal connections $TotalTo\n"; } if ( (keys %Warnings) ) { print "\nWarnings:\n"; foreach $Line (sort {$Warnings{$b} <=> $Warnings{$a}} keys %Warnings) { print "\t" . $Line . " - ". $Warnings{$Line} . " Time(s)\n"; } } if (($#OtherList >= 0) and (not $IngoreUnmatched)){ print "\n**Unmatched Entries**\n"; print @OtherList; } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/iptables0000644000000000000000000000013212664334617020305 xustar0030 mtime=1456585103.159364149 30 atime=1456586568.776190839 30 ctime=1456586568.776190839 ./logwatch-7.4.2/scripts/services/iptables0000755000175000001440000003576312664334617021422 0ustar00generalusers00000000000000########################################################################## # $Id: iptables 175 2013-11-08 17:05:21Z opoplawski $ ########################################################################## # $Log: iptables,v $ # Revision 1.9 2009/06/05 14:06:07 mike # Added IPF patch from Don Wilder/Mark Dalton -mgt # # Revision 1.8 2008/03/24 23:31:26 kirk # added copyright/license notice to each script # # Revision 1.7 2007/02/16 03:27:05 bjorn # Remove explicit invocation of perl executable, by Ivana Varekova. # # Revision 1.6 2007/01/29 18:40:29 bjorn # Handle timestamp generated in Ubuntu, suggested by MrC. # # Revision 1.5 2006/08/23 22:47:29 bjorn # Corrected icmp type reporting, by Allen Kistler. # # Revision 1.4 2006/07/11 15:59:56 bjorn # Allow sorting by either source or target, by Michel Messerschmidt. # # Revision 1.3 2006/01/16 18:40:31 kirk # fixed name to Logwatch (how I like it now) # # Revision 1.2 2005/12/06 02:35:43 bjorn # Report icmp type properly, by Allen Kistler. # # Revision 1.1 2005/07/25 22:17:31 bjorn # Moved iptables (and ipchains, ipfwadm) code to its own service (iptables). # ########################################################################## # iptables, ipchains, and ipfwadm script for Logwatch. # Ipfwadm and ipchains are deprecated, but is included # here for backwards compatibility. # # This script was extracted from the kernel script, # which processed netfilter (iptables, ipchains, and # ipfwadm) statements until kernel script Revision 1.29. # # Visit the Logwatch website at # http://www.logwatch.org ########################################################################## ##################################################### ## Copyright (c) 2008 Kirk Bauer ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### use Logwatch ':ip'; $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; $MinFilter = $ENV{'iptables_host_min_count'} || 0; $DoLookup = $ENV{'iptables_ip_lookup'}; $DoLookup = $DoLookup; # keep -w happy $ListByHost = $ENV{'iptables_list_by_host'} || 0; $ListByService = $ENV{'iptables_list_by_service'} || 0; # Keep old behaviour if nothing is configured $ListByHost = 1 unless ($ListByService); $MaxFlood = 10; $MaxNum =0; sub lookupService { my ($port, $proto, $service); ($port, $proto) = ($_[0], $_[1]); if ($service = getservbyport ($port, $proto)) { return($service); } else { return($port); } } sub lookupProtocol { my ($proto, $name); $proto = $_[0]; if ($name = getprotobynumber ($proto)) { return($name); } else { return($proto); } } sub lookupAction { my ($chain, $actionType); $chain = $_[0]; # choose an action type if ( $chain =~ /reject/i ) { $actionType = "Rejected"; } elsif ( $chain =~ /drop/i ) { $actionType = "Dropped"; } elsif ( $chain =~ /deny/i ) { $actionType = "Denied"; } elsif ( $chain =~ /denied/i ) { $actionType = "Denied"; } elsif ( $chain =~ /accept/i ) { $actionType = "Accepted"; } else { $actionType = "Logged"; } return $actionType; } # SORT COMPARISONS sub compStr { return $a cmp $b; } sub compNum { return $a <=> $b; } while (defined($ThisLine = )) { chomp($ThisLine); next if ($ThisLine eq ''); # the format for ulogd/ulogd.syslogmenu and messages differ in that # the earlier has no service name after the date. So RemoveHeaders # doesn't work. Therefore, we extract it here: $ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\s*\d+\.\d+\] )?//; # IPCHAINS if( ($TU,$from,$port,$on) = ( $ThisLine =~ /IP fw-in deny \w+ (\w+) ([^:]+):\d+ ([^:]+):(\d+) / ) ){ if($MaxNum < ++$TCPscan{$TU}{$from}) { $MaxNum = $TCPscan{$TU}{$from} } $port=0; } elsif ( ($chain,$action,$if,$proto,$fromip,$toip,$toport) = ( $ThisLine =~ /^Packet log: ([^ ]+) (\w+) (\w+) PROTO=(\d+) ([\d|\.]+):\d+ ([\d|\.]+):(\d+)/ ) ) { $actionType = lookupAction($action); $ipt{$actionType}{$if}{$fromip}{$toip}{$toport}{$proto}{"$chain,$if"}++; $ipt2{$actionType}{$if}{$toport}{$proto}{$fromip}{$toip}{"$chain,$if"}++; } # IPTABLES elsif (($chain,$ifin,$ifout,$fromip,$toip,$proto,$rest) = ($ThisLine =~ /^(.*?)\s*IN=([\w\.\-]*).*?OUT=([\w\.\-]*).*?SRC=([\w\.:]+).*?DST=([\w\.:]+).*?PROTO=(\w+)(.*)/ )) { # get a destination port number (or icmp type) if there is one if (! ( ($toport) = ( $rest =~ /TYPE=(\w+)/ ) ) ) { if (! ( ($toport) = ( $rest =~ /DPT=(\w+)/ ) ) ) { $toport = 0; } } # get the action type $actionType = lookupAction($chain); # determine the dominant interface if ($ifin =~ /\w+/ && $ifout =~ /\w+/) { $interface = $ifin; } elsif ($ifin =~ /\w+/) { $interface = $ifin; $ifout = "none"; } else { $interface = $ifout; $ifin = "none"; } if ($chain eq "") { $chain_info = ""; } else { $chain_info = "(" . $chain . ") "; } # add the packet # $ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}{$proto}{"$chain,$ifin,$ifout"}++; $ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}{$proto}{$chain_info}++; $ipt2{$actionType}{$interface}{$toport}{$proto}{$fromip}{$toip}{$chain_info}++; } # IPF elsif (($repcnt,$if,$chain,$fromip,$fromport,$toip,$toport,$proto,$rest,$inout) = ($ThisLine =~ /^.*\d{2,2}:\d{2,2}:\d{2,2}\.\d{6,6}\s*(?:(\d{1,})x)*\s*(\w*)\s*@[-]*\d{1,}:[-]*\d{1,}\s*(\w*)\s*([\w\.:]+\w),*(\d*)\s*->\s*([\w\.:]+\w),*(\d*)\s*PR\s*(\w*)\s*(.*((IN|OUT)).*)/)) { if ($chain eq 'b') { $actionType = "drop"; } elsif ($chain eq 'p') { $actionType = "accept"; } if ($repcnt eq '') { $repcnt = 1; } while ($repcnt >= 1) { $ipt{$actionType}{$if}{$fromip}{$toip}{$toport}{$proto}{"$actionType,$if"}++; $ipt2{$actionType}{$if}{$toport}{$proto}{$fromip}{$toip}{"$actionType,$if"}++; $repcnt = $repcnt - 1; } } } # IPCHAINS if (keys %TCPscan and $MaxNum>$MaxFlood) { print "\nWarning: ipfwadm scan detected on:\n"; foreach $ThisOne (sort compStr keys %TCPscan) { print " " . $ThisOne . " from:\n"; foreach $Next (sort compStr keys %{$TCPscan{$ThisOne}}) { $TCPscan{$ThisOne}{$Next}>$MaxFlood && print " " . LookupIP($Next). ": $TCPscan{$ThisOne}{$Next} Time(s)\n"; } } } if ((keys %ipt2) and $ListByService) { foreach my $actionType (sort compStr keys %ipt2) { foreach my $interface (sort compStr keys %{$ipt2{$actionType}}) { my $outputMain = ''; my $interfaceCount = 0; foreach my $toport (sort compNum keys %{$ipt2{$actionType}{$interface}}) { foreach my $proto (sort compStr keys %{$ipt2{$actionType}{$interface}{$toport}}) { my $outputSection = ''; my $portCount = 0; my $hostCount = 0; undef %hostList; my %host_list = (); my $protocol; # determine the protocol if ( $proto =~ /^\d+$/ ) { $protocol = lookupProtocol($proto); } else { $protocol = lc($proto); } # determine the name of the service my $service = lookupService($toport,$protocol); foreach my $fromip (sort SortIP keys %{$ipt2{$actionType}{$interface}{$toport}{$proto}}) { my $fromHostCount = 0; my $from = LookupIP($fromip); my $outputDetails = ""; foreach my $toip (sort SortIP keys %{$ipt2{$actionType}{$interface}{$toport}{$proto}{$fromip}}) { my $toHostCount = 0; my $to = LookupIP($toip); foreach my $details (sort keys %{$ipt2{$actionType}{$interface}{$toport}{$proto}{$fromip}{$toip}}) { my $packetCount = $ipt2{$actionType}{$interface}{$toport}{$proto}{$fromip}{$toip}{$details}; $toHostCount += $packetCount; if ( $Detail > 9 and ( $outputDetails !~ /\Q$details\E/ ) ) { $outputDetails .= $details . ", "; } } $fromHostCount += $toHostCount; } if ( $Detail > 9 ) { chop $outputDetails; chop $outputDetails; push @{$hostList{"$fromHostCount"}}, $from . " " . $outputDetails; } else { push @{$hostList{"$fromHostCount"}}, $from; } $portCount += $fromHostCount; $hostCount++; } $interfaceCount += $portCount; if ($Detail > 5 ) { $outputMain .= sprintf(" To port %d/%s (%s) - ". "%d packet%s from %d host%s\n", $toport, $protocol, ( $service =~ /^\d+$/ ) ? "?" : $service, $portCount, ( $portCount > 1 ) ? "s" : " ", $hostCount, ( $hostCount > 1 ) ? "s" : " " ); foreach my $hc (sort { $b <=> $a } keys %hostList) { foreach my $h (@{$hostList{"$hc"}}) { $outputMain .= sprintf(" %6d packet%s from %s\n", $hc, ( $hc > 1 ) ? "s" : " ", $h); } } } elsif ($Detail > 3 ) { my $topHostCount; ($topHostCount, undef) = sort { $b <=> $a } keys %hostList; my $topHost = ${$hostList{"$topHostCount"}}[0]; $outputMain .= sprintf( " To port %5d/%s - %5d packet%s ". "from %4d host%s (%d from %s)\n", $toport, $protocol, $portCount, ( $portCount > 1 ) ? "s" : " ", $hostCount, ( $hostCount > 1 ) ? "s" : " ", $topHostCount, $topHost ); } else { $outputMain .= sprintf(" To port %5d/%s - %5d packet%s ". "from %4d host%s\n", $toport, $protocol, $portCount, ( $portCount > 1 ) ? "s" : " ", $hostCount, ( $hostCount > 1 ) ? "s" : " " ); } } } print "Listed by target ports:"; print "\n$actionType $interfaceCount " . ( ( $interfaceCount > 1 ) ? "packets" : "packet" ) . " on interface $interface\n"; print $outputMain; } } } # IPCHAINS / IPTABLES if ((keys %ipt) and $ListByHost) { foreach $actionType (sort compStr keys %ipt) { foreach $interface (sort compStr keys %{$ipt{$actionType}}) { $outputMain = ''; $interfaceCount = 0; foreach $fromip (sort SortIP keys %{$ipt{$actionType}{$interface}}) { $outputSection = ''; $fromHostCount = 0; $from = LookupIP($fromip); undef %port_list; foreach $toip (sort SortIP keys %{$ipt{$actionType}{$interface}{$fromip}}) { $toHostCount = 0; $to = LookupIP($toip); $outputServices = ''; foreach $toport (sort compNum keys %{$ipt{$actionType}{$interface}{$fromip}{$toip}}) { foreach $proto (sort compStr keys %{$ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}}) { # determine the protocol if ( $proto =~ /^\d+$/ ) { $protocol = lookupProtocol($proto); } else { $protocol = lc($proto); } # determine the name of the service $service = lookupService($toport,$protocol); foreach $details (sort keys %{$ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}{$proto}}) { $packetCount = $ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}{$proto}{$details}; $toHostCount += $packetCount; if ( $Detail > 0 ) { $outputServices .= " Service: $service ($protocol/$toport) $details- $packetCount " . ( ( $packetCount > 1 ) ? "packets\n" : "packet\n" ); } else { ${ $port_list{ $protocol } }{$toport}++; } } } } $fromHostCount += $toHostCount; if ( $Detail > 0 ) { $outputSection .= " To $to - $toHostCount " . ( ( $toHostCount > 1 ) ? "packets\n" : "packet\n" ); } $outputSection .= $outputServices; } $interfaceCount += $fromHostCount; if ($fromHostCount >= $MinFilter) { if ($Detail > 0 ) { $outputMain .= " From $from - $fromHostCount " . ( ( $fromHostCount > 1 ) ? "packets\n" : "packet\n" ); } else { $outputMain .= " From $from - $fromHostCount " . ( ($fromHostCount > 1) ? "packets" : "packet" ) . " to " ; foreach $protocol ( keys %port_list ) { if ( $#{ keys %{$port_list { $protocol } } } > 10 ) { $outputMain .= $#{ $port_list{ $protocol } } ." $protocol ports"; } else { $outputMain .= "$protocol(" . join(",", sort compNum keys %{ $port_list{ $protocol } } ) . ") " ; } } $outputMain .="\n"; } } $outputMain .= $outputSection; } print "\nListed by source hosts:"; print "\n$actionType $interfaceCount " . ( ( $interfaceCount > 1 ) ? "packets" : "packet" ) . " on interface $interface\n"; print $outputMain; } } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/imapd0000644000000000000000000000013212664334617017574 xustar0030 mtime=1456585103.171364091 30 atime=1456586568.776190839 30 ctime=1456586568.776190839 ./logwatch-7.4.2/scripts/services/imapd0000644000175000001440000002626012664334617020676 0ustar00generalusers00000000000000########################################################################## # $Id: imapd 150 2013-06-18 22:19:38Z mtremaine $ ########################################################################## ######################################################## # The imap script was written by: # Pawe³ Go³aszewski ######################################################## ##################################################### ## Copyright (c) 2008 Pawe³ Go³aszewski ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### my $Debug = $ENV{'LOGWATCH_DEBUG'}; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'}; if ( $Debug >= 5 ) { print STDERR "\n\nDEBUG \n\n"; } while (defined($ThisLine = )) { if ( ($ThisLine =~ /^Initializing */) or ($ThisLine =~ /^spgetpwnam: can't find user: */) or ($ThisLine =~ /^couriertls: read: Connection reset by peer/ ) or # timeouts are reported in some other scripts - maybe it should be here too? ($ThisLine =~ /^couriertls: read: Connection timed out/ ) or ($ThisLine =~ /^LOGOUT, ip=\[.*\], rcvd=\d+, sent=\d+$/) or ($ThisLine =~ /^Disconnected, ip=\[.*\]/) or # uw-imapd ($ThisLine =~ /^Moved \d+ bytes of new mail to.*$/) or ($ThisLine =~ /^Unexpected client disconnect, while reading line.*$/) ) { # Don't care about these... } elsif ( ($User, $Host) = ( $ThisLine =~ /^Login user=(.*?) host=(.*\[.*\])$/ ) ) { $Login{$User}{$Host}++; } elsif ( ($User, $Host) = ( $ThisLine =~ /^LOGIN, user=(.*?), ip=\[([^ ,]+)\](?:, port=\[\d+\])?, protocol=IMAP$/o ) ) { $Login{$User}{$Host}++; } elsif ( ($User,$Host) = ( $ThisLine =~ /^Authenticated user=(.*) host=(.*\[.*\]).*$/ ) ) { $Login{$User}{$Host}++; } elsif ( ($User,$Host) = ( $ThisLine =~ /^Preauthenticated user=(.*) host=(.*)$/ ) ) { $Login{$User}{$Host}++; } elsif ( ($Host) = ( $ThisLine =~ /^imap service init from (.*)$/ ) ) { $ConnectionNonSSL{$Host}++; $Connection{$Host}++; } elsif ( ($Host) = ( $ThisLine =~ /^imaps SSL service init from (.*)$/ ) ) { $ConnectionSSL{$Host}++; $Connection{$Host}++; } elsif ( ($Host) = ( $ThisLine =~ /^Connection, ip=\[(.*)\]$/o ) ) { $Connection{$Host}++; # } elsif ( ($User,$Downloaded,$DownloadSize,$Left,$LeftSize) = ( $ThisLine =~ /^Stats: (.*?) (.*?) (.*?) (.*?) (.*?)$/) ) { # $DownloadedMessages{$User} += $Downloaded; # $DownloadedMessagesSize{$User} += $DownloadSize; # $MessagesLeft{$User} = $Left; # $MboxSize{$User} = $LeftSize; # } elsif ( ($User,$Host) = ( $ThisLine =~ /^authentication failed for user (.*?) - (.*)/ ) ) { # $LoginFailed{"$Host ($User)"}++; } elsif ( ($User, $Host) = ( $ThisLine =~ /^Logout user=(.*?) host=(.*\[.*\])$/) ) { $Logout{$User}{$Host}++; $Logout2{$User}++; # More generic pattern for uw-imapd } elsif ( ($User, $Host) = ( $ThisLine =~ /^Logout user=(.*?) host=(.*)$/) ) { $Logout{$User}{$Host}++; $Logout2{$User}++; } elsif ( ($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /^(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[([^ ,]+)\](?:, port=\[\d+\])?, headers=(\d+), body=(\d+)/o ) ) { $Logout{$User}{$Host}++; $Logout2{$User}++; $DownloadedMessagesSize{$User} += $DownloadSize1 + $DownloadSize2; if ( ( $ThisLine =~ /, starttls=1/o ) ) { $ConnectionSSL{$Host}++; } else { $Connection{$Host}++; } } elsif ( ($User,$Host) = ( $ThisLine =~ /^Autologout user=(.*) host=(.*\[.*\])$/ ) ) { $AutoLogout{$User}{$Host}++; $Logout{$User}{$Host}++; $Logout2{$User}++; } elsif ( ($Reason,$User,$Host) = ( $ThisLine =~ /^Killed (.*) user=(.*) host=(.*\[.*\])$/ ) ) { $Logout{$User}{$Host}++; $Logout2{$User}++; $KilledSession{$User}{$Reason}++; } elsif ( (($User,$Host) = ( $ThisLine =~ /^Broken pipe, while reading line user=(.*) host=(.*\[.*\])$/ )) or (($User,$Host) = ( $ThisLine =~ /^Command stream end of file, while reading line user=(.*) host=(.*\[.*\])$/ )) or (($User,$Host) = ( $ThisLine =~ /^Connection (?:reset by peer|timed out), while reading line user=(.*) host=(.*\[.*\])$/ )) or (($User,$Host) = ( $ThisLine =~ /^No route to host, while reading line user=(.*) host=(.*\[.*\])$/ )) or (($User,$Host) = ( $ThisLine =~ /^Unexpected client disconnect, while reading line user=(.*) host=(.*\[.*\])$/ )) ) { $Logout{$User}{$Host}++; $Logout2{$User}++; $SocketErrors{$Host}++; } else { # Report any unmatched entries... # remove PID from named messages $ThisLine =~ s/^(client [.0-9]+)\S+/$1/; chomp($ThisLine); $OtherList{$ThisLine}++; } $LastLine = $ThisLine; } ################################################ if ( ( $Detail >= 0 ) and (keys %LoginFailed)) { print "\n\n[IMAPd] Login failures:". "\n=========================". "\n Host (user) | # ". "\n------------------------------------------------------------- | -----------"; $ConnCount = 0; foreach $Host (sort keys %LoginFailed) { $Conns = $LoginFailed{$Host}; $HostLength = length($Host); $HostSpaceLength = 61 - $HostLength; $CountLength = length("$Conns"); $CountSpaceLength = 12 - $CountLength; print "\n" ." " x $HostSpaceLength . $Host . " |" . " " x $CountSpaceLength . $Conns . ""; $ConnCount += $Conns; } $CountLength = length("$ConnCount"); $CountSpaceLength = 75 - $CountLength; print "\n" . "-" x 75; print "\n" . " " x $CountSpaceLength . "$ConnCount\n\n\n"; } if ( ( $Detail >= 5 ) and (keys %Connection)) { print "\n[IMAPd] Connections:". "\n=========================". "\n Host | Connections | SSL | Total ". "\n-------------------------------------- | ----------- | -------- | ---------"; $ConnCount = 0; $SSLConn = 0; $TotalConn = 0; foreach $Host (sort keys %Connection) { $Total = $Connection{$Host}; if (defined ($ConnectionNonSSL{$Host})) { $Conns = $ConnectionNonSSL{$Host}; } else { $Conns = 0; } if (defined ($ConnectionSSL{$Host})) { $SSL = $ConnectionSSL{$Host}; } else { $SSL = 0; } $HostLength = length($Host); $HostSpaceLength = 38 - $HostLength; $CountLength = length("$Conns"); $CountSpaceLength = 12 - $CountLength; $SSLLength = length("$SSL"); $SSLSpaceLength = 9 - $SSLLength; $TotalLenght = length("$Total"); $TotalSpaceLength = 10 - $TotalLenght; print "\n" ." " x $HostSpaceLength . $Host . " |" . " " x $CountSpaceLength . $Conns . " |" . " " x $SSLSpaceLength . $SSL . " |" . " " x $TotalSpaceLength . $Total; $NonSSLCount += $Conns; $SSLCount += $SSL; $TotalCount += $Total; } $NonSSLLength = length("$NonSSLCount"); $NonSSLSpaceLength = 52 - $NonSSLLength; $SSLLength = length("$SSLCount"); $SSLSpaceLength = 9 - $SSLLength; $TotalLength = length("$TotalCount"); $totalSpaceLength = 10 - $TotalLength; print "\n" . "-" x 75; print "\n" . " " x $NonSSLSpaceLength . $NonSSLCount . " |" . " " x $SSLSpaceLength . $SSLCount . " |" . " " x $totalSpaceLength . $TotalCount . "\n\n\n"; } if (keys %Logout2) { print "\n[IMAPd] Logout stats:". "\n====================". "\n User | Logouts | Downloaded | Mbox Size". "\n--------------------------------------- | ------- | ---------- | ----------"; $ConnCount = 0; $SizeAll = 0; $DownAll = 0; foreach $User (sort keys %Logout2) { $Conns = $Logout2{$User}; $UserLength = length($User); $UserSpaceLength = 39 - $UserLength; $CountLength = length("$Conns"); $CountSpaceLength = 8 - $CountLength; $Down = $DownloadedMessagesSize{$User}; if (! defined $Down) { $Down = 0; #Hack } $DownSpaceLength = 11 - length($Down); #$Size = $MboxSize{$User}; $Size = 0; #Hack $SizeSpaceLength = 11 - length($Size); print "\n" ." " x $UserSpaceLength . $User . " |" . " " x $CountSpaceLength . $Conns . " |" . " " x $DownSpaceLength . $Down . " |" . " " x $SizeSpaceLength . $Size; $ConnCount += $Conns; $SizeAll += $Size; $DownAll += $Down; } $CountLength = length("$ConnCount"); $CountSpaceLength = 49 - $CountLength; $DownLength = length($DownAll); $DownSpaceLength = 11 - $DownLength; $SizeLength = length($SizeAll); $SizeSpaceLength = 11 - $SizeLength; print "\n" . "-" x 75; print "\n" . " " x $CountSpaceLength . "$ConnCount" . " |" . " " x $DownSpaceLength . $DownAll . " |" . " " x $SizeSpaceLength . $SizeAll . "\n\n\n"; } if ( ( $Detail >= 10 ) and (keys %Login)) { print "\n[IMAPd] Successful Logins:\n"; $LoginCount = 0; foreach my $User (sort keys %Login) { print " User $User: \n"; $UserCount = 0; foreach $Host (keys %{$Login{$User}}) { $HostCount = $Login{$User}{$Host}; print " From $Host: $HostCount Time(s)\n"; $UserCount += $HostCount; } $LoginCount += $UserCount; print " Total $UserCount Time(s)\n"; print "\n"; } print "Total $LoginCount successful logins\n\n"; } if ( ( $Detail >= 10 ) and (keys %AutoLogout)) { print "\nAutologout:\n"; foreach $User (sort {$a cmp $b} keys %AutoLogout) { print " $User:\n"; foreach $Host (sort {$a cmp $b} keys %{$AutoLogout{$User}}) { print " $Host: $AutoLogout{$User}{$Host} Time(s)\n"; } } } if ( ( $Detail >= 10 ) and (keys %KilledSession)) { print "\nKilled IMAP sessions:\n"; foreach $User (sort {$a cmp $b} keys %KilledSession) { print " $User:\n"; foreach $Reason (sort {$a cmp $b} keys %{$KilledSession{$User}}) { print " $Reason: $KilledSession{$User}{$Reason} Time(s)\n"; } } } if ( ( $Detail >= 10 ) and (keys %SocketErrors)) { print "\nSocket Errors in connections with:\n"; foreach $Host (sort {$a cmp $b} keys %SocketErrors) { print " $Host: $SocketErrors{$Host} Time(s)\n"; } } if (keys %OtherList) { print "\n**Unmatched Entries**\n"; foreach $line (sort {$a cmp $b} keys %OtherList) { print " $line: $OtherList{$line} Time(s)\n"; } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/postfix0000644000000000000000000000012612664334617020201 xustar0030 mtime=1456585103.155364168 28 atime=1456586568.7841908 28 ctime=1456586568.7841908 ./logwatch-7.4.2/scripts/services/postfix0000755000175000001440000074171012664334617021307 0ustar00generalusers00000000000000#!/usr/bin/perl ########################################################################## # Postfix-logwatch: written and maintained by: # # Mike "MrC" Cappella # http://logreporters.sourceforge.net/ # # Please send all comments, suggestions, bug reports regarding this # program/module to the email address above. I will respond as quickly # as possible. [MrC] # # Questions regarding the logwatch program itself should be directed to # the logwatch project at: # http://sourceforge.net/projects/logwatch/support # ####################################################### ### All work since Dec 12, 2006 (logwatch CVS revision 1.28) ### Copyright (c) 2006-2012 Mike Cappella ### ### Covered under the included MIT/X-Consortium License: ### http://www.opensource.org/licenses/mit-license.php ### All modifications and contributions by other persons to ### this script are assumed to have been donated to the ### Logwatch project and thus assume the above copyright ### and licensing terms. If you want to make contributions ### under your own copyright or a different license this ### must be explicitly stated in the contribution an the ### Logwatch project reserves the right to not accept such ### contributions. If you have made significant ### contributions to this script and want to claim ### copyright please contact logwatch-devel@lists.sourceforge.net. ########################################################## ########################################################################## # The original postfix logwatch filter was written by # Kenneth Porter, and has had many contributors over the years. # # CVS log removed: see Changes file for postfix-logwatch at # http://logreporters.sourceforge.net/ # or included with the standalone postfix-logwatch distribution ########################################################################## ########################################################################## # # Test data included via inline comments starting with "#TD" # #use Devel::Size qw(size total_size); package Logreporters; use 5.008; use strict; use warnings; no warnings "uninitialized"; use re 'taint'; our $Version = '1.40.03'; our $progname_prefix = 'postfix'; # Specifies the default configuration file for use in standalone mode. my $config_file = "/usr/local/etc/${progname_prefix}-logwatch.conf"; # support postfix long (2.9+) or short queue ids my $re_QID_s = qr/[A-Z\d]+/; my $re_QID_l = qr/(?:NOQUEUE|[bcdfghjklmnpqrstvwxyzBCDFGHJKLMNPQRSTVWXYZ\d]+)/; our $re_QID; our $re_DSN = qr/(?:(?:\d{3})?(?: ?\d\.\d\.\d)?)/; our $re_DDD = qr/(?:(?:conn_use=\d+ )?delay=-?[\d.]+(?:, delays=[\d\/.]+)?(?:, dsn=[\d.]+)?)/; #MODULE: ../Logreporters/Utils.pm package Logreporters::Utils; use 5.008; use strict; use re 'taint'; use warnings; BEGIN { use Exporter (); use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); $VERSION = '1.003'; @ISA = qw(Exporter); @EXPORT = qw(&formathost &get_percentiles &get_percentiles2 &get_frequencies &commify &unitize &get_usable_sectvars &add_section &begin_section_group &end_section_group &get_version &unique_list); @EXPORT_OK = qw(&gen_test_log); } use subs qw (@EXPORT @EXPORT_OK); # Formats IP and hostname for even column spacing # sub formathost($ $) { # $_[0] : hostip # $_[1] : hostname; if (! $Logreporters::Config::Opts{'unknown'} and $_[1] eq 'unknown') { return $_[0]; } return sprintf "%-$Logreporters::Config::Opts{'ipaddr_width'}s %s", $_[0] eq '' ? '*unknown' : $_[0], $_[1] eq '' ? '*unknown' : lc $_[1]; } # Add a new section to the end of a section table # sub add_section($$$$$;$) { my $sref = shift; die "Improperly specified Section entry: $_[0]" if !defined $_[3]; my $entry = { CLASS => 'DATA', NAME => $_[0], DETAIL => $_[1], FMT => $_[2], TITLE => $_[3], }; $entry->{'DIVISOR'} = $_[4] if defined $_[4]; push @$sref, $entry; } { my $group_level = 0; # Begin a new section group. Groups can nest. # sub begin_section_group($;@) { my $sref = shift; my $group_name = shift; my $entry = { CLASS => 'GROUP_BEGIN', NAME => $group_name, LEVEL => ++$group_level, HEADERS => [ @_ ], }; push @$sref, $entry; } # Ends a section group. # sub end_section_group($;@) { my $sref = shift; my $group_name = shift; my $entry = { CLASS => 'GROUP_END', NAME => $group_name, LEVEL => --$group_level, FOOTERS => [ @_ ], }; push @$sref, $entry; } } # Generate and return a list of section table entries or # limiter key names, skipping any formatting entries. # If 'namesonly' is set, limiter key names are returned, # otherwise an array of section array records is returned. sub get_usable_sectvars(\@ $) { my ($sectref,$namesonly) = @_; my (@sect_list, %unique_names); foreach my $sref (@$sectref) { #print "get_usable_sectvars: $sref->{NAME}\n"; next unless $sref->{CLASS} eq 'DATA'; if ($namesonly) { $unique_names{$sref->{NAME}} = 1; } else { push @sect_list, $sref; } } # return list of unique names if ($namesonly) { return keys %unique_names; } return @sect_list; } # Print program and version info, preceeded by an optional string, and exit. # sub get_version() { print STDOUT "@_\n" if ($_[0]); print STDOUT "$Logreporters::progname: $Logreporters::Version\n"; exit 0; } # Returns a list of percentile values given a # sorted array of numeric values. Uses the formula: # # r = 1 + (p(n-1)/100) = i + d (Excel method) # # r = rank # p = desired percentile # n = number of items # i = integer part # d = decimal part # # Arg1 is an array ref to the sorted series # Arg2 is a list of percentiles to use sub get_percentiles(\@ @) { my ($aref,@plist) = @_; my ($n, $last, $r, $d, $i, @vals, $Yp); $last = $#$aref; $n = $last + 1; #printf "%6d" x $n . "\n", @{$aref}; #printf "n: %4d, last: %d\n", $n, $last; foreach my $p (@plist) { $r = 1 + ($p * ($n - 1) / 100.0); $i = int ($r); # integer part # domain: $i = 1 .. n if ($i == $n) { $Yp = $aref->[$last]; } elsif ($i == 0) { $Yp = $aref->[0]; print "CAN'T HAPPEN: $Yp\n"; } else { $d = $r - $i; # decimal part #p = Y[i] + d(Y[i+1] - Y[i]), but since we're 0 based, use i=i-1 $Yp = $aref->[$i-1] + ($d * ($aref->[$i] - $aref->[$i-1])); } #printf "\np(%6.2f), r: %6.2f, i: %6d, d: %6.2f, Yp: %6d", $p, $r, $i, $d, $Yp; push @vals, $Yp; } return @vals; } sub get_num_scores($) { my $scoretab_r = shift; my $totalscores = 0; for (my $i = 0; $i < @$scoretab_r; $i += 2) { $totalscores += $scoretab_r->[$i+1] } return $totalscores; } # scoretab # # (score1, n1), (score2, n2), ... (scoreN, nN) # $i $i+1 # # scores are 0 based (0 = 1st score) sub get_nth_score($ $) { my ($scoretab_r, $n) = @_; my $i = 0; my $n_cur_scores = 0; #print "Byscore (", .5 * @$scoretab_r, "): "; for (my $i = 0; $i < $#$scoretab_r / 2; $i++) { printf "%9s (%d) ", $scoretab_r->[$i], $scoretab_r->[$i+1]; } ; print "\n"; while ($i < $#$scoretab_r) { #print "Samples_seen: $n_cur_scores\n"; $n_cur_scores += $scoretab_r->[$i+1]; if ($n_cur_scores >= $n) { #printf "range: %s %s %s\n", $i >= 2 ? $scoretab_r->[$i - 2] : '', $scoretab_r->[$i], $i+2 > $#$scoretab_r ? '' : $scoretab_r->[$i + 2]; #printf "n: $n, i: %8d, n_cur_scores: %8d, score: %d x %d hits\n", $i, $n_cur_scores, $scoretab_r->[$i], $scoretab_r->[$i+1]; return $scoretab_r->[$i]; } $i += 2; } print "returning last score $scoretab_r->[$i]\n"; return $scoretab_r->[$i]; } sub get_percentiles2(\@ @) { my ($scoretab_r, @plist) = @_; my ($n, $last, $r, $d, $i, @vals, $Yp); #$last = $#$scoretab_r - 1; $n = get_num_scores($scoretab_r); #printf "\n%6d" x $n . "\n", @{$scoretab_r}; #printf "\n\tn: %4d, @$scoretab_r\n", $n; foreach my $p (@plist) { ###print "\nPERCENTILE: $p\n"; $r = 1 + ($p * ($n - 1) / 100.0); $i = int ($r); # integer part if ($i == $n) { #print "last:\n"; #$Yp = $scoretab_r->[$last]; $Yp = get_nth_score($scoretab_r, $n); } elsif ($i == 0) { #$Yp = $scoretab_r->[0]; print "1st: CAN'T HAPPEN\n"; $Yp = get_nth_score($scoretab_r, 1); } else { $d = $r - $i; # decimal part #p = Y[i] + d(Y[i+1] - Y[i]), but since we're 0 based, use i=i-1 my $ithvalprev = get_nth_score($scoretab_r, $i); my $ithval = get_nth_score($scoretab_r, $i+1); $Yp = $ithvalprev + ($d * ($ithval - $ithvalprev)); } #printf "p(%6.2f), r: %6.2f, i: %6d, d: %6.2f, Yp: %6d\n", $p, $r, $i, $d, $Yp; push @vals, $Yp; } return @vals; } # Returns a list of frequency distributions given an incrementally sorted # set of sorted scores, and an incrementally sorted list of buckets # # Arg1 is an array ref to the sorted series # Arg2 is a list of frequency buckets to use sub get_frequencies(\@ @) { my ($aref,@blist) = @_; my @vals = ( 0 ) x (@blist); my @sorted_blist = sort { $a <=> $b } @blist; my $bucket_index = 0; OUTER: foreach my $score (@$aref) { #print "Score: $score\n"; for my $i ($bucket_index .. @sorted_blist - 1) { #print "\tTrying Bucket[$i]: $sorted_blist[$i]\n"; if ($score > $sorted_blist[$i]) { $bucket_index++; } else { #printf "\t\tinto Bucket[%d]\n", $bucket_index; $vals[$bucket_index]++; next OUTER; } } #printf "\t\tinto Bucket[%d]\n", $bucket_index - 1; $vals[$bucket_index - 1]++; } return @vals; } # Inserts commas in numbers for easier readability # sub commify ($) { return undef if ! defined ($_[0]); my $text = reverse $_[0]; $text =~ s/(\d\d\d)(?=\d)(?!\d*\.)/$1,/g; return scalar reverse $text; } # Unitize a number, and return appropriate printf formatting string # sub unitize($ $) { my ($num, $fmt) = @_; my $kilobyte = 2**10; my $megabyte = 2**20; my $gigabyte = 2**30; my $terabyte = 2**40; if ($num >= $terabyte) { $num /= $terabyte; $fmt .= '.3fT'; } elsif ($num >= $gigabyte) { $num /= $gigabyte; $fmt .= '.3fG'; } elsif ($num >= $megabyte) { $num /= $megabyte; $fmt .= '.3fM'; } elsif ($num >= $kilobyte) { $num /= $kilobyte; $fmt .= '.3fK'; } else { $fmt .= 'd '; } return ($num, $fmt); } # Returns a sublist of the supplied list of elements in an unchanged order, # where only the first occurrence of each defined element is retained # and duplicates removed # # Borrowed from amavis 2.6.2 # sub unique_list(@) { my ($r) = @_ == 1 && ref($_[0]) ? $_[0] : \@_; # accept list, or a list ref my (%seen); my (@unique) = grep { defined($_) && !$seen{$_}++ } @$r; return @unique; } # Generate a test maillog file from the '#TD' test data lines # The test data file is placed in /var/tmp/maillog.autogen # # arg1: "postfix" or "amavis" # arg2: path to postfix-logwatch or amavis-logwatch from which to read '#TD' data # # Postfix TD syntax: # TD() log entry # sub gen_test_log($) { my $scriptpath = shift; my $toolname = $Logreporters::progname_prefix; my $datafile = "/var/tmp/maillog-${toolname}.autogen"; die "gen_test_log: invalid toolname $toolname" if ($toolname !~ /^(postfix|amavis)$/); eval { require Sys::Hostname; require Fcntl; } or die "Unable to create test data file: required module(s) not found\n$@"; my $syslogtime = localtime; $syslogtime =~ s/^....(.*) \d{4}$/$1/; my ($hostname) = split /\./, Sys::Hostname::hostname(); # # avoid -T issues # delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'}; my $flags = &Fcntl::O_CREAT|&Fcntl::O_WRONLY|&Fcntl::O_TRUNC; sysopen(FH, $datafile, $flags) or die "Can't create test data file: $!"; print "Generating test log data file from $scriptpath: $datafile\n"; my $id; @ARGV = ($scriptpath); if ($toolname eq 'postfix') { my %services = ( DEF => 'smtpd', bQ => 'bounce', cN => 'cleanup', cQ => 'cleanup', lQ => 'local', m => 'master', p => 'pickup', pQ => 'pickup', ppQ => 'pipe', pfw => 'postfwd', pg => 'postgrey', pgQ => 'postgrey', ps => 'postsuper', qQ => 'qmgr', s => 'smtp', sQ => 'smtp', sd => 'smtpd', sdN => 'smtpd', sdQ => 'smtpd', spf => 'policy-spf', vN => 'virtual', vQ => 'virtual', ); $id = 'postfix/smtp[12345]'; while (<>) { if (/^\s*#TD([a-zA-Z]*[NQ]?)(\d+)?(?:\(([^)]+)\))? (.*)$/) { my ($service,$count,$qid,$line) = ($1, $2, $3, $4); #print "SERVICE: %s, QID: %s, COUNT: %s, line: %s\n", $service, $qid, $count, $line; if ($service eq '') { $service = 'DEF'; } die ("No such service: \"$service\": line \"$_\"") if (!exists $services{$service}); $id = $services{$service} . '[123]'; $id = 'postfix/' . $id unless $services{$service} eq 'postgrey'; #print "searching for service: \"$service\"\n\tFound $id\n"; if ($service =~ /N$/) { $id .= ': NOQUEUE'; } elsif ($service =~ /Q$/) { $id .= $qid ? $qid : ': DEADBEEF'; } $line =~ s/ +/ /g; $line =~ s/^ //g; #print "$syslogtime $hostname $id: \"$line\"\n" x ($count ? $count : 1); print FH "$syslogtime $hostname $id: $line\n" x ($count ? $count : 1); } } } else { #amavis my %services = ( DEF => 'amavis', dcc => 'dccproc', ); while (<>) { if (/^\s*#TD([a-z]*)(\d+)? (.*)$/) { my ($service,$count,$line) = ($1, $2, $3); if ($service eq '') { $service = 'DEF'; } die ("No such service: \"$service\": line \"$_\"") if (!exists $services{$service}); $id = $services{$service} . '[123]:'; if ($services{$service} eq 'amavis') { $id .= ' (9999-99)'; } print FH "$syslogtime $hostname $id $line\n" x ($count ? $count : 1) } } } close FH or die "Can't close $datafile: $!"; } 1; #MODULE: ../Logreporters/Config.pm package Logreporters::Config; use 5.008; use strict; use re 'taint'; use warnings; BEGIN { use Exporter (); use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); $VERSION = '1.002'; @ISA = qw(Exporter); @EXPORT = qw(&init_run_mode &add_option &get_options &init_cmdline &get_vars_from_file &process_limiters &process_debug_opts &init_getopts_table_common &zero_opts @Optspec %Opts %Configvars @Limiters %line_styles $fw1 $fw2 $sep1 $sep2 &D_CONFIG &D_ARGS &D_VARS &D_TREE &D_SECT &D_UNMATCHED &D_TEST &D_ALL ); } use subs @EXPORT; our @Optspec = (); # options table used by Getopts our %Opts = (); # program-wide options our %Configvars = (); # configuration file variables our @Limiters; # Report separator characters and widths our ($fw1,$fw2) = (22, 10); our ($sep1,$sep2) = ('=', '-'); use Getopt::Long; BEGIN { import Logreporters::Utils qw(&get_usable_sectvars); } our %line_styles = ( truncate => 0, wrap => 1, full => 2, ); sub init_run_mode($); sub confighash_to_cmdline(\%); sub get_vars_from_file(\% $); sub process_limiters(\@); sub add_option(@); sub get_options($); sub init_getopts_table_common(@); sub set_supplemental_reports($$); # debug constants sub D_CONFIG () { 1<<0 } sub D_ARGS () { 1<<1 } sub D_VARS () { 1<<2 } sub D_TREE () { 1<<3 } sub D_SECT () { 1<<4 } sub D_UNMATCHED () { 1<<5 } sub D_TEST () { 1<<30 } sub D_ALL () { 1<<31 } my %debug_words = ( config => D_CONFIG, args => D_ARGS, vars => D_VARS, tree => D_TREE, sect => D_SECT, unmatched => D_UNMATCHED, test => D_TEST, all => 0xffffffff, ); # Clears %Opts hash and initializes basic running mode options in # %Opts hash by setting keys: 'standalone', 'detail', and 'debug'. # Call early. # sub init_run_mode($) { my $config_file = shift; $Opts{'debug'} = 0; # Logwatch passes a filter's options via environment variables. # When running standalone (w/out logwatch), use command line options $Opts{'standalone'} = exists ($ENV{LOGWATCH_DETAIL_LEVEL}) ? 0 : 1; # Show summary section by default $Opts{'summary'} = 1; if ($Opts{'standalone'}) { process_debug_opts($ENV{'LOGREPORTERS_DEBUG'}) if exists ($ENV{'LOGREPORTERS_DEBUG'}); } else { $Opts{'detail'} = $ENV{'LOGWATCH_DETAIL_LEVEL'}; # XXX #process_debug_opts($ENV{'LOGWATCH_DEBUG'}) if exists ($ENV{'LOGWATCH_DEBUG'}); } # first process --debug, --help, and --version options add_option ('debug=s', sub { process_debug_opts($_[1]); 1}); add_option ('version', sub { &Logreporters::Utils::get_version(); 1;}); get_options(1); # now process --config_file, so that all config file vars are read first add_option ('config_file|f=s', sub { get_vars_from_file(%Configvars, $_[1]); 1;}); get_options(1); # if no config file vars were read if ($Opts{'standalone'} and ! keys(%Configvars) and -f $config_file) { print "Using default config file: $config_file\n" if $Opts{'debug'} & D_CONFIG; get_vars_from_file(%Configvars, $config_file); } } sub get_options($) { my $pass_through = shift; #$SIG{__WARN__} = sub { print "*** $_[0]*** options error\n" }; # ensure we're called after %Opts is initialized die "get_options: program error: %Opts is emtpy" unless exists $Opts{'debug'}; my $p = new Getopt::Long::Parser; if ($pass_through) { $p->configure(qw(pass_through permute)); } else { $p->configure(qw(no_pass_through no_permute)); } #$p->configure(qw(debug)); if ($Opts{'debug'} & D_ARGS) { print "\nget_options($pass_through): enter\n"; printf "\tARGV(%d): ", scalar @ARGV; print @ARGV, "\n"; print "\t$_ ", defined $Opts{$_} ? "=> $Opts{$_}\n" : "\n" foreach sort keys %Opts; } if ($p->getoptions(\%Opts, @Optspec) == 0) { print STDERR "Use ${Logreporters::progname} --help for options\n"; exit 1; } if ($Opts{'debug'} & D_ARGS) { print "\t$_ ", defined $Opts{$_} ? "=> $Opts{$_}\n" : "\n" foreach sort keys %Opts; printf "\tARGV(%d): ", scalar @ARGV; print @ARGV, "\n"; print "get_options: exit\n"; } } sub add_option(@) { push @Optspec, @_; } # untaint string, borrowed from amavisd-new sub untaint($) { no re 'taint'; my ($str); if (defined($_[0])) { local($1); # avoid Perl taint bug: tainted global $1 propagates taintedness $str = $1 if $_[0] =~ /^(.*)$/; } return $str; } sub init_getopts_table_common(@) { my @supplemental_reports = @_; print "init_getopts_table_common: enter\n" if $Opts{'debug'} & D_ARGS; add_option ('help', sub { print STDOUT Logreporters::usage(undef); exit 0 }); add_option ('gen_test_log=s', sub { Logreporters::Utils::gen_test_log($_[1]); exit 0; }); add_option ('detail=i'); add_option ('nodetail', sub { # __none__ will set all limiters to 0 in process_limiters # since they are not known (Sections table is not yet built). push @Limiters, '__none__'; # 0 = disable supplemental_reports set_supplemental_reports(0, \@supplemental_reports); }); add_option ('max_report_width=i'); add_option ('summary!'); add_option ('show_summary=i', sub { $Opts{'summary'} = $_[1]; 1; }); # untaint ipaddr_width for use w/sprintf() in Perl v5.10 add_option ('ipaddr_width=i', sub { $Opts{'ipaddr_width'} = untaint ($_[1]); 1; }); add_option ('sect_vars!'); add_option ('show_sect_vars=i', sub { $Opts{'sect_vars'} = $_[1]; 1; }); add_option ('syslog_name=s'); add_option ('wrap', sub { $Opts{'line_style'} = $line_styles{$_[0]}; 1; }); add_option ('full', sub { $Opts{'line_style'} = $line_styles{$_[0]}; 1; }); add_option ('truncate', sub { $Opts{'line_style'} = $line_styles{$_[0]}; 1; }); add_option ('line_style=s', sub { my $style = lc($_[1]); my @list = grep (/^$style/, keys %line_styles); if (! @list) { print STDERR "Invalid line_style argument \"$_[1]\"\n"; print STDERR "Option line_style argument must be one of \"wrap\", \"full\", or \"truncate\".\n"; print STDERR "Use $Logreporters::progname --help for options\n"; exit 1; } $Opts{'line_style'} = $line_styles{lc($list[0])}; 1; }); add_option ('limit|l=s', sub { my ($limiter,$lspec) = split(/=/, $_[1]); if (!defined $lspec) { printf STDERR "Limiter \"%s\" requires value (ex. --limit %s=10)\n", $_[1],$_[1]; exit 2; } foreach my $val (split(/(?:\s+|\s*,\s*)/, $lspec)) { if ($val !~ /^\d+$/ and $val !~ /^(\d*)\.(\d+)$/ and $val !~ /^::(\d+)$/ and $val !~ /^:(\d+):(\d+)?$/ and $val !~ /^(\d+):(\d+)?:(\d+)?$/) { printf STDERR "Limiter value \"$val\" invalid in \"$limiter=$lspec\"\n"; exit 2; } } push @Limiters, lc $_[1]; }); print "init_getopts_table_common: exit\n" if $Opts{'debug'} & D_ARGS; } sub get_option_names() { my (@ret, @tmp); foreach (@Optspec) { if (ref($_) eq '') { # process only the option names my $spec = $_; $spec =~ s/=.*$//; $spec =~ s/([^|]+)\!$/$1|no$1/g; @tmp = split /[|]/, $spec; #print "PUSHING: @tmp\n"; push @ret, @tmp; } } return @ret; } # Set values for the configuration variables passed via hashref. # Variables are of the form ${progname_prefix}_KEYNAME. # # Because logwatch lowercases all config file entries, KEYNAME is # case-insensitive. # sub init_cmdline() { my ($href, $configvar, $value, $var); # logwatch passes all config vars via environment variables $href = $Opts{'standalone'} ? \%Configvars : \%ENV; # XXX: this is cheeze: need a list of valid limiters, but since # the Sections table is not built yet, we don't know what is # a limiter and what is an option, as there is no distinction in # variable names in the config file (perhaps this should be changed). my @valid_option_names = get_option_names(); die "Options table not yet set" if ! scalar @valid_option_names; print "confighash_to_cmdline: @valid_option_names\n" if $Opts{'debug'} & D_ARGS; my @cmdline = (); while (($configvar, $value) = each %$href) { if ($configvar =~ s/^${Logreporters::progname_prefix}_//o) { # distinguish level limiters from general options # would be easier if limiters had a unique prefix $configvar = lc $configvar; my $ret = grep (/^$configvar$/i, @valid_option_names); if ($ret == 0) { print "\tLIMITER($ret): $configvar = $value\n" if $Opts{'debug'} & D_ARGS; push @cmdline, '-l', "$configvar" . "=$value"; } else { print "\tOPTION($ret): $configvar = $value\n" if $Opts{'debug'} & D_ARGS; unshift @cmdline, $value if defined ($value); unshift @cmdline, "--$configvar"; } } } unshift @ARGV, @cmdline; } # Obtains the variables from a logwatch-style .conf file, for use # in standalone mode. Returns an ENV-style hash of key/value pairs. # sub get_vars_from_file(\% $) { my ($href, $file) = @_; my ($var, $val); print "get_vars_from_file: enter: processing file: $file\n" if $Opts{'debug'} & D_CONFIG; my $message = undef; my $ret = stat ($file); if ($ret == 0) { $message = $!; } elsif (! -r _) { $message = "Permission denied"; } elsif ( -d _) { $message = "Is a directory"; } elsif (! -f _) { $message = "Not a regular file"; } if ($message) { print STDERR "Configuration file \"$file\": $message\n"; exit 2; } my $prog = $Logreporters::progname_prefix; open FILE, '<', "$file" or die "unable to open configuration file $file: $!"; while () { chomp; next if (/^\s*$/); # ignore all whitespace lines next if (/^\*/); # ignore logwatch's *Service lines next if (/^\s*#/); # ignore comment lines if (/^\s*\$(${prog}_[^=\s]+)\s*=\s*"?([^"]+)"?$/o) { ($var,$val) = ($1,$2); if ($val =~ /^(?:no|false)$/i) { $val = 0; } elsif ($val =~ /^(?:yes|true)$/i) { $val = 1; } elsif ($val eq '') { $var =~ s/${prog}_/${prog}_no/; $val = undef; } print "\t\"$var\" => \"$val\"\n" if $Opts{'debug'} & D_CONFIG; $href->{$var} = $val; } } close FILE or die "failed to close configuration handle for $file: $!"; print "get_vars_from_file: exit\n" if $Opts{'debug'} & D_CONFIG; } sub process_limiters(\@) { my ($sectref) = @_; my ($limiter, $var, $val, @errors); my @l = get_usable_sectvars(@$sectref, 1); if ($Opts{'debug'} & D_VARS) { print "process_limiters: enter\n"; print "\tLIMITERS: @Limiters\n"; } while ($limiter = shift @Limiters) { my @matched = (); printf "\t%-30s ",$limiter if $Opts{'debug'} & D_VARS; # disable all limiters when limiter is __none__: see 'nodetail' cmdline option if ($limiter eq '__none__') { $Opts{$_} = 0 foreach @l; next; } ($var,$val) = split /=/, $limiter; if ($val eq '') { push @errors, "Limiter \"$var\" requires value (ex. --limit limiter=10)"; next; } # try exact match first, then abbreviated match next if (scalar (@matched = grep(/^$var$/, @l)) == 1 or scalar (@matched = grep(/^$var/, @l)) == 1) { $limiter = $matched[0]; # unabbreviate limiter print "MATCH: $var: $limiter => $val\n" if $Opts{'debug'} & D_VARS; # XXX move limiters into section hash entry... $Opts{$limiter} = $val; next; } print "matched=", scalar @matched, ": @matched\n" if $Opts{'debug'} & D_VARS; push @errors, "Limiter \"$var\" is " . (scalar @matched == 0 ? "invalid" : "ambiguous: @matched"); } print "\n" if $Opts{'debug'} & D_VARS; if (@errors) { print STDERR "$_\n" foreach @errors; exit 2; } # Set the default value of 10 for each section if no limiter exists. # This allows output for each section should there be no configuration # file or missing limiter within the configuration file. foreach (@l) { $Opts{$_} = 10 unless exists $Opts{$_}; } # Enable collection for each section if a limiter is non-zero. foreach (@l) { #print "L is: $_\n"; #print "DETAIL: $Opts{'detail'}, OPTS: $Opts{$_}\n"; $Logreporters::TreeData::Collecting{$_} = (($Opts{'detail'} >= 5) && $Opts{$_}) ? 1 : 0; } #print "OPTS: \n"; map { print "$_ => $Opts{$_}\n"} keys %Opts; #print "COLLECTING: \n"; map { print "$_ => $Logreporters::TreeData::Collecting{$_}\n"} keys %Logreporters::TreeData::Collecting; } # Enable/disable supplemental reports # arg1: 0=off, 1=on # arg2,...: list of supplemental report keywords sub set_supplemental_reports($$) { my ($onoff,$aref) = @_; $Opts{$_} = $onoff foreach (@$aref); } sub process_debug_opts($) { my $optstring = shift; my @errors = (); foreach (split(/\s*,\s*/, $optstring)) { my $word = lc $_; my @matched = grep (/^$word/, keys %debug_words); if (scalar @matched == 1) { $Opts{'debug'} |= $debug_words{$matched[0]}; next; } if (scalar @matched == 0) { push @errors, "Unknown debug keyword \"$word\""; } else { # > 1 push @errors, "Ambiguous debug keyword abbreviation \"$word\": (matches: @matched)"; } } if (@errors) { print STDERR "$_\n" foreach @errors; print STDERR "Debug keywords: ", join (' ', sort keys %debug_words), "\n"; exit 2; } } # Zero the options controlling level specs and those # any others passed via Opts key. # # Zero the options controlling level specs in the # Detailed section, and set all other report options # to disabled. This makes it easy via command line to # disable the entire summary section, and then re-enable # one or more sections for specific reports. # # eg. progname --nodetail --limit forwarded=2 # sub zero_opts ($ @) { my $sectref = shift; # remaining args: list of Opts keys to zero map { $Opts{$_} = 0; print "zero_opts: $_ => 0\n" if $Opts{'debug'} & D_VARS;} @_; map { $Opts{$_} = 0 } get_usable_sectvars(@$sectref, 1); } 1; #MODULE: ../Logreporters/TreeData.pm package Logreporters::TreeData; use 5.008; use strict; use re 'taint'; use warnings; no warnings "uninitialized"; BEGIN { use Exporter (); use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); $VERSION = '1.001'; @ISA = qw(Exporter); @EXPORT = qw(%Totals %Counts %Collecting $END_KEY); @EXPORT_OK = qw(&printTree &buildTree); } use subs @EXPORT_OK; BEGIN { import Logreporters::Config qw(%line_styles); } # Totals and Counts are the log line accumulator hashes. # Totals: maintains per-section grand total tallies for use in Summary section # Counts: is a multi-level hash, which maintains per-level key totals. our (%Totals, %Counts); # The Collecting hash determines which sections will be captured in # the Counts hash. Counts are collected only if a section is enabled, # and this hash obviates the need to test both existence and # non-zero-ness of the Opts{'keyname'} (either of which cause capture). # XXX The Opts hash could be used .... our %Collecting = (); sub buildTree(\% $ $ $ $ $); sub printTree($ $ $ $ $); =pod [ a:b:c, ... ] which would be interpreted as follows: a = show level a detail b = show at most b items at this level c = minimun count that will be shown =cut sub printTree($ $ $ $ $) { my ($treeref, $lspecsref, $line_style, $max_report_width, $debug) = @_; my ($entry, $line); my $cutlength = $max_report_width - 3; my $topn = 0; foreach $entry (sort bycount @$treeref) { ref($entry) ne "HASH" and die "Unexpected entry in tree: $entry\n"; #print "LEVEL: $entry->{LEVEL}, TOTAL: $entry->{TOTAL}, HASH: $entry, DATA: $entry->{DATA}\n"; # Once the top N lines have been printed, we're done if ($lspecsref->[$entry->{LEVEL}]{topn}) { if ($topn++ >= $lspecsref->[$entry->{LEVEL}]{topn} ) { print ' ', ' ' x ($entry->{LEVEL} + 3), "...\n" unless ($debug) and do { $line = ' ' . ' ' x ($entry->{LEVEL} + 3) . '...'; printf "%-130s L%d: topn reached(%d)\n", $line, $entry->{LEVEL} + 1, $lspecsref->[$entry->{LEVEL}]{topn}; }; last; } } # Once the item's count falls below the given threshold, we're done at this level # unless a top N is specified, as threshold has lower priority than top N elsif ($lspecsref->[$entry->{LEVEL}]{threshold}) { if ($entry->{TOTAL} <= $lspecsref->[$entry->{LEVEL}]{threshold}) { print ' ', ' ' x ($entry->{LEVEL} + 3), "...\n" unless ($debug) and do { $line = ' ' . (' ' x ($entry->{LEVEL} + 3)) . '...'; printf "%-130s L%d: threshold reached(%d)\n", $line, $entry->{LEVEL} + 1, $lspecsref->[$entry->{LEVEL}]{threshold}; }; last; } } $line = sprintf "%8d%s%s", $entry->{TOTAL}, ' ' x ($entry->{LEVEL} + 2), $entry->{DATA}; if ($debug) { printf "%-130s %-60s\n", $line, $entry->{DEBUG}; } # line_style full, or lines < max_report_width #printf "MAX: $max_report_width, LEN: %d, CUTLEN $cutlength\n", length($line); if ($line_style == $line_styles{'full'} or length($line) <= $max_report_width) { print $line, "\n"; } elsif ($line_style == $line_styles{'truncate'}) { print substr ($line,0,$cutlength), '...', "\n"; } elsif ($line_style == $line_styles{'wrap'}) { my $leader = ' ' x 8 . ' ' x ($entry->{LEVEL} + 2); print substr ($line, 0, $max_report_width, ''), "\n"; while (length($line)) { print $leader, substr ($line, 0, $max_report_width - length($leader), ''), "\n"; } } else { die ('unexpected line style'); } printTree ($entry->{CHILDREF}, $lspecsref, $line_style, $max_report_width, $debug) if (exists $entry->{CHILDREF}); } } my $re_IP_strict = qr/\b(25[0-5]|2[0-4]\d|[01]?\d{1,2})\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})\b/; # XXX optimize this using packed default sorting. Analysis shows speed isn't an issue though sub bycount { # Sort by totals, then IP address if one exists, and finally by data as a string local $SIG{__WARN__} = sub { print "*** PLEASE REPORT:\n*** $_[0]*** Unexpected: \"$a->{DATA}\", \"$b->{DATA}\"\n" }; $b->{TOTAL} <=> $a->{TOTAL} || pack('C4' => $a->{DATA} =~ /^$re_IP_strict/o) cmp pack('C4' => $b->{DATA} =~ /^$re_IP_strict/o) || $a->{DATA} cmp $b->{DATA} } # # Builds a tree of REC structures from the multi-key %Counts hashes # # Parameters: # Hash: A multi-key hash, with keys being used as category headings, and leaf data # being tallies for that set of keys # Level: This current recursion level. Call with 0. # # Returns: # Listref: A listref, where each item in the list is a rec record, described as: # DATA: a string: a heading, or log data # TOTAL: an integer: which is the subtotal of this item's children # LEVEL: an integer > 0: representing this entry's level in the tree # CHILDREF: a listref: references a list consisting of this node's children # Total: The cummulative total of items found for a given invocation # # Use the special key variable $END_KEY, which is "\a\a" (two ASCII bell's) to end a, # nested hash early, or the empty string '' may be used as the last key. our $END_KEY = "\a\a"; sub buildTree(\% $ $ $ $ $) { my ($href, $max_level_section, $levspecref, $max_level_global, $recurs_level, $show_unique, $debug) = @_; my ($subtotal, $childList, $rec); my @treeList = (); my $total = 0; foreach my $item (sort keys %$href) { if (ref($href->{$item}) eq "HASH") { #print " " x ($recurs_level * 4), "HASH: LEVEL $recurs_level: Item: $item, type: \"", ref($href->{$item}), "\"\n"; ($subtotal, $childList) = buildTree (%{$href->{$item}}, $max_level_section, $levspecref, $max_level_global, $recurs_level + 1, $debug); if ($recurs_level < $max_level_global and $recurs_level < $max_level_section) { # me + children $rec = { DATA => $item, TOTAL => $subtotal, LEVEL => $recurs_level, CHILDREF => $childList, }; if ($debug) { $rec->{DEBUG} = sprintf "L%d: levelspecs: %2d/%2d/%2d/%2d, Count: %10d", $recurs_level + 1, $max_level_global, $max_level_section, $levspecref->[$recurs_level]{topn}, $levspecref->[$recurs_level]{threshold}, $subtotal; } push (@treeList, $rec); } } else { if ($item ne '' and $item ne $END_KEY and $recurs_level < $max_level_global and $recurs_level < $max_level_section) { $rec = { DATA => $item, TOTAL => $href->{$item}, LEVEL => $recurs_level, #CHILDREF => undef, }; if ($debug) { $rec->{DEBUG} = sprintf "L%d: levelspecs: %2d/%2d/%2d/%2d, Count: %10d", $recurs_level, $max_level_global, $max_level_section, $levspecref->[$recurs_level]{topn}, $levspecref->[$recurs_level]{threshold}, $href->{$item}; } push (@treeList, $rec); } $subtotal = $href->{$item}; } $total += $subtotal; } #print " " x ($recurs_level * 4), "LEVEL $recurs_level: Returning from recurs_level $recurs_level\n"; return ($total, \@treeList); } 1; #MODULE: ../Logreporters/RegEx.pm package Logreporters::RegEx; use 5.008; use strict; use re 'taint'; use warnings; BEGIN { use Exporter (); use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); $VERSION = '1.000'; @ISA = qw(Exporter); # @EXPORT = qw($re_IP); @EXPORT_OK = qw(); } # IPv4 and IPv6 # See syntax in RFC 2821 IPv6-address-literal, # eg. IPv6:2001:630:d0:f102:230:48ff:fe77:96e #our $re_IP = '(?:(?:::(?:ffff:|FFFF:)?)?(?:\d{1,3}\.){3}\d{1,3}|(?:(?:IPv6:)?[\da-fA-F]{0,4}:){2}(?:[\da-fA-F]{0,4}:){0,5}[\da-fA-F]{0,4})'; # Modified from "dartware" case at http://forums.dartware.com/viewtopic.php?t=452# #our $re_IP = qr/(?:(?:(?:(?:[\da-f]{1,4}:){7}(?:[\da-f]{1,4}|:))|(?:(?:[\da-f]{1,4}:){6}(?::[\da-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(?:(?:[\da-f]{1,4}:){5}(?:(?:(?::[\da-f]{1,4}){1,2})|:(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(?:(?:[\da-f]{1,4}:){4}(?:(?:(?::[\da-f]{1,4}){1,3})|(?:(?::[\da-f]{1,4})?:(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(?:(?:[\da-f]{1,4}:){3}(?:(?:(?::[\da-f]{1,4}){1,4})|(?:(?::[\da-f]{1,4}){0,2}:(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(?:(?:[\da-f]{1,4}:){2}(?:(?:(?::[\da-f]{1,4}){1,5})|(?:(?::[\da-f]{1,4}){0,3}:(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(?:(?:[\da-f]{1,4}:){1}(?:(?:(?::[\da-f]{1,4}){1,6})|(?:(?::[\da-f]{1,4}){0,4}:(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(?::(?:(?:(?::[\da-f]{1,4}){1,7})|(?:(?::[\da-f]{1,4}){0,5}:(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(?:%.+)?)|(?:(?:\d{1,3}\.){3}(?:\d{1,3}))/i; # IPv4 only #our $re_IP = qr/(?:\d{1,3}\.){3}(?:\d{1,3})/; 1; #MODULE: ../Logreporters/Reports.pm package Logreporters::Reports; use 5.008; use strict; use re 'taint'; use warnings; no warnings "uninitialized"; BEGIN { use Exporter (); use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); $VERSION = '1.002'; @ISA = qw(Exporter); @EXPORT = qw(&inc_unmatched &print_unmatched_report &print_percentiles_report2 &print_summary_report &print_detail_report); @EXPORT_OK = qw(); } use subs @EXPORT_OK; BEGIN { import Logreporters::Config qw(%Opts $fw1 $fw2 $sep1 $sep2 &D_UNMATCHED &D_TREE); import Logreporters::Utils qw(&commify &unitize &get_percentiles &get_percentiles2); import Logreporters::TreeData qw(%Totals %Counts &buildTree &printTree); } my (%unmatched_list); our $origline; # unmodified log line, for error reporting and debug sub inc_unmatched($) { my ($id) = @_; $unmatched_list{$origline}++; print "UNMATCHED($id): \"$origline\"\n" if $Opts{'debug'} & D_UNMATCHED; } # Print unmatched lines # sub print_unmatched_report() { return unless (keys %unmatched_list); print "\n\n**Unmatched Entries**\n"; foreach my $line (sort {$unmatched_list{$b}<=>$unmatched_list{$a} } keys %unmatched_list) { printf "%8d %s\n", $unmatched_list{$line}, $line; } } =pod ****** Summary ******************************************************** 2 Miscellaneous warnings 20621 Total messages scanned ---------------- 100.00% 662.993M Total bytes scanned 695,198,092 ======== ================================================ 19664 Ham ----------------------------------- 95.36% 19630 Clean passed 95.19% 34 Bad header passed 0.16% 942 Spam ---------------------------------- 4.57% 514 Spam blocked 2.49% 428 Spam discarded (no quarantine) 2.08% 15 Malware ------------------------------- 0.07% 15 Malware blocked 0.07% 1978 SpamAssassin bypassed 18 Released from quarantine 1982 Whitelisted 3 Blacklisted 12 MIME error 51 Bad header (debug supplemental) 28 Extra code modules loaded at runtime =cut # Prints the Summary report section # sub print_summary_report (\@) { my ($sections) = @_; my ($keyname,$cur_level); my @lines; my $expand_header_footer = sub { my $line = undef; foreach my $horf (@_) { # print blank line if keyname is newline if ($horf eq "\n") { $line .= "\n"; } elsif (my ($sepchar) = ($horf =~ /^(.)$/o)) { $line .= sprintf "%s %s\n", $sepchar x 8, $sepchar x 50; } else { die "print_summary_report: unsupported header or footer type \"$horf\""; } } return $line; }; if ($Opts{'detail'} >= 5) { my $header = "****** Summary "; print $header, '*' x ($Opts{'max_report_width'} - length $header), "\n\n"; } my @headers; foreach my $sref (@$sections) { # headers and separators die "Unexpected Section $sref" if (ref($sref) ne 'HASH'); # Start of a new section group. # Expand and save headers to output at end of section group. if ($sref->{CLASS} eq 'GROUP_BEGIN') { $cur_level = $sref->{LEVEL}; $headers[$cur_level] = &$expand_header_footer(@{$sref->{HEADERS}}); } elsif ($sref->{CLASS} eq 'GROUP_END') { my $prev_level = $sref->{LEVEL}; # If this section had lines to output, tack on headers and footers, # removing extraneous newlines. if ($lines[$cur_level]) { # squish multiple blank lines if ($headers[$cur_level] and substr($headers[$cur_level],0,1) eq "\n") { if ( ! defined $lines[$prev_level][-1] or $lines[$prev_level][-1] eq "\n") { $headers[$cur_level] =~ s/^\n+//; } } push @{$lines[$prev_level]}, $headers[$cur_level] if $headers[$cur_level]; push @{$lines[$prev_level]}, @{$lines[$cur_level]}; my $f = &$expand_header_footer(@{$sref->{FOOTERS}}); push @{$lines[$prev_level]}, $f if $f; $lines[$cur_level] = undef; } $headers[$cur_level] = undef; $cur_level = $prev_level; } elsif ($sref->{CLASS} eq 'DATA') { # Totals data $keyname = $sref->{NAME}; if ($Totals{$keyname} > 0) { my ($numfmt, $desc, $divisor) = ($sref->{FMT}, $sref->{TITLE}, $sref->{DIVISOR}); my $fmt = '%8'; my $extra = ' %25s'; my $total = $Totals{$keyname}; # Z format provides unitized or unaltered totals, as appropriate if ($numfmt eq 'Z') { ($total, $fmt) = unitize ($total, $fmt); } else { $fmt .= "$numfmt "; } if ($divisor and $$divisor) { # XXX generalize this if (ref ($desc) eq 'ARRAY') { $desc = @$desc[0] . ' ' . @$desc[1] x (42 - 2 - length(@$desc[0])); } push @{$lines[$cur_level]}, sprintf "$fmt %-42s %6.2f%%\n", $total, $desc, $$divisor == $Totals{$keyname} ? 100.00 : $Totals{$keyname} * 100 / $$divisor; } else { push @{$lines[$cur_level]}, sprintf "$fmt %-23s $extra\n", $total, $desc, commify ($Totals{$keyname}); } } } else { die "print_summary_report: unexpected control..."; } } print @{$lines[0]}; print "\n"; } # Prints the Detail report section # # Note: side affect; deletes each key in Totals/Counts # after printout. Only the first instance of a key in # the Section table will result in Detail output. sub print_detail_report (\@) { my ($sections) = @_; my $header_printed = 0; return unless (keys %Counts); #use Devel::Size qw(size total_size); foreach my $sref ( @$sections ) { next unless $sref->{CLASS} eq 'DATA'; # only print detail for this section if DETAIL is enabled # and there is something in $Counts{$keyname} next unless $sref->{DETAIL}; next unless exists $Counts{$sref->{NAME}}; my $keyname = $sref->{NAME}; my $max_level = undef; my $print_this_key = 0; my @levelspecs = (); clear_level_specs($max_level, \@levelspecs); if (exists $Opts{$keyname}) { $max_level = create_level_specs($Opts{$keyname}, $Opts{'detail'}, \@levelspecs); $print_this_key = 1 if ($max_level); } else { $print_this_key = 1; } #print_level_specs($max_level,\@levelspecs); # at detail 5, print level 1, detail 6: level 2, ... #print STDERR "building: $keyname\n"; my ($count, $treeref) = buildTree (%{$Counts{$keyname}}, defined ($max_level) ? $max_level : 11, \@levelspecs, $Opts{'detail'} - 4, 0, $Opts{'debug'} & D_TREE); if ($count > 0) { if ($print_this_key) { my $desc = $sref->{TITLE}; $desc =~ s/^\s+//; if (! $header_printed) { my $header = "****** Detail ($max_level) "; print $header, '*' x ($Opts{'max_report_width'} - length $header), "\n"; $header_printed = 1; } printf "\n%8d %s %s\n", $count, $desc, $Opts{'sect_vars'} ? ('-' x ($Opts{'max_report_width'} - 18 - length($desc) - length($keyname))) . " [ $keyname ] -" : '-' x ($Opts{'max_report_width'} - 12 - length($desc)) } printTree ($treeref, \@levelspecs, $Opts{'line_style'}, $Opts{'max_report_width'}, $Opts{'debug'} & D_TREE); } #print STDERR "Total size Counts: ", total_size(\%Counts), "\n"; #print STDERR "Total size Totals: ", total_size(\%Totals), "\n"; $treeref = undef; $Totals{$keyname} = undef; delete $Totals{$keyname}; delete $Counts{$keyname}; } #print "\n"; } =pod Print out a standard percentiles report === Delivery Delays Percentiles =============================================================== 0% 25% 50% 75% 90% 95% 98% 100% ----------------------------------------------------------------------------------------------- Before qmgr 0.01 0.70 1.40 45483.70 72773.08 81869.54 87327.42 90966.00 In qmgr 0.00 0.00 0.00 0.01 0.01 0.01 0.01 0.01 Conn setup 0.00 0.00 0.00 0.85 1.36 1.53 1.63 1.70 Transmission 0.03 0.47 0.92 1.61 2.02 2.16 2.24 2.30 Total 0.05 1.18 2.30 45486.15 72776.46 81873.23 87331.29 90970.00 =============================================================================================== === Postgrey Delays Percentiles =========================================================== 0% 25% 50% 75% 90% 95% 98% 100% ------------------------------------------------------------------------------------------- Postgrey 727.00 727.00 727.00 727.00 727.00 727.00 727.00 727.00 =========================================================================================== tableref: data table: ref to array of arrays, first cell is label, subsequent cells are data title: table's title percentiles_str: string of space or comma separated integers, which are the percentiles calculated and output as table column data =cut sub print_percentiles_report2($$$) { my ($tableref, $title, $percentiles_str) = @_; return unless @$tableref; my $myfw2 = $fw2 - 1; my @percents = split /[ ,]/, $percentiles_str; # Calc y label width from the hash's keys. Each key is padded with the # string "#: ", # where # is a single-digit sort index. my $y_label_max_width = 0; for (@$tableref) { $y_label_max_width = length($_->[0]) if (length($_->[0]) > $y_label_max_width); } # Titles row my $col_titles_str = sprintf "%-${y_label_max_width}s" . "%${myfw2}s%%" x @percents , ' ', @percents; my $table_width = length($col_titles_str); # Table header row my $table_header_str = sprintf "%s %s ", $sep1 x 3, $title; $table_header_str .= $sep1 x ($table_width - length($table_header_str)); print "\n", $table_header_str; print "\n", $col_titles_str; print "\n", $sep2 x $table_width; my (@p, @coldata, @xformed); foreach (@$tableref) { my ($title, $ref) = ($_->[0], $_->[1]); #xxx my @sorted = sort { $a <=> $b } @{$_->[1]}; my @byscore = (); for my $bucket (sort { $a <=> $b } keys %$ref) { #print "Key: $title: Bucket: $bucket = $ref->{$bucket}\n"; # pairs: bucket (i.e. key), tally push @byscore, $bucket, $ref->{$bucket}; } my @p = get_percentiles2 (@byscore, @percents); printf "\n%-${y_label_max_width}s" . "%${fw2}.2f" x scalar (@p), $title, @p; } =pod foreach (@percents) { #printf "\n%-${y_label_max_width}s" . "%${fw2}.2f" x scalar (@p), substr($title,3), @p; printf "\n%3d%%", $title; foreach my $val (@{shift @xformed}) { my $unit; if ($val > 1000) { $unit = 's'; $val /= 1000; } else { $unit = ''; } printf "%${fw3}.2f%-2s", $val, $unit; } } =cut print "\n", $sep1 x $table_width, "\n"; } sub clear_level_specs($ $) { my ($max_level,$lspecsref) = @_; #print "Zeroing $max_level rows of levelspecs\n"; $max_level = 0 if (not defined $max_level); for my $x (0..$max_level) { $lspecsref->[$x]{topn} = undef; $lspecsref->[$x]{threshold} = undef; } } # topn = 0 means don't limit # threshold = 0 means no min threshold sub create_level_specs($ $ $) { my ($optkey,$gdetail,$lspecref) = @_; return 0 if ($optkey eq "0"); my $max_level = $gdetail; # default to global detail level my (@specsP1, @specsP2, @specsP3); #printf "create_level_specs: key: %s => \"%s\", max_level: %d\n", $optkey, $max_level; foreach my $sp (split /[\s,]+/, $optkey) { #print "create_level_specs: SP: \"$sp\"\n"; # original level specifier if ($sp =~ /^\d+$/) { $max_level = $sp; #print "create_level_specs: max_level set: $max_level\n"; } # original level specifier + topn at level 1 elsif ($sp =~ /^(\d*)\.(\d+)$/) { if ($1) { $max_level = $1; } else { $max_level = $gdetail; } # top n specified, but no max level # force top N at level 1 (zero based) push @specsP1, { level => 0, topn => $2, threshold => 0 }; } # newer level specs elsif ($sp =~ /^::(\d+)$/) { push @specsP3, { level => undef, topn => 0, threshold => $1 }; } elsif ($sp =~ /^:(\d+):(\d+)?$/) { push @specsP2, { level => undef, topn => $1, threshold => defined $2 ? $2 : 0 }; } elsif ($sp =~ /^(\d+):(\d+)?:(\d+)?$/) { push @specsP1, { level => ($1 > 0 ? $1 - 1 : 0), topn => $2 ? $2 : 0, threshold => $3 ? $3 : 0 }; } else { print STDERR "create_level_specs: unexpected levelspec ignored: \"$sp\"\n"; } } #foreach my $sp (@specsP3, @specsP2, @specsP1) { # printf "Sorted specs: L%d, topn: %3d, threshold: %3d\n", $sp->{level}, $sp->{topn}, $sp->{threshold}; #} my ($min, $max); foreach my $sp ( @specsP3, @specsP2, @specsP1) { ($min, $max) = (0, $max_level); if (defined $sp->{level}) { $min = $max = $sp->{level}; } for my $level ($min..$max) { #printf "create_level_specs: setting L%d, topn: %s, threshold: %s\n", $level, $sp->{topn}, $sp->{threshold}; $lspecref->[$level]{topn} = $sp->{topn} if ($sp->{topn}); $lspecref->[$level]{threshold} = $sp->{threshold} if ($sp->{threshold}); } } return $max_level; } sub print_level_specs($ $) { my ($max_level,$lspecref) = @_; for my $level (0..$max_level) { printf "LevelSpec Row %d: %3d %3d\n", $level, $lspecref->[$level]{topn}, $lspecref->[$level]{threshold}; } } 1; #MODULE: ../Logreporters/RFC3463.pm package Logreporters::RFC3463; use 5.008; use strict; use re 'taint'; use warnings; BEGIN { use Exporter (); use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); $VERSION = '1.000'; @ISA = qw(Exporter); @EXPORT = qw(&get_dsn_msg); } use subs @EXPORT; #------------------------------------------------- # Enhanced Mail System Status Codes (aka: extended status codes) # # RFC 3463 http://www.ietf.org/rfc/rfc3463.txt # RFC 4954 http://www.ietf.org/rfc/rfc4954.txt # # Class.Subject.Detail # my %dsn_codes = ( class => { '2' => 'Success', '4' => 'Transient failure', '5' => 'Permanent failure', }, subject => { '0' => 'Other/Undefined status', '1' => 'Addressing status', '2' => 'Mailbox status', '3' => 'Mail system status', '4' => 'Network & routing status', '5' => 'Mail delivery protocol status', '6' => 'Message content/media status', '7' => 'Security/policy status', }, detail => { '0.0' => 'Other undefined status', '1.0' => 'Other address status', '1.1' => 'Bad destination mailbox address', '1.2' => 'Bad destination system address', '1.3' => 'Bad destination mailbox address syntax', '1.4' => 'Destination mailbox address ambiguous', '1.5' => 'Destination mailbox address valid', '1.6' => 'Mailbox has moved', '1.7' => 'Bad sender\'s mailbox address syntax', '1.8' => 'Bad sender\'s system address', '2.0' => 'Other/Undefined mailbox status', '2.1' => 'Mailbox disabled, not accepting messages', '2.2' => 'Mailbox full', '2.3' => 'Message length exceeds administrative limit.', '2.4' => 'Mailing list expansion problem', '3.0' => 'Other/Undefined mail system status', '3.1' => 'Mail system full', '3.2' => 'System not accepting network messages', '3.3' => 'System not capable of selected features', '3.4' => 'Message too big for system', '4.0' => 'Other/Undefined network or routing status', '4.1' => 'No answer from host', '4.2' => 'Bad connection', '4.3' => 'Routing server failure', '4.4' => 'Unable to route', '4.5' => 'Network congestion', '4.6' => 'Routing loop detected', '4.7' => 'Delivery time expired', '5.0' => 'Other/Undefined protocol status', '5.1' => 'Invalid command', '5.2' => 'Syntax error', '5.3' => 'Too many recipients', '5.4' => 'Invalid command arguments', '5.5' => 'Wrong protocol version', '5.6' => 'Authentication Exchange line too long', '6.0' => 'Other/Undefined media error', '6.1' => 'Media not supported', '6.2' => 'Conversion required & prohibited', '6.3' => 'Conversion required but not supported', '6.4' => 'Conversion with loss performed', '6.5' => 'Conversion failed', '7.0' => 'Other/Undefined security status', '7.1' => 'Delivery not authorized, message refused', '7.2' => 'Mailing list expansion prohibited', '7.3' => 'Security conversion required but not possible', '7.4' => 'Security features not supported', '7.5' => 'Cryptographic failure', '7.6' => 'Cryptographic algorithm not supported', '7.7' => 'Message integrity failure', }, # RFC 4954 complete => { '2.7.0' => 'Authentication succeeded', '4.7.0' => 'Temporary authentication failure', '4.7.12' => 'Password transition needed', '5.7.0' => 'Authentication required', '5.7.8' => 'Authentication credentials invalid', '5.7.9' => 'Authentication mechanism too weak', '5.7.11' => 'Encryption required for requested authentication mechanism', }, ); # Returns an RFC 3463 DSN messages given a DSN code # sub get_dsn_msg ($) { my $dsn = shift; my ($msg, $class, $subject, $detail); return "*DSN unavailable" if ($dsn =~ /^$/); unless ($dsn =~ /^(\d)\.((\d{1,3})\.\d{1,3})$/) { print "Error: not a DSN code $dsn\n"; return "Invalid DSN"; } $class = $1; $subject = $3; $detail = $2; #print "DSN: $dsn, Class: $class, Subject: $subject, Detail: $detail\n"; if (exists $dsn_codes{'class'}{$class}) { $msg = $dsn_codes{'class'}{$class}; } if (exists $dsn_codes{'subject'}{$subject}) { $msg .= ': ' . $dsn_codes{'subject'}{$subject}; } if (exists $dsn_codes{'complete'}{$dsn}) { $msg .= ': ' . $dsn_codes{'complete'}{$dsn}; } elsif (exists $dsn_codes{'detail'}{$detail}) { $msg .= ': ' . $dsn_codes{'detail'}{$detail}; } #print "get_dsn_msg: $msg\n" if ($msg); return $dsn . ': ' . $msg; } 1; #MODULE: ../Logreporters/PolicySPF.pm package Logreporters::PolicySPF; use 5.008; use strict; use re 'taint'; use warnings; BEGIN { use Exporter (); use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); $VERSION = '1.000'; @ISA = qw(Exporter); @EXPORT = qw(&postfix_policy_spf); } use subs @EXPORT; BEGIN { import Logreporters::TreeData qw(%Totals %Counts $END_KEY); import Logreporters::Utils; import Logreporters::Reports qw(&inc_unmatched); } # Handle postfix/policy_spf entries # # Mail::SPF::Result # Pass the SPF record designates the host to be allowed to send accept # Fail the SPF record has designated the host as NOT being allowed to send reject # SoftFail the SPF record has designated the host as NOT being allowed to send but is in transition accept but mark # Neutral the SPF record specifies explicitly that nothing can be said about validity accept # None the domain does not have an SPF record or the SPF record does not evaluate to a result accept # PermError a permanent error has occured (eg. badly formatted SPF record) unspecified # TempError a transient error has occured accept or reject sub postfix_policy_spf($) { my $line = shift; if ( $line =~ /^Attribute: / or # handler sender_policy_framework: is decisive. $line =~ /^handler [^:]+/ or # decided action=REJECT Please see http://www.openspf.org/why.html?sender=jrzjcez%40telecomitalia.it&ip=81.178.62.236&receiver=protegate1.zmi.at $line =~ /^decided action=/ or # pypolicyd-spf-0.7.1 # # Read line: "request=smtpd_access_policy" # Found the end of entry # Config: {'Mail_From_reject': 'Fail', 'PermError_reject': 'False', 'HELO_reject': 'SPF_Not_Pass', 'defaultSeedOnly': 1, 'debugLevel': 4, 'skip_addresses': '127.0.0.0/8,::ffff:127.0.0.0//104,::1//128', 'TempError_Defer': 'False'} # spfcheck: pyspf result: "['Pass', 'sender SPF authorized', 'helo']" # ERROR: Could not match line "#helo pass and mfrom none" # Traceback (most recent call last): # File "/usr/local/bin/policyd-spf", line 405, in # line = sys.stdin.readline() # KeyboardInterrupt $line =~ /^Read line: "/ or $line =~ /^Found the end of entry$/ or $line =~ /^Config: \{/ or $line =~ /^spfcheck: pyspf result/ or $line =~ /^Starting$/ or $line =~ /^Normal exit$/ or $line =~ /^ERROR: Could not match line/ or $line =~ /^Traceback / or $line =~ /^KeyboardInterrupt/ or $line =~ /^\s\s+/ ) { #print "IGNORING...\n\tORIG: $::OrigLine\n"; return } # Keep policy-spf warnings in its section if (my ($warn,$msg) = $line =~ /^warning: ([^:]+): (.*)$/) { #TDspf warning: ignoring garbage: # No SPF $msg =~ s/^# ?//; $Totals{'policyspf'}++; $Counts{'policyspf'}{'*Warning'}{ucfirst $warn}{$msg}{$END_KEY}++ if ($Logreporters::TreeData::Collecting{'policyspf'}); return; } # pypolicyd-spf-0.7.1 # Fail; identity=helo; client-ip=192.168.0.1; helo=example.com; envelope-from=f@example.com; receiver=bogus2@example.net # Fail; identity=helo; client-ip=192.168.0.2; helo=example.com; envelope-from=<>; receiver=bogus@example.net # Neutral; identity=helo; client-ip=192.168.0.3; helo=example.com; envelope-from=f@example.com; receiver=bogus2@example.net # None; identity=helo; client-ip=192.168.0.4; helo=example.com; envelope-from=f@example.com; receiver=bogus2@example.net # None; identity=helo; client-ip=192.168.0.5; helo=example.com; envelope-from=f@example.com; receiver=bogus2@example.net # None; identity=mailfrom; client-ip=192.168.0.1; helo=example.com; envelope-from=f@example.com; receiver=bogus2@example.net # None; identity=mailfrom; client-ip=192.168.0.2; helo=example.com; envelope-from=f@example.com; receiver=bogus2@example.net # Pass; identity=helo; client-ip=192.168.0.2; helo=example.com; envelope-from=<>; receiver=bogus@example.net # Permerror; identity=helo; client-ip=192.168.0.4; helo=example.com; envelope-from=f@example.com; receiver=bogus2@example.net # Softfail; identity=mailfrom; client-ip=192.168.0.6; helo=example.com; envelope-from=f@example.com; receiver=yahl@example.org if ($line =~ /^(Pass|Fail|None|Neutral|Permerror|Softfail|Temperror); (.*)$/) { my $result = $1; my %params = $2 =~ /([-\w]+)=([^;]+)/g; #$params{'s'} = '*unknown' unless $params{'s'}; $Totals{'policyspf'}++; if ($Logreporters::TreeData::Collecting{'policyspf'}) { my ($id) = $params{'identity'}; $id =~ s/mailfrom/envelope-from/; $Counts{'policyspf'}{'Policy Action'}{"SPF: $result"}{join(': ',$params{'identity'},$params{$id})}{$params{'client-ip'}}{$params{'receiver'}}++; } return; } elsif ($line =~ /^ERROR /) { $line =~ s/^ERROR //; $Totals{'warningsother'}++; return unless ($Logreporters::TreeData::Collecting{'warningsother'}); $Counts{'warningsother'}{"$Logreporters::service_name: $line"}++; return; } # Strip QID if it exists, and trailing ": ", leaving just the message. $line =~ s/^(?:$Logreporters::re_QID|): //; # other ignored if ( $line =~ /^SPF \S+ \(.+?\): .*$/ or $line =~ /^Mail From/ or $line =~ /^:HELO check failed/ or # log entry has no space after : $line =~ /^testing:/ ) { #TDspf testing: stripped sender=jrzjcez@telecomitalia.it, stripped rcpt=hengstberger@adv.at # postfix-policyd-spf-perl-2.007 #TDspf SPF pass (Mechanism 'ip4:10.0.0.2/22' matched): Envelope-from: foo@example.com #TDspf SPF pass (Mechanism 'ip4:10.10.10.10' matched): Envelope-from: anyone@sample.net #TDspf SPF pass (Mechanism 'ip4:10.10.10.10' matched): HELO/EHLO (Null Sender): mailout2.example.com #TDspf SPF fail (Mechanism '-all' matched): HELO/EHLO: mailout1.example.com #TDspf SPF none (No applicable sender policy available): Envelope-from: efrom@example.com #TDspf SPF permerror (Included domain 'example.com' has no applicable sender policy): Envelope-from: efrom@example.com #TDspf SPF permerror (Maximum DNS-interactive terms limit (10) exceeded): Envelope-from: efrom@example.com #TDspf Mail From (sender) check failed - Mail::SPF->new(10.0.0.1, , test.DNSreport.com) failed: 'identity' option must not be empty #TDspf HELO check failed - Mail::SPF->new(, , ) failed: Missing required 'identity' option #TDspf SPF not applicable to localhost connection - skipped check #print "IGNORING...\n\tLINE: $line\n\tORIG: \"$Logreporters::Reports::origline\"\n"; return; } my ($action, $domain, $ip, $message, $mechanism); ($domain, $ip, $message, $mechanism) = ('*unknown', '*unknown', '', '*unavailable'); #print "LINE: '$line'\n"; # postfix-policyd-spf-perl: http://www.openspf.org/Software if ($line =~ /^Policy action=(.*)$/) { $line = $1; #: Policy action=DUNNO return if $line =~ /^DUNNO/; # Policy action=PREPEND X-Comment: SPF not applicable to localhost connection - skipped check return if $line =~ /^PREPEND X-Comment: SPF not applicable to localhost connection - skipped check$/; #print "LINE: '$line'\n"; if ($line =~ /^DEFER_IF_PERMIT SPF-Result=\[?(.*?)\]?: (.*) of .*$/) { my ($lookup,$message) = ($1,$2); # Policy action=DEFER_IF_PERMIT SPF-Result=[10.0.0.1]: Time-out on DNS 'SPF' lookup of '[10.0.0.1]' # Policy action=DEFER_IF_PERMIT SPF-Result=example.com: 'SERVFAIL' error on DNS 'SPF' lookup of 'example.com' $message =~ s/^(.*?) on (DNS SPF lookup)$/$2: $1/; $message =~ s/'//g; $Totals{'policyspf'}++; $Counts{'policyspf'}{'Policy Action'}{'defer_if_permit'}{$message}{$lookup}{$END_KEY}++ if ($Logreporters::TreeData::Collecting{'policyspf'}); return; } if ($line =~ /^550 Please see http:\/\/www\.openspf\.org\/Why\?(.*)$/) { # Policy action=550 Please see http://www.openspf.org/Why?s=mfrom&id=from%40example.com&ip=10.0.0.1&r=example.net # Policy action=550 Please see http://www.openspf.org/Why?s=helo;id=mailout03.example.com;ip=192.168.0.1;r=mx1.example.net # Policy action=550 Please see http://www.openspf.org/Why?id=someone%40example.com&ip=10.0.0.1&receiver=vps.example.net my %params; for (split /[&;]/, $1) { my ($id,$val) = split /=/, $_; $params{$id} = $val; } $params{'id'} =~ s/^.*%40//; $params{'s'} = '*unknown' unless $params{'s'}; #print "Please see...:\n\tMessage: $message\n\tIP: $ip\n\tDomain: $domain\n"; $Totals{'policyspf'}++; $Counts{'policyspf'}{'Policy Action'}{'550 reject'}{'See http://www.openspf.org/Why?...'}{$params{'s'}}{$params{'ip'}}{$params{'id'}}++ if ($Logreporters::TreeData::Collecting{'policyspf'}); return; } if ($line =~ /^[^:]+: (none|pass|fail|softfail|neutral|permerror|temperror) \((.+?)\) receiver=[^;]+(?:; (.*))?$/) { # iehc is identity, envelope-from, helo, client-ip my ($result,$message,$iehc,$subject) = ($1,$2,$3,undef); my %params = (); #TDspf Policy action=PREPEND Received-SPF: pass (bounces.example.com ... _spf.example.com: 10.0.0.1 is authorized to use 'from@bounces.example.com' in 'mfrom' identity (mechanism 'ip4:10.0.0.1/24' matched)) receiver=sample.net; identity=mfrom; envelope-from="from@bounces.example.com"; helo=out.example.com; client-ip=10.0.0.1 # Note: "identity=mailfrom" new in Mail::SPF version 2.006 Aug. 17 #TDspf Policy action=PREPEND Received-SPF: pass (example.com: 10.0.0.1 is authorized to use 'from@example.com' in 'mfrom' identity (mechanism 'ip4:10.0.0.0/24' matched)) receiver=mx.example.com; identity=mailfrom; envelope-from="from@example.com"; helo=example.com; client-ip=10.0.0.1 #TDspf Policy action=PREPEND Received-SPF: none (example.com: No applicable sender policy available) receiver=sample.net; identity=mfrom; envelope-from="f@example.com"; helo=example.com; client-ip=10.0.0.1 #TDspf Policy action=PREPEND Received-SPF: neutral (example.com: Domain does not state whether sender is authorized to use 'f@example.com' in 'mfrom' identity (mechanism '?all' matched)) receiver=sample.net identity=mfrom; envelope-from="f@example.com"; helo="[10.0.0.1]"; client-ip=192.168.0.1 #TDspf Policy action=PREPEND Received-SPF: none (example.com: No applicable sender policy available) receiver=sample.net; identity=helo; helo=example.com; client-ip=192.168.0.1 #TDspf Policy action=PREPEND Received-SPF: none (example.com: No applicable sender policy available) receiver=mx1.example #print "LINE: $iehc\n"; if ($iehc) { %params = $iehc =~ /([-\w]+)=([^;]+)/g; if (exists $params{'identity'}) { $params{'identity'} =~ s/identity=//; if ($params{'identity'} eq 'mfrom' or $params{'identity'} eq 'mailfrom') { $params{'identity'} = 'mail from'; } $params{'identity'} = uc $params{'identity'}; } $params{'envelope-from'} =~ s/"//g if exists $params{'envelope-from'}; #($helo = $params{'helo'}) =~ s/"//g if exists $params{'helo'}; $ip = $params{'client-ip'} if exists $params{'client-ip'}; } $message =~ s/^([^:]+): // and $subject = $1; if ($message =~ /^No applicable sender policy available$/) { $message = 'No sender policy'; } elsif ($message =~ s/^(Junk encountered in mechanism) '(.*?)'/$1/) { #TDspf Policy action=PREPEND Received-SPF: permerror (example.com: Junk encountered in mechanism 'a:10.0.0.1') receiver=example.net; identity=mfrom; envelope-from="ef@example.com"; helo=h; client-ip=10.0.0.2 $ip = formathost ($ip, 'mech: ' . $2); } elsif ($message =~ s/^(Included domain) '(.*?)' (has no .*)$/$1 $3/) { #TDspf Policy action=PREPEND Received-SPF: permerror (example.com: Included domain 's.example.net' has no applicable sender policy) receiver=x.sample.com; identity=mfrom; envelope-from="ef@example.com"; helo=example.net; client-ip=10.0.0.2 $subject .= " (included: $2)"; } elsif ($message =~ /^Domain does not state whether sender is authorized to use '.*?' in '\S+' identity \(mechanism '(.+?)' matched\)$/) { # Domain does not state whether sender is authorized to use 'returns@example.com' in 'mfrom' identity (mechanism '?all' matched)) ($mechanism,$message) = ($1,'Domain does not state if sender authorized to use'); } elsif ($message =~ /^(\S+) is (not )?authorized( by default)? to use '.*?' in '\S+' identity(?:, however domain is not currently prepared for false failures)? \(mechanism '(.+?)' matched\)$/) { # Sender is not authorized by default to use 'from@example.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) # 192.168.1.10 is authorized by default to use 'from@example.com' in 'mfrom' identity (mechanism 'all' matched)) $message = join (' ', $1 eq 'Sender' ? 'Sender' : 'IP', # canonicalize IP address $2 ? 'not authorized' : 'authorized', $3 ? 'by default to use' : 'to use', ); $mechanism = $4; } elsif ($message =~ /^Maximum DNS-interactive terms limit \S+ exceeded$/) { $message = 'Maximum DNS-interactive terms limit exceeded'; } elsif ($message =~ /^Invalid IPv4 prefix length encountered in (.*)$/) { $subject .= " (invalid: $1)"; $message = 'Invalid IPv4 prefix length encountered'; } #print "Result: $result, Identity: $params{'identity'}, Mech: $mechanism, Subject: $subject, IP: $ip\n"; $Totals{'policyspf'}++; if ($Logreporters::TreeData::Collecting{'policyspf'}) { $message = join (' ', $message, $params{'identity'}) if exists $params{'identity'}; $Counts{'policyspf'}{'Policy Action'}{"SPF $result"}{$message}{'mech: ' .$mechanism}{$subject}{$ip}++ } return; } inc_unmatched('postfix_policy_spf(2)'); return; } =pod Mail::SPF::Query libmail-spf-query-perl 1:1.999 XXX incomplete Some possible smtp_comment results: pass "localhost is always allowed." none "SPF", "domain of sender $query->{sender} does not designate mailers unknown $explanation, "domain of sender $query->{sender} does not exist" $query->{spf_error_explanation}, $query->is_looping $query->{spf_error_explanation}, $directive_set->{hard_syntax_error} $query->{spf_error_explanation}, "Missing SPF record at $query->{domain}" error $query->{spf_error_explanation}, $query->{error} $result $explanation, $comment, $query->{directive_set}->{orig_txt} Possible header_comment results: pass "$query->{spf_source} designates $ip as permitted sender" fail "$query->{spf_source} does not designate $ip as permitted sender" softfail "transitioning $query->{spf_source} does not designate $ip as permitted sender" /^unknown / "encountered unrecognized mechanism during SPF processing of $query->{spf_source}" unknown "error in processing during lookup of $query->{sender}" neutral "$ip is neither permitted nor denied by domain of $query->{sender}" error "encountered temporary error during SPF processing of $query->{spf_source}" none "$query->{spf_source} does not designate permitted sender hosts" "could not perform SPF query for $query->{spf_source}" ); =cut #TDspf 39053DC: SPF none: smtp_comment=SPF: domain of sender user@example.com does not designate mailers, header_comment=sample.net: domain of user@example.com does not designate permitted sender hosts #TDspf : SPF none: smtp_comment=SPF: domain of sender user@example.com does not designate mailers, header_comment=sample.net: domain of user@example.com does not designate permitted sender hosts #TDspf : SPF pass: smtp_comment=Please see http://www.openspf.org/why.html?sender=user%40example.com&ip=10.0.0.1&receiver=sample.net: example.com MX mail.example.com A 10.0.0.1, header_comment=example.com: domain of user@example.com designates 10.0.0.1 as permitted sender #TDspf : SPF fail: smtp_comment=Please see http://www.openspf.org/why.html?sender=user%40example.com&ip=10.0.0.1&receiver=sample.net, header_comment=sample.net: domain of user@example.com does not designate 10.0.0.1 as permitted sender #TDspf : : SPF none: smtp_comment=SPF: domain of sender does not designate mailers, header_comment=mx1.example.com: domain of does not designate permitted sender hosts if (my ($result, $reply) = ($line =~ /^(SPF [^:]+): (.*)$/)) { #print "result: $result\n\treply: $reply\n\tORIG: \"$Logreporters::Reports::origline\"\n"; if ($reply =~ /^(?:smtp_comment=)(.*)$/) { $reply = $1; # SPF none if ($reply =~ /^SPF: domain of sender (?:(?:[^@]+@)?(\S+) )?does not designate mailers/) { $domain = $1 ? $1 : '*unknown'; #print "result: $result: domain: $domain\n"; } elsif ($reply =~ /^Please see http:\/\/[^\/]+\/why\.html\?sender=(?:.+%40)?([^&]+)&ip=([^&]+)/) { ($domain,$ip) = ($1,$2); #print "result: $result: domain: $domain, IP: $ip\n"; } # SPF unknown elsif ($reply =~ /^SPF record error: ([^,]+), .*: error in processing during lookup of (?:[^@]+\@)?(\S+)/) { ($message, $domain) = ($1, $2); #print "result: $result: domain: $domain, Problem: $message\n"; } elsif ($reply =~ /^SPF record error: ([^,]+), .*: encountered unrecognized mechanism during SPF processing of domain (?:[^@]+\@)?(\S+)/) { ($message, $domain) = ($1,$2); #print "result: \"$result\": domain: $domain, Problem: $message\n"; $result = "SPF permerror" if ($result =~ /SPF unknown mx-all/); } else { inc_unmatched('postfix_policy_spf(3)'); return; } } else { inc_unmatched('postfix_policy_spf(4)'); return; } $Totals{'policyspf'}++; if ($message) { $Counts{'policyspf'}{'Policy Action'}{$result}{$domain}{$ip}{$message}{$END_KEY}++ if ($Logreporters::TreeData::Collecting{'policyspf'}); } else { $Counts{'policyspf'}{'Policy Action'}{$result}{$domain}{$ip}{$END_KEY}++ if ($Logreporters::TreeData::Collecting{'policyspf'}); } return; } inc_unmatched('postfix_policy_spf(5)'); } 1; #MODULE: ../Logreporters/Postfwd.pm package Logreporters::Postfwd; use 5.008; use strict; use re 'taint'; use warnings; BEGIN { use Exporter (); use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); $VERSION = '1.000'; @ISA = qw(Exporter); @EXPORT = qw(&postfix_postfwd); } use subs @EXPORT; BEGIN { import Logreporters::TreeData qw(%Totals %Counts $END_KEY); import Logreporters::Utils; import Logreporters::Reports qw(&inc_unmatched); } # postfwd: http://postfwd.org/ # # sub postfix_postfwd($) { my $line = shift; return if ( #TDpfw [STATS] Counters: 213000 seconds uptime, 39 rules #TDpfw [LOGS info]: compare rbl: "example.com[10.1.0.7]" -> "localrbl.local" #TDpfw [DNSBL] object 10.0.0.1 listed on rbl:list.dnswl.org (answer: 127.0.15.0, time: 0s) $line =~ /^\[STATS\] / or $line =~ /^\[DNSBL\] / or $line =~ /^\[LOGS info\]/ or $line =~ /^Process Backgrounded/ or $line =~ /^Setting [ug]id to/ or $line =~ /^Binding to TCP port/ or $line =~ /^terminating\.\.\./ or $line =~ /^Setting status interval to \S+ seconds/ or $line =~ /^postfwd .+ ready for input$/ or $line =~ /postfwd .+ (?:starting|terminated)/ ); my ($type,$rule,$id,$action,$host,$hostip,$recipient); if ($line =~ /^\[(RULES|CACHE)\] rule=(\d+), id=([^,]+), client=([^[]+)\[([^]]+)\], sender=.*?, recipient=<(.*?)>,.*? action=(.*)$/) { #TDpfw [RULES] rule=0, id=OK_DNSWL, client=example.com[10.0.0.1], sender=, recipient=, helo=, proto=ESMTP, state=RCPT, delay=0s, hits=OK_DNSWL, action=DUNNO #TDpfw [CACHE] rule=14, id=GREY_NODNS, client=unknown[192.168.0.1], sender=, recipient=, helo=, proto=ESMTP, state=RCPT, delay=0s, hits=SET_NODNS;EVAL_DNSBLS;EVAL_RHSBLS;GREY_NODNS, action=greylist ($type,$rule,$id,$host,$hostip,$recipient,$action) = ($1,$2,$3,$4,$5,$6,$7); $recipient = '*unknown' if (not defined $recipient); $Counts{'postfwd'}{"Rule $rule"}{$id}{$action}{$type}{$recipient}{formathost($hostip,$host)}++ if ($Logreporters::TreeData::Collecting{'postfwd'}); } elsif (($line =~ /Can't connect to TCP port/) or ($line =~ /Pid_file already exists for running process/) ) { $line =~ s/^[-\d\/:]+ //; # strip leading date/time stamps 2009/07/18-20:09:49 $Totals{'warningsother'}++; return unless ($Logreporters::TreeData::Collecting{'warningsother'}); $Counts{'warningsother'}{"$Logreporters::service_name: $line"}++; return; } # ignoring [DNSBL] lines #elsif ($line =~ /^\[DNSBL\] object (\S+) listed on (\S+) \(answer: ([^,]+), .*\)$/) { # #TDpfw [DNSBL] object 10.0.0.60 listed on rbl:list.dnswl.org (answer: 127.0.15.0, time: 0s) # ($type,$rbl) = split (/:/, $2); # $Counts{'postfwd'}{"DNSBL: $type"}{$rbl}{$1}{$3}{''}++ if ($Logreporters::TreeData::Collecting{'postfwd'}); #} else { inc_unmatched('postfwd'); return; } $Totals{'postfwd'}++; } 1; #MODULE: ../Logreporters/Postgrey.pm package Logreporters::Postgrey; use 5.008; use strict; use re 'taint'; use warnings; my (%pgDelays,%pgDelayso); BEGIN { use Exporter (); use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); $VERSION = '1.000'; @ISA = qw(Exporter); @EXPORT = qw(&postfix_postgrey &print_postgrey_reports); } use subs @EXPORT; BEGIN { import Logreporters::TreeData qw(%Totals %Counts $END_KEY); import Logreporters::Utils; import Logreporters::Config qw(%Opts); import Logreporters::Reports qw(&inc_unmatched &print_percentiles_report2); } # postgrey: http://postgrey.schweikert.ch/ # # Triplet: (client IP, envelope sender, envelope recipient address) # sub postfix_postgrey($) { my $line = shift; return if ( #TDpg cleaning up old logs... #TDpg cleaning up old entries... #TDpg cleaning clients database finished. before: 207, after: 207 #TDpg cleaning main database finished. before: 3800, after: 2539 #TDpg delayed 603 seconds: client=10.0.example.com, from=anyone@sample.net, to=joe@example.com #TDpg Setting uid to "504" #TDpg Setting gid to "1002 1002" #TDpg Process Backgrounded #TDpg 2008/03/08-15:54:49 postgrey (type Net::Server::Multiplex) starting! pid(21961) #TDpg Binding to TCP port 10023 on host 127.0.0.1 #TDpg 2007/01/25-14:58:24 Server closing! #TDpg Couldn't unlink "/var/run/postgrey.pid" [Permission denied] #TDpg ignoring garbage: #TDpg unrecognized request type: '' #TDpg rm /var/spool/postfix/postgrey/log.0000000002 #TDpg 2007/01/25-14:48:00 Pid_file already exists for running process (4775)... aborting at line 232 in file /usr/lib/perl5/vendor_perl/5.8.7/Net/Server.pm $line =~ /^cleaning / or $line =~ /^delayed / or $line =~ /^cleaning / or $line =~ /^Setting [ug]id/ or $line =~ /^Process Backgrounded/ or $line =~ /^Binding to / or $line =~ /^Couldn't unlink / or $line =~ /^ignoring garbage: / or $line =~ /^unrecognized request type/ or $line =~ /^rm / or # unanchored last $line =~ /Pid_file already exists/ or $line =~ /postgrey .* starting!/ or $line =~ /Server closing!/ ); my ($action,$reason,$delay,$host,$ip,$sender,$recip); if ($line =~ /^(?:$Logreporters::re_QID: )?action=(.*?), reason=(.*?)(?:, delay=(\d+))?, client_name=(.*?), client_address=(.*?)(?:, sender=(.*?))?(?:, +recipient=(.*))?$/o) { #TDpg action=greylist, reason=new, client_name=example.com, client_address=10.0.0.1, sender=from@example.com, recipient=to@sample.net #TDpgQ action=greylist, reason=new, client_name=example.com, client_address=10.0.0.1, sender=from@example.com #TDpgQ action=pass, reason=triplet found, client_name=example.com, client_address=10.0.0.1, sender=from@example.com, recipient=to@sample.net #TDpg action=pass, reason=triplet found, client_name=example.com, client_address=10.0.0.1, sender=from@example.com, recipient=to@sample.net #TDpg action=pass, reason=triplet found, client_name=example.com, client_address=10.0.0.1, recipient=to@sample.net #TDpg action=pass, reason=triplet found, delay=99, client_name=example.com, client_address=10.0.0.1, recipient=to@sample.net ($action,$reason,$delay,$host,$ip,$sender,$recip) = ($1,$2,$3,$4,$5,$6,$7); $reason =~ s/^(early-retry) \(.* missing\)$/$1/; $recip = '*unknown' if (not defined $recip); $sender = '' if (not defined $sender); $Totals{'postgrey'}++; if ($Logreporters::TreeData::Collecting{'postgrey'}) { $Counts{'postgrey'}{"\u$action"}{"\u$reason"}{formathost($ip,$host)}{$recip}{$sender}++; if (defined $delay and $Logreporters::TreeData::Collecting{'postgrey_delays'}) { $pgDelays{'1: Total'}{$delay}++; push @{$pgDelayso{'Postgrey'}}, $delay } } } elsif ($line =~ /^whitelisted: (.*?)(?:\[([^]]+)\])?$/) { #TDpg: whitelisted: example.com[10.0.0.1] $Totals{'postgrey'}++; if ($Logreporters::TreeData::Collecting{'postgrey'}) { $Counts{'postgrey'}{'Whitelisted'}{defined $2 ? formathost($2,$1) : $1}{$END_KEY}++; } } elsif ($line =~ /^tarpit whitelisted: (.*?)(?:\[([^]]+)\])?$/) { #TDpg: tarpit whitelisted: example.com[10.0.0.1] $Totals{'postgrey'}++; if ($Logreporters::TreeData::Collecting{'postgrey'}) { $Counts{'postgrey'}{'Tarpit whitelisted'}{defined $2 ? formathost($2,$1) : $1}{$END_KEY}++; } } else { inc_unmatched('postgrey'); } return; } sub print_postgrey_reports() { #print STDERR "pgDelays memory usage: ", commify(Devel::Size::total_size(\%pgDelays)), "\n"; if ($Opts{'postgrey_delays'}) { my @table; for (sort keys %pgDelays) { # anon array ref: label, array ref of $Delay{key} push @table, [ substr($_,3), $pgDelays{$_} ]; } if (@table) { print_percentiles_report2(\@table, "Postgrey Delays Percentiles", $Opts{'postgrey_delays_percentiles'}); } } } 1; #MODULE: ../Logreporters/PolicydWeight.pm package Logreporters::PolicydWeight; use 5.008; use strict; use re 'taint'; use warnings; BEGIN { use Exporter (); use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); $VERSION = '1.000'; @ISA = qw(Exporter); @EXPORT = qw(&postfix_policydweight); } use subs @EXPORT; BEGIN { import Logreporters::Reports qw(&inc_unmatched); import Logreporters::TreeData qw(%Totals %Counts); import Logreporters::Utils; } # Handle postfix/policydweight entries # sub postfix_policydweight($) { my $line = shift; my ($r1, $code, $reason, $reason2); if ( $line =~ /^weighted check/ or $line =~ /^policyd-weight .* started and daemonized/ or $line =~ /^(cache|child|master): / or $line =~ /^cache (?:spawned|killed)/ or $line =~ /^child \d+ exited/ or $line =~ /^Daemon terminated/ or $line =~ /^Daemon terminated/ ) { #print "$OrigLine\n"; return; } if ($line =~ s/^decided action=//) { $line =~ s/; delay: \d+s$//; # ignore, eg.: "delay: 3s" #print "....\n\tLINE: $line\n\tORIG: '$Logreporters::Reports::origline'\n"; if (($code,$r1) = ($line =~ /^(\d+)\s+(.*)$/ )) { my @problems = (); for (split /; */, $r1) { if (/^Mail appeared to be SPAM or forged\. Ask your Mail\/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs/ ) { push @problems, 'spam/forged: bad DNS/hit DNSRBLs'; } elsif (/^Your MTA is listed in too many DNSBLs/) { push @problems, 'too many DNSBLs'; } elsif (/^temporarily blocked because of previous errors - retrying too fast\. penalty: \d+ seconds x \d+ retries\./) { push @problems, 'temp blocked: retrying too fast'; } elsif (/^Please use DynDNS/) { push @problems, 'use DynDNS'; } elsif (/^please relay via your ISP \([^)]+\)/) { push @problems, 'use ISP\'s relay'; } elsif (/^in (.*)/) { push @problems, $1; } elsif (m#^check http://rbls\.org/\?q=#) { push @problems, 'see http://rbls.org'; } elsif (/^MTA helo: .* \(helo\/hostname mismatch\)/) { push @problems, 'helo/hostname mismatch'; } elsif (/^No DNS entries for your MTA, HELO and Domain\. Contact YOUR administrator\s+/) { push @problems, 'no DNS entries'; } else { push @problems, $_; } } $reason = $code; $reason2 = join (', ', @problems); } elsif ($line =~ s/^DUNNO\s+//) { #decided action=DUNNO multirecipient-mail - already accepted by previous query; delay: 0s $reason = 'DUNNO'; $reason2 = $line; } elsif ($line =~ s/^check_greylist//) { #decided action=check_greylist; delay: 16s $reason = 'Check greylist'; $reason2 = $line; } elsif ($line =~ s/^PREPEND X-policyd-weight:\s+//) { #decided action=PREPEND X-policyd-weight: using cached result; rate: -7.6; delay: 0s if ($line =~ /(using cached result); rate:/) { $reason = 'PREPEND X-policyd-weight: mail accepted'; $reason2 = "\u$1"; } else { #decided action=PREPEND X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 P0F_LINUX=0 , rate: -7.6; delay: 2s $reason = 'PREPEND X-policyd-weight: mail accepted'; $reason2 = 'Varies'; } } else { return; } } elsif ($line =~ /^err/) { # coerrce policyd-weight err's into general warnings $Totals{'startuperror'}++; $Counts{'startuperror'}{'Service: policyd-weight'}{$line}++ if ($Logreporters::TreeData::Collecting{'startuperror'}); return; } else { inc_unmatched('policydweight'); return; } $Totals{'policydweight'}++; $Counts{'policydweight'}{$reason}{$reason2}++ if ($Logreporters::TreeData::Collecting{'policydweight'}); } 1; package Logreporters; BEGIN { import Logreporters::Utils; import Logreporters::Config; import Logreporters::TreeData qw(%Totals %Counts %Collecting printTree buildTree $END_KEY); import Logreporters::RegEx; import Logreporters::Reports; import Logreporters::RFC3463; import Logreporters::PolicySPF; import Logreporters::Postfwd; import Logreporters::Postgrey; import Logreporters::PolicydWeight; } use 5.008; use strict; use warnings; no warnings "uninitialized"; use re 'taint'; use File::Basename; our $progname = fileparse($0); my @supplemental_reports = qw(delays postgrey_delays); # Default values for various options. These are used # to reset default values after an option has been # disabled (via undef'ing its value). This allows # a report to be disabled via config file or --nodetail, # but reenabled via subsequent command line option my %Defaults = ( detail => 10, # report level detail max_report_width => 100, # maximum line width for report output line_style => undef, # lines > max_report_width, 0=truncate,1=wrap,2=full syslog_name => 'postfix', # service name (postconf(5), syslog_name) sect_vars => 0, # show section vars in detail report hdrs unknown => 1, # show 'unknown' in address/hostname pairs ipaddr_width => 15, # width for printing ip addresses long_queue_ids => 0, # enable long queue ids (2.9+) delays => 1, # show message delivery delays report delays_percentiles => '0 25 50 75 90 95 98 100', # percentiles shown in delays report reject_reply_patterns => '5.. 4.. warn', # reject reply grouping patterns postgrey_delays => 1, # show postgrey delays report postgrey_delays_percentiles => '0 25 50 75 90 95 98 100', # percentiles shown in postgrey delays report ); my $usage_str = <<"END_USAGE"; Usage: $progname [ ARGUMENTS ] [logfile ...] ARGUMENTS can be one or more of options listed below. Later options override earlier ones. Any argument may be abbreviated to an unambiguous length. Input is read from the named logfile(s), or STDIN. --debug AREAS provide debug output for AREAS --help print usage information --version print program version --config_file FILE, -f FILE use alternate configuration file FILE --ignore_services PATTERN ignore postfix/PATTERN services --syslog_name PATTERN only consider log lines that match syslog service name PATTERN --detail LEVEL print LEVEL levels of detail (default: 10) --nodetail set all detail levels to 0 --[no]summary display the summary section --ipaddr_width WIDTH use WIDTH chars for IP addresses in address/hostname pairs --line_style wrap|full|truncate disposition of lines > max_report_width (default: truncate) --full same as --line_style=full --truncate same as --line_style=truncate --wrap same as --line_style=wrap --max_report_width WIDTH limit report width to WIDTH chars (default: 100) --limit L=V, -l L=V set level limiter L with value V --[no]long_queue_ids use long queue ids --[no]unknown show the 'unknown' hostname in formatted address/hostnames pairs --[no]sect_vars [do not] show config file var/cmd line option names in section titles --recipient_delimiter C split delivery addresses using recipient delimiter char C --reject_reply_patterns "R1 [R2 ...]" set reject reply patterns used in to group rejects to R1, [R2 ...], where patterns are [45][.0-9][.0-9] or "Warn" (default: 5.. 4.. Warn) Supplimental reports --[no]delays [do not] show msg delays percentiles report --delays_percentiles "P1 [P2 ...]" set delays report percentiles to P1 [P2 ...] (range: 0...100) --[no]postgrey_delays [do not] show postgrey delays percentiles report --postgrey_delays_percentiles "P1 [P2 ...]" set postgrey delays report percentiles to P1 [P2 ...] (range: 0...100) END_USAGE my @RejectPats; # pattern list used to match against reject replys my @RejectKeys; # 1-to-1 with RejectPats, but with 'x' replacing '.' (for report output) my (%DeferredByQid, %SizeByQid, %AcceptedByQid, %Delays); # local prototypes sub usage; sub init_getopts_table; sub init_defaults; sub build_sect_table; sub postfix_bounce; sub postfix_cleanup; sub postfix_panic; sub postfix_fatal; sub postfix_error; sub postfix_warning; sub postfix_script; sub postfix_postsuper; sub process_delivery_attempt; sub cleanhostreply; sub strip_ftph; sub get_reject_key; sub expand_bare_reject_limiters; sub create_ignore_list; sub in_ignore_list; sub header_body_checks; sub milter_common; # lines that match any RE in this list will be ignored. # see create_ignore_list(); my @ignore_list = (); # The Sections table drives Summary and Detail reports. For each entry in the # table, if there is data avaialable, a line will be output in the Summary report. # Additionally, a sub-section will be output in the Detail report if both the # global --detail, and the section's limiter variable, are sufficiently high (a # non-existent section limiter variable is considered to be sufficiently high). # my @Sections = (); # List of reject variants. See also: "Add reject variants" below, and conf file(s). my @RejectClasses = qw( rejectrelay rejecthelo rejectdata rejectunknownuser rejectrecip rejectsender rejectclient rejectunknownclient rejectunknownreverseclient rejectunverifiedclient rejectrbl rejectheader rejectbody rejectcontent rejectsize rejectmilter rejectproxy rejectinsufficientspace rejectconfigerror rejectverify rejectetrn rejectlookupfailure ); # Dispatch table of the list of supported policy services # XXX have add-ins register into the dispatch table my @policy_services = ( [ qr/^postfwd/, \&Logreporters::Postfwd::postfix_postfwd ], [ qr/^postgrey/, \&Logreporters::Postgrey::postfix_postgrey ], [ qr/^policyd?-spf/, \&Logreporters::PolicySPF::postfix_policy_spf ], [ qr/^policyd-?weight/, \&Logreporters::PolicydWeight::postfix_policydweight ], ); # Initialize main running mode and basic opts init_run_mode($config_file); # Configure the Getopts options table init_getopts_table(); # Place configuration file/environment variables onto command line init_cmdline(); # Initialize default values init_defaults(); # Process command line arguments, 0=no_permute,no_pass_through get_options(0); # Build the Section table, after reject_reply_patterns is final build_sect_table(); # Expand bare rejects before generic processing expand_bare_reject_limiters(); # Run through the list of Limiters, setting the limiters in %Opts. process_limiters(@Sections); # Set collection for any enabled supplemental sections foreach (@supplemental_reports) { $Logreporters::TreeData::Collecting{$_} = (($Opts{'detail'} >= 5) && $Opts{$_}) ? 1 : 0; } if (! defined $Opts{'line_style'}) { # default line style to full if detail >= 11, or truncate otherwise $Opts{'line_style'} = ($Opts{'detail'} > 10) ? $line_styles{'full'} : $line_styles{'truncate'}; } # Set the QID RE to capture either pre-2.9 short style or 2.9+ long style. $re_QID = $Opts{'long_queue_ids'} ? $re_QID_l : $re_QID_s; # Create the list of REs used to match against log lines create_ignore_list(); # Notes: # # - IN REs, always use /o flag or qr// at end of RE when RE uses interpolated vars # - In REs, email addresses may be empty "<>" - capture using *, not + ( eg. from=<.*?> ) # - See additional notes below, search for "Note:". # - XXX indicates change, fix or thought required # Main processing loop # LINE: while ( <> ) { chomp; s/\s+$//; next unless length $_; $Logreporters::Reports::origline = $_; # Linux: Jul 1 20:08:06 mailhost postfix/smtpd[4379]: connect from unknown[10.0.0.1] # FreeBSD: Jul 1 20:08:06 mailhost postfix/smtpd[4379]: connect from unknown[10.0.0.1] # Aug 17 15:16:12 mailhost postfix/cleanup[14194]: [ID 197553 mail.info] EC2B339E5: message-id=<2616.EC2B339E5@example.com> # Dec 25 05:20:28 mailhost policyd-spf[14194]: [ID 27553 mail.info] ... policyd-spf stuff ... next unless /^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (?:<[^>]+> )?(\S+) ($Opts{'syslog_name'}(?:\/([^:[]+))?)(?:\[\d+\])?: (?:\[ID \d+ \w+\.\w+\] )?(.*)$/o; our $service_name = $3; my ($mailhost,$server_name,$p1) = ($1,$2,$4); #print "mailhost: $mailhost, servername: $server_name, servicename: $service_name, p1: $p1\n"; $service_name = $server_name unless $service_name; #print "service_name: $service_name\n"; # ignored postfix services... next if $service_name eq 'postlog'; next if $service_name =~ /^$Opts{'ignore_services'}$/o; # common log entries up front if ($p1 =~ s/^connect from //) { #TD25 connect from sample.net[10.0.0.1] #TD connect from mail.example.com[2001:dead:beef::1] #TD connect from localhost.localdomain[127.0.0.1] #TD connect from unknown[unknown] $Totals{'connectioninbound'}++; next unless ($Collecting{'connectioninbound'}); my $host = $p1; my $hostip; if (($host,$hostip) = ($host =~ /^([^[]+)\[([^]]+)\]/)) { $host = formathost($hostip,$host); } $Counts{'connectioninbound'}{$host}++; next; } if ($p1 =~ /^disconnect from /) { #TD25 disconnect from sample.net[10.0.0.1] #TD disconnect from mail.example.com[2001:dead:beef::1] $Totals{'disconnection'}++; next; } if ($p1 =~ s/^connect to //) { next if ($p1 =~ /^subsystem /); $Totals{'connecttofailure'}++; next unless ($Collecting{'connecttofailure'}); my ($host,$hostip,$reason,$port) = ($p1 =~ /^([^[]+)\[([^]]+)\](?::\d+)?: (.*?)(?:\s+\(port (\d+)\))?$/); # all "connect to" messages indicate a problem with the connection #TDs connect to example.org[10.0.0.1]: Connection refused (port 25) #TDs connect to mail.sample.com[10.0.0.1]: No route to host (port 25) #TDs connect to sample.net[192.168.0.1]: read timeout (port 25) #TDs connect to mail.example.com[10.0.0.1]: server dropped connection without sending the initial SMTP greeting (port 25) #TDs connect to mail.example.com[192.168.0.1]: server dropped connection without sending the initial SMTP greeting (port 25) #TDs connect to ipv6-1.example.com[2001:dead:beef::1]: Connection refused (port 25) #TDs connect to ipv6-2.example.com[FEDC:BA98:7654:3210:FEDC:BA98:7654:3210]: Connection refused (port 25) #TDs connect to ipv6-3.example.com[1080:0:0:0:8:800:200C:4171]: Connection refused (port 25) #TDs connect to ipv6-4.example.com[3ffe:2a00:100:7031::1]: Connection refused (port 25) #TDs connect to ipv6-5.example.com[1080::8:800:200C:417A]: Connection refused (port 25) #TDs connect to ipv6-6.example.com[::192.9.5.5]: Connection refused (port 25) #TDs connect to ipv6-7.example.com[::FFFF:129.144.52.38]: Connection refused (port 25) #TDs connect to ipv6-8.example.com[2010:836B:4179::836B:4179]: Connection refused (port 25) #TDs connect to mail.example.com[10.0.0.1]: server refused to talk to me: 452 try later (port 25) $host = join(' :', $host, $port) if ($port and $port ne '25'); # Note: See ConnectToFailure below if ($reason =~ /^server (refused to talk to me): (.*)$/) { $Counts{'connecttofailure'}{ucfirst($1)}{formathost($hostip,$host)}{$2}++; } else { $Counts{'connecttofailure'}{ucfirst($reason)}{formathost($hostip,$host)}{''}++; } next; } =pod real 3m43.997s user 3m39.038s sys 0m3.005s =pod # Handle before panic, fatal, warning, so that service-specific code gets first crack # XXX replace w/dispatch table for add-ins, so user's can add their own... if ($service_name eq 'postfwd') { postfix_postfwd($p1); next; } if ($service_name eq 'postgrey') { postfix_postgrey($p1); next; } if ($service_name =~ /^policyd?-spf/) { postfix_policy_spf($p1); next; } # postfix/policy-spf if ($service_name =~ /^policyd-?weight/) { postfix_policydweight($p1); next; } # postfix/policydweight =cut # Handle policy service handlers before panic, fatal, warning, etc. # messages so that service-specific code gets first crack. # 5:25 foreach (@policy_services) { if ($service_name =~ $_->[0]) { #print "Calling policy service helper: $service_name:('$p1')\n"; &{$_->[1]}($p1); next LINE; } }; #=cut # ^warning: ... # ^fatal: ... # ^panic: ... # ^error: ... if ($p1 =~ /^warning: +(.*)$/) { postfix_warning($1); next; } if ($p1 =~ /^fatal: +(.*)$/) { postfix_fatal($1); next; } if ($p1 =~ /^panic: +(.*)$/) { postfix_panic($1); next; } if ($p1 =~ /^error: +(.*)$/) { postfix_error($1); next; } # output by all services that use table lookups - process before specific messages if ($p1 =~ /(?:lookup )?table (?:[^ ]+ )?has changed -- (?:restarting|exiting)$/) { #TD table hash:/var/mailman/data/virtual-mailman(0,lock|fold_fix) has changed -- restarting #TD table hash:/etc/postfix/helo_checks has changed -- restarting $Totals{'tablechanged'}++; next; } # postfix/postscreen and postfix/verify services if ($service_name eq 'postscreen' or $service_name eq 'verify') { postfix_postscreen($p1); next; } # postfix/postscreen, postfix/verify if ($service_name eq 'dnsblog') { postfix_dnsblog($p1); next; } # postfix/dnsblog if ($service_name =~ /^cleanup/) { postfix_cleanup($p1); next; } # postfix/cleanup* if ($service_name =~ /^bounce/) { postfix_bounce($p1); next; } # postfix/bounce* if ($service_name eq 'postfix-script') { postfix_script($p1); next; } # postfix/postfix-script if ($service_name eq 'postsuper') { postfix_postsuper($p1); next; } # postfix/postsuper # ignore tlsproxy for now if ($service_name eq 'tlsproxy') { next; } # postfix/tlsproxy my ($helo, $relay, $from, $origto, $to, $domain, $status, $type, $reason, $reason2, $filter, $site, $cmd, $qid, $rej_type, $reject_name, $host, $hostip, $dsn, $reply, $fmthost, $bytes); $rej_type = undef; # ^$re_QID: ... if ($p1 =~ s/^($re_QID): //o) { $qid = $1; next if ($p1 =~ /^host \S*\[\S*\] said: 4\d\d/); # deferrals, picked up in "status=deferred" if ($p1 =~ /^removed\s*$/ ) { # Note: See REMOVED elsewhere # 52CBDC2E0F: removed delete $SizeByQid{$qid} if (exists $SizeByQid{$qid}); $Totals{'removedfromqueue'}++; next; } # coerce into general warning if (($p1 =~ /^Cannot start TLS: handshake failure/) or ($p1 =~ /^non-E?SMTP response from/)) { postfix_warning($p1); next; } if ($p1 eq 'status=deferred (bounce failed)') { #TDqQ status=deferred (bounce failed) $Totals{'bouncefailed'}++; next; } # this test must preceed access checks below #TDsQ replace: header From: "Postmaster" : From: "Postmaster" if ($service_name eq 'smtp' and header_body_checks($p1)) { #print "main: header_body_checks\n"; next; } # Postfix access actions # REJECT optional text... # DISCARD optional text... # HOLD optional text... # WARN optional text... # FILTER transport:destination # REDIRECT user@domain # BCC user@domain (2.6 experimental branch) # The following actions are indistinguishable in the logs # 4NN text # 5NN text # DEFER_IF_REJECT optional text... # DEFER_IF_PERMIT optional text... # UCE restriction... # The following actions are not logged # PREPEND headername: headervalue # DUNNO # # Reject actions based on remote client information: # - one of host name, network address, envelope sender # or # - recipient address # Template of access controls. Rejects look like the first line, other access actions the second. # ftph is envelope from, envelope to, proto and helo. # QID: ACTION STAGE from host[hostip]: DSN trigger: explanation; ftph # QID: ACTION STAGE from host[hostip]: trigger: explanation; ftph # $re_QID: reject: RCPT|MAIL|CONNECT|HELO|DATA from ... # $re_QID: reject_warning: RCPT|MAIL|CONNECT|HELO|DATA from ... if ($p1 =~ /^(reject(?:_warning)?|discard|filter|hold|redirect|warn|bcc|replace): /) { my $action = $1; $p1 = substr($p1, length($action) + 2); #print "action: \"$action\", p1: \"$p1\"\n"; if ($p1 !~ /^(RCPT|MAIL|CONNECT|HELO|EHLO|DATA|VRFY|ETRN|END-OF-MESSAGE) from ([^[]+)\[([^]]+)\](?::\d+)?: (.*)$/) { inc_unmatched('unexpected access'); next; } my ($stage,$host,$hostip,$p1) = ($1,$2,$3,$4); #print "stage: \"$stage\", host: \"$host\", hostip: \"$hostip\", p1: \"$p1\"\n"; my ($efrom,$eto,$proto,$helo) = strip_ftph($p1); #print "efrom: \"$efrom\", eto: \"$eto\", proto: \"$proto\", helo: \"$helo\"\n"; #print "p1 now: \"$p1\"\n"; # QID: ACTION STAGE from host[hostip]: DSN trigger: explanation; ftph #TDsdN reject_warning: VRFY from host[10.0.0.1]: 450 4.1.2 <<1F4@bs>>: Recipient address rejected: Domain not found; to=<<1F4@bs>> proto=SMTP helo= #TDsdN reject: VRFY from host[10.0.0.1]: 550 5.1.1 <:>: Recipient address rejected: User unknown in local recipient table; to=<:> proto=SMTP helo=<10.0.0.1> #TDsdN reject: VRFY from host[10.0.0.1]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=SMTP #TDsdN reject: VRFY from host[10.0.0.1]: 554 5.7.1 Service unavailable; Client host [10.0.0.1] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=10.0.0.1; to= proto=SMTP #TDsdN reject: RCPT from host[10.0.0.1]: 450 4.1.2 : Recipient address rejected: User unknown in local recipient table; from=<> to= proto=SMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 550 : Recipient address rejected: User unknown in local recipient table; from=<> to= proto=SMTP helo= #TDsdN reject_warning: RCPT from host[10.0.0.1]: 550 : Recipient address rejected: User unknown in local recipient table; from=<> to= proto=SMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 550 5.1.1 : Recipient address rejected: User unknown in virtual address table; from= to= proto=ESMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 450 4.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from= to= proto=ESMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 550 5.5.0 : Recipient address rejected: User unknown; from= to= proto=ESMTP helo=<[10.0.0.1]> #TDsdN reject: RCPT from host[10.0.0.1]: 450 : Recipient address rejected: Greylisted; from= to= proto=ESMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 454 4.7.1 : Recipient address rejected: Access denied; from= to= proto=SMTP helo= #TDsdN reject_warning: RCPT from host[10.0.0.1]: 454 4.7.1 : Recipient address rejected: Access denied; from= to= proto=ESMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 450 4.1.2 : Recipient address rejected: Domain not found; from= to= proto=ESMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 554 : Recipient address rejected: Please see http://www.openspf.org/why.html?sender=from%40example.net&ip=10.0.0.1&receiver=example.net; from= to= proto=ESMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 550 : Recipient address rejected: undeliverable address: host example.net[192.168.0.1] said: 550 : User unknown in virtual alias table (in reply to RCPT TO command); from= to= proto=SMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 554 : Recipient address rejected: Please see http://spf.pobox.com/why.html?sender=user%40example.com&ip=10.0.0.1&receiver=mail; from= to= proto=ESMTP helo=<10.0.0.1> #TDsdN reject: RCPT from host[10.0.0.1]: 554 : Relay access denied; from= to= proto=SMTP helo= #TDsdN reject_warning: HELO from host[10.0.0.1]: 554 : Relay access denied; proto=SMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo= #TDsdN reject_warning: RCPT from host[10.0.0.1]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 550 : Sender address rejected: undeliverable address: host example.net[10.0.0.1] said: 550 : User unknown in virtual alias table (in reply to RCPT TO command); from= to= proto=SMTP helo= #TDsdN reject_warning: RCPT from host[10.0.0.1]: 554 : Client host rejected: Access denied; from= to= proto=SMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 554 : Client host rejected: Optional text; from= to= proto=SMTP helo= #TDsdN reject: CONNECT from host[10.0.0.1]: 503 5.5.0 : Client host rejected: Improper use of SMTP command pipelining; proto=SMTP #TDsdN reject_warning: RCPT from unk[10.0.0.1]: 450 Client host rejected: cannot find your hostname, [10.0.0.1]; from= to= proto=ESMTP helo= #TDsdN reject: RCPT from unk[10.0.0.1]: 450 Client host rejected: cannot find your hostname, [10.0.0.1]; from= to= proto=ESMTP helo= #TDsdN reject: RCPT from unk[10.0.0.1]: 450 Client host rejected: cannot find your hostname, [10.0.0.1]; proto=ESMTP #TDsdN reject: RCPT from unk[10.0.0.1]: 550 5.7.1 Client host rejected: cannot find your reverse hostname, [10.0.0.1] #TDsdN reject: CONNECT from unk[unknown]: 421 4.7.1 Client host rejected: cannot find your reverse hostname, [unknown]; proto=SMTP #TDsdN reject: RCPT from host[10.0.0.1]: 554 5.7.1 Service unavailable; Client host [10.0.0.1] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=10.0.0.1; from= to= proto=ESMTP helo= #TDsdN reject_warning: RCPT from host[10.0.0.1]: 554 5.7.1 Service unavailable; Client host [10.0.0.1] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=10.0.0.1; from= to= proto=ESMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 554 Service denied; Client host [10.0.0.1] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?83.164.27.124; from= to= proto=ESMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 454 4.7.1 : Helo command rejected: Access denied; from= to= proto=SMTP helo= #TDsdN reject_warning: RCPT from host[10.0.0.1]: 454 4.7.1 : Helo command rejected: Access denied; from= to= proto=SMTP helo= #TDsdN reject: EHLO from host[10.0.0.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; proto=SMTP helo= #TDsdQ reject: DATA from host[10.0.0.1]: 550 5.5.3 : Data command rejected: Multi-recipient bounce; from=<> proto=ESMTP helo= #TDsdN reject: ETRN from host[10.0.0.1]: 554 5.7.1 : Etrn command rejected: Access denied; proto=ESMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 452 Insufficient system storage; from= to= #TDsdN reject_warning: RCPT from host[10.0.0.1]: 451 4.3.5 Server configuration error; from= to= proto=ESMTP helo= #TDsdN reject: RCPT from host[10.0.0.1]: 450 Server configuration problem; from= to= proto=ESMTP helo= #TDsdN reject: MAIL from host[10.0.0.1]: 552 Message size exceeds fixed limit; proto=ESMTP helo= #TDsdN reject: RCPT from unk[10.0.0.1]: 554 5.7.1 : Unverified Client host rejected: Access denied; from= to= proto=SMTP helo= #TDsdN reject: MAIL from host[10.0.0.1]: 451 4.3.0 : Temporary lookup failure; from= proto=ESMTP helo= # reject, reject_warning if ($action =~ /^reject/) { my ($recip); if ($p1 !~ /^($re_DSN) (.*)$/o) { inc_unmatched('reject1'); next; } ($dsn,$p1) = ($1,$2); #print "dsn: $dsn, p1: \"$p1\"\n"; $fmthost = formathost($hostip,$host); # reject_warning override temp or perm reject types $rej_type = ($action eq 'reject_warning' ? 'warn' : get_reject_key($dsn)); #print "REJECT stage: '$rej_type'\n"; if ($Collecting{'byiprejects'} and substr($rej_type,0,1) eq '5') { $Counts{'byiprejects'}{$fmthost}++; } if ($stage eq 'VRFY') { if ($p1 =~ /^(?:<(\S*)>: )?(.*);$/) { my ($trigger,$reason) = ($1,$2); $Totals{$reject_name = "${rej_type}rejectverify" }++; next unless ($Collecting{$reject_name}); if ($reason =~ /^Service unavailable; Client host \[[^]]+\] (blocked using [^;]*);/) { $reason = join (' ', 'Client host blocked using', $1); $trigger = ''; } $Counts{$reject_name}{$reason}{$fmthost}{ucfirst($trigger)}++; } else { inc_unmatched('vrfyfrom'); } next; } # XXX there may be several semicolon-separated messages # Recipient address rejected: Unknown users and via check_recipient_access if ($p1 =~ /^<(.*)>: Recipient address rejected: ([^;]*);/) { ($recip,$reason) = ($1,$2); my ($localpart,$domainpart); # Unknown users; local mailbox, alias, virtual, relay user, unspecified if ($recip eq '') { ($localpart, $domainpart) = ('<>', '*unspecified'); } else { ($localpart, $domainpart) = split (/@/, lc $recip); ($localpart, $domainpart) = ($recip, '*unspecified') if ($domainpart eq ''); } if ($reason =~ s/^User unknown *//) { $Totals{$reject_name = "${rej_type}rejectunknownuser" }++; next unless ($Collecting{$reject_name}); my ($table) = ($reason =~ /^in ((?:\w+ )+table)/); $table = 'Address table unavailable' if ($table eq ''); # when show_user_unknown_table_name=no $Counts{$reject_name}{ucfirst($table)}{$domainpart}{$localpart}{$fmthost}++; } else { # check_recipient_access $Totals{$reject_name = "${rej_type}rejectrecip" }++; next unless ($Collecting{$reject_name}); if ($reason =~ m{^Please see http://[^/]+/why\.html}) { $reason = 'SPF reject'; } elsif ($reason =~ /^undeliverable address: host ([^[]+)\[([^]]+)\](?::\d+)? said:/) { $reason = 'undeliverable address: remote host rejected recipient'; } $Counts{$reject_name}{ucfirst($reason)}{$domainpart}{$localpart}{$fmthost}++; } } elsif ($p1 =~ /^<(.*?)>.* Relay access denied/) { $Totals{$reject_name = "${rej_type}rejectrelay" }++; next unless ($Collecting{$reject_name}); $Counts{$reject_name}{$fmthost}{$eto}++; } elsif ($p1 =~ /^<(.*)>: Sender address rejected: (.*);/) { $Totals{$reject_name = "${rej_type}rejectsender" }++; next unless ($Collecting{$reject_name}); ($from,$reason) = ($1,$2); if ($reason =~ /^undeliverable address: host ([^[]+)\[([^]]+)\](?::\d+)? said:/) { $reason = 'undeliverable address: remote host rejected sender'; } $Counts{$reject_name}{ucfirst($reason)}{$fmthost}{$from ne '' ? $from : '<>'}++; } elsif ($p1 =~ /^(?:<.*>: )?Unverified Client host rejected: /) { # check_reverse_client_hostname_access (postfix 2.6+) $Totals{$reject_name = "${rej_type}rejectunverifiedclient" }++; next unless ($Collecting{$reject_name}); $Counts{$reject_name}{$fmthost}{$helo}{$eto}{$efrom}++; } elsif ($p1 =~ s/^(?:<.*>: )?Client host rejected: //) { # reject_unknown_client # client IP->name mapping fails # name->IP mapping fails # name->IP mapping =! client IP if ($p1 =~ /^cannot find your hostname/) { $Totals{$reject_name = "${rej_type}rejectunknownclient" }++; next unless ($Collecting{$reject_name}); $Counts{$reject_name}{$fmthost}{$helo}{$eto}{$efrom}++; } # reject_unknown_reverse_client_hostname (no PTR record for client's IP) elsif ($p1 =~ /^cannot find your reverse hostname/) { $Totals{$reject_name = "${rej_type}rejectunknownreverseclient" }++; next unless ($Collecting{$reject_name}); $Counts{$reject_name}{$hostip}++ } else { $Totals{$reject_name = "${rej_type}rejectclient" }++; next unless ($Collecting{$reject_name}); $p1 =~ s/;$//; $Counts{$reject_name}{ucfirst($p1)}{$fmthost}{$eto}{$efrom}++; } } elsif ($p1 =~ /^Service (?:temporarily )?(?:unavailable|denied)[^;]*; (?:(?:Unverified )?Client host |Sender address |Helo command )?\[[^ ]*\] blocked using ([^;]+);/) { # Note: similar code below: search RejectRBL # postfix 2.1 #TDsdN reject: RCPT from example.com[10.0.0.5]: 554 Service unavailable; Client host [10.0.0.5] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?10.0.0.5; from= to= proto=ESMTP helo= # postfix 2.3+ #TDsdN reject: RCPT from example.com[10.0.0.6]: 554 5.7.1 Service unavailable; Client host [10.0.0.6] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?10.0.0.6; from= to= proto=SMTP helo= #TDsdN reject: RCPT from example.com[10.0.0.1]: 550 5.7.1 Service unavailable; Client host [10.0.0.1] blocked using Trend Micro RBL+. Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=10.0.0.1; Mail from 10.0.0.1 blocked using Trend Micro Email Reputation database. Please see ; from= to= proto=SMTP helo=<10.0.0.1> $Totals{$reject_name = "${rej_type}rejectrbl" }++; next unless ($Collecting{$reject_name}); ($site,$reason) = ($1 =~ /^(.+?)(?:$|(?:[.,] )(.*))/); $reason =~ s/^reason: // if ($reason); $Counts{$reject_name}{$site}{$fmthost}{$reason ? $reason : ''}++; } elsif ($p1 =~ /^<.*>: Helo command rejected: (.*);$/) { $Totals{$reject_name = "${rej_type}rejecthelo" }++; next unless ($Collecting{$reject_name}); $Counts{$reject_name}{ucfirst($1)}{$fmthost}{$helo}++; } elsif ($p1 =~ /^<.*>: Etrn command rejected: (.*);$/) { $Totals{$reject_name = "${rej_type}rejectetrn" }++; next unless ($Collecting{$reject_name}); $Counts{$reject_name}{ucfirst($1)}{$fmthost}{$helo}++; } elsif ($p1 =~ /^<.*>: Data command rejected: (.*);$/) { $Totals{$reject_name = "${rej_type}rejectdata" }++; next unless ($Collecting{$reject_name}); $Counts{$reject_name}{$1}{$fmthost}{$helo}++; } elsif ($p1 =~ /^Insufficient system storage;/) { $Totals{'warninsufficientspace'}++; # force display in Warnings section also $Totals{$reject_name = "${rej_type}rejectinsufficientspace" }++; next unless ($Collecting{$reject_name}); $Counts{$reject_name}{$fmthost}{$eto}{$efrom}++; } elsif ($p1 =~ /^Server configuration (?:error|problem);/) { $Totals{'warnconfigerror'}++; # force display in Warnings section also $Totals{$reject_name = "${rej_type}rejectconfigerror" }++; next unless ($Collecting{$reject_name}); $Counts{$reject_name}{$fmthost}{$eto}{$efrom}++; } elsif ($p1 =~ /^Message size exceeds fixed limit;$/) { # Postfix responds with this message after a MAIL FROM:<...> SIZE=nnn command, where postfix consider's nnn excessive # Note: similar code below: search RejectSize # Note: reject_warning does not seem to occur $Totals{$reject_name = "${rej_type}rejectsize" }++; next unless ($Collecting{$reject_name}); $Counts{$reject_name}{$fmthost}{$eto}{$efrom}++; } elsif ($p1 =~ /^<(.*?)>: Temporary lookup failure;/) { $Totals{$reject_name = "${rej_type}rejectlookupfailure" }++; next unless ($Collecting{$reject_name}); $Counts{$reject_name}{$fmthost}{$eto}{$efrom}++; # This would capture all other rejects, but I think it might be more useful to add # additional capture sections based on user reports of uncapture lines. # #} elsif ( ($reason) = ($p1 =~ /^([^;]+);/)) { # $Totals{$rej_type . 'rejectother'}++; # $Counts{$rej_type . 'rejectother'}{$reason}++; } else { inc_unmatched('rejectother'); } } # end of $re_QID: reject: # QID: ACTION STAGE from host[hostip]: trigger: reason; ftph # #TDsdN warn: RCPT from host[10.0.0.1]: TEST access WARN action; from= to= proto=ESMTP helo= #TDsdN warn: RCPT from host[10.0.0.1]: ; from= to= proto=ESMTP helo= #TDsdN discard: RCPT from host[10.0.0.1]: : Sender address TEST DISCARD action; from= to= proto=ESMTP helo= #TDsdN discard: RCPT from host[10.0.0.1]: : Client host TEST DISCARD action w/ip(client_checks); from= to= proto=ESMTP helo= #TDsdN discard: RCPT from host[10.0.0.1]: : Unverified Client host triggers DISCARD action; from= to= proto=ESMTP helo=<10.0.0.1> #TDsdN hold: RCPT from host[10.0.0.1]: : Recipient address triggers HOLD action; from= to= proto=SMTP helo=<10.0.0.1> #TDsdN hold: RCPT from host[10.0.0.1]: : Helo command optional text...; from= to= proto=ESMTP helo= #TDsdN hold: RCPT from host[10.0.0.1]: : Helo command triggers HOLD action; from= to= proto=ESMTP helo= #TDsdN hold: DATA from host[10.0.0.1]: : Helo command triggers HOLD action; from= to= proto=ESMTP helo= #TDsdN filter: RCPT from host[10.0.0.1]: <>: Sender address triggers FILTER filter:somefilter; from=<> to= proto=SMTP helo= #TDsdN filter: RCPT from host[10.0.0.1]: : Recipient address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from= to= proto=SMTP helo= #TDsdN redirect: RCPT from host[10.0.0.1]: : Client host triggers REDIRECT root@localhost; from= to= proto=SMTP helo= #TDsdN redirect: RCPT from host[10.0.0.1]: : Recipient address triggers REDIRECT root@localhost; from= to= proto=ESMTP helo= # BCC action (postfix 2.6+) #TDsdN bcc: RCPT from host[10.0.0.1]: : Sender address triggers BCC root@localhost; from= to= proto=ESMTP helo= # $re_QID: discard, filter, hold, redirect, warn, bcc, replace ... else { my $trigger; ($trigger,$reason) = ($p1 =~ /^(?:<(\S*)>: )?(.*);$/ ); if ($trigger eq '') { $trigger = '*unavailable'; } else { $trigger =~ s/^<(.+)>$/$1/; } $reason = '*unavailable' if ($reason eq ''); $fmthost = formathost ($hostip,$host); #print "trigger: \"$trigger\", reason: \"$reason\"\n"; # reason -> subject text # subject -> "Helo command" : smtpd_helo_restrictions # subject -> "Client host" : smtpd_client_restrictions # subject -> "Unverified Client host" : smtpd_client_restrictions # subject -> "Client certificate" : smtpd_client_restrictions # subject -> "Sender address" : smtpd_sender_restrictions # subject -> "Recipient address" : smtpd_recipient_restrictions # subject -> "Data command" : smtpd_data_restrictions # subject -> "End-of-data" : smtpd_end_of_data_restrictions # subject -> "Etrn command" : smtpd_etrn_restrictions # text -> triggers action|triggers |optional text... my ($subject, $text) = ($reason =~ /^((?:Recipient|Sender) address|(?:Unverified )?Client host|Client certificate|(?:Helo|Etrn|Data) command|End-of-data) (.+)$/o); #printf "ACTION: '$action', SUBJECT: %-30s TEXT: \"$text\"\n", '"' . $subject . '"'; if ($action eq 'filter') { $Totals{'filtered'}++; next unless ($Collecting{'filtered'}); # See "Note: Counts" before changing $Counts below re: Filtered $text =~ s/triggers FILTER //; if ($subject eq 'Recipient address') { $Counts{'filtered'}{$text}{$subject}{$trigger}{$efrom}{$fmthost}++; } elsif ($subject =~ /Client host$/) { $Counts{'filtered'}{$text}{$subject}{$fmthost}{$eto}{$efrom}++; } else { $Counts{'filtered'}{$text}{$subject}{$trigger}{$eto}{$fmthost}++; } } elsif ($action eq 'redirect') { $Totals{'redirected'}++; next unless ($Collecting{'redirected'}); $text =~ s/triggers REDIRECT //; # See "Note: Counts" before changing $Counts below re: Redirected if ($subject eq 'Recipient address') { $Counts{'redirected'}{$text}{$subject}{$trigger}{$efrom}{$fmthost}++; } elsif ($subject =~ /Client host$/) { $Counts{'redirected'}{$text}{$subject}{$fmthost}{$eto}{$efrom}++; } else { $Counts{'redirected'}{$text}{$subject}{$trigger}{$eto}{$fmthost}++; } } # hold, discard, and warn allow "optional text" elsif ($action eq 'hold') { $Totals{'hold'}++; next unless ($Collecting{'hold'}); # See "Note: Counts" before changing $Counts below re: Hold $subject = $reason unless $text eq 'triggers HOLD action'; if ($subject eq 'Recipient address') { $Counts{'hold'}{$subject}{$trigger}{$efrom}{$fmthost}++; } elsif ($subject =~ /Client host$/) { $Counts{'hold'}{$subject}{$fmthost}{$eto}{$efrom}++; } else { $Counts{'hold'}{$subject}{$trigger}{$eto}{$fmthost}++; } } elsif ($action eq 'discard') { $Totals{'discarded'}++; next unless ($Collecting{'discarded'}); # See "Note: Counts" before changing $Counts below re: Discarded $subject = $reason unless $text eq 'triggers DISCARD action'; if ($subject eq 'Recipient address') { $Counts{'discarded'}{$subject}{$trigger}{$efrom}{$fmthost}++; } elsif ($subject =~ /Client host$/) { $Counts{'discarded'}{$subject}{$fmthost}{$eto}{$efrom}++; } else { $Counts{'discarded'}{$subject}{$trigger}{$eto}{$fmthost}++; } } elsif ($action eq 'warn') { $Totals{'warned'}++; next unless ($Collecting{'warned'}); $Counts{'warned'}{$reason}{$fmthost}{$eto}{''}++; # See "Note: Counts" before changing $Counts above... } elsif ($action eq 'bcc') { $Totals{'bcced'}++; next unless ($Collecting{'bcced'}); # See "Note: Counts" before changing $Counts below re: Filtered $text =~ s/triggers BCC //o; if ($subject eq 'Recipient address') { $Counts{'bcced'}{$text}{$subject}{$trigger}{$efrom}{$fmthost}++; } elsif ($subject =~ /Client host$/) { $Counts{'bcced'}{$text}{$subject}{$fmthost}{$eto}{$efrom}++; } else { $Counts{'bcced'}{$text}{$subject}{$trigger}{$eto}{$fmthost}++; } } else { die "Unexpected ACTION: '$action'"; } } } elsif ($p1 =~ s/^client=(([^ ]*)\[([^ ]*)\](?::(?:\d+|unknown))?)//) { my ($hip,$host,$hostip) = ($1,$2,$3); # Increment accepted when the client connection is made and smtpd has a QID. # Previously, accepted was being incorrectly incremented when the first qmgr # "from=xxx, size=nnn ..." line was seen. This is erroneous when the smtpd # client connection occurred outside the date range of the log being analyzed. $AcceptedByQid{$qid} = $hip; $Totals{'msgsaccepted'}++; #TDsdQ client=unknown[192.168.0.1] #TDsdQ client=unknown[192.168.0.1]:unknown #TDsdQ client=unknown[192.168.0.1]:10025 #TDsd client=example.com[192.168.0.1], helo=example.com #TDsdQ client=mail.example.com[2001:dead:beef::1] #TDsdQ client=localhost[127.0.0.1], sasl_sender=someone@example.com #TDsdQ client=example.com[192.168.0.1], sasl_method=PLAIN, sasl_username=anyone@sample.net #TDsdQ client=example.com[192.168.0.1], sasl_method=LOGIN, sasl_username=user@example.com, sasl_sender= #TDsdQ client=unknown[10.0.0.1], sasl_sender=user@examine.com next if ($p1 eq ''); my ($method,$user,$sender) = ($p1 =~ /^(?:, sasl_method=([^,]+))?(?:, sasl_username=([^,]+))?(?:, sasl_sender=?)?$/); # sasl_sender occurs when AUTH verb is present in MAIL FROM, typically used for relaying # the username (eg. sasl_username) of authenticated users. if ($sender or $method or $user) { $Totals{'saslauth'}++; next unless ($Collecting{'saslauth'}); $method ||= '*unknown method'; $user ||= '*unknown user'; $Counts{'saslauth'}{$user . ($sender ? " ($sender)" : '')}{$method}{formathost($hostip,$host)}++; } } # ^$re_QID: ... (not access(5) action) elsif ($p1 =~ /^from=<(.*?)>, size=(\d+), nrcpt=(\d+)/) { my ($efrom,$bytes,$nrcpt) = ($1,$2,$3); #TDsdQ from=, size=4051, nrcpt=1 (queue active) #TDsdQ(12) from=, size=25302, nrcpt=2 (queue active) #TDsdQ from=, size=5529, nrcpt=1 (queue active) #TDsdQ from=, size=5335, nrcpt=1 (queue active) # Distinguish bytes accepted vs. bytes delivered due to multiple recips # Increment bytes accepted on the first qmgr "from=..." line... next if (exists $SizeByQid{$qid}); $SizeByQid{$qid} = $bytes; # ...but only when the smtpd "client=..." line has been seen too. # This under-counts when the smtpd "client=..." connection log entry and the # qmgr "from=..." log entry span differnt periods (as fed to postfix-logwatch). next if (! exists $AcceptedByQid{$qid}); $Totals{'bytesaccepted'} += $bytes; $Counts{'envelopesenders'}{$efrom ne '' ? $efrom : '<>'}++ if ($Collecting{'envelopesenders'}); if ($Collecting{'envelopesenderdomains'}) { my ($localpart, $domain); if ($efrom eq '') { ($localpart, $domain) = ('<>', '*unknown'); } else { ($localpart, $domain) = split (/@/, lc $efrom); } $Counts{'envelopesenderdomains'}{$domain ne '' ? $domain : '*unknown'}{$localpart}++; } delete $AcceptedByQid{$qid}; # prevent incrementing BytesAccepted again } ### sent, forwarded, bounced, softbounce, deferred, (un)deliverable elsif ($p1 =~ s/^to=<(.*?)>,(?: orig_to=<(.*?)>,)? relay=([^,]*).*, ($re_DDD), status=(\S+) //o) { ($relay,$status) = ($3,$5); my ($to,$origto,$localpart,$domainpart,$dsn,$p1) = process_delivery_attempt ($1,$2,$4,$p1); #TD 552B6C20E: to=, relay=mail.example.net[10.0.0.1]:25, delay=1021, delays=1020/0.04/0.56/0.78, dsn=2.0.0, status=sent (250 Ok: queued as 6EAC4719EB) #TD 552B6C20E: to=, relay=mail.example.net[10.0.0.1]:25, conn_use=2 delay=1021, delays=1020/0.04/0.56/0.78, dsn=2.0.0, status=sent (250 Ok: queued as 6EAC4719EB) #TD DD925BBE2: to=, orig_to=, relay=mail.example.net[2001:dead:beef::1], delay=2, status=sent (250 Ok: queued as 5221227246) ### sent if ($status eq 'sent') { if ($p1 =~ /forwarded as /) { $Totals{'bytesforwarded'} += $SizeByQid{$qid} if (exists $SizeByQid{$qid}); $Totals{'forwarded'}++; next unless ($Collecting{'forwarded'}); $Counts{'forwarded'}{$domainpart}{$localpart}{$origto}++; } else { if ($service_name eq 'lmtp') { $Totals{'bytessentlmtp'} += $SizeByQid{$qid} if (exists $SizeByQid{$qid}); $Totals{'sentlmtp'}++; next unless ($Collecting{'sentlmtp'}); $Counts{'sentlmtp'}{$domainpart}{$localpart}{$origto}++; } elsif ($service_name eq 'smtp') { $Totals{'bytessentsmtp'} += $SizeByQid{$qid} if (exists $SizeByQid{$qid}); $Totals{'sent'}++; next unless ($Collecting{'sent'}); $Counts{'sent'}{$domainpart}{$localpart}{$origto}++; } # virtual, command, ... else { $Totals{'bytesdelivered'} += $SizeByQid{$qid} if (exists $SizeByQid{$qid}); $Totals{'delivered'}++; next unless ($Collecting{'delivered'}); $Counts{'delivered'}{$domainpart}{$localpart}{$origto}++; } } } elsif ($status eq 'deferred') { #TDsQ to=, relay=none, delay=27077, delays=27077/0/0.57/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=example.com type=MX: Host not found, try again) #TDsQ to=, relay=none, delay=141602, status=deferred (connect to mx1.example.com[10.0.0.1]: Connection refused) #TDsQ to=, relay=none, delay=141602, status=deferred (delivery temporarily suspended: connect to example.com[192.168.0.1]: Connection refused) #TDsQ to=, relay=none, delay=306142, delays=306142/0.04/0.18/0, dsn=4.4.1, status=deferred (connect to example.com[10.0.0.1]: Connection refused) #TDsQ to=, relay=example.org[10.0.0.1], delay=48779, status=deferred (lost connection with mail.example.org[10.0.0.1] while sending MAIL FROM) #TDsQ to=, relay=sample.net, delay=26541, status=deferred (conversation with mail.example.com timed out while sending end of data -- message may be sent more than once) #TDsQ to=, relay=sample.net[10.0.0.1]:25, delay=322, delays=0.04/0/322/0, dsn=4.4.2, status=deferred (conversation with example.com[10.0.0.01] timed out while receiving the initial server greeting) #TDsQ to=, orig_to=, relay=none, delay=238024, status=deferred (delivery temporarily suspended: transport is unavailable) # XXX postfix reports dsn=5.0.0, host's reply may contain its own dsn's such as 511 and #5.1.1 # XXX should these be used instead? #TDsQ to=, relay=sample.net[10.0.0.1]:25, delay=5.7, delays=0.05/0.02/5.3/0.3, dsn=4.7.1, status=deferred (host sample.net[10.0.0.1] said: 450 4.7.1 : Recipient address rejected: Greylisted (in reply to RCPT TO command)) #TDsQ to=, relay=example.com[10.0.0.1]:25, delay=79799, delays=79797/0.02/0.4/1.3, dsn=4.0.0, status=deferred (host example.com[10.0.0.1] said: 450 : User unknown in local recipient table (in reply to RCPT TO command)) #TDsQ to=, relay=example.com[10.0.0.1]:25, delay=97, delays=0.03/0/87/10, dsn=4.0.0, status=deferred (host example.com[10.0.0.1] said: 450 : Recipient address rejected: undeliverable address: User unknown in virtual alias table (in reply to RCPT TO command)) ($reply,$fmthost) = cleanhostreply($p1,$relay,$to,$domainpart); $Totals{'deferred'}++ if ($DeferredByQid{$qid}++ == 0); $Totals{'deferrals'}++; next unless ($Collecting{'deferrals'}); $Counts{'deferrals'}{get_dsn_msg($dsn)}{$reply}{$domainpart}{$localpart}{$fmthost}++; } ### bounced elsif ($status eq 'bounced' or $status eq 'SOFTBOUNCE') { # local agent #TDlQ to=, relay=local, delay=2.5, delays=2.1/0.22/0/0.21, dsn=5.1.1, status=bounced (unknown user: "friend") # smtp agent #TDsQ to=, orig_to=, relay=sample.net[10.0.0.1]:25, delay=22, delays=0.02/0.09/22/0.07, dsn=5.0.0, status=bounced (host sample.net[10.0.0.1] said: 551 invalid address (in reply to MAIL FROM command)) #TDsQ to=, relay=sample.net[10.0.0.1]:25, delay=11, delays=0.13/0.07/0.98/0.52, dsn=5.0.0, status=bounced (host sample.net[10.0.0.1] said: 550 MAILBOX NOT FOUND (in reply to RCPT TO command)) #TDsQ to=, orig_to=, relay=sample.net[10.0.0.1]:25, delay=22, delays=0.02/0.09/22/0.07, dsn=5.0.0, status=bounced (host sample.net[10.0.0.1] said: 551 invalid address (in reply to MAIL FROM command)) #TDsQ to=, relay=none, delay=0.57, delays=0.57/0/0/0, dsn=5.4.6, status=bounced (mail for sample.net loops back to myself) #TDsQ to=<>, relay=none, delay=1, status=bounced (mail for sample.net loops back to myself) #TDsQ to=, relay=none, delay=0, status=bounced (Host or domain name not found. Name service error for name=unknown.com type=A: Host not found) # XXX verify these... #TD EB0B8770: to=, orig_to=, relay=none, delay=1, status=bounced (User unknown in virtual alias table) #TD EB0B8770: to=, orig_to=, relay=sample.net[192.168.0.1], delay=1.1, status=bounced (User unknown in relay recipient table) #TD D8962E54: to=, relay=local, conn_use=2 delay=0.21, delays=0.05/0.02/0/0.14, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "to") #TD F031C832: to=, orig_to=, relay=local, delay=0.17, delays=0.13/0.01/0/0.03, dsn=5.1.1, status=bounced (unknown user: "to") #TD C76431E2: to=, relay=local, delay=2, status=SOFTBOUNCE (host sample.net[192.168.0.1] said: 450 : User unknown in local recipient table (in reply to RCPT TO command)) #TD 04B0702E: to=, relay=example.com[10.0.0.1]:25, delay=12, delays=6.5/0.01/0.03/5.1, dsn=5.1.1, status=bounced (host example.com[10.0.0.1] said: 550 5.1.1 User unknown (in reply to RCPT TO command)) #TD 9DAC8B2D: to=, relay=example.com[10.0.0.1]:25, delay=1.4, delays=0.04/0/0.27/1.1, dsn=5.0.0, status=bounced (host example.com[10.0.0.1] said: 511 sorry, no mailbox here by that name (#5.1.1 - chkuser) (in reply to RCPT TO command)) #TD 79CB702D: to=, relay=example.com[10.0.0.1]:25, delay=0.3, delays=0.04/0/0.61/0.8, dsn=5.0.0, status=bounced (host example.com[10.0.0.1] said: 550 , Recipient unknown (in reply to RCPT TO command)) #TD 88B7A079: to=, relay=example.com[10.0.0.1]:25, delay=45, delays=0.03/0/5.1/40, dsn=5.0.0, status=bounced (host example.com[10.0.0.1] said: 550-"The recipient cannot be verified. Please check all recipients of this 550 message to verify they are valid." (in reply to RCPT TO command)) #TD 47B7B074: to=, relay=example.com[10.0.0.1]:25, delay=6.6, delays=6.5/0/0/0.11, dsn=5.1.1, status=bounced (host example.com[10.0.0.1] said: 550 5.1.1 User unknown; rejecting (in reply to RCPT TO command)) #TDppQ to=, relay=dbmail-pipe, delay=0.15, delays=0.09/0.01/0/0.06, dsn=5.3.0, status=bounced (Command died with signal 11: "/usr/sbin/dbmail-smtp") # print "bounce message from " . $to . " msg : " . $relay . "\n"; # See same code elsewhere "Note: Bounce" ### local bounce # XXX local v. remote bounce seems iffy, relative if ($relay =~ /^(?:none|local|virtual|127\.0\.0\.1|maildrop|avcheck)/) { $Totals{'bouncelocal'}++; next unless ($Collecting{'bouncelocal'}); $Counts{'bouncelocal'}{get_dsn_msg($dsn)}{$domainpart}{ucfirst($p1)}{$localpart}++; } else { $Totals{'bounceremote'}++; next unless ($Collecting{'bounceremote'}); ($reply,$fmthost) = cleanhostreply($p1,$relay,$to,$domainpart); $Counts{'bounceremote'}{get_dsn_msg($dsn)}{$domainpart}{$localpart}{$fmthost}{$reply}++; } } elsif ($status =~ 'undeliverable') { #TDsQ to=, relay=sample.com[10.0.0.1], delay=0, dsn=5.0.0, status=undeliverable (host sample.com[10.0.0.1] refused to talk to me: 554 5.7.1 example.com Connection not authorized) #TDsQ to=, relay=mx.example.com[10.0.0.1]:25, conn_use=2, delay=5.5, delays=0.03/0/0.21/5.3, dsn=5.0.0, status=undeliverable-but-not-cached (host mx.example.com[10.0.0.1] said: 550 RCPT TO: User unknown (in reply to RCPT TO command)) #TDvQ to=, relay=virtual, delay=0.14, delays=0.06/0/0/0.08, dsn=5.1.1, status=undeliverable (unknown user: "u@example.com") #TDlQ to=, relay=local, delay=0.02, delays=0.01/0/0/0, dsn=5.1.1, status=undeliverable-but-not-cached (unknown user: "to") $Totals{'undeliverable'}++; next unless ($Collecting{'undeliverable'}); if ($p1 =~ /^unknown user: ".+?"$/) { $Counts{'undeliverable'}{get_dsn_msg($dsn)}{'Unknown user'}{$domainpart}{$localpart}{$origto ? $origto : ''}++; } else { my ($reply,$fmthost) = cleanhostreply($p1,'',$to ne '' ? $to : '<>',$domainpart); $Counts{'undeliverable'}{get_dsn_msg($dsn)}{$reply}{$domainpart}{$localpart}{$fmthost}++; } } elsif ($status eq 'deliverable') { # address verification, sendmail -bv deliverable reports #TDvQ to=, relay=virtual, delay=0.09, delays=0.03/0/0/0.06, dsn=2.0.0, status=deliverable (delivers to maildir) $Totals{'deliverable'}++; next unless ($Collecting{'deliverable'}); my $dsn = ($p1 =~ s/^($re_DSN) // ? $1 : '*unavailable'); $Counts{'deliverable'}{$dsn}{$p1}{$origto ? "$to ($origto)" : $to}++; } else { # keep this as the last condition in this else clause inc_unmatched('unknownstatus'); } } # end of sent, forwarded, bounced, softbounce, deferred, (un)deliverable # pickup elsif ($p1 =~ /^(uid=\S* from=<.*?>)/) { #TDpQ2 uid=0 from= $AcceptedByQid{$qid} = $1; $Totals{'msgsaccepted'}++; } elsif ($p1 =~ /^from=<(.*?)>, status=expired, returned to sender$/) { #TDqQ from=, status=expired, returned to sender $Totals{'returnedtosender'}++; next unless ($Collecting{'returnedtosender'}); $Counts{'returnedtosender'}{$1 ne '' ? $1 : '<>'}++; } elsif ($p1 =~ s/^host ([^[]+)\[([^]]+)\](?::\d+)? refused to talk to me://) { #TDsQ host mail.example.com[10.0.0.1] refused to talk to me: 553 Connections are being blocked due to previous incidents of abuse #TDsQ host mail.example.com[10.0.0.1] refused to talk to me: 501 Connection from 192.168.2.1 (XY) rejected # Note: See ConnectToFailure above $Totals{'connecttofailure'}++; next unless ($Collecting{'connecttofailure'}); $Counts{'connecttofailure'}{'Refused to talk to me'}{formathost($2,$1)}{$p1}++; } elsif ($p1 =~ /^lost connection with ([^[]*)\[([^]]+)\](?::\d+)? (while .*)$/) { # outbound smtp #TDsQ lost connection with sample.net[10.0.0.1] while sending MAIL FROM #TDsQ lost connection with sample.net[10.0.0.2] while receiving the initial server greeting $Totals{'connectionlostoutbound'}++; next unless ($Collecting{'connectionlostoutbound'}); $Counts{'connectionlostoutbound'}{ucfirst($3)}{formathost($2,$1)}++; } elsif ($p1 =~ /^conversation with ([^[]*)\[([^]]+)\](?::\d+)? timed out (while .*)$/) { #TDsQ conversation with sample.net[10.0.0.1] timed out while receiving the initial SMTP greeting # Note: see TimeoutInbound below $Totals{'timeoutinbound'}++; next unless ($Collecting{'timeoutinbound'}); $Counts{'timeoutinbound'}{ucfirst($3)}{formathost($2,$1)}{''}++; } elsif ($p1 =~ /^enabling PIX (\.) workaround for ([^[]+)\[([^]]+)\](?::\d+)?/ or $p1 =~ /^enabling PIX workarounds: (.*) for ([^[]+)\[([^]]+)\](?::\d+)?/) { #TDsQ enabling PIX . workaround for example.com[192.168.0.1] #TDsQ enabling PIX . workaround for mail.sample.net[10.0.0.1]:25 #TDsQ enabling PIX workarounds: disable_esmtp delay_dotcrlf for spam.example.org[10.0.0.1]:25 $Totals{'pixworkaround'}++; next unless ($Collecting{'pixworkaround'}); $Counts{'pixworkaround'}{$1}{formathost($3,$2)}++; } # milter-reject, milter-hold, milter-discard elsif ($p1 =~ s/^milter-//) { milter_common($p1); } elsif ($p1 =~ s/^SASL (\[CACHED\] )?authentication failed; //) { #TDsQ SASL authentication failed; cannot authenticate to server smtp.example.com[10.0.0.1]: no mechanism available #TDsQ SASL authentication failed; server example.com[10.0.0.1] said: 535 Error: authentication failed #TDsQ SASL [CACHED] authentication failed; server example.com[10.0.0.1] said: 535 Error: authentication failed # see saslauthfail elsewhere $Totals{'saslauthfail'}++; next unless ($Collecting{'saslauthfail'}); my $cached = $1; if ($p1 =~ /^(authentication protocol loop with server): ([^[]+)\[([^]]+)\](?::\d+)?$/) { ($reason,$host,$hostip,$reason2) = ($1,$2,$3,''); } elsif ($p1 =~ /^(cannot authenticate to server) ([^[]+)\[([^]]+)\](?::\d+)?: (.*)$/) { ($reason,$host,$hostip,$reason2) = ($1,$2,$3,$4); } elsif ($p1 =~ /^server ([^[]+)\[([^]]+)\](?::\d+)? said: (.+)$/) { ($reason,$host,$hostip,$reason2) = ('server ... said',$1,$2,$3); } else { inc_unmatched('saslauthfail'); next; } $reason .= ': ' . $reason2 if $reason2; $Counts{'saslauthfail'}{$cached . $reason}{formathost($hostip,$host)}++; } else { # keep this as the last condition in this else clause inc_unmatched('unknownqid') if ! in_ignore_list ($p1); } } # end of $re_QID section elsif ($p1 =~ /^(timeout|lost connection) (after [^ ]+)(?: \((?:approximately )?(\d+) bytes\))? from ([^[]*)\[([^]]+)\](?::\d+)?$/) { my ($lort,$reason,$bytes,$host,$hostip) = ($1,$2,$3,$4,$5); if ($lort eq 'timeout') { # see also TimeoutInbound in $re_QID section #TDsd timeout after RSET from example.com[192.168.0.1] #TDsd timeout after DATA (6253 bytes) from example.com[10.0.0.1] $Totals{'timeoutinbound'}++; next unless ($Collecting{'timeoutinbound'}); $Counts{'timeoutinbound'}{ucfirst($reason)}{formathost($hostip,$host)}{commify($bytes)}++; } else { #TDsd lost connection after CONNECT from mail.example.com[192.168.0.1] # postfix 2.5:20071003 #TDsd lost connection after DATA (494133 bytes) from localhost[127.0.0.1] # postfix 2.6:20080621 #TDsd lost connection after DATA (approximately 0 bytes) from example.com[10.0.0.1] $Totals{'connectionlostinbound'}++; next unless ($Collecting{'connectionlostinbound'}); $Counts{'connectionlostinbound'}{ucfirst($reason)}{formathost($hostip,$host)}{commify($bytes)}++; } } elsif ($p1 =~ /^(reject(?:_warning)?): RCPT from ([^[]+)\[([^]]+)\](?::\d+)?: ($re_DSN) Service (?:temporarily )?(?:unavailable|denied)[^;]*; (?:(?:Unverified )?Client host |Sender address |Helo command )?\[[^ ]*\] blocked using ([^;]+);/o) { my ($rej_type,$host,$hostip,$dsn,) = ($1,$2,$3,$4); ($site,$reason) = ($5 =~ /^(.+?)(?:$|(?:[.,] )(.*))/); $reason =~ s/^reason: // if ($reason); $rej_type = ($rej_type =~ /_warning/ ? 'warn' : get_reject_key($dsn)); #print "REJECT RBL NOQ: '$rej_type'\n"; # Note: similar code above: search RejectRBL # This section required: postfix didn't always log QID (eg. postfix 1.1) # Also, "reason:" was probably always present in this case, but I'm not certain # postfix 1.1 #TDsd reject_warning: RCPT from example.com[10.0.0.1]: 554 Service unavailable; [10.0.0.1] blocked using orbz.org, reason: Open relay. Please see http://orbz.org/?10.0.0.1; from= to= #TDsd reject: RCPT from example.com[10.0.0.2]: 554 Service unavailable; [10.0.0.2] blocked using orbz.org, reason: Open relay. Please see http://orbz.org/?10.0.0.2; from= to= #TDsd reject: RCPT from unknown[10.0.0.3]: 554 Service unavailable; [10.0.0.3] blocked using bl.spamcop.net, reason: Blocked - see http://www.spamcop.net/bl.shtml?10.0.0.3; from= to= #TDsd reject: RCPT from example.com[10.0.0.4]: 554 Service unavailable; [10.0.0.4] blocked using sbl.spamhaus.org, reason: http://www.spamhaus.org/SBL/sbl.lasso?query=B12057; from= to= if ($Collecting{'byiprejects'} and substr($rej_type,0,1) eq '5') { $fmthost = formathost($hostip,$host); $Counts{'byiprejects'}{$fmthost}++; } $Totals{$reject_name = "${rej_type}rejectrbl" }++; next unless ($Collecting{$reject_name}); $Counts{$reject_name}{$site}{$fmthost ? $fmthost : formathost($hostip,$host)}{$reason ? $reason : ''}++; } # proxy-reject, proxy-accept elsif ($p1 =~ s/^proxy-(reject|accept): ([^:]+): //) { # 2.7 #TDsdN proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 9BE3547AFE; from= to= proto=ESMTP helo= #TDsdN proxy-reject: END-OF-MESSAGE: 554 5.7.0 Reject, id=11912-03 - INFECTED: Eicar-Test-Signature; from= to= proto=ESMTP helo= #TDsdN proxy-reject: END-OF-MESSAGE: ; from= to= proto=SMTP helo= next if $1 eq 'accept'; #ignore accepts my ($stage) = ($2); my ($efrom,$eto,$proto,$helo) = strip_ftph($p1); #print "efrom: '$efrom', eto: '$eto', proto: '$proto', helo: '$helo'\n"; #print "stage: '$stage', reply: '$p1'\n"; my ($dsn,$reject_name); ($dsn,$reply) = ($1,$2) if $p1 =~ /^($re_DSN) (.*)$/o; #print " dsn: '$dsn', reply: '$reply', key: ", get_reject_key($dsn), "\n"; # DSN may not be present. Can occur, for example, when queue file size limit is reached, # which is logged as a Warning. Ignore these, since they can't be add to any # reject section (no SMTP reply code). if (! defined $dsn) { next; } $Totals{$reject_name = get_reject_key($dsn) . 'rejectproxy' }++; next unless ($Collecting{$reject_name}); $Counts{$reject_name}{$stage}{$reply}{$eto}++; } ### smtpd_tls_loglevel >= 1 # Server TLS messages elsif (($status,$host,$hostip,$type) = ($p1 =~ /^(?:(Anonymous|Trusted|Untrusted) )?TLS connection established from ([^[]+)\[([^]]+)\](?::\d+)?: (.*)$/)) { #TDsd TLS connection established from example.com[192.168.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) # Postfix 2.5+: status: Untrusted or Trusted #TDsd Untrusted TLS connection established from example.com[192.168.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) #TDsd Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) $Totals{'tlsserverconnect'}++; next unless ($Collecting{'tlsserverconnect'}); $Counts{'tlsserverconnect'}{$status ? "$status: $type" : $type}{formathost($hostip,$host)}++; } # Client TLS messages elsif ( ($status,$host,$type) = ($p1 =~ /^(?:(Verified|Trusted|Untrusted|Anonymous) )?TLS connection established to ([^ ]*): (.*)$/o)) { #TD TLS connection established to example.com: TLSv1 with cipher AES256-SHA (256/256 bits) # Postfix 2.5+: peer verification status: Untrusted, Trusted or Verified when # server's trust chain is valid and peername is matched #TD Verified TLS connection established to 127.0.0.1[127.0.0.1]:26: TLSv1 with cipher DHE-DSS-AES256-SHA (256/256 bits) $Totals{'tlsclientconnect'}++; next unless ($Collecting{'tlsclientconnect'}); $Counts{'tlsclientconnect'}{$status ? "$status: $type" : $type}{$host}++; } # smtp_tls_note_starttls_offer=yes elsif ($p1 =~ /^Host offered STARTTLS: \[(.*)\]$/o) { #TD Host offered STARTTLS: [mail.example.com] $Totals{'tlsoffered'}++; next unless ($Collecting{'tlsoffered'}); $Counts{'tlsoffered'}{$1}++; } ### smtpd_tls_loglevel >= 1 elsif ($p1 =~ /^Unverified: (.*)/o) { #TD Unverified: subject_CN=(www|smtp|mailhost).(example.com|sample.net), issuer=someuser $Totals{'tlsunverified'}++; next unless ($Collecting{'tlsunverified'}); $Counts{'tlsunverified'}{$1}++; } # Note: no QID elsif (($host,$hostip,$dsn,$from,$to) = ($p1 =~ /^reject: RCPT from ([^[]+)\[([^]]+)\](?::\d+)?: ([45]52) Message size exceeds fixed limit; from=<(.*?)> to=<(.*?)>/)) { #TD reject: RCPT from size.example.com[192.168.0.1]: 452 Message size exceeds fixed limit; from= to= #TD reject: RCPT from size.example.com[192.168.0.1]: 552 Message size exceeds fixed limit; from= to= proto=ESMTP helo= # Note: similar code above: search RejectSize # Note: reject_warning does not seem to occur if ($Collecting{'byiprejects'} and substr($dsn,0,1) eq '5') { $fmthost = formathost($hostip,$host); $Counts{'byiprejects'}{$fmthost}++; } $Totals{$reject_name = get_reject_key($dsn) . 'rejectsize' }++; next unless ($Collecting{$reject_name}); $Counts{$reject_name}{$fmthost ? $fmthost : formathost($hostip,$host)}{$to}{$from ne '' ? $from : '<>'}++; } elsif ($p1 =~ /looking for plugins in (.*)$/) { #TD looking for plugins in '/usr/lib/sasl2', failed to open directory, error: No such file or directory $Totals{'warnconfigerror'}++; next unless ($Collecting{'warnconfigerror'}); $Counts{'warnconfigerror'}{$1}++; } # SMTP/ESMTP protocol violations elsif ($p1 =~ /^(improper command pipelining) (after \S+) from ([^[]*)\[([^]]+)\](?::\d+)?/) { # ProtocolViolation #TDsd postfix/smtpd[24928]: improper command pipelining after RCPT from unknown[192.168.0.1] my ($error,$stage,$host,$hostip) = ($1,$2,$3,$4); $Totals{'smtpprotocolviolation'}++; next unless ($Collecting{'smtpprotocolviolation'}); $Counts{'smtpprotocolviolation'}{ucfirst($error)}{ucfirst($stage)}{formathost($hostip,$host)}++; } elsif ($p1 =~ /^(too many errors) (after [^ ]*)(?: \((?:approximately )?\d+ bytes\))? from ([^[]*)\[([^]]+)\](?::\d+)?$/) { my ($error,$stage,$host,$hostip) = ($1,$2,$3,$4); #TDsd too many errors after AUTH from sample.net[10.0.0.1] #TDsd too many errors after DATA (0 bytes) from 1-0-0-10.example.com[10.0.0.1] $Totals{'smtpprotocolviolation'}++; next unless ($Collecting{'smtpprotocolviolation'}); $Counts{'smtpprotocolviolation'}{ucfirst($error)}{ucfirst($stage)}{formathost($hostip,$host)}++; } # coerce these into general warnings elsif ( $p1 =~ /^cannot load Certificate Authority data/ or $p1 =~ /^SSL_connect error to /) { #TDsQ Cannot start TLS: handshake failure #TDsd cannot load Certificate Authority data #TDs SSL_connect error to mail.example.com: 0 postfix_warning($p1); } else { # add to the unmatched list if not on the ignore_list inc_unmatched('final') if ! in_ignore_list ($p1); } } ######################################## # Final tabulations, and report printing for my $code (@RejectKeys) { for my $type (@RejectClasses) { $Totals{'totalrejects' . $code} += $Totals{$code . $type}; } if ($code =~ /^5/o) { $Totals{'totalrejects'} += $Totals{'totalrejects' . $code}; } } # XXX this was naive - the goal was to avoid recounting messages # released from quarantine, but externally introduced messages may # contain resent-message-id; trying to track only internally resent # messages does not seem useful. # make some corrections now, due to double counting #$Totals{'msgsaccepted'} -= $Totals{'resent'} if ($Totals{'msgsaccepted'} >= $Totals{'resent'}); $Totals{'totalacceptplusreject'} = $Totals{'msgsaccepted'} + $Totals{'totalrejects'}; # Print the Summary report if any key has non-zero data. # Note: must explicitely check for any non-zero data, # as Totals always has some keys extant. # if ($Opts{'summary'}) { for (keys %Totals) { if ($Totals{$_}) { print_summary_report (@Sections); last; } } } # Print the Detail report, if detail is sufficiently high # if ($Opts{'detail'} >= 5) { #print STDERR "Counts memory usage: ", commify(Devel::Size::total_size(\%Counts)), "\n"; #print STDERR "Delays memory usage: ", commify(Devel::Size::total_size(\%Delays)), "\n"; print_detail_report(@Sections); if ($Opts{'delays'}) { my @table; for (sort keys %Delays) { # anon array ref: label, array ref of $Delay{key} push @table, [ substr($_,3), $Delays{$_} ]; } if (@table) { print_percentiles_report2(\@table, "Delivery Delays Percentiles", $Opts{'delays_percentiles'}); } } print_postgrey_reports(); } # debug: show which ignore_list items are hit most #my %IGNORED; #for (sort { $IGNORED{$b} <=> $IGNORED{$a} } keys %IGNORED) { # printf "%10d: KEY: %s\n", $IGNORED{$_}, $_; #} # Finally, print any unmatched lines # print_unmatched_report(); # # End of main # ################################################## # Create the list of REs against which log lines are matched. # Lines that match any of the patterns in this list are ignored. # # Note: This table is created at runtime, due to a Perl bug which # I reported as perl bug #56202: # # http://rt.perl.org/rt3/Public/Bug/Display.html?id=56202 # sub create_ignore_list() { # top 3 hitters up front push @ignore_list, qr/^statistics:/; push @ignore_list, qr/^setting up TLS connection (?:from|to)/; push @ignore_list, qr/^Verified: /; push @ignore_list, qr/^skipped, still being delivered/; # SSL info at/above mail.info level push @ignore_list, qr/^read from [a-fA-F\d]{8}/; push @ignore_list, qr/^write to [a-fA-F\d]{8}/; push @ignore_list, qr/^[a-f\d]{4} [a-f\d]{2}/; push @ignore_list, qr/^[a-f\d]{4} - ]+ /; push @ignore_list, qr/^premature end-of-input (?:on|from) .* socket while reading input attribute name$/; push @ignore_list, qr/^certificate peer name verification failed/; push @ignore_list, qr/^Peer certi?ficate could not be verified$/; # missing i was a postfix typo push @ignore_list, qr/^Peer cert verify depth=/; push @ignore_list, qr/^Peer verification:/; push @ignore_list, qr/^Server certificate could not be verified/; push @ignore_list, qr/^cannot load .SA certificate and key data/; push @ignore_list, qr/^tlsmgr_cache_run_event/; push @ignore_list, qr/^SSL_accept/; push @ignore_list, qr/^SSL_connect:/; push @ignore_list, qr/^connection (?:closed|established)/; push @ignore_list, qr/^delete smtpd session/; push @ignore_list, qr/^put smtpd session/; push @ignore_list, qr/^save session/; push @ignore_list, qr/^Reusing old/; push @ignore_list, qr/^looking up session/; push @ignore_list, qr/^lookup smtpd session/; push @ignore_list, qr/^lookup \S+ type/; push @ignore_list, qr/^xsasl_(?:cyrus|dovecot)_/; push @ignore_list, qr/^watchdog_/; push @ignore_list, qr/^read smtpd TLS/; push @ignore_list, qr/^open smtpd TLS/; push @ignore_list, qr/^write smtpd TLS/; push @ignore_list, qr/^read smtp TLS cache entry/; push @ignore_list, qr/^starting TLS engine$/; push @ignore_list, qr/^initializing the server-side TLS/; push @ignore_list, qr/^global TLS level: /; push @ignore_list, qr/^auto_clnt_/; push @ignore_list, qr/^generic_checks:/; push @ignore_list, qr/^inet_addr_/; push @ignore_list, qr/^mac_parse:/; push @ignore_list, qr/^cert has expired/; push @ignore_list, qr/^daemon started/; push @ignore_list, qr/^master_notify:/; push @ignore_list, qr/^rewrite_clnt:/; push @ignore_list, qr/^rewrite stream/; push @ignore_list, qr/^dict_/; push @ignore_list, qr/^send attr /; push @ignore_list, qr/^match_/; push @ignore_list, qr/^input attribute /; push @ignore_list, qr/^Run-time/; push @ignore_list, qr/^Compiled against/; push @ignore_list, qr/^private\//; push @ignore_list, qr/^reject_unknown_/; # don't combine or shorten these reject_ patterns push @ignore_list, qr/^reject_unauth_/; push @ignore_list, qr/^reject_non_/; push @ignore_list, qr/^permit_/; push @ignore_list, qr/^idle timeout/; push @ignore_list, qr/^get_dns_/; push @ignore_list, qr/^dns_/; push @ignore_list, qr/^chroot /; push @ignore_list, qr/^process generation/; push @ignore_list, qr/^fsspace:/; push @ignore_list, qr/^master disconnect/; push @ignore_list, qr/^resolve_clnt/; push @ignore_list, qr/^ctable_/; push @ignore_list, qr/^extract_addr/; push @ignore_list, qr/^mynetworks:/; push @ignore_list, qr/^name_mask:/; #TDm reload -- version 2.6-20080814, configuration /etc/postfix #TDm reload configuration /etc/postfix push @ignore_list, qr/^reload (?:-- version \S+, )?configuration/; push @ignore_list, qr/^terminating on signal 15$/; push @ignore_list, qr/^verify error:num=/; push @ignore_list, qr/^verify return:/; push @ignore_list, qr/^nss_ldap: /; push @ignore_list, qr/^discarding EHLO keywords: /; push @ignore_list, qr/^sql auxprop plugin/; push @ignore_list, qr/^sql plugin/; push @ignore_list, qr/^sql_select/; push @ignore_list, qr/^auxpropfunc error/; push @ignore_list, qr/^commit transaction/; push @ignore_list, qr/^begin transaction/; push @ignore_list, qr/^maps_find: /; push @ignore_list, qr/^check_access: /; push @ignore_list, qr/^check_domain_access: /; push @ignore_list, qr/^check_mail_access: /; push @ignore_list, qr/^check_table_result: /; push @ignore_list, qr/^mail_addr_find: /; push @ignore_list, qr/^mail_addr_map: /; push @ignore_list, qr/^mail_flow_put: /; push @ignore_list, qr/^smtp_addr_one: /; push @ignore_list, qr/^smtp_connect_addr: /; push @ignore_list, qr/^smtp_connect_unix: trying: /; push @ignore_list, qr/^smtp_find_self: /; push @ignore_list, qr/^smtp_get: /; push @ignore_list, qr/^smtp_fputs: /; push @ignore_list, qr/^smtp_parse_destination: /; push @ignore_list, qr/^smtp_sasl_passwd_lookup: /; push @ignore_list, qr/^smtpd_check_/; push @ignore_list, qr/^smtpd_chat_notify: /; push @ignore_list, qr/^been_here: /; push @ignore_list, qr/^set_eugid: /; push @ignore_list, qr/^deliver_/; push @ignore_list, qr/^flush_send_file: queue_id/; push @ignore_list, qr/^milter_macro_lookup/; push @ignore_list, qr/^milter8/; push @ignore_list, qr/^skipping non-protocol event/; push @ignore_list, qr/^reply: /; push @ignore_list, qr/^event: /; push @ignore_list, qr/^trying... /; push @ignore_list, qr/ all milters$/; push @ignore_list, qr/^vstream_/; push @ignore_list, qr/^server features/; push @ignore_list, qr/^skipping event/; push @ignore_list, qr/^Using /; push @ignore_list, qr/^rec_(?:put|get): /; push @ignore_list, qr/^subject=/; push @ignore_list, qr/^issuer=/; push @ignore_list, qr/^pref /; # yes, multiple spaces push @ignore_list, qr/^request: \d/; push @ignore_list, qr/^done incoming queue scan$/; push @ignore_list, qr/^qmgr_/; push @ignore_list, qr/^trigger_server_accept_fifo: /; push @ignore_list, qr/^proxymap stream/; push @ignore_list, qr/^(?:start|end) sorted recipient list$/; push @ignore_list, qr/^connecting to \S+ port /; push @ignore_list, qr/^Write \d+ chars/; push @ignore_list, qr/^Read \d+ chars/; push @ignore_list, qr/^(?:lookup|delete) smtp session/; push @ignore_list, qr/^delete smtp session/; push @ignore_list, qr/^(?:reloaded|remove|looking for) session .* cache$/; push @ignore_list, qr/^(?:begin|end) \S+ address list$/; push @ignore_list, qr/^mapping DSN status/; push @ignore_list, qr/^record [A-Z]/; push @ignore_list, qr/^dir_/; push @ignore_list, qr/^transport_event/; push @ignore_list, qr/^read [A-Z](?: |$)/; push @ignore_list, qr/^relay: /; push @ignore_list, qr/^why: /; push @ignore_list, qr/^fp: /; push @ignore_list, qr/^path: /; push @ignore_list, qr/^level: /; push @ignore_list, qr/^recipient: /; push @ignore_list, qr/^delivered: /; push @ignore_list, qr/^queue_id: /; push @ignore_list, qr/^queue_name: /; push @ignore_list, qr/^user: /; push @ignore_list, qr/^sender: /; push @ignore_list, qr/^offset: /; push @ignore_list, qr/^offset: /; push @ignore_list, qr/^verify stream disconnect/; push @ignore_list, qr/^event_request_timer: /; push @ignore_list, qr/^smtp_sasl_authenticate: /; push @ignore_list, qr/^flush_add: /; push @ignore_list, qr/^disposing SASL state information/; push @ignore_list, qr/^starting new SASL client/; push @ignore_list, qr/^error: dict_ldap_connect: /; push @ignore_list, qr/^error: to submit mail, use the Postfix sendmail command/; push @ignore_list, qr/^local_deliver[:[]/; push @ignore_list, qr/^_sasl_plugin_load /; push @ignore_list, qr/^exp_type: /; push @ignore_list, qr/^wakeup [\dA-Z]/; push @ignore_list, qr/^defer (?:site|transport) /; push @ignore_list, qr/^local: /; push @ignore_list, qr/^exp_from: /; push @ignore_list, qr/^extension: /; push @ignore_list, qr/^owner: /; push @ignore_list, qr/^unmatched: /; push @ignore_list, qr/^domain: /; push @ignore_list, qr/^initializing the client-side TLS engine/; push @ignore_list, qr/^header_token: /; push @ignore_list, qr/^(?:PUSH|POP) boundary/; push @ignore_list, qr/^recipient limit \d+$/; push @ignore_list, qr/^scan_dir_next: found/; push @ignore_list, qr/^open (?:btree|incoming)/; push @ignore_list, qr/^Renamed to match inode number/; push @ignore_list, qr/^cleanup_[^:]+:/; push @ignore_list, qr/^(?:before|after) input_transp_cleanup: /; push @ignore_list, qr/^event_enable_read: /; push @ignore_list, qr/^report recipient to all milters /; push @ignore_list, qr/_action = defer_if_permit$/; push @ignore_list, qr/^reject_invalid_hostname: /; push @ignore_list, qr/^cfg_get_/; push @ignore_list, qr/^sacl_check: /; # non-anchored #push @ignore_list, qr/: Greylisted for /; push @ignore_list, qr/certificate verification (?:depth|failed for)/; push @ignore_list, qr/re-using session with untrusted certificate, look for details earlier in the log$/; push @ignore_list, qr/socket: wanted attribute: /; push @ignore_list, qr/ smtpd cache$/; push @ignore_list, qr/ old session$/; push @ignore_list, qr/fingerprint=/; push @ignore_list, qr/TLS cipher list "/; } # Evaluates a given line against the list of ignore patterns. # sub in_ignore_list($) { my $line = shift; foreach (@ignore_list) { #return 1 if $line =~ /$_/; if ($line =~ /$_/) { #$IGNORED{$_}++; return 1; } } return 0; } # Accepts common fields from a standard delivery attempt, processing then # and returning modified values # sub process_delivery_attempt ($ $ $ $) { my ($to,$origto,$DDD,$reason) = @_; $reason =~ s/\((.*)\)/$1/; # Makes capturing nested parens easier # leave $to/$origto undefined, or strip < > chars if not null address (<>). defined $to and $to = ($to eq '') ? '<>' : lc $to; defined $origto and $origto = ($origto eq '') ? '<>' : lc $origto; my ($localpart, $domainpart) = split ('@', $to); ($localpart, $domainpart) = ($to, '*unspecified') if ($domainpart eq ''); my ($dsn); # If recipient_delimiter is set, break localpart into user + extension # and save localpart in origto if origto is empty # if ($Opts{'recipient_delimiter'} and $localpart =~ /\Q$Opts{'recipient_delimiter'}\E/o) { # special cases: never split mailer-daemon or double-bounce # or owner- or -request if delim is "-" (dash). unless ($localpart =~ /^(?:mailer-daemon|double-bounce)$/i or ($Opts{'recipient_delimiter'} eq '-' and $localpart =~ /^owner-.|.-request$/i)) { my ($user,$extension) = split (/\Q$Opts{'recipient_delimiter'}\E/, $localpart, 2); $origto = $localpart if ($origto eq ''); $localpart = $user; } } unless (($dsn) = ($DDD =~ /dsn=(\d\.\d+\.\d+)/o)) { $dsn = ''; } if ($Collecting{'delays'} and $DDD =~ m{delay=([\d.]+)(?:, delays=([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+))?}) { # Message delivery time stamps # delays=a/b/c/d, where # a = time before queue manager, including message transmission # b = time in queue manager # c = connection setup including DNS, HELO and TLS; # d = message transmission time. if (defined $2) { $Delays{'1: Before qmgr'}{$2}++; $Delays{'2: In qmgr'}{$3}++; $Delays{'3: Conn setup'}{$4}++; $Delays{'4: Transmission'}{$5}++; } $Delays{'5: Total'}{$1}++; } return ($to,$origto,$localpart,$domainpart,$dsn,$reason); } # Processes postfix/bounce messages # sub postfix_bounce($) { my $line = shift; my $type; $line =~ s/^(?:$re_QID): //o; if ($line =~ /^(sender|postmaster) non-delivery notification/o) { #TDbQ postmaster non-delivery notification: 7446BCD68 #TDbQ sender non-delivery notification: 7446BCD68 $type = 'Non-delivery'; } elsif ($line =~ /^(sender|postmaster) delivery status notification/o ) { #TDbQ sender delivery status notification: 7446BCD68 $type = 'Delivery'; } elsif ($line =~ /^(sender|postmaster) delay notification: /o) { #TDbQ sender delay notification: AA61EC2F9A $type = 'Delayed'; } else { inc_unmatched('bounce') if ! in_ignore_list($line); return; } $Totals{'notificationsent'}++; return unless ($Collecting{'notificationsent'}); $Counts{'notificationsent'}{$type}{$1}++; } # Processes postfix/cleanup messages # cleanup always has a QID # sub postfix_cleanup($) { my $line = shift; my ($qid,$reply,$fmthost,$reject_name); ($qid, $line) = ($1, $2) if ($line =~ /^($re_QID): (.*)$/o ); #TDcQ message-id= return if ($line =~ /^message-id=/); # milter-reject, milter-hold, milter-discard if ($line =~ s/^milter-//) { milter_common($line); return; } ### cleanup bounced messages (always_bcc, recipient_bcc_maps, sender_bcc_maps) # Note: Bounce # See same code elsewhere "Note: Bounce" #TDcQ to=, relay=none, delay=0.11, delays=0.11/0/0/0, dsn=5.7.1, status=bounced optional text... #TDcQ to=, orig_to=, relay=none, delay=0.13, delays=0.13/0/0/0, dsn=5.7.1, status=bounced optional text... if ($line =~ /^to=<(.*?)>,(?: orig_to=<(.*?)>,)? relay=([^,]*).*, ($re_DDD), status=([^ ]+) (.*)$/o) { # ($to,$origto,$relay,$DDD,$status,$reason) = ($1,$2,$3,$4,$5,$6); if ($5 ne 'bounced' and $5 ne 'SOFTBOUNCE') { inc_unmatched('cleanupbounce'); return; } my ($to,$origto,$relay,$DDD,$reason) = ($1,$2,$3,$4,$6); my ($localpart,$domainpart,$dsn); ($to,$origto,$localpart,$domainpart,$dsn,$reason) = process_delivery_attempt ($to,$origto,$DDD,$reason); ### local bounce # XXX local v. remote bounce seems iffy, relative if ($relay =~ /^(?:none|local|virtual|maildrop|127\.0\.0\.1|avcheck)/) { $Totals{'bouncelocal'}++; return unless ($Collecting{'bouncelocal'}); $Counts{'bouncelocal'}{get_dsn_msg($dsn)}{$domainpart}{ucfirst($reason)}{$localpart}++; } ### remote bounce else { ($reply,$fmthost) = cleanhostreply($reason,$relay,$to ne '' ? $to : '<>',$domainpart); $Totals{'bounceremote'}++; return unless ($Collecting{'bounceremote'}); $Counts{'bounceremote'}{get_dsn_msg($dsn)}{$domainpart}{$localpart}{$fmthost}{$reply}++; } } # *header_checks and body_checks elsif (header_body_checks($line)) { #print "cleanup: header_body_checks\n"; return; } #TDcQ resent-message-id=4739073.1 #TDcQ resent-message-id= #TDcQ resent-message-id=? <120B11@samplepc> elsif ( ($line =~ /^resent-message-id=?$/o )) { $Totals{'resent'}++; } #TDcN unable to dlopen .../sasl2/libplain.so.2: .../sasl2/libplain.so.2: failed to map segment from shared object: Operation not permitted elsif ($line =~ /^unable to dlopen /) { # strip extraneous doubling of library path $line = "$1$2 $3" if ($line =~ /(unable to dlopen )([^:]+: )\2(.+)$/); postfix_warning($line); } else { inc_unmatched('cleanup(last)') if ! in_ignore_list($line); } } =pod header_body_checks Handle cleanup's header_checks and body_checks, and smtp's smtp_body_checks/smtp_*header_checks Possible actions that log are: REJECT optional text... DISCARD optional text... FILTER transport:destination HOLD optional text... REDIRECT user@domain PREPEND text... REPLACE text... WARN optional text... DUNNO and IGNORE are not logged Returns: 1: if line matched or handled 0: otherwise =cut sub header_body_checks($) { my $line = shift; # bcc, discard, filter, hold, prepend, redirect, reject, replace, warning return 0 if ($line !~ /^[bdfhprw]/) or # short circuit alternation when no match possible ($line !~ /^(re(?:ject|direct|place)|filter|hold|discard|prepend|warning|bcc): (header|body|content) (.*)$/); my ($action,$part,$p3) = ($1,$2,$3); #print "header_body_checks: action: \"$action\", part: \"$part\", p3: \"$p3\"\n"; my ($trigger,$host,$eto,$p4,$fmthost,$reject_name); # $re_QID: reject: body ... # $re_QID: reject: header ... # $re_QID: reject: content ... if ($p3 =~ /^(.*) from ([^;]+); from=<.*?>(?: to=<(.*?)>)?(?: proto=\S*)?(?: helo=<.*?>)?(?:: (.*)|$)/) { ($trigger,$host,$eto,$p4) = ($1,$2,$3,$4); # $action $part $trigger $host $eto $p4 #TDcQ reject: body Subject: Cheap cialis from local; from=: optional text... #TDcQ reject: body Quality replica watches!!! from hb.example.com[10.0.0.1]; from= to= proto=SMTP helo=: optional text... #TDcQ reject: header To: from hb.example.com[10.0.0.1]; from= to= proto=ESMTP helo=: optional text... # message_reject_characters (postfix >= 2.3) #TDcQ reject: content Received: by example.com Postfix from example.com[10.0.0.1]; from= to= proto=ESMTP helo=.example.com>: 5.7.1 disallowed character #TDcQ filter: header To: to@example.com from hb.example.com[10.0.0.1]; from= to= proto=ESMTP helo=: transport:destination #TDcQ hold: header Message-ID: from localhost[127.0.0.1]; from= to= proto=ESMTP helo=: optional text... #TDcQ hold: header Subject: Hold Test from local; from= to=: optional text... #TDcQ hold: header Received: by example.com...from x from local; from= #TDcQ hold: header Received: from x.com (x.com[10.0.0.1])??by example.com (Postfix) with ESMTP id 630BF??for ; Thu, 20 Oct 2006 13:27: from example.com[10.0.0.1]; from= to= proto=ESMTP helo= # hold: header Received: from [10.0.0.1] by example.com Thu, 9 Jan 2008 18:06:06 -0500 from sample.net[10.0.0.2]; from=<> to= proto=SMTP helo=: faked header #TDcQ redirect: header From: "Attn Men" from hb.example.com[10.0.0.1]; from= to= proto=ESMTP helo=: user@domain #TDcQ redirect: header From: "Superman" from hb.example.com[10.0.0.2]; from= to= proto=ESMTP helo=: user@domain #TDcQ redirect: body Original drugs from hb.example.com[10.0.0.1]; from= to= proto=SMTP helo=: user@domain #TDcQ discard: header Subject: **SPAM** Blah... from hb.example.com[10.0.0.1]; from= to= proto=ESMTP helo= #TDcQ prepend: header Rubble: Mr. from localhost[127.0.0.1]; from= to= proto=ESMTP helo=: text... #TDcQ replace: header Rubble: flintstone from localhost[127.0.0.1]; from= to= proto=ESMTP helo=: text... #TDcQ warning: header Date: Tues, 99:34:67 from localhost[127.0.0.1]; from= to= proto=ESMTP helo=: optional text... # BCC action (2.6 experimental branch) #TDcQ bcc: header To: to@example.com from hb.example.com[10.0.0.1]; from= to= proto=ESMTP helo=: user@domain # Note: reject_warning does not seem to occur } else { # smtp_body_checks, smtp_header_checks, smtp_mime_header_checks, smtp_nested_header_checks (postfix >= 2.5) #TDsQ replace: header Sender: : Sender: $trigger = $p3; $host = ''; $eto = ''; $p4 = $part eq 'body' ? 'smtp_body_checks' : 'smtp_*header_checks'; #inc_unmatched('header_body_checks'); #return 1; } #print " trigger: \"$trigger\", host: \"$host\", eto: \"$eto\", p4: \"$p4\"\n"; $trigger =~ s/\s+/ /g; $trigger = '*unknown reason' if ($trigger eq ''); $eto = '*unknown' if ($eto eq ''); my ($trig,$trig_opt,$text); if ($part eq 'header') { ($trig = $trigger) =~ s/^([^:]+:).*$/Header check "$1"/; } elsif ($part eq 'body') { $trig = "Body check"; } else { $trig = "Content check"; } # message_reject_characters (postfix >= 2.3) if ($p4 eq '') { $text = '*generic'; $trig_opt = $trig; } else { $text = $p4; $trig_opt = "$trig ($p4)"; } if ($host eq 'local') { $fmthost = formathost('127.0.0.1', 'local'); } elsif ($host =~ /([^[]+)\[([^]]+)\]/) { $fmthost = formathost($2,$1); } else { $fmthost = '*unknown'; } # Note: Counts # Ensure each $Counts{key} accumulator is consistently # used with the same number of hash key levels throughout the code. # For example, $Counts{'hold'} below has 4 keys; ensure that every # other usage of $Counts{'hold'} also has 4 keys. Currently, it is # OK to set the last key as '', but only the last. if ($action eq 'reject') { $Counts{'byiprejects'}{$fmthost}++ if $Collecting{'byiprejects'}; # Note: no temporary or reject_warning # Note: no reply code - force into a 5xx reject # XXX this won't be seen if the user has no 5.. entry in reject_reply_patterns $Totals{$reject_name = "5xxreject$part" }++; $Counts{$reject_name}{$text}{$eto}{$fmthost}{$trigger}++ if $Collecting{$reject_name}; } elsif ( $action eq 'filter' ) { $Totals{'filtered'}++; $Counts{'filtered'}{$text}{$trig}{$trigger}{$eto}{$fmthost}++ if $Collecting{'filtered'}; } elsif ( $action eq 'hold' ) { $Totals{'hold'}++; $Counts{'hold'}{$trig_opt}{$fmthost}{$eto}{$trigger}++ if $Collecting{'hold'}; } elsif ( $action eq 'redirect' ) { $Totals{'redirected'}++; $Counts{'redirected'}{$trig}{$text}{$eto}{$fmthost}{$trigger}++ if $Collecting{'redirected'}; } elsif ( $action eq 'discard' ) { $Totals{'discarded'}++; $Counts{'discarded'}{$trig}{$fmthost}{$eto}{$trigger}++ if $Collecting{'discarded'}; } elsif ( $action eq 'prepend' ) { $Totals{'prepended'}++; $Counts{'prepended'}{"$trig ($text)"}{$fmthost}{$eto}{$trigger}++ if $Collecting{'prepended'}; } elsif ( $action eq 'replace' ) { $Totals{'replaced'}++; $Counts{'replaced'}{"$trig ($text)"}{$fmthost}{$eto}{$trigger}++ if $Collecting{'replaced'}; } elsif ( $action eq 'warning' ) { $Totals{'warned'}++; $Counts{'warned'}{$trig}{$fmthost}{$eto}{$trigger}++ if $Collecting{'warned'}; } elsif ( $action eq 'bcc' ) { $Totals{'bcced'}++; $Counts{'bcced'}{$text}{$trig}{$trigger}{$eto}{$fmthost}++ if $Collecting{'bcced'}; } else { inc_unmatched('header_body_checks unexpected action'); } return 1; } # Handle common milter actions: # milter-reject, milter-hold, milter-discard # which are created by both smtpd and cleanup # sub milter_common($) { my $line = shift; #TDsdN milter-reject: MAIL from milterS.example.com[10.0.0.1]: 553 5.1.7 address incomplete; proto=ESMTP helo= #TDsdN milter-reject: CONNECT from milterS.example.com[10.0.0.2]: 451 4.7.1 Service unavailable - try again later; proto=SMTP #TDsdQ milter-reject: END-OF-MESSAGE from milterS.example.com[10.0.0.3]: 5.7.1 black listed URL host sample.com by ...uribl.com; from= to= proto=ESMTP helo= #TDsdQ milter-hold: END-OF-MESSAGE from milterS.example.com[10.0.0.4]: milter triggers HOLD action; from= to= proto=ESMTP helo= #TDcQ milter-reject: END-OF-MESSAGE from milterC.example.com[10.0.0.1]: 5.7.1 Some problem; from= to= proto=SMTP helo= #TDcQ milter-reject: CONNECT from milterC.example.com[10.0.0.2]: 5.7.1 Some problem; proto=SMTP #TDcQ milter-hold: END-OF-MESSAGE from milterC.example.com[10.0.0.3]: milter triggers HOLD action; from= to= proto=ESMTP helo= #TDcQ milter-discard: END-OF-MESSAGE from milterC.example.com[10.0.0.4]: milter triggers DISCARD action; from= to= proto=ESMTP helo= # 84B82AC8B3: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Blocked my ($efrom,$eto,$proto,$helo) = strip_ftph($line); #print "efrom: '$efrom', eto: '$eto', proto: '$proto', helo: '$helo'\n"; $line =~ s/;$//; if ($line =~ /^(reject|hold|discard): (\S+) from ([^[]+)\[([^]]+)\](?::\d+)?: (.*)$/) { my ($action,$stage,$host,$hostip,$reply) = ($1,$2,$3,$4,$5); #print "action: '$action', stage: '$stage', host: '$host', hostip: '$hostip', reply: '$reply'\n"; if ($action eq 'reject') { my ($dsn,$fmthost,$reject_name); ($dsn,$reply) = ($1,$2) if $reply =~ /^($re_DSN) (.*)$/o; #print " dsn: '$dsn', reply: '$reply'\n"; if ($Collecting{'byiprejects'} and substr($dsn,0,1) eq '5') { $fmthost = formathost($hostip,$host); $Counts{'byiprejects'}{$fmthost}++; } # Note: reject_warning does not seem to occur # Note: See rejectmilter elsewhere $Totals{$reject_name = get_reject_key($dsn) . 'rejectmilter' }++; return unless ($Collecting{$reject_name}); $Counts{$reject_name}{$stage}{$fmthost ? $fmthost : formathost($hostip,$host)}{$reply}++; } # milter-hold elsif ($action eq 'hold') { $Totals{'hold'}++; return unless ($Collecting{'hold'}); $Counts{'hold'}{'milter'}{$stage}{formathost($hostip,$host)}{$eto}++; } # milter-discard else { # $action eq 'discard' $Totals{'discarded'}++; return unless ($Collecting{'discarded'}); $Counts{'discarded'}{'milter'}{$stage}{formathost($hostip,$host)}{$eto}++; } } else { inc_unmatched('milter_common)'); } } sub postfix_dnsblog { my $line = shift; #postfix/dnsblog[16943]: addr 192.168.0.1 listed by domain bl.spamcop.net as 127.0.0.2 #postfix/dnsblog[78598]: addr 192.168.0.1 blocked by domain zen.spamhaus.org as 127.0.0.11 if ($line =~ /^addr (\S+) (?:listed|blocked) by domain (\S+) as (\S+)$/) { $Counts{'dnsblog'}{$2}{$1}{$3}++ if $Collecting{'dnsblog'}; } else { inc_unmatched('dnsblog') if ! in_ignore_list($line); return; } } sub postfix_postscreen { my $line = shift; return if ( $line =~ /^cache / or $line =~ /discarding EHLO keywords: / or $line =~ /: discard_mask / or $line =~ /: sq=\d+ cq=\d+ event/ or $line =~ /: replacing command "/ ); if (($line =~ /^(PREGREET) \d+ (?:after \S+)? from \[([^]]+)\](?::\d+)?/) or # PREGREET 20 after 0.31 from [192.168.0.1]:12345: HELO 10.0.0.1?? # HANGUP after 0.7 from [192.168.0.4]:12345 ($line =~ /^(HANGUP) (?:after \S+)? from \[([^]]+)\](?::\d+)?/)) { $Counts{'postscreen'}{lc $1}{$2}{$END_KEY}++ if $Collecting{'postscreen'}; } elsif ($line =~ /^(WHITELISTED|BLACKLISTED|PASS \S+) \[([^]]+)\](?::\d+)?$/) { # PASS NEW [192.168.0.2]:12345 # PASS OLD [192.168.0.3]:12345 $Counts{'postscreen'}{lc $1}{$2}{$END_KEY}++ if $Collecting{'postscreen'}; } elsif ($line =~ /^DNSBL rank (\S+) for \[([^]]+)\](?::\d+)?$/) { $Counts{'postscreen'}{'dnsbl'}{$2}{$1}++ if $Collecting{'postscreen'}; } elsif ($line =~ /^(CONNECT|COMMAND (?:(?:TIME|COUNT|LENGTH) LIMIT|PIPELINING)|NON-SMTP COMMAND|BARE NEWLINE) from \[([^\]]+)\]:\d+/) { # CONNECT from [192.168.1.1]:12345 $Counts{'postscreen'}{lc($1)}{$2}{$END_KEY}++ if $Collecting{'postscreen'}; } elsif ($line =~ /^DISCONNECT \[([^\]]+)\]:\d+$/) { # DISCONNECT [192.168.1.1]:12345 $Counts{'postscreen'}{'disconnect'}{$1}{$END_KEY}++ if $Collecting{'postscreen'}; } elsif ($line =~ /^NOQUEUE: reject: RCPT from \[([^]]+)\](?::\d+)?: ($re_DSN) ([^;]+)/o) { #NOQUEUE: reject: RCPT from [192.168.0.1]:12345: 550 5.7.1 Service unavailable; client [192.168.0.1] blocked using b.barracudacentral.org; from=, to=, proto=SMTP, helo= my ($ip,$dsn,$msg) = ($1,$2,$3); if ($dsn =~ /^([54])/) { $Counts{'postscreen'}{$1 . 'xx reject'}{"$dsn $msg"}{$ip}++ if $Collecting{'postscreen'}; } else { $Counts{'postscreen'}{'reject'}{"$dsn $msg"}{$ip}{$END_KEY}++ if $Collecting{'postscreen'}; } } elsif ($line =~ /^NOQUEUE: reject: CONNECT from \[([^]]+)\](?::\d+)?: too many connections/) { # NOQUEUE: reject: CONNECT from [192.168.0.1]:7197: too many connections $Counts{'postscreen'}{'reject'}{'Too many connections'}{$1}{$END_KEY}++ if $Collecting{'postscreen'}; } elsif ($line =~ /^reject: connect from \[([^]]+)\](?::\d+)?: (.+)$/) { # reject: connect from [192.168.0.1]:21225: all screening ports busy $Counts{'postscreen'}{'reject'}{"\u$2"}{$1}{$END_KEY}++ if $Collecting{'postscreen'}; } elsif ($line =~ /^(?:WHITELIST VETO) \[([^]]+)\](?::\d+)?$/) { # WHITELIST VETO [192.168.0.8]:43579 $Counts{'postscreen'}{'whitelist veto'}{$1}{$END_KEY}++ if $Collecting{'postscreen'}; } elsif ($line =~ /^(entering|leaving) STRESS mode with (\d+) connections$/) { # entering STRESS mode with 90 connections $Counts{'postscreen'}{'stress mode: ' . $1}{$2}{$END_KEY}++ if $Collecting{'postscreen'}; } elsif ($line =~ /^close database (\S+): No such file or directory/) { # close database /var/lib/postfix/postscreen_cache.db: No such file or directory (possible Berkeley DB bug) $Counts{'postscreen'}{'close database'}{$1}{$END_KEY}++ if $Collecting{'postscreen'}; } else { inc_unmatched('postscreen') if ! in_ignore_list($line); return; } $Totals{'postscreen'}++; } # Handles postfix/postsuper lines # sub postfix_postsuper($) { my $line = shift; return if $line =~ /^Deleted: \d+ messages?$/; if ($line =~ /^Placed on hold: (\d+) messages?$/o) { #TDps Placed on hold: 2 messages # Note: See Hold elsewhere $Totals{'hold'} += $1; return unless ($Collecting{'hold'}); $Counts{'hold'}{'Postsuper'}{'localhost'}{"bulk hold: $1"}{''} += $1; } elsif ($line =~ /^Released from hold: (\d+) messages?$/o) { #TDps Released from hold: 1 message $Totals{'releasedfromhold'} += $1; } elsif ($line =~ /^Requeued: (\d+) messages?$/o) { #TDps Requeued: 1 message $Totals{'requeued'} += $1; } elsif (my($qid,$p2) = ($line =~ /($re_QID): (.*)$/)) { # postsuper double reports the following 3 lines return if ($p2 eq 'released from hold'); return if ($p2 eq 'placed on hold'); return if ($p2 eq 'requeued'); if ($p2 =~ /^removed\s*$/o) { # Note: See REMOVED elsewhere # 52CBDC2E0F: removed delete $SizeByQid{$qid} if (exists $SizeByQid{$qid}); $Totals{'removedfromqueue'}++; } elsif (! in_ignore_list ($p2)) { inc_unmatched('postsuper2'); } } elsif (! in_ignore_list ($line)) { inc_unmatched('postsuper1'); } } # Handles postfix panic: lines # sub postfix_panic($) { #TD panic: myfree: corrupt or unallocated memory block $Totals{'panicerror'}++; return unless ($Collecting{'panicerror'}); $Counts{'panicerror'}{ucfirst($1)}++; } # Handles postfix fatal: lines # sub postfix_fatal($) { my ($reason) = shift; if ($reason =~ /^\S*\(\d+\): Message file too big$/o) { #TD fatal: root(0): Message file too big $Totals{'fatalfiletoobig'}++; # XXX its not clear this is at all useful - consider falling through to last case } elsif ( $reason =~ /^config variable (\S*): (.*)$/o ) { #TD fatal: config variable inet_interfaces: host not found: 10.0.0.1:2525 #TD fatal: config variable inet_interfaces: host not found: all:2525 $Totals{'fatalconfigerror'}++; return unless ($Collecting{'fatalconfigerror'}); $Counts{'fatalconfigerror'}{ucfirst($reason)}++; } else { #TD fatal: watchdog timeout #TD fatal: bad boolean configuration: smtpd_use_tls = #TDvN fatal: update queue file active/4B709F060E: File too large $reason =~ s/(^update queue file \w+\/)\w+:/$1*:/; $Totals{'fatalerror'}++; return unless ($Collecting{'fatalerror'}); $Counts{'fatalerror'}{ucfirst($reason)}++; } } # Handles postfix fatal: lines # sub postfix_error($) { my ($reason) = shift; # postfix/postfix-script[4271]: error: unknown command: 'rel' $Totals{'error'}++; return unless ($Collecting{'fatalerror'}); $Counts{'error'}{ucfirst($reason)}++; } # Handles postfix warning: lines # and additional lines coerced into warnings # sub postfix_warning($) { my ($warning) = shift; # Skip these return if ($warning =~ /$re_QID: skipping further client input$/o); return if ($warning =~ /^Mail system is down -- accessing queue directly$/o); return if ($warning =~ /^SASL authentication failure: (?:Password verification failed|no secret in database)$/o); return if ($warning =~ /^no MX host for .* has a valid A record$/o); return if ($warning =~ /^uid=\d+: Broken pipe$/o); #TD warning: connect to 127.0.0.1:12525: Connection refused #TD warning: problem talking to server 127.0.0.1:12525: Connection refused #TD warning: valid_ipv4_hostaddr: invalid octet count: my ($domain,$to,$type,$site,$helo,$cmd); my ($addr,$size,$hostip,$host,$port,$reason,$qid,$queue,$reason2,$process,$status,$service); if (($hostip,$host,$reason) = ($warning =~ /^(?:smtpd_peer_init: )?([^:]+): hostname ([^ ]+) verification failed: (.*)$/) or ($hostip,$reason,$host) = ($warning =~ /^(?:smtpd_peer_init: )?([^:]+): (address not listed for hostname) (.*)$/) or ($host,$reason,$hostip,$reason2) = ($warning =~ /^(?:smtpd_peer_init: )?hostname (\S+) (does not resolve to address) ([\d.]+)(: host not found, try again)?$/)) { #TD warning: 10.0.0.1: hostname sample.com verification failed: Host not found #TD warning: smtpd_peer_init: 192.168.0.1: hostname example.com verification failed: Name or service not known #TD warning: 192.168.0.1: address not listed for hostname sample.net # post 2.8 #TD warning: hostname 281.example.net does not resolve to address 192.168.0.1: host not found, try again #TD warning: hostname 281.example.net does not resolve to address 192.168.0.1 $reason .= $reason2 if $reason2; $Totals{'hostnameverification'}++; return unless ($Collecting{'hostnameverification'}); $Counts{'hostnameverification'}{ucfirst($reason)}{formathost($hostip,$host)}++; } elsif (($warning =~ /^$re_QID: queue file size limit exceeded$/o) or ($warning =~ /^uid=\d+: File too large$/o)) { $Totals{'warnfiletoobig'}++; } elsif ($warning =~ /^database (?:[^ ]*) is older than source file ([\w\/]+)$/o) { #TD warning: database /etc/postfix/client_checks.db is older than source file /etc/postfix/client_checks $Totals{'databasegeneration'}++; return unless ($Collecting{'databasegeneration'}); $Counts{'databasegeneration'}{$1}++; } elsif (($reason,$qid,$reason2) = ($warning =~ /^(open active) ($re_QID): (.*)$/o) or ($reason,$qid,$reason2) = ($warning =~ /^qmgr_active_corrupt: (save corrupt file queue active) id ($re_QID): (.*)$/o) or ($qid,$reason,$reason2) = ($warning =~ /^($re_QID): (write queue file): (.*)$/o)) { #TD warning: open active BDB9B1309F7: No such file or directory #TD warning: qmgr_active_corrupt: save corrupt file queue active id 4F4272F342: No such file or directory #TD warning: E669DE52: write queue file: No such file or directory $Totals{'queuewriteerror'}++; return unless ($Collecting{'queuewriteerror'}); $Counts{'queuewriteerror'}{"$reason: $reason2"}{$qid}++; } elsif (($qid,$reason) = ($warning =~ /^qmgr_active_done_3_generic: remove ($re_QID) from active: (.*)$/o)) { #TD warning: qmgr_active_done_3_generic: remove AF0F223FC05 from active: No such file or directory $Totals{'queuewriteerror'}++; return unless ($Collecting{'queuewriteerror'}); $Counts{'queuewriteerror'}{"remove from active: $reason"}{$qid}++; } elsif (($queue,$qid) = ($warning =~ /^([^\/]*)\/($re_QID): Error writing message file$/o )) { #TD warning: maildrop/C9E66ADF: Error writing message file $Totals{'messagewriteerror'}++; return unless ($Collecting{'messagewriteerror'}); $Counts{'messagewriteerror'}{$queue}{$qid}++; } elsif (($process,$status) = ($warning =~ /^process ([^ ]*) pid \d+ exit status (\d+)$/o)) { #TD warning: process /usr/lib/postfix/smtp pid 9724 exit status 1 $Totals{'processexit'}++; return unless ($Collecting{'processexit'}); $Counts{'processexit'}{"Exit status $status"}{$process}++; } elsif ($warning =~ /^mailer loop: (.*)$/o) { #TD warning: mailer loop: best MX host for example.com is local $Totals{'mailerloop'}++; return unless ($Collecting{'mailerloop'}); $Counts{'mailerloop'}{$1}++; } elsif ($warning =~ /^no (\S+) host for (\S+) has a valid address record$/) { #TDs warning: no MX host for example.com has a valid address record $Totals{'dnserror'}++; return unless ($Collecting{'dnserror'}); $Counts{'dnserror'}{"No $1 host has a valid address record"}{$2}{$END_KEY}++; } elsif ($warning =~ /^(Unable to look up \S+ host) (.+)$/) { #TDsd warning: Unable to look up MX host for example.com: Host not found #TDsd warning: Unable to look up MX host mail.example.com for Sender address from@example.com: hostname nor servname provided, or not known #TDsd warning: Unable to look up NS host ns1.example.logal for Sender address bounce@example.local: No address associated with hostname $Totals{'dnserror'}++; return unless ($Collecting{'dnserror'}); my ($problem,$target,$reason) = ($1, split(/: /,$2)); $reason =~ s/, try again//; if ($target =~ /^for (\S+)$/) { $Counts{'dnserror'}{$problem}{ucfirst($reason)}{$1}{$END_KEY}++; } elsif ($target =~ /^(\S+)( for \S+ address) (\S+)$/) { $Counts{'dnserror'}{$problem . lc($2)}{ucfirst($reason)}{$1}{$3}++; } } elsif ($warning =~ /^((?:malformed|numeric) domain name in .+? of \S+ record) for (.*):(.*)?$/) { my ($problem,$domain,$reason) = ($1,$2,$3); #TDsd warning: malformed domain name in resource data of MX record for example.com: #TDsd warning: malformed domain name in resource data of MX record for example.com: mail.example.com\\032 #TDsd warning: numeric domain name in resource data of MX record for sample.com: 192.168.0.1 $Totals{'dnserror'}++; return unless ($Collecting{'dnserror'}); $Counts{'dnserror'}{ucfirst($problem)}{$domain}{$reason eq '' ? '*unknown' : $reason}{$END_KEY}++; } elsif ($warning =~ /^numeric hostname: ([\S]+)$/) { #TD warning: numeric hostname: 192.168.0.1 $Totals{'numerichostname'}++; return unless ($Collecting{'numerichostname'}); $Counts{'numerichostname'}{$1}++; } elsif ( ($host,$hostip,$port,$type,$reason) = ($warning =~ /^([^[]+)\[([^]]+)\](?::(\d+))? (sent \w+ header instead of SMTP command): (.*)$/) or ($type,$host,$hostip,$port,$reason) = ($warning =~ /^(non-E?SMTP command) from ([^[]+)\[([^]]+)\](?::(\d+))?: (.*)$/) or ($type,$host,$hostip,$port,$reason) = ($warning =~ /^(?:$re_QID: )?(non-E?SMTP response) from ([^[]+)\[([^]]+)\](?::(\d+))?:(?: (.*))?$/o)) { # ancient #TDsd warning: example.com[192.168.0.1] sent message header instead of SMTP command: From: "Someone" <40245426501example.com> # current #TDsd warning: non-SMTP command from sample.net[10.0.0.1]: Received: from 192.168.0.1 (HELO bogus.sample.com) #TDs warning: 6B01A8DEF: non-ESMTP response from mail.example.com[192.168.0.1]:25: $Totals{'smtpconversationerror'}++; return unless ($Collecting{'smtpconversationerror'}); $host .= ' :' . $port if ($port and $port ne '25'); $Counts{'smtpconversationerror'}{ucfirst($type)}{formathost($hostip,$host)}{$reason}++; } elsif ($warning =~ /^valid_hostname: (.*)$/o) { #TD warning: valid_hostname: empty hostname $Totals{'hostnamevalidationerror'}++; return unless ($Collecting{'hostnamevalidationerror'}); $Counts{'hostnamevalidationerror'}{$1}++; } elsif (($host,$hostip,$type,$reason) = ($warning =~ /^([^[]+)\[([^]]+)\](?::\d+)?: SASL (.*) authentication failed(.*)$/)) { #TDsd warning: unknown[10.0.0.1]: SASL LOGIN authentication failed: bad protocol / cancel #TDsd warning: example.com[192.168.0.1]: SASL DIGEST-MD5 authentication failed # see saslauthfail elsewhere $Totals{'saslauthfail'}++; return unless ($Collecting{'saslauthfail'}); if ($reason) { $reason = $type . $reason; } else { $reason = $type; } $Counts{'saslauthfail'}{$reason}{formathost($hostip,$host)}++; } elsif (($host,$reason) = ($warning =~ /^(\S+): RBL lookup error:.* Name service error for (?:name=)?\1(?: type=[^:]+)?: (.*)$/o)) { #TD warning: 192.168.0.1.sbl.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=192.168.0.1.sbl.spamhaus.org type=A: Host not found, try again #TD warning: 10.0.0.1.relays.osirusoft.com: RBL lookup error: Name service error for 10.0.0.1.relays.osirusoft.com: Host not found, try again $Totals{'rblerror'}++; return unless ($Collecting{'rblerror'}); $Counts{'rblerror'}{$reason}{$host}++; } elsif ( ($host,$hostip,$reason,$helo) = ($warning =~ /^host ([^[]+)\[([^]]+)\](?::\d+)? (greeted me with my own hostname) ([^ ]*)$/ ) or ($host,$hostip,$reason,$helo) = ($warning =~ /^host ([^[]+)\[([^]]+)\](?::\d+)? (replied to HELO\/EHLO with my own hostname) ([^ ]*)$/ )) { #TDs warning: host example.com[192.168.0.1] greeted me with my own hostname example.com #TDs warning: host example.com[192.168.0.1] replied to HELO/EHLO with my own hostname example.com $Totals{'heloerror'}++; return unless ($Collecting{'heloerror'}); $Counts{'heloerror'}{ucfirst($reason)}{formathost($hostip,$host)}++; } elsif (($size,$host,$hostip) = ($warning =~ /^bad size limit "([^"]+)" in EHLO reply from ([^[]+)\[([^]]+)\](?::\d+)?$/ )) { #TD warning: bad size limit "-679215104" in EHLO reply from example.com[192.168.0.1] $Totals{'heloerror'}++; return unless ($Collecting{'heloerror'}); $Counts{'heloerror'}{"Bad size limit in EHLO reply"}{formathost($hostip,$host)}{"$size"}++; } elsif ( ($host,$hostip,$cmd,$addr) = ($warning =~ /^Illegal address syntax from ([^[]+)\[([^]]+)\](?::\d+)? in ([^ ]*) command: (.*)/ )) { #TD warning: Illegal address syntax from example.com[192.168.0.1] in MAIL command: user@sample.net $addr =~ s/[<>]//g unless ($addr eq '<>'); $Totals{'illegaladdrsyntax'}++; return unless ($Collecting{'illegaladdrsyntax'}); $Counts{'illegaladdrsyntax'}{$cmd}{$addr}{formathost($hostip,$host)}++; } elsif ($warning =~ /^(timeout|premature end-of-input) on (.+) while reading (.*)$/o or $warning =~ /^(malformed (?:base64|numerical)|unexpected end-of-input) from (.+) while reading (.*)$/o) { #TDs warning: premature end-of-input on private/anvil while reading input attribute name #TDs warning: timeout on private/anvil while reading input attribute data #TDs warning: unexpected end-of-input from 127.0.0.1:10025 socket while reading input attribute name #TDs warning: malformed base64 data from %s while reading input attribute data: ... #TDs warning: malformed numerical data from %s while reading input attribute data: ... $Totals{'attrerror'}++; return unless ($Collecting{'attrerror'}); $Counts{'attrerror'}{$2}{$1}{$3}++; } elsif ($warning =~ /^(.*): (bad command startup -- throttling)/o) { #TD warning: /usr/libexec/postfix/trivial-rewrite: bad command startup -- throttling $Totals{'startuperror'}++; return unless ($Collecting{'startuperror'}); $Counts{'startuperror'}{ucfirst($2)}{$1}++; } elsif ($warning =~ /(problem talking to service [^:]*): (.*)$/o) { #TD warning: problem talking to service rewrite: Connection reset by peer #TD warning: problem talking to service rewrite: Success $Totals{'communicationerror'}++; return unless ($Collecting{'communicationerror'}); $Counts{'communicationerror'}{ucfirst($1)}{$2}++; } elsif (my ($map,$key) = ($warning =~ /^$re_QID: ([^ ]*) map lookup problem for (.*)$/o)) { #TD warning: 6F74F74431: virtual_alias_maps map lookup problem for root@example.com $Totals{'mapproblem'}++; return unless ($Collecting{'mapproblem'}); $Counts{'mapproblem'}{$map}{$key}++; } elsif (($map,$reason) = ($warning =~ /^pcre map ([^,]+), (.*)$/o)) { #TD warning: pcre map /etc/postfix/body_checks, line 92: unknown regexp option "F": skipping this rule $Totals{'mapproblem'}++; return unless ($Collecting{'mapproblem'}); $Counts{'mapproblem'}{$map}{$reason}++; } elsif (($reason) = ($warning =~ /dict_ldap_lookup: (.*)$/o)) { #TD warning: dict_ldap_lookup: Search error 80: Internal (implementation specific) error $Totals{'ldaperror'}++; return unless ($Collecting{'ldaperror'}); $Counts{'ldaperror'}{$reason}++; } elsif (($type,$size,$host,$hostip,$service) = ($warning =~ /^(.+) limit exceeded: (\d+) from ([^[]+)\[([^]]+)\](?::\d+)? for service (.*)/ )) { #TDsd warning: Connection concurrency limit exceeded: 51 from example.com[192.168.0.1] for service smtp #TDsd warning: Connection rate limit exceeded: 20 from mail.example.com[192.168.0.1] for service smtp #TDsd warning: Connection rate limit exceeded: 30 from unknown[unknown] for service smtp #TDsd warning: Recipient address rate limit exceeded: 21 from example.com[10.0.0.1] for service smtp #TDsd warning: Message delivery request rate limit exceeded: 11 from example.com[10.0.0.1] for service smtp #TDsd warning: New TLS session rate limit exceeded: 49 from example.com[10.0.0.1] for service smtp $Totals{'anvil'}++; return unless ($Collecting{'anvil'}); $Counts{'anvil'}{$service}{$type}{formathost($hostip,$host)}{$size}++; } elsif (my ($extname,$intname,$limit) = ($warning =~ /service "([^"]+)" \(([^)]+)\) has reached its process limit "([^"]+)":/o)) { #TD warning: service "smtp" (25) has reached its process limit "50": new clients may experience noticeable delays $Totals{'processlimit'}++; return unless ($Collecting{'processlimit'}); $Counts{'processlimit'}{'See http://www.postfix.org/STRESS_README.html'}{"$extname ($intname)"}{$limit}++; } else { #TDsd warning: No server certs available. TLS won't be enabled #TDs warning: smtp_connect_addr: bind : Address already in use # These two messages follow ProcessLimit message above #TDm warning: to avoid this condition, increase the process count in master.cf or reduce the service time per client #TDm warning: see http://www.postfix.org/STRESS_README.html for examples of stress-dependent configuration settings return if ($warning =~ /^to avoid this condition,/o); return if ($warning =~ /^see http:\/\/www\.postfix\.org\/STRESS_README.html/o); #TDsd warning: 009314BD9E: read timeout on cleanup socket $warning =~ s/^$re_QID: (read timeout on \S+ socket)/$1/; #TDsd warning: Read failed in network_biopair_interop with errno=0: num_read=0, want_read=11 #TDs warning: Read failed in network_biopair_interop with errno=0: num_read=0, want_read=11 $warning =~ s/^(Read failed in network_biopair_interop) with .*$/$1/; =cut $warning =~ s/^(TLS library problem: )\d+:(error:.*)$/$1$2/; $warning =~ s/^(network_biopair_interop: error reading) \d+ bytes(.*)$/$1$2/; 1 TLS library problem: 10212:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher... 1 TLS library problem: 10217:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher... 1 network_biopair_interop: error reading 1102 bytes from the network: Connection reset by peer 1 network_biopair_interop: error reading 1120 bytes from the network: Connection reset by peer =cut $Totals{'warningsother'}++; return unless ($Collecting{'warningsother'}); $Counts{'warningsother'}{$warning}++; } } # Handles postfix/postfix-script lines # sub postfix_script($) { my $line = shift; return if ($line =~ /^the Postfix mail system is running: PID: /o); if ($line =~ /^starting the Postfix mail system/o) { $Totals{'postfixstart'}++; } elsif ($line =~ /^stopping the Postfix mail system/o) { $Totals{'postfixstop'}++; } elsif ($line =~ /^refreshing the Postfix mail system/o) { $Totals{'postfixrefresh'}++; } elsif ($line =~ /^waiting for the Postfix mail system to terminate/o) { $Totals{'postfixwaiting'}++; } elsif (! in_ignore_list ($line)) { inc_unmatched('postfix_script'); } } # Clean up a server's reply, to give some uniformity to reports # sub cleanhostreply($ $ $ $) { my ($hostreply,$relay,$recip,$domain) = @_; my $fmtdhost = ''; my ($r1, $r2, $dsn, $msg, $host, $event); #print "RELAY: $relay, RECIP: $recip, DOMAIN: $domain\n"; #print "HOSTREPLY: \"$hostreply\"\n"; return ('Accepted', '*unknown') if $hostreply =~ /^25\d/o; # Host or domain name not found. Name service error for name=example.com type=MX: Host not found... if ($hostreply =~ /^Host or domain name not found. Name service error for name=([^:]+): Host not found/o) { return ('Host not found', $1); } if (($host,$dsn,$r1) = ($hostreply =~ /host (\S+) said: ($re_DSN)[\- :]*"?(.*)"?$/o)) { # Strip recipient address from host's reply - we already have it in $recip. $r1 =~ s/[<(]?\Q$recip\E[>)]?\W*//ig; # Strip and capture "in reply to XYZ command" from host's reply if ($r1 =~ s/\s*[(]?(?:in reply to (.*) command)[)]?//o) { $r2 = ": $1"; } $r1 =~ s/^Recipient address rejected: //o; # Canonicalize numerous forms of "recipient unknown" if ( $r1 =~ /^user unknown/i or $r1 =~ /^unknown user/i or $r1 =~ /^unknown recipient address/i or $r1 =~ /^invalid recipient/i or $r1 =~ /^recipient unknown/i or $r1 =~ /^sorry, no mailbox here by that name/i or $r1 =~ /^User is unknown/ or $r1 =~ /^User not known/ or $r1 =~ /^MAILBOX NOT FOUND/ or $r1 =~ /^Recipient Rejected: No account by that name here/ or $r1 =~ /^Recipient does not exist here/ or $r1 =~ /The email account that you tried to reach does not exist./ # Google's long mess or $r1 =~ /(?:no such user|user unknown)/i ) { #print "UNKNOWN RECIP: $r1\n"; $r1 = 'Unknown recipient'; } elsif ($r1 =~ /greylisted/oi) { #print "GREYLISTED RECIP: $r1\n"; $r1 = 'Recipient greylisted'; } elsif ($r1 =~ /^Message temporarily deferred - (\d\.\d+\.\d+)\. Please refer to (.+)$/o) { # Yahoo: 421 Message temporarily deferred - 4.16.51. Please refer to http://... (in reply to end of DATA command)) $dsn = "$dsn $1"; $r1 = "see $2"; } elsif ($r1 =~ /^Resources temporarily not available - Please try again later \[#(\d\.\d+\.\d+)\]\.$/o) { #Yahoo 451 Resources temporarily not available - Please try again later [#4.16.5]. $dsn = "$dsn $1"; $r1 = "resources not available"; } elsif ($r1 =~ /^Message temporarily deferred - (\[\d+\])/o) { # Yahoo: 451 Message temporarily deferred - [160] $dsn = "$dsn $1"; $r1 = ''; } } elsif ($hostreply =~ /^connect to (\S+): (.*)$/o) { #print "CONNECT: $hostreply\n"; $host = $1; $r1 = $2; $r1 =~ s/server refused to talk to me/refused/; } elsif ($hostreply =~ /^host (\S+) refused to talk to me: (.*)$/o) { $host = $1; $msg = $2; #print "HOSTREFUSED: $hostreply\n"; #Yahoo: '421 Message from (10.0.0.1) temporarily deferred - 4.16.50. Please refer to http://... if ($msg =~ /^(\d+) Message from \([^)]+\) temporarily deferred - (\d\.\d+\.\d+)\. Please refer to (.+)$/) { $dsn = "$1 $2"; $msg = "see $3"; } #$r1 = join(': ', 'refused', $msg); $r1 = $msg; } elsif ($hostreply =~ /^(delivery temporarily suspended): connect to (\S+): (.*)$/o) { #print "DELIVERY SUSP: $hostreply\n"; $host = $2; $r1 = join(': ', $1, $3); } elsif ($hostreply =~ /^(delivery temporarily suspended: conversation) with (\S+) (.*)$/o) { # delivery temporarily suspended: conversation with example.com[10.0.0.1] timed out while receiving the initial server greeting) #print "DELIVERY SUSP2: $hostreply\n"; $host = $2; $r1 = join(' ', $1, $3); } elsif (($event,$host,$r1) = ($hostreply =~ /^(lost connection|conversation) with (\S+) (.*)$/o)) { #print "LOST conv/conn: $hostreply\n"; $r1 = join(' ',$event,$r1); } elsif ($hostreply =~ /^(.*: \S+maildrop: Unable to create a dot-lock) at .*$/o) { #print "MAILDROP: $hostreply\n"; $r1 = $1; } elsif ($hostreply =~ /^mail for (\S+) loops back to myself/o) { #print "LOOP: $hostreply\n"; $host = $1; $r1 = 'mailer loop'; } elsif ($hostreply =~ /^unable to find primary relay for (\S+)$/o) { #print "NORELAY: $hostreply\n"; $host = $1; $r1 = 'no relay found'; } elsif ($hostreply =~ /^message size \d+ exceeds size limit \d+ of server (\S+)\s*$/o) { #print "TOOBIG: $hostreply\n"; $host = $1; $r1 = 'message too big'; } else { #print "UNMATCH: $hostreply\n"; $r1 = $hostreply; } #print "R1: $r1, R2: $r2\n"; $r1 =~ s/for name=\Q$domain\E //ig; if ($host eq '') { if ($relay =~ /([^[]+)\[([^]]+)\]/) { $fmtdhost = formathost($2,$1); } else { $fmtdhost = '*unknown'; } } elsif ($host =~ /^([^[]+)\[([^]]+)\]/) { $fmtdhost = formathost($2,$1); } else { $fmtdhost = $host; } return (($dsn ? "$dsn " : '' ) . "\u$r1$r2", $fmtdhost); } # Strip and return from, to, proto, and helo information from a log line # From is set to the empty envelope sender <> as necessary, and To is # always lowercased. # # Note: modifies its input for efficiency # sub strip_ftph($) { my ($helo, $proto, $to, $from); #print "strip_ftph: '$_[0]\n"; $helo = ($_[0] =~ s/\s+helo=<(.*?)>\s*$//) == 1 ? $1 : '*unavailable'; $proto = ($_[0] =~ s/\s+proto=(\S+)\s*$//) == 1 ? $1 : '*unavailable'; $to = ($_[0] =~ s/\s+to=<(.*?)>\s*$//) == 1 ? (lc($1) || '<>') : '*unavailable'; $from = ($_[0] =~ s/\s+from=<(.*?)>\s*$//) == 1 ? ( $1 || '<>') : '*unavailable'; #print "helo: $helo, proto: $proto, to: $to, from: $from\n"; #print "strip_ftph: final: '$_[0]'\n"; return ($from,$to,$proto,$helo); } # Initialize the Getopts option list. Requires the Section table to # be built already. # sub init_getopts_table() { print "init_getopts_table: enter\n" if $Opts{'debug'} & Logreporters::D_ARGS; init_getopts_table_common(@supplemental_reports); add_option ('recipient_delimiter=s'); add_option ('delays!'); add_option ('show_delays=i', sub { $Opts{'delays'} = $_[1]; 1; }); add_option ('delays_percentiles=s'); add_option ('reject_reply_patterns=s'); add_option ('ignore_services=s'); add_option ('postgrey_delays!'); add_option ('postgrey_show_delays=i', sub { $Opts{'postgrey_delays'} = $_[1]; 1; }); add_option ('postgrey_delays_percentiles=s'); add_option ('unknown!', sub { $Opts{'unknown'} = $_[1]; 1; }); add_option ('show_unknown=i', sub { $Opts{'unknown'} = $_[1]; 1; }); add_option ('enable_long_queue_ids=i', sub { $Opts{'long_queue_ids'} = $_[1]; 1; }); add_option ('long_queue_ids!'); =pod # aliases and backwards compatibility add_option ('msgsdeferred=s', \$Opts{'deferred'}); add_option ('msgsdelivered=s', \$Opts{'delivered'}); add_option ('msgssent=s', \$Opts{'sent'}); add_option ('msgssentlmtp=s', \$Opts{'sentlmtp'}); add_option ('msgsforwarded=s', \$Opts{'forwarded'}); add_option ('msgsresent=s', \$Opts{'resent'}); add_option ('warn=s', \$Opts{'warned'}); add_option ('held=s', \$Opts{'hold'}); =cut } # Builds the entire @Section table used for data collection # # Each Section entry has as many as six fields: # # 1. Section array reference # 2. Key to %Counts, %Totals accumulator hashes, and %Collecting hash # 3. Output in Detail report? (must also a %Counts accumulator) # 4. Numeric output format specifier for Summary report # 5. Section title for Summary and Detail reports # 6. A hash to a divisor used to calculate the percentage of a total for that key # # Use begin_section_group/end_section_group to create groupings around sections. # # Sections can be freely reordered if desired, but maintain proper group nesting. # # # The reject* entries of this table are dynamic, in that they are built based # upon the value of $Opts{'reject_reply_patterns'}, which can be specified by # either command line or configuration file. This allows various flavors, of # reject sections based on SMTP reply code (eg. 421 45x, 5xx, etc.). Instead # of creating special sections for each reject variant, the primary key of each # reject section could have been the SMTP reply code. However, this would # require special-case processing to distinguish 4xx temporary rejects from 5xx # permanent rejects in various Totals{'totalrejects*'} counts, and in the # Totals{'totalrejects'} tally. # # Sections can be freely reordered if desired. sub build_sect_table() { if ($Opts{'debug'} & Logreporters::D_SECT) { print "build_sect_table: enter\n"; print "\treject patterns: $Opts{'reject_reply_patterns'}\n"; } my $S = \@Sections; # References to these are used in the Sections table below; we'll predeclare them. $Totals{'totalrejects'} = 0; $Totals{'totalrejectswarn'} = 0; $Totals{'totalacceptplusreject'} = 0; # Configuration and critical errors appear first # SECTIONREF, NAME, DETAIL, FMT, TITLE, DIVISOR begin_section_group ($S, 'warnings'); add_section ($S, 'panicerror', 1, 'd', '*Panic: General panic'); add_section ($S, 'fatalfiletoobig', 0, 'd', '*Fatal: Message file too big'); add_section ($S, 'fatalconfigerror', 1, 'd', '*Fatal: Configuration error'); add_section ($S, 'fatalerror', 1, 'd', '*Fatal: General fatal'); add_section ($S, 'error', 1, 'd', '*Error: General error'); add_section ($S, 'processlimit', 1, 'd', '*Warning: Process limit reached, clients may delay'); add_section ($S, 'warnfiletoobig', 0, 'd', '*Warning: Queue file size limit exceeded'); add_section ($S, 'warninsufficientspace', 0, 'd', '*Warning: Insufficient system storage error'); add_section ($S, 'warnconfigerror', 1, 'd', '*Warning: Server configuration error'); add_section ($S, 'queuewriteerror', 1, 'd', '*Warning: Error writing queue file'); add_section ($S, 'messagewriteerror', 1, 'd', '*Warning: Error writing message file'); add_section ($S, 'databasegeneration', 1, 'd', '*Warning: Database is older than source file'); add_section ($S, 'mailerloop', 1, 'd', '*Warning: Mailer loop'); add_section ($S, 'startuperror', 1, 'd', '*Warning: Startup error'); add_section ($S, 'mapproblem', 1, 'd', '*Warning: Map lookup problem'); add_section ($S, 'attrerror', 1, 'd', '*Warning: Error reading attribute data'); add_section ($S, 'anvil', 1, 'd', '*Warning: Anvil limit reached'); add_section ($S, 'processexit', 1, 'd', 'Process exited'); add_section ($S, 'hold', 1, 'd', 'Placed on hold'); add_section ($S, 'communicationerror', 1, 'd', 'Postfix communications error'); add_section ($S, 'saslauthfail', 1, 'd', 'SASL authentication failed'); add_section ($S, 'ldaperror', 1, 'd', 'LDAP error'); add_section ($S, 'warningsother', 1, 'd', 'Miscellaneous warnings'); add_section ($S, 'totalrejectswarn', 0, 'd', 'Reject warnings (warn_if_reject)'); end_section_group ($S, 'warnings'); begin_section_group ($S, 'bytes', "\n"); add_section ($S, 'bytesaccepted', 0, 'Z', 'Bytes accepted '); # Z means print scaled as in 1k, 1m, etc. add_section ($S, 'bytessentsmtp', 0, 'Z', 'Bytes sent via SMTP'); add_section ($S, 'bytessentlmtp', 0, 'Z', 'Bytes sent via LMTP'); add_section ($S, 'bytesdelivered', 0, 'Z', 'Bytes delivered'); add_section ($S, 'bytesforwarded', 0, 'Z', 'Bytes forwarded'); end_section_group ($S, 'bytes', $sep1); begin_section_group ($S, 'acceptreject', "\n"); begin_section_group ($S, 'acceptreject2', "\n"); add_section ($S, 'msgsaccepted', 0, 'd', 'Accepted', \$Totals{'totalacceptplusreject'}); add_section ($S, 'totalrejects', 0, 'd', 'Rejected', \$Totals{'totalacceptplusreject'}); end_section_group ($S, 'acceptreject2', $sep2); add_section ($S, 'totalacceptplusreject', 0, 'd', 'Total', \$Totals{'totalacceptplusreject'}); end_section_group ($S, 'acceptreject', $sep1); # The various Reject sections are built dynamically based upon a list of reject reply keys, # which are user-configured via $Opts{'reject_reply_patterns'} @RejectPats = (); foreach my $rejpat (split /[ ,]/, $Opts{'reject_reply_patterns'}) { if ($rejpat !~ /^(warn|[45][\d.]{2})$/io) { print STDERR usage "Invalid pattern \"$rejpat\" in reject_reply_patterns"; exit (2); } if (grep (/\Q$rejpat\E/, @RejectPats) == 0) { push @RejectPats, $rejpat } else { print STDERR "Ignoring duplicate pattern \"$rejpat\" in reject_reply_patterns\n"; } } @RejectKeys = @RejectPats; for (@RejectKeys) { s/\./x/g; } print "\tRejectPat: \"@RejectPats\", RejectKeys: \"@RejectKeys\"\n" if $Opts{'debug'} & Logreporters::D_SECT; # Add reject variants foreach my $key (@RejectKeys) { $key = lc($key); my $keyuc = ucfirst($key); my $totalsref = \$Totals{'totalrejects' . $key}; print "\t reject key: $key\n" if $Opts{'debug'} & Logreporters::D_SECT; begin_section_group ($S, 'rejects', "\n"); begin_section_group ($S, 'rejects2', "\n"); add_section ($S, $key . 'rejectrelay', 1, 'd', $keyuc . ' Reject relay denied', $totalsref); add_section ($S, $key . 'rejecthelo', 1, 'd', $keyuc . ' Reject HELO/EHLO', $totalsref); add_section ($S, $key . 'rejectdata', 1, 'd', $keyuc . ' Reject DATA', $totalsref); add_section ($S, $key . 'rejectunknownuser', 1, 'd', $keyuc . ' Reject unknown user', $totalsref); add_section ($S, $key . 'rejectrecip', 1, 'd', $keyuc . ' Reject recipient address', $totalsref); add_section ($S, $key . 'rejectsender', 1, 'd', $keyuc . ' Reject sender address', $totalsref); add_section ($S, $key . 'rejectclient', 1, 'd', $keyuc . ' Reject client host', $totalsref); add_section ($S, $key . 'rejectunknownclient', 1, 'd', $keyuc . ' Reject unknown client host', $totalsref); add_section ($S, $key . 'rejectunknownreverseclient', 1, 'd', $keyuc . ' Reject unknown reverse client host', $totalsref); add_section ($S, $key . 'rejectunverifiedclient', 1, 'd', $keyuc . ' Reject unverified client host', $totalsref); add_section ($S, $key . 'rejectrbl', 1, 'd', $keyuc . ' Reject RBL', $totalsref); add_section ($S, $key . 'rejectheader', 1, 'd', $keyuc . ' Reject header', $totalsref); add_section ($S, $key . 'rejectbody', 1, 'd', $keyuc . ' Reject body', $totalsref); add_section ($S, $key . 'rejectcontent', 1, 'd', $keyuc . ' Reject content', $totalsref); add_section ($S, $key . 'rejectsize', 1, 'd', $keyuc . ' Reject message size', $totalsref); add_section ($S, $key . 'rejectmilter', 1, 'd', $keyuc . ' Reject milter', $totalsref); add_section ($S, $key . 'rejectproxy', 1, 'd', $keyuc . ' Reject proxy', $totalsref); add_section ($S, $key . 'rejectinsufficientspace', 1, 'd', $keyuc . ' Reject insufficient space', $totalsref); add_section ($S, $key . 'rejectconfigerror', 1, 'd', $keyuc . ' Reject server config error', $totalsref); add_section ($S, $key . 'rejectverify', 1, 'd', $keyuc . ' Reject VRFY', $totalsref); add_section ($S, $key . 'rejectetrn', 1, 'd', $keyuc . ' Reject ETRN', $totalsref); add_section ($S, $key . 'rejectlookupfailure', 1, 'd', $keyuc . ' Reject temporary lookup failure', $totalsref); end_section_group ($S, 'rejects2', $sep2); add_section ($S, 'totalrejects' . $key, 0, 'd', "Total $keyuc Rejects", $totalsref); end_section_group ($S, 'rejects', $sep1); $Totals{'totalrejects' . $key} = 0; } begin_section_group ($S, 'byiprejects', "\n"); add_section ($S, 'byiprejects', 1, 'd', 'Reject by IP'); end_section_group ($S, 'byiprejects'); begin_section_group ($S, 'general1', "\n"); add_section ($S, 'connectioninbound', 1, 'd', 'Connections'); add_section ($S, 'connectionlostinbound', 1, 'd', 'Connections lost (inbound)'); add_section ($S, 'connectionlostoutbound', 1, 'd', 'Connections lost (outbound)'); add_section ($S, 'disconnection', 0, 'd', 'Disconnections'); add_section ($S, 'removedfromqueue', 0, 'd', 'Removed from queue'); add_section ($S, 'delivered', 1, 'd', 'Delivered'); add_section ($S, 'sent', 1, 'd', 'Sent via SMTP'); add_section ($S, 'sentlmtp', 1, 'd', 'Sent via LMTP'); add_section ($S, 'forwarded', 1, 'd', 'Forwarded'); add_section ($S, 'resent', 0, 'd', 'Resent'); add_section ($S, 'deferred', 1, 'd', 'Deferred'); add_section ($S, 'deferrals', 1, 'd', 'Deferrals'); add_section ($S, 'bouncelocal', 1, 'd', 'Bounced (local)'); add_section ($S, 'bounceremote', 1, 'd', 'Bounced (remote)'); add_section ($S, 'bouncefailed', 1, 'd', 'Bounce failure'); add_section ($S, 'postscreen', 1, 'd', 'Postscreen'); add_section ($S, 'dnsblog', 1, 'd', 'DNSBL log'); add_section ($S, 'envelopesenders', 1, 'd', 'Envelope senders'); add_section ($S, 'envelopesenderdomains', 1, 'd', 'Envelope sender domains'); add_section ($S, 'bcced', 1, 'd', 'BCCed'); add_section ($S, 'filtered', 1, 'd', 'Filtered'); add_section ($S, 'redirected', 1, 'd', 'Redirected'); add_section ($S, 'discarded', 1, 'd', 'Discarded'); add_section ($S, 'prepended', 1, 'd', 'Prepended'); add_section ($S, 'replaced', 1, 'd', 'Replaced'); add_section ($S, 'warned', 1, 'd', 'Warned'); add_section ($S, 'requeued', 0, 'd', 'Requeued messages'); add_section ($S, 'returnedtosender', 1, 'd', 'Expired and returned to sender'); add_section ($S, 'notificationsent', 1, 'd', 'Notifications sent'); add_section ($S, 'policyspf', 1, 'd', 'Policy SPF'); add_section ($S, 'policydweight', 1, 'd', 'Policyd-weight'); add_section ($S, 'postfwd', 1, 'd', 'Postfwd'); add_section ($S, 'postgrey', 1, 'd', 'Postgrey'); end_section_group ($S, 'general1'); begin_section_group ($S, 'general2', "\n"); add_section ($S, 'connecttofailure', 1, 'd', 'Connection failures (outbound)'); add_section ($S, 'timeoutinbound', 1, 'd', 'Timeouts (inbound)'); add_section ($S, 'heloerror', 1, 'd', 'HELO/EHLO conversations errors'); add_section ($S, 'illegaladdrsyntax', 1, 'd', 'Illegal address syntax in SMTP command'); add_section ($S, 'released', 0, 'd', 'Released from hold'); add_section ($S, 'rblerror', 1, 'd', 'RBL lookup errors'); add_section ($S, 'dnserror', 1, 'd', 'DNS lookup errors'); add_section ($S, 'numerichostname', 1, 'd', 'Numeric hostname'); add_section ($S, 'smtpconversationerror', 1, 'd', 'SMTP dialog errors'); add_section ($S, 'hostnameverification', 1, 'd', 'Hostname verification errors (FCRDNS)'); add_section ($S, 'hostnamevalidationerror', 1, 'd', 'Hostname validation errors'); add_section ($S, 'smtpprotocolviolation', 1, 'd', 'SMTP protocol violations'); add_section ($S, 'deliverable', 1, 'd', 'Deliverable (address verification)'); add_section ($S, 'undeliverable', 1, 'd', 'Undeliverable (address verification)'); add_section ($S, 'tablechanged', 0, 'd', 'Restarts due to lookup table change'); add_section ($S, 'pixworkaround', 1, 'd', 'PIX workaround enabled'); add_section ($S, 'tlsserverconnect', 1, 'd', 'TLS connections (server)'); add_section ($S, 'tlsclientconnect', 1, 'd', 'TLS connections (client)'); add_section ($S, 'saslauth', 1, 'd', 'SASL authenticated messages'); add_section ($S, 'tlsunverified', 1, 'd', 'TLS certificate unverified'); add_section ($S, 'tlsoffered', 1, 'd', 'Host offered TLS'); end_section_group ($S, 'general2'); begin_section_group ($S, 'postfixstate', "\n"); add_section ($S, 'postfixstart', 0, 'd', 'Postfix start'); add_section ($S, 'postfixstop', 0, 'd', 'Postfix stop'); add_section ($S, 'postfixrefresh', 0, 'd', 'Postfix refresh'); add_section ($S, 'postfixwaiting', 0, 'd', 'Postfix waiting to terminate'); end_section_group ($S, 'postfixstate'); if ($Opts{'debug'} & Logreporters::D_SECT) { print "\tSection table\n"; printf "\t\t%s\n", (ref($_) eq 'HASH' ? $_->{NAME} : $_) foreach @Sections; print "build_sect_table: exit\n" } } # XXX create array of defaults for detail <5, 5-9, >10 sub init_defaults() { map { $Opts{$_} = $Defaults{$_} unless exists $Opts{$_} } keys %Defaults; if (! $Opts{'standalone'}) { # LOGWATCH # these take affect if no env present (eg. nothing in conf file) # 0 to 4 nodelays if ($Opts{'detail'} < 5) { # detail 0 to 4, disable all supplimental reports $Opts{'delays'} = 0; $Opts{'postgrey_delays'} = 0; } } } # XXX ensure something is matched? # XXX cache values so we don't have to substitute X for . each time #match $dsn against list for best fit sub get_reject_key($) { my $reply = shift; my $replyorig = $reply; ($reply) = split / /, $reply; for (my $i = 0; $i <= $#RejectPats; $i++) { #print "TRYING: $RejectPats[$i]\n"; # we'll allow extended DSNs to match (eg. 5.7.1 will match 5..) if ($reply =~ /^$RejectPats[$i]/) { # no /o here, pattern varies #print "MATCHED: orig: $replyorig, reply $reply matched pattern $RejectPats[$i], returning $RejectKeys[$i]\n"; return $RejectKeys[$i]; } } #print "NOT MATCHED: REPLY CODE: '$replyorig', '$reply'\n"; return; } # Replace bare reject limiters with specific reject limiters # based on reject_reply_patterns # sub expand_bare_reject_limiters() { # don't reorder the list of limiters. This breaks --nodetail followed by a # bare reject such as --limit rejectrbl=10. Reordering is no longer necessary # since process_limiters was instituted and using the special __none__ pseudo- # limiter to indicate the position at which --nodefailt was found on the command # line. # my ($limiter, @reject_limiters, @non_reject_limiters); my ($limiter, @new_list); # XXX check if limiter matches just one in rejectclasses while ($limiter = shift @Limiters) { if ($limiter =~ /^reject[^_]/) { foreach my $reply_code (@RejectKeys) { printf "bare_reject: \L$reply_code$limiter\n" if $Opts{'debug'} & Logreporters::D_VARS; #push @reject_limiters, lc($reply_code) . $limiter; push @new_list, lc($reply_code) . $limiter; } } elsif ($limiter =~ /^(?:[45]\.\.|Warn)reject[^_]/) { $limiter =~ s/^([45])\.\./$1xx/; #push @reject_limiters, lc $limiter; push @new_list, lc $limiter; } else { #push @non_reject_limiters, $limiter; push @new_list, $limiter; } } #@Limiters = (@reject_limiters, @non_reject_limiters); @Limiters = @new_list; } # Return a usage string, built from: # arg1 + # $usage_str + # a string built from each usable entry in the @Sections table. # reject patterns are special cased to minimize the number of # command line options presented. # sub usage($) { my $ret = ""; $ret = "@_\n" if ($_[0]); $ret .= $usage_str; my ($name, $desc, %reject_types); foreach my $sect (get_usable_sectvars(@Sections, 0)) { if (my ($code,$rej) = ($sect->{NAME} =~ /^(...|warn)(reject.*)$/oi)) { $rej = lc $rej; next if (exists $reject_types{$rej}); $reject_types{$rej}++; $name = '[###]' . $rej; $desc = '###' . substr($sect->{TITLE}, length($code)); } else { $name = lc $sect->{NAME}; $desc = $sect->{TITLE}; } $ret .= sprintf " --%-38s%s\n", "$name" . ' LEVEL', "$desc"; } $ret .= "\n"; return $ret; } 1; # vi: shiftwidth=3 tabstop=3 syntax=perl et ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/mod_security20000644000000000000000000000013212664334617021272 xustar0030 mtime=1456585103.151364187 30 atime=1456586568.776190839 30 ctime=1456586568.776190839 ./logwatch-7.4.2/scripts/services/mod_security20000644000175000001440000001747212664334617022401 0ustar00generalusers00000000000000#!/usr/bin/perl -w ########################################################################## # $Id: mod_security2, v 1.0.1 2013/01/11 ########################################################################## # # Revision 1.0.1 2013/01/11 # fixed problem with uninitialized values #6 # ########################################################################## # This script is written an maintained by: # Torben Hansen # # To send comments, suggestions, bugreports, etc, please use: # https://github.com/derhansen/logwatch-modsec2 ########################################################################## ########################################################################## # Copyright © 2013 Torben Hansen # # Permission is hereby granted, free of charge, to any person obtaining a # copy of this software and associated documentation files (the # “Softwareâ€), to deal in the Software without restriction, including # without limitation the rights to use, copy, modify, merge, publish, # distribute, sublicense, and/or sell copies of the Software, and to # permit persons to whom the Software is furnished to do so, subject to # the following conditions: # # The above copyright notice and this permission notice shall be included # in all copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED “AS ISâ€, WITHOUT WARRANTY OF ANY KIND, EXPRESS # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANT- # ABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO # EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, # DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR # OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR # THE USE OR OTHER DEALINGS IN THE SOFTWARE. # ########################################################################## use Logwatch ':dates'; # Disable warnings about unused variables no warnings qw(once); my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0; my $SearchDate = TimeFilter('%d/%b/%Y:%H:%M:%S'); my $within_range = 0; my %tmpEntry = (); my $count = 0; my %messages = (); my %topips = (); my %toprules = (); my $check = 0; my $option = ''; if ( $Debug >= 5 ) { print STDERR "\n\nDEBUG MODE \n\n"; } # Initialize array $tmpEntry{$count}{"action"} = ""; $tmpEntry{$count}{"hostname"} = ""; $tmpEntry{$count}{"message"} = ""; $tmpEntry{$count}{"ruleid"} = ""; while (defined($ThisLine = )) { chomp($ThisLine); # Reset $check if line starts with two dashes if ( $ThisLine =~ /-[A-Z]--/ ) { $check = 0; $option = ""; } if ($check == 1) { if ($option eq "audit-log-header") { ($timestamp, $transactionID, $sourceIP, $sourcePort, $destIP, $destPort ) = ($ThisLine =~ /\[(.*?)\] (.*?) (.*?) (.*?) (.*?) (.*?)$/ ); $tmpEntry{$count}{"timestamp"} = $timestamp; $tmpEntry{$count}{"sourceIp"} = $sourceIP; $tmpEntry{$count}{"sourcePort"} = $sourcePort; $tmpEntry{$count}{"destIp"} = $destIP; $tmpEntry{$count}{"destPort"} = $destPort; if ( $Debug >= 5 ) { print STDERR "\n"; print STDERR "DATE: " . $timestamp . "\n"; print STDERR "FROM: ". $sourceIP . ":" . $sourcePort . "\n"; print STDERR "TO: ". $destIP . ":" . $destPort . "\n"; } } if ($option eq "request-header") { if ( ($method, $requestUri) = ($ThisLine =~ /^(POST|GET) (.*?)$/) ) { $tmpEntry{$count}{"method"} = $method; $tmpEntry{$count}{"uri"} = $requestUri; if ( $Debug >= 5 ) { print STDERR "METHOD: " . $method . "\n"; print STDERR "URI: " . $requestUri . "\n"; } } elsif ( ($hostname) = ($ThisLine =~ /^Host: (.*?)$/) ) { $tmpEntry{$count}{"hostname"} = $hostname; if ( $Debug >= 5 ) { print STDERR "HOST: " . $hostname . "\n"; } } } if ($option eq "audit-log-trailer") { if ( $ThisLine =~ /^Message:/ ) { if ( ($ruleId) = ($ThisLine =~ /\[id \"(.*?)\"\]/) ) { if ( $Debug >= 5 ) { print STDERR "Rule ID: " . $ruleId. "\n"; } } if ( ($msg) = ($ThisLine =~ /\[msg \"(.*?)\"\]/) ) { if ( $Debug >= 5 ) { print STDERR "Message: " . $msg. "\n"; } } $tmpEntry{$count}{"ruleid"} = $ruleId; $tmpEntry{$count}{"message"} = $msg; } if ( ($action) = ($ThisLine =~ /^Action: (.*?)$/) ) { $tmpEntry{$count}{"action"} = $action; if ( $Debug >= 5 ) { print STDERR "Action: " . $action. "\n"; } } if ( ($engineMode) = ($ThisLine =~ /^Engine-Mode: (.*?)$/) ) { $tmpEntry{$count}{"engine"} = $engineMode; if ( $Debug >= 5 ) { print STDERR "Engine mode: " . $engineMode. "\n"; } } } } if ( $ThisLine =~ /-A--/ ) { $check = 1; $option = "audit-log-header"; } elsif ( $ThisLine =~ /-B--/ ) { $check = 1; $option = "request-header"; } elsif ( $ThisLine =~ /-H--/ ) { $check = 1; $option = "audit-log-trailer"; } elsif ( $ThisLine =~ /-Z--/ ) { $check = 0; $option = ""; # Create new summary entry if date matches searchdate if ( $tmpEntry{$count}{"timestamp"} =~ /$SearchDate/ ) { if ( $tmpEntry{$count}{"action"} ne "" && $tmpEntry{$count}{"hostname"} ne "" && $tmpEntry{$count}{"message"} ne "" && $tmpEntry{$count}{"ruleid"} ne "" ) { $messages{$tmpEntry{$count}{"hostname"}}{"numAttacks"}++; $messages{$tmpEntry{$count}{"hostname"}}{"attack"}{$tmpEntry{$count}{"sourceIp"}}{$tmpEntry{$count}{"ruleid"}} = $tmpEntry{$count}{"message"}; $messages{$tmpEntry{$count}{"hostname"}}{$tmpEntry{$count}{"sourceIp"}}{$tmpEntry{$count}{"ruleid"}}++; $topips{$tmpEntry{$count}{"sourceIp"}}++; $toprules{$tmpEntry{$count}{"ruleid"}}++; } } # Increase counter $count++; # Reset values $tmpEntry = (); $tmpEntry{$count}{"action"} = ""; $tmpEntry{$count}{"hostname"} = ""; $tmpEntry{$count}{"message"} = ""; $tmpEntry{$count}{"ruleid"} = ""; if ( $Debug >= 5 ) { print STDERR "---------------------------------------\n"; } } } # Start summary if (keys %messages) { print "\nATTACKS BLOCKED ON VHOSTS:\n"; foreach my $vhost ( sort {$a cmp $b} keys %messages ) { print "\n" . $vhost . " - " . $messages{$vhost}{"numAttacks"} . " time(s)\n"; foreach my $fromip (sort {$a cmp $b} keys %{$messages{$vhost}{"attack"}}) { foreach my $ruleid (sort {$a cmp $b} keys %{$messages{$vhost}{"attack"}{$fromip}}) { print " [ip: " . sprintf("%-15s", $fromip) . "] "; print "[id: " . $ruleid . " ] [msg: " . $messages{$vhost}{"attack"}{$fromip}{$ruleid} . "] "; print " - " . $messages{$vhost}{$fromip}{$ruleid} . " time(s)\n"; } } } } # Top 10 blocked IPs if (keys %topips) { print "\nTOP 10 BLOCKED IPS:\n"; my $cnt = 0; foreach my $ip ( sort {$topips{$b} <=> $topips{$a}} keys %topips ) { print "\n " . sprintf("%2s", ($cnt + 1)) . ". " . $ip . " - " . $topips{$ip} . " time(s)"; $cnt++; if($cnt == 10) { last(); } } print "\n"; } exit(0) ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/ftpd-messages0000644000000000000000000000013212664334617021244 xustar0030 mtime=1456585103.199363957 30 atime=1456586568.776190839 30 ctime=1456586568.776190839 ./logwatch-7.4.2/scripts/services/ftpd-messages0000755000175000001440000001731712664334617022354 0ustar00generalusers00000000000000########################################################################## # $Id: ftpd-messages 150 2013-06-18 22:19:38Z mtremaine $ ########################################################################## ######################################################## ## Copyright (c) 2008 Kirk Bauer ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; $IgnoreUnmatched = $ENV{'ftpd_ignore_unmatched'} || 0; my $SegFault = 0; while (defined($ThisLine = )) { if ( ( $ThisLine =~ /FTP session closed$/ ) or ( $ThisLine =~ /^getpeername \(in.ftpd\): Transport endpoint is not connected$/ ) or ( $ThisLine =~ /^QUIT$/ ) or ( $ThisLine =~ /^[\w\.]+: connected: IDLE\s\[\d+\]: failed login from/ ) or ( $ThisLine =~ /^lost connection to / ) or ( $ThisLine =~ /^wu-ftpd - TLS settings:/ ) or # The connect info is extracted elsewhere: ( $ThisLine =~ /^USER / ) or ( $ThisLine =~ /^[^ ]+: [^ ]+: USER [^ ]+\[\d+\]:/ ) or ( $ThisLine =~ /^PASS / ) or ( $ThisLine =~ /^[^ ]+: [^ ]+: IDLE\[\d+\]: PASS password$/ ) or # These are uninteresting: ( $ThisLine =~ /^[^ ]+: [^ ]+: TYPE / ) or ( $ThisLine =~ /^[^ ]+: [^ ]+: PORT / ) or ( $ThisLine =~ /^[^ ]+: [^ ]+: STOR / ) or ( $ThisLine =~ /^[^ ]+: [^ ]+: RNFR / ) or ( $ThisLine =~ /^[^ ]+: [^ ]+: RNTO / ) or ( $ThisLine =~ /^[^ ]+: [^ ]+: SYST\[\d+\]: SYST$/ ) or ( $ThisLine =~ /^[^ ]+: [^ ]+: QUIT\[\d+\]: QUIT$/ ) or ( $ThisLine =~ /^[^ ]+: [^ ]+: PASV\[\d+\]: PASV$/ ) or # Some people may want these things below, but not in a simple upfront security ( $ThisLine =~ /^[^ ]+: [^ ]+: RETR / ) or ( $ThisLine =~ /^[^ ]+: [^ ]+: LIST / ) or ( $ThisLine =~ /^[^ ]+: [^ ]+: NLST / ) or # 62.161.227.69: connected: SYST[27800]: cmd failure - not logged in ( $ThisLine =~ /^[^ ]+: [^ ]+: SYST\[\d+\]: cmd failure - not logged in$/ ) or ( $ThisLine =~ /^User .* timed out after .* seconds at .*$/ ) ) { # We don't care about any of these } elsif ( ($Host,$IP,$Email) = ( $ThisLine =~ /^ANONYMOUS FTP LOGIN FROM ([^ ]+) \[(.*)\], (.*)$/ ) ) { $Temp = " " . $Host . " (" . $IP . "): " . $Email . " - "; $AnonLogins{$Temp}++; } elsif ( ($Host,$IP,$User) = ( $ThisLine =~ /FTP LOGIN FROM ([^ ]+) \[(.*)\], (.*)$/ ) ) { $Temp = " " . $Host . " (" . $IP . "): " . $User . " - "; $UserLogins{$Temp}++; } elsif ( ($Host,$IP,$User) = ( $ThisLine =~ /^FTP LOGIN REFUSED \(.+\) FROM ([^ ]+) \[(.*)\], (.*)$/ ) ) { $Temp = " " . $Host . " (" . $IP . "): " . $User . " - "; $FailedLogins{$Temp}++; } elsif ( ($Host,$IP,$User) = ( $ThisLine =~ /REFUSED .+ from ([^ ]+) \[(.*)\], (.*)$/i ) ) { $Temp = " " . $Host . " (" . $IP . "): " . $User . " - "; $FailedLogins{$Temp}++; } elsif ( ($Host,$IP,$User) = ( $ThisLine =~ /^failed login from ([^ ]+) \[(.*)\], (.*)$/ ) ) { $Temp = " " . $Host . " (" . $IP . "): " . $User . " - "; $FailedLogins{$Temp}++; } elsif ( ($Limit,$Class,$Host,$IP) = ( $ThisLine =~ /^ACCESS DENIED \(user limit (.*)\; class (.*)\) TO (.*) \[(.*)\]/ ) ) { $Temp = " " . $Host . " (" . $IP . "): class " . $Class . " (Limit: " . $Limit . ") - "; $FailedLogins{$Temp}++; } elsif ( ($Host,$IP) = ( $ThisLine =~ /^FTP ACCESS REFUSED \(anonymous password not rfc822\) from (.*) \[(.*)\]/ ) ) { $Temp = " " . $Host . " (" . $IP . ") - "; $FailedLogins{$Temp}++; } elsif ( ($Host,$IP,$User) = ( $ThisLine =~ /failed login from ([^ ]+) \[(.*)\]$/ ) ) { $Temp = " " . $Host . " (" . $IP . ") - "; $FailedLogins{$Temp}++; } elsif ( ($IP,$Host) = ( $ThisLine =~ /^refused PORT ([\d.]+),\d+ from (.*)$/ ) ) { $Temp = " " . $Host . " (" . $IP . ") - "; $RefusedPorts{$Temp}++; } elsif ( $ThisLine =~ /^exiting on signal 11: Segmentation fault$/ ) { $SegFault++; } elsif ( ($User,$Host,$IP,$File) = ( $ThisLine =~ /^([^ ]+) of ([^ ]*) \[(.*)\] deleted (.*)$/ ) ) { $Temp = " " . $Host . " (" . $IP . "): " . $User . "\n"; $Temp2 = " " . $File . "\n"; push @{$DeletedFiles{$Temp}}, $Temp2; } elsif ( ($User,$Pass,$Host,$IP) = ( $ThisLine =~ /(.*)\((.*)\) of (.*) \[(.*)\] tried to/) ) { $Temp = " " . $Host . " ($IP): " . $User . " ($Pass) - "; $SecurityViolations{$Temp}++; } elsif ( ($Host,$User,$IP) = ( $ThisLine =~ /(.*)\: (.*)\: SITE .* \[(.*)\] tried to/) ) { $Temp = " " . $Host . " ($IP): " . $User . " - "; $SecurityViolations{$Temp}++; } elsif ( ($Host,$IP) = ( $ThisLine =~ /^FTP LOGIN FAILED \(cannot set guest privileges\) for ([^ ]+) \[(.*)\], ftp$/ ) ) { $Temp = " " . $Host . " (" . $IP . "): - "; $RefusedAnonLogins{$Temp}++; } elsif ( ($Host, $User) = ( $ThisLine =~ /^([^ ]+): ([^ ]+): IDLE\[\d+\]: User [^ ]+ timed out after / ) ) { # dhcp024-208-136-047.insight.rr.com: visitor: IDLE[23195]: User visitor timed out after 900 seconds at Mon Jan 13 00:25:24 2003 $TimedOut{" " . $Host . " : " . $User}++; } else { # Report any unmatched entries... push @OtherList,$ThisLine; } } if ( (keys %AnonLogins) and ($Detail >= 10) ) { print "\nAnonymous FTP Logins:\n"; foreach $ThisOne (keys %AnonLogins) { print $ThisOne . $AnonLogins{$ThisOne} . " Time(s)\n"; } } if ((keys %DeletedFiles) and ($Detail >= 10)) { print "\nFiles deleted through FTP:\n"; foreach $ThisOne (keys %DeletedFiles) { print $ThisOne; print @{$DeletedFiles{$ThisOne}}; } } if ((keys %UserLogins) and ($Detail >= 5)) { print "\nUser FTP Logins:\n"; foreach $ThisOne (keys %UserLogins) { print $ThisOne . $UserLogins{$ThisOne} . " Time(s)\n"; } } if (keys %FailedLogins) { print "\nFailed FTP Logins:\n"; foreach $ThisOne (keys %FailedLogins) { print $ThisOne . $FailedLogins{$ThisOne} . " Time(s)\n"; } } if ( (keys %RefusedPorts) and ($Detail >= 10) ) { print "\nRefused PORTs:\n"; foreach $ThisOne (keys %RefusedPorts) { print $ThisOne . $RefusedPorts{$ThisOne} . " Time(s)\n"; } } if (keys %TimedOut) { print "\nConnections timed out:\n"; foreach $ThisOne (keys %TimedOut) { print $ThisOne . $TimedOut{$ThisOne} . " Time(s)\n"; } } if ( (keys %SecurityViolations) and ($Detail >= 5) ) { print "\nFailed filesystem violations:\n"; foreach $ThisOne (keys %SecurityViolations) { print $ThisOne . $SecurityViolations{$ThisOne} . " Time(s)\n"; } } if (keys %RefusedAnonLogins) { print "\nRefused anonymous FTP Logins:\n"; foreach $ThisOne (keys %RefusedAnonLogins) { print $ThisOne . $RefusedAnonLogins{$ThisOne} . " Time(s)\n"; } } if ($SegFault > 0) { print "\nexiting on signal 11: Segmentation fault: $SegFault Time(s)\n"; } if (($#OtherList >= 0) and (not $IgnoreUnmatched)){ print "\n**Unmatched Entries**\n"; print @OtherList; } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/tivoli-smc0000644000000000000000000000013212664334617020570 xustar0030 mtime=1456585103.187364015 30 atime=1456586568.792190759 30 ctime=1456586568.792190759 ./logwatch-7.4.2/scripts/services/tivoli-smc0000755000175000001440000001064612664334617021676 0ustar00generalusers00000000000000#!/usr/bin/perl # Copyright 2013 by Stefan Jakobs ########################################################################### # $Id$ ########################################################################### ######################################################## ## Copyright (c) 2013 Stefan Jakobs ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### use strict; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my $Version = "20130212"; my ($ThisLine, %OtherList); my (%IncBackup, %IncBackupFailure); my (%Object, %ObjectSend, %ObjectName); my (%Error, %NoConnection, %File); my $Interrupted; ### functions ### sub print_2xhash($$) { my %hash = %{$_[0]}; my $desc = $_[1]; print "$desc\n"; foreach my $item (keys %hash) { printf(" %-44s\n", $item); foreach my $item2 (keys %{$hash{$item}}) { printf(" %-42s %5d time(s)\n", $item2, $hash{$item}{$item2}); } } print "\n"; } ### main ### while(defined ($ThisLine = )) { chomp $ThisLine; # remove when filter script is done #$ThisLine =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d //; if ( ($ThisLine =~ /^\w+ Could not establish a session with a TSM server or client agent/ ) || ($ThisLine =~ /^\w+ Communication with the TSM server is lost/ ) ) { # ignore } elsif ($ThisLine =~ /(\w+) Incremental backup of '([^']+)' finished with (\d+) failure/) { $IncBackup{"$2"}++; $IncBackupFailure{"$2"}+=$3; } elsif ($ThisLine =~ /(\w+) Sending of object '([^']+)' (.+)/) { $ObjectSend{"$3"}{"$2"}++; } elsif ($ThisLine =~ /(\w+) Object name '([^']+)' (.+)/) { $ObjectName{"$3"}{"$2"}++; } elsif ($ThisLine =~ /(\w+) Object '([^']+)' (.+)/) { $Object{"$3"}{"$2"}++; } elsif ($ThisLine =~ /cuGetBackQryResp: (.*):0,(.*)$/) { $Object{$1}{$2}++; } elsif ($ThisLine =~ /(\w+) An interrupt has occurred/) { $Interrupted++; } elsif ($ThisLine =~ /(\w+) (.+)\.\s+The TSM return code is ([-0-9]+)/) { $Error{$3}{"$2"}++; } elsif ($ThisLine =~ /(\w+) (Session rejected): (.+)/) { $Error{"$2"}{$3}++; } elsif ($ThisLine =~ /(\w+) (Error processing) '([^']+)': (.+)/) { $Error{"$2"}{$4}++; } elsif ($ThisLine =~ /(\w+) Could not establish a TCP\/IP connection with address '([^']+)'\. The TCP\/IP error is '([^']+)'/) { $NoConnection{"$2"}{$3}++; } elsif ($ThisLine =~ /(\w+) (An invalid TCP\/IP address was specified)/) { $Error{"$2"}{$1}++; } elsif ($ThisLine =~ /File '(?:[^']+)' (.*)/) { $File{"$1"}++; } else { chomp($ThisLine); $OtherList{$ThisLine}++; } } # end of while ### generate output ### if (keys %Error) { print_2xhash(\%Error, "Errors:"); } if ($Interrupted) { printf("%-46s %5d time(s)\n\n", "Interrupted", $Interrupted); } if (keys %File) { print "File:\n"; foreach my $msg (keys %File) { printf(" %-44s %5d time(s)\n", $msg, $File{$msg}); } print "\n"; } if (keys %IncBackup) { print "Incremental Backups finished:\n"; foreach my $dir (sort {$IncBackup{$b} <=> $IncBackup{$a}} keys %IncBackup) { printf(" %-44s %5d time(s) with %3d failure(s)\n", $dir, $IncBackup{$dir}, $IncBackupFailure{$dir}); } print "\n"; } if (keys %ObjectSend) { print_2xhash(\%ObjectSend, "Sending of objects:"); } if (keys %ObjectName) { print_2xhash(\%ObjectName, "Object Names:"); } if (keys %Object) { print_2xhash(\%Object, "Object:"); } if (keys %NoConnection) { print_2xhash(\%NoConnection, "NoConnections:"); } if (keys %OtherList) { print "\n**** Unmatched entries ****\n"; foreach my $Error (keys %OtherList) { print " $Error : $OtherList{$Error} Time(s)\n"; } } ### return without a failure ### exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/lvm0000644000000000000000000000013212664334617017300 xustar0030 mtime=1456585103.155364168 30 atime=1456586568.776190839 30 ctime=1456586568.776190839 ./logwatch-7.4.2/scripts/services/lvm0000755000175000001440000000526712664334617020411 0ustar00generalusers00000000000000######################################################## ## Copyright (c) 2014 Orion Poplawski ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### use strict; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my $PoolThreshold = $ENV{'pool_threshold'} || 0; my %PoolUsed; my $SnapshotThreshold = $ENV{'snapshot_threshold'} || 0; my %SnapshotUsed; my %MonitoringOn; my %MonitoringOff; my %OtherList; while (defined(my $ThisLine = )) { chomp($ThisLine); if ($ThisLine =~ /^Thin (\S+) is now (\d+)% full/) { $PoolUsed{$1} = $2 if $2 >= $PoolThreshold; } elsif ($ThisLine =~ /^Monitoring thin (\S+)\./) { $MonitoringOn{$1}++; } elsif ($ThisLine =~ /^No longer monitoring thin (\S+)\./) { $MonitoringOff{$1}++; } elsif ($ThisLine =~ /^Snapshot (\S+) is now (\d+)% full/) { $SnapshotUsed{$1} = $2 if $2 >= $SnapshotThreshold; } else { $OtherList{$ThisLine}++; } } if (keys %PoolUsed) { print "Thin Pool Usage:\n"; foreach my $Pool (sort {$a cmp $b} keys %PoolUsed) { print " $Pool: $PoolUsed{$Pool}% full\n"; } print "\n"; } if (keys %SnapshotUsed) { print "Snapshot Usage:\n"; foreach my $Snapshot (sort {$a cmp $b} keys %SnapshotUsed) { print " $Snapshot: $SnapshotUsed{$Snapshot}% full\n"; } print "\n"; } if (keys %MonitoringOn and $Detail) { print "Monitoring started for:\n"; foreach my $Pool (sort {$a cmp $b} keys %MonitoringOn) { print " $Pool: $MonitoringOn{$Pool} Time(s)\n"; } print "\n"; } if (keys %MonitoringOff and $Detail) { print "Monitoring stopped for:\n"; foreach my $Pool (sort {$a cmp $b} keys %MonitoringOff) { print " $Pool: $MonitoringOff{$Pool} Time(s)\n"; } print "\n"; } if (keys %OtherList) { print "\n**Unmatched Entries**\n"; foreach my $line (sort {$a cmp $b} keys %OtherList) { print " $line: $OtherList{$line} Time(s)\n"; } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/automount0000644000000000000000000000013212664334617020535 xustar0030 mtime=1456585103.187364015 30 atime=1456586568.768190878 30 ctime=1456586568.768190878 ./logwatch-7.4.2/scripts/services/automount0000755000175000001440000001242412664334617021637 0ustar00generalusers00000000000000 ########################################################################## # $Id: automount 150 2013-06-18 22:19:38Z mtremaine $ ########################################################################## ######################################################## # This was written and is maintained by: # Gerald Teschl # # Please send all comments, suggestions, bug reports, # etc, to kirk@kaybee.org. ######################################################## ######################################################## ## Copyright (c) 2008 Kirk Bauer ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; $MountAttempts = 0; while (defined($ThisLine = )) { if ( ($ThisLine =~ /^using kernel protocol version .*$/) or ($ThisLine =~ /^expired .*$/) or ($ThisLine =~ /^lookup\(ldap\): got answer, but no first entry for /) or ($ThisLine =~ /^>>.*mount: .*$/) or ($ThisLine =~ /lookup_read_master: lookup\(nisplus\): couldn't locate? nis\+ table auto.master/) or ($ThisLine =~ /create_(tcp|udp)_client: hostname lookup failed: (No such process|Operation not permitted)/) or ($ThisLine =~ /lookup_mount: exports lookup failed for .*directory/) or ($ThisLine =~ /master_do_mount: failed to startup mount/) ) { # don't care about these } elsif ( ($ThisMount) = ($ThisLine =~ /^attempting to mount entry (.*)$/) ) { # store Mount #$Mount = $ThisMount; somthing is wrong with this -mgt $MountAttempts++; } elsif ($ThisLine =~ /^mount\(nfs\): nfs: mount failure .*:.* on (.*)$/) { $Failed{$1}{'nfsm'}++; } elsif ($ThisLine =~ /^mount\(nfs\): entry (.*) lookup failure$/) { $Failed{$1}{'nfsl'}++; } elsif (( $ThisLine =~ /^mount\(generic\): failed to mount .* on (.*)$/) or ( $ThisLine =~ /^handle_mounts: mount on (.*) failed!/) ) { $Failed{$1}{'mnt'}++; } elsif ( $ThisLine =~ /^failed to mount \/(\w+).*$/) { $Failed{$1}{'mnt'}++; } elsif ( ($ThisMount) = ( $ThisLine =~ /^(.*): mount failed!$/) ) { $FailedStartup{$ThisMount}++; } elsif ( $ThisLine =~ /^lookup\((file|program)\): lookup for (.*) failed$/) { $Failed{$2}{$1}++; } elsif ( ($ThisMount) = ($ThisLine =~ /^starting automounter version .* path = (.*), maptype = .*, mapname = .*$/) ) { $StartStop{$ThisMount}{'start'}++; $StartStop{$ThisMount}{'stop'}+=0; } elsif ( ($ThisMount) = ($ThisLine =~ /^shutting down, path = (.*)$/) ) { $StartStop{$ThisMount}{'stop'}++; } elsif ( ($Key) = ( $ThisLine =~ /^key "(.*)" not found in map source\(s\)\.$/) ) { $KeyNotFound{$Key}++; } else { # Report any unmatched entries... chomp($ThisLine); $OtherList{$ThisLine}++; } } if (keys %FailedStartup) { print "\nFailed Startups:\n"; foreach $ThisOne (keys %FailedStartup) { print " $ThisOne " . $FailedStartup{$ThisOne} . " Time(s)\n"; } } if (keys %Failed) { print "\nFailed mounts:\n"; foreach $ThisOne (sort keys %Failed) { printf (" %-20s", $ThisOne); if ($Failed{$ThisOne}{'nfsm'}) { print "NFS Mount Failure $Failed{$ThisOne}{'nfsm'} Time(s)"; } if ($Failed{$ThisOne}{'nfsl'}) { print "NFS Lookup Failure $Failed{$ThisOne}{'nfsl'} Time(s)"; } if ($Failed{$ThisOne}{'mnt'}) { print "Mount Failure $Failed{$ThisOne}{'mnt'} Time(s)"; } if ($Failed{$ThisOne}{'file'}) { print "File Lookup Failure $Failed{$ThisOne}{'file'} Time(s)"; } if ($Failed{$ThisOne}{'program'}) { print "Program Lookup Failure $Failed{$ThisOne}{'program'} Time(s)"; } print "\n"; } } if ( ($Detail >= 5) and (keys %KeyNotFound) ) { print "\nKeys not found:\n"; foreach $Key (keys %KeyNotFound) { print " $Key: $KeyNotFound{$Key} Time(s)\n"; } } if ( ($Detail >= 10) and (keys %StartStop) ) { print "\nStatistics:\n"; print " Total number of mount attempts: $MountAttempts\n"; foreach $ThisOne (keys %StartStop) { $StartStop{$ThisOne}{'start'} = 0 unless defined $StartStop{$ThisOne}{'start'}; $StartStop{$ThisOne}{'stop'} = 0 unless defined $StartStop{$ThisOne}{'stop'}; print " $ThisOne: Started $StartStop{$ThisOne}{'start'} and stopped $StartStop{$ThisOne}{'stop'} Time(s)\n"; } } if (keys %OtherList) { print "\n**Unmatched Entries**\n"; foreach $ThisOne (keys %OtherList) { print "$ThisOne: $OtherList{$ThisOne} Time(s)\n"; } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/puppet0000644000000000000000000000012612664334617020022 xustar0030 mtime=1456585103.179364053 28 atime=1456586568.7841908 28 ctime=1456586568.7841908 ./logwatch-7.4.2/scripts/services/puppet0000644000175000001440000002451312664334617021120 0ustar00generalusers00000000000000#!/usr/bin/perl ########################################################################## # $Id: puppet 188 2014-02-07 13:55:43Z stefjakobs $ ########################################################################## # $Log$ ######################################################## ## Copyright (c) 2011 Nathan Crawford ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution and the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@logwatch.org. ######################################################### # Detail level $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; # Config my $offline = $ENV{'puppet_offline_ok'}; # Init counters $FailedRuns = 0; $SuccessfulRuns = 0; $ResourceFailures = 0; $DependencyFailures = 0; while (defined($ThisLine = )) { chomp($ThisLine); if ( ($ThisLine =~ /Using cached catalog/) or ($ThisLine =~ /Caching catalog for /) or ($ThisLine =~ /Caching node for /) or ($ThisLine =~ /Caught TERM; calling stop/) or ($ThisLine =~ /[sS]hutting down/) or ($ThisLine =~ /Reopening log files/) or ($ThisLine =~ /Starting Puppet client version /) or ($ThisLine =~ /Restarting with.+puppetd/) or ($ThisLine =~ /Caught HUP; calling restart/) or ($ThisLine =~ /Skipping because of failed dependencies/) or ($ThisLine =~ /Failed to generate additional resources/) or ($ThisLine =~ /Could not evaluate: getaddrinfo: Name or service not known/) or ($ThisLine =~ /replacing from source .+ with contents /) or ($ThisLine =~ /Starting catalog run/) or ($ThisLine =~ /Applying configuration version/) or ($ThisLine =~ /Loading facts in/) or ($ThisLine =~ /Retrieving plugin/) or ($ThisLine =~ /FileBucket adding/) or ($ThisLine =~ /^Caching certificate/) or ($ThisLine =~ /^Certificate Request fingerprint/) or ($ThisLine =~ /^Creating state file/) or ($ThisLine =~ /Provider useradd does not support features manages/) ) { # Ignore } elsif (($junk, $failure, $reason) = ($ThisLine =~ /^(\(.*\) |)Could not ([^:]*): (.*)/)) { if ($reason == "getaddrinfo: Name or service not known" && $offline) { $FailedRuns--; } else { $Failures{$failure}->{$reason}++; } } elsif ($ThisLine =~ /Finished catalog run in [0-9]+\.[0-9]+ seconds/) { $SuccessfulRuns++; } elsif ($ThisLine =~ /skipping run/) { $FailedRuns++; } elsif ($ThisLine =~ /(Did not receive certificate)/) { $Errors{$1}++; } elsif (($file) = $ThisLine =~ /Reparsing (.*)/) { $Reparsed{$file}++; } elsif (($fileinfo) = ($ThisLine =~ /Filebucketed (.*)/)) { $FileBucketed{$1}++; } elsif ($ThisLine =~ /Dependency .+\[.+\] has ([0-9]+ |)failure/) { $DependencyFailures++; } elsif ( ($ThisLine =~ /Failed to retrieve current state of resource/) or ($ThisLine =~ /Package.+ensure.+Could not find package/) or ($ThisLine =~ /File\[.+\].+ Could not describe /) or ($ThisLine =~ /File\[.+\].+ No specified sources exist/) ) { $ResourceFailures++; } elsif ($ThisLine =~ /Package\[(.+)\].+ensure changed/) { $ChangedPackages{$1}++; } elsif ($ThisLine =~ /Package\[(.+)\].+ensure\) created/) { $InstalledPackages{$1}++; } elsif ($ThisLine =~ /Package\[(.+)\].+ensure\) removed/) { $RemovedPackages{$1}++; } elsif ($ThisLine =~ /Exec\[(.+)\].+executed successfully/) { $ExecRuns{$1}++; } elsif ($ThisLine =~ /Exec\[(.+)\].+Trigger(?:ing|ed) 'refresh' from [0-9]+ (?:dependencies|events)/) { $ExecRuns{$1}++; } elsif ($ThisLine =~ /Exec\[(.+)\].+Triggered 'refresh' from [0-9]+ events/) { $ExecRuns{$1}++; } elsif ($ThisLine =~ /Service\[(.+)\].+ensure changed \'.+\' to \'running\'/) { $ServiceStarts{$1}++; } elsif ($ThisLine =~ /Service\[(.+)\].+Trigger(?:ing|ed) 'refresh' from [0-9]+ (?:dependencies|events)/) { $ServiceStarts{$1}++; } elsif ($ThisLine =~ /Service\[(.+)\].+Triggered 'refresh' from [0-9]+ events/) { $ServiceStarts{$1}++; } elsif ($ThisLine =~ /Service\[(.+)\].+ensure changed \'.+\' to \'stopped\'/) { $ServiceStops{$1}++; } elsif ($ThisLine =~ /User\[(.+)\].+changed password/) { $PasswordChanged{$1}++; } elsif ($ThisLine =~ /User\[(.+)\].+defined \'expiry\' as \'([0-9-]{10})\'/) { $ExpiryChanged{$1}{$2}++; # Generic rules need to be last } elsif (($type, $name, $attr) = $ThisLine =~ /([^\/]+)\[([^\]]+)\]\/([^\/]+)\) (created|defined content)/) { $Created{$type}->{$name}++; } elsif (($type, $name, $attr) = $ThisLine =~ /([^\/]+)\[([^\]]+)\]\/([^\/]+)\) removed/) { $Removed{$type}->{$name}++; } elsif (($type, $name, $attr, $from, $to) = $ThisLine =~ /([^\/]+)\[([^\]]+)\]\/([^\/]+)\) .+ changed '(.*)' to '(.*)/) { if ($attr eq 'content' or $attr eq 'checksum') { # Only count these types of changes $Changed{$type}->{$name}->{$attr}++; } else { # Get details for all other types of changes $Changed{$type}->{$name}->{$attr}->{'from'} = $from; $Changed{$type}->{$name}->{$attr}->{'to'} = $to; } } elsif (($type, $name, $attr, $from) = $ThisLine =~ /([^\/]+)\[([^\]]+)\]\/([^\/]+)\) undefined '.+' from '(.*)'/) { $Changed{$type}->{$name}->{$attr}->{'from'} = $from; $Changed{$type}->{$name}->{$attr}->{'to'} = 'undefined'; } elsif (($type, $name, $content) = $ThisLine =~ /([^\/]+)\[([^\]]+)\]\/content\)(.*)/) { $content =~ s/#011/\t/g; $content =~ s/#012/\n /g or $content .= "\n "; $Changed{$type}->{$name}->{'contents'} .= $content; } elsif (($source, $target) = $ThisLine =~ /^\(\/(.*)\) Scheduling refresh of (.*)/) { $ScheduledRefresh{"$source -> $target"}++; } else { # Report any unmatched entries... $OtherList{$ThisLine}++; } } ####################################### if ($SuccessfulRuns > 0 && $Detail > 0) { print "\nSuccessful runs: $SuccessfulRuns\n"; } if ($FailedRuns > 0) { print "\nFailed runs: $FailedRuns\n"; } if (keys %Errors) { print "\nERRORS:\n"; foreach $ThisOne (keys %Errors) { print " $ThisOne: $Errors{$ThisOne} Time(s)\n"; } } foreach $failure (sort(keys %Failures)) { print "\nERROR: Could not $failure:\n"; foreach $ThisOne (keys %{$Failures{$failure}}) { print " $ThisOne: $Failures{$failure}->{$ThisOne} Time(s)\n"; } } if ($ResourceFailures > 0) { print "\nResource failures: $ResourceFailures\n"; } if ($DependencyFailures > 0) { print "\nDependency failures: $DependencyFailures\n"; } if (keys %Reparsed) { print "\nReparsed:\n"; foreach $ThisOne (keys %Reparsed) { print " $ThisOne: $Reparsed{$ThisOne} Time(s)\n"; } } if (keys %FileBucketed and $Detail >= 5) { print "\nFileBucketed files:\n"; foreach $ThisOne (keys %FileBucketed) { print " $ThisOne\n"; } } if (keys %InstalledPackages) { print "\nInstalled packages:\n"; foreach $ThisOne (keys %InstalledPackages) { print " $ThisOne: $InstalledPackages{$ThisOne} Time(s)\n"; } } if (keys %ChangedPackages) { print "\nChanged packages:\n"; foreach $ThisOne (keys %ChangedPackages) { print " $ThisOne: $ChangedPackages{$ThisOne} Time(s)\n"; } } if (keys %RemovedPackages) { print "\nRemoved packages:\n"; foreach $ThisOne (keys %RemovedPackages) { print " $ThisOne: $RemovedPackages{$ThisOne} Time(s)\n"; } } if (keys %ExecRuns) { print "\nExec runs:\n"; foreach $ThisOne (keys %ExecRuns) { print " $ThisOne: $ExecRuns{$ThisOne} Time(s)\n"; } } if (keys %ServiceStarts) { print "\nService starts:\n"; foreach $ThisOne (keys %ServiceStarts) { print " $ThisOne: $ServiceStarts{$ThisOne} Time(s)\n"; } } if (keys %ServiceStops) { print "\nService stops:\n"; foreach $ThisOne (keys %ServiceStops) { print " $ThisOne: $ServiceStops{$ThisOne} Time(s)\n"; } } if (keys %PasswordChanged) { print "\nPassword changed:\n"; foreach $ThisOne (keys %PasswordChanged) { print " $ThisOne: $PasswordChanged{$ThisOne} Time(s)\n"; } } if (keys %ExpiryChanged) { print "\nExpiry changed:\n"; foreach $ThisOne (keys %ExpiryChanged) { print " $ThisOne:\n"; foreach $date (keys %{${ExpiryChanged}{$ThisOne}}) { print " $date: $ExpiryChanged{$ThisOne}{$date} Time(s)\n"; } } } foreach $Type (sort(keys %Created)) { print "\n$Type created:\n"; foreach $Name (sort(keys %{$Created{$Type}})) { print " $Name: $Created{$Type}->{$Name} Time(s)\n"; } } foreach $Type (sort(keys %Changed)) { print "\n$Type changed:\n"; foreach $Name (sort(keys %{$Changed{$Type}})) { print " $Name:\n"; foreach $Attr (sort(keys %{$Changed{$Type}->{$Name}})) { if ($Attr eq 'contents') { if ($Detail >= 3) { print " $Attr:"; print "$Changed{$Type}->{$Name}->{$Attr}\n"; } } else { print " $Attr: "; if (defined($Changed{$Type}->{$Name}->{$Attr}->{'from'})) { print "from '$Changed{$Type}->{$Name}->{$Attr}->{from}' to '$Changed{$Type}->{$Name}->{$Attr}->{to}'\n"; } else { print "$Changed{$Type}->{$Name}->{$Attr} Time(s)\n"; } } } } } foreach $Type (sort(keys %Removed)) { print "\n$Type removed:\n"; foreach $Name (sort(keys %{$Removed{$Type}})) { print " $Name: $Removed{$Type}->{$Name} Time(s)\n"; } } if (keys %ScheduledRefresh) { print "\nScheduled refresh:\n"; foreach $ThisOne (keys %ScheduledRefresh) { print " $ThisOne: $ScheduledRefresh{$ThisOne} Time(s)\n"; } } if (keys %OtherList) { print "\n**Unmatched Entries**\n"; foreach $ThisOne (keys %OtherList) { print " $ThisOne: $OtherList{$ThisOne} Time(s)\n"; } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/zz-runtime0000644000000000000000000000013212664334617020626 xustar0030 mtime=1456585103.187364015 30 atime=1456586568.792190759 30 ctime=1456586568.792190759 ./logwatch-7.4.2/scripts/services/zz-runtime0000644000175000001440000000330512664334617021723 0ustar00generalusers00000000000000########################################################################## # $Id: zz-runtime 150 2013-06-18 22:19:38Z mtremaine $ ########################################################################## # $Log: zz-runtime,v $ # Revision 1.3 2008/03/24 23:31:27 kirk # added copyright/license notice to each script # # Revision 1.2 2007/04/28 23:47:13 bjorn # Added show_runtime variable. # # Revision 1.1 2007/03/17 19:28:42 bjorn # Added zz-runtime for runtime statistics. Currently prints uptime, # per Jason Sjobeck's proposal. # ########################################################################## ####################################################### ## Copyright (c) 2008 Kirk Bauer ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### my $uptime=`uptime`; my $show_uptime = $ENV{'show_uptime'} || 0; if (($ENV{'PRINTING'} eq "y" ) && $show_uptime && $uptime) { print "\nUptime: $uptime\n"; } # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/samba0000644000000000000000000000012612664334617017570 xustar0030 mtime=1456585103.195363976 28 atime=1456586568.7841908 28 ctime=1456586568.7841908 ./logwatch-7.4.2/scripts/services/samba0000755000175000001440000006324312664334617020674 0ustar00generalusers00000000000000########################################################################## # $Id: samba 150 2013-06-18 22:19:38Z mtremaine $ ########################################################################## # $Log: samba,v $ # Revision 1.31 2008/05/06 22:29:58 mike # A few more filters -mgt # # Revision 1.30 2008/03/24 23:31:26 kirk # added copyright/license notice to each script # # Revision 1.29 2007/05/18 15:20:44 bjorn # Additional filtering, by MichaÅ‚ Panasiewicz. # # Revision 1.28 2007/05/16 16:37:55 bjorn # Correction on wrong password regexp, by MichaÅ‚ Panasiewicz. # # Revision 1.27 2007/05/15 04:23:49 bjorn # Additional filtering, by MichaÅ‚ Panasiewicz. # # Revision 1.26 2007/05/14 04:11:43 bjorn # Additional filtering, by MichaÅ‚ Panasiewicz. # # Revision 1.25 2007/04/15 19:15:44 bjorn # Improved no-service and added opened-files, by Roman Rybalko. # # Revision 1.24 2006/04/20 00:17:33 bjorn # Additional samba filtering (connections refused, files created) by Ivana # Varekova. # # Revision 1.23 2005/11/22 18:37:56 bjorn # Detecting invalid SID, by Ivana Varekova. # # Revision 1.22 2005/02/24 17:08:05 kirk # Applying consolidated patches from Mike Tremaine # # Revision 1.8 2005/02/21 04:07:36 mgt # Removed ignore for connect -mgt # # Revision 1.7 2005/02/21 03:28:44 mgt # Added patch from Anssi Kolehmained for host connections -mgt # # Revision 1.6 2005/02/16 00:43:28 mgt # Added #vi tag to everything, updated ignore.conf with comments, added emerge and netopia to the tree from Laurent -mgt # # Revision 1.5 2004/10/06 21:39:34 mgt # Patches from Pawel and Kenneth -mgt # # Revision 1.4 2004/07/29 19:33:29 mgt # Chmod and removed perl call -mgt # # Revision 1.3 2004/07/10 01:54:35 mgt # sync with kirk -mgt # # Revision 1.19 2004/06/23 15:01:17 kirk # - Added more patches from blues@ds.pg.gda.pl # # Revision 1.18 2004/02/03 02:45:26 kirk # Tons of patches, and new 'oidentd' and 'shaperd' filters from # Pawe? Go?aszewski" # ########################################################################## ####################################################### ## Copyright (c) 2008 Kirk Bauer ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### $Debug = $ENV{'LOGWATCH_DEBUG'}; $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; $SocketReadError = 0; $SocketWriteError = 0; $DbOpenFail = 0; $DbCorrupt = 0; $GetDomainMasterStatusFail = 0; %SIDnotvalid; %RefConnect; %CrFile; if ( $Debug >= 5 ) { print STDERR "\n\nDEBUG: Inside Samba Filter \n\n"; } while (defined($ThisLine = )) { chomp($ThisLine); if ( ($ThisLine =~ /smbd\/server\.c:open_sockets_smbd\(\d+\) Reloading services after SIGHUP/) or ($ThisLine =~ /lib\/util_sock\.c:get_peer_addr\(\d+\) getpeername failed\. Error was (Transport endpoint|Socket) is not connected/) or ($ThisLine =~ /add_domain_logon_names/) or ($ThisLine =~ /become_domain_master/) or ($ThisLine =~ /become_local_master/) or ($ThisLine =~ /become_logon_server/) or ($ThisLine =~ /cli_connect\(783\) Error connecting to [^ ]+ \(Operation already in progress\)$/) or ($ThisLine =~ /closed connection to/) or ($ThisLine =~ /Connection reset by peer/) or ($ThisLine =~ /Connection timed out/) or ($ThisLine =~ /current master browser/) or ($ThisLine =~ /Currently not implemented/) or ($ThisLine =~ /debug_message/) or ($ThisLine =~ /get_socket_addr\(\d+\) getpeername failed. Error was Transport endpoint is not connected$/) or ($ThisLine =~ /Got SIGHUP dumping debug info.$/) or ($ThisLine =~ /Got SIGTERM: going down/) or ($ThisLine =~ /matchname/i) or ($ThisLine =~ /Multiple .+ responses received for a query/) or ($ThisLine =~ /nmbd\/nmbd_incomingdgrams\.c:process_local_master_announce\(\d+\)$/) or ($ThisLine =~ /nmbd_incomingrequests\.c:process_name_refresh_request\([0-9]+\)$/) or ($ThisLine =~ /nmbd_namelistdb\.c:standard_success_release\(\d+\) standard_success_release: Name release for name/) or ($ThisLine =~ /No route to host/) or ($ThisLine =~ /Operation not permitted/) or ($ThisLine =~ /oplock[_ ]break/) or ($ThisLine =~ /process_local_message: unknown UDP message command code \(.+\) - ignoring./) or ($ThisLine =~ /process_name_refresh_request\(184\) Error - should be sent to WINS server$/) or ($ThisLine =~ /Record does not exist/) or ($ThisLine =~ /response packet id \d+ received with no matching record/) or ($ThisLine =~ /Failed to resend packet id \d+ to IP/) or ($ThisLine =~ /smbd\/process\.c:process_smb\(\d+\)$/) or ($ThisLine =~ /smbmount/) or ($ThisLine =~ /start_async_dns/) or ($ThisLine =~ /timeout connecting to/) or ($ThisLine =~ /version .+ started/) or ($ThisLine =~ /lib\/account_pol\.c:account_policy_get\(204\) account_policy_get: tdb_fetch_uint32 failed for field \d+ \(.*\), returning 0/ ) or ($ThisLine =~ /lib\/access\.c:check_access\(\d+\)$/) or ($ThisLine =~ /lib\/access\.c:check_access\(\d+\) Allowed connection from/) or ($ThisLine =~ /smbd\/close\.c:close_normal_file\(\d+\) .+ closed file/) or ($ThisLine =~ /smbd\/open\.c:open_file\(\d+\) .+ opened file/) or ($ThisLine =~ /smbd\/process.c:timeout_processing\(\d+\) Closing idle connection/) or ($ThisLine =~ /nmbd\/nmbd_browsesync\.c:sync_with_dmb\(\d+\) sync_with_dmb: Initiating sync with domain master browser/) or ($ThisLine =~ /param\/loadparm\.c:do_section\(\d+\) Processing section/) or ($ThisLine =~ /lib\/interface\.c:add_interface\(\d+\) added interface/) or ($ThisLine =~ /smbd\/reply\.c:reply_tcon_and_X\(\d+\) Serving .+ as a Dfs root/) or ($ThisLine =~ /smbd\/reply\.c:reply_special\(\d+\) netbios connect: name1=.+ /) or ($ThisLine =~ /nmbd\/nmbd_browsesync\.c:announce_local_master_browser_to_domain_master_browser\(\d+\) announce_local_master_browser_to_domain_master_browser: We are both a domain and a local master browser for workgroup .+ /) or ($ThisLine =~ /auth\/auth\.c:check_ntlm_password\(\d+\) check_ntlm_password: authentication for user \[.+\] -> \[.+\] -> \[.+\] succeeded/) or ($ThisLine =~ /rpc_server\/srv_samr_nt\.c:_samr_lookup_domain\(d+\) Returning domain sid for domain ([^ ]) -> ([^ ])/) or ($ThisLine =~ /===============================================================/) ) { #Don't care about these... } elsif ( ($Host, undef, $Service, undef, $User) = ( $ThisLine =~ /([^ ]+ \([^ ]+\)) (signed |)connect to service ([^ ]+) (initially |)as user ([^ ]+)/) ) { $CurrentHost=$Host; $Connect{$Service}{$User}{$Host}++; } elsif ( ($Host,$NoService) = ( $ThisLine =~ /([^ ]+ \([^ ]+\)) couldn't find service (\S+)/ ) ) { $NoServ{$Host}{$NoService}++; } elsif ($ThisLine =~ s/Denied connection from\s+\((\S+)\)([ *]+|)$/$1/) { $Denied{$ThisLine}++; } elsif ($ThisLine =~ s/ Connection denied from\s+(\S+)$/$1/) { $Denied{$ThisLine}++; } elsif ( ($Where,$Ip,$Browser) = ($ThisLine =~ /(.*) Denied connection from \(([^ ]+)\) Doing a node status request to the domain master browser at IP ([^ ]+) failed. Cannot get workgroup name./ ) ) { $Temp = "$Where ($Ip)"; $Denied{$Temp}++; $CantGetGroup{$Browser}++; } elsif ( ($Where,$Ip,$Name,$Group,$Subnet) = ($ThisLine =~ /(.*) Denied connection from \(([^ ]+)\) [ *]+Samba name server ([^ ]+) is now a local master browser for workgroup ([^ ]+) on subnet ([^ ]+)/ ) or ($Where,$Ip,$Name,$Group,$Subnet) = ($ThisLine =~ /(.*) Denied connection from \(([^ ]+)\) [ *]+Samba name server ([^ ]+) has stopped being a local master browser for workgroup ([^ ]+) on subnet ([^ ]+)/ ) ) { $Temp = "$Where ($Ip)"; $Denied{$Temp}++; $BeLocalMaster{$Subnet}{$Group}{$Name}++; } elsif (($User) = $ThisLine =~ /rejected invalid user ([^ ]+)/ ) { $InvalidUser{$User}++; } elsif (($User) = $ThisLine =~ /Authentication for user ([^ ]+) -> ([^ ]+) FAILED with error NT_STATUS_WRONG_PASSWORD/ ) { $WrongPassword{$User}++; } elsif (($User) = $ThisLine =~ /Couldn't find user '([^ ]+)'/) { $NotFoundUser{$User}++; } elsif (($User) = $ThisLine =~ /pdb_smbpasswd\.c:build_sam_account\(\d+\) build_sam_account: smbpasswd database is corrupt! username ([^ ]+) not in unix passwd database!/ ) { $NotFoundUser{$User}++; $DbOpenFail++; $DbCorrupt++; } elsif (($User) = $ThisLine =~ /Rejecting user '([^ ]+)'/) { $RejectedUser{$User}++; } elsif ( ( $ThisLine =~ /lib\/util_sock.c:read_data\(436\)/ ) ) { # This is due to a nasty bug in samba which causes it to drop connections :-( $SocketReadError++; } elsif ( ( $ThisLine =~ /lib\/util_sock.c:write_socket\(\d+\) write_socket: Error writing \d bytes to socket/ ) or ( $ThisLine =~ /lib\/util_sock.c:write_socket_data\(\d+\) write_socket_data: write failure./ ) or ( $ThisLine =~ /lib\/util_sock.c:send_smb\(\d+\) Error writing \d+ bytes to client. / ) ) { # Something more generic should be here $SocketWriteError++; } elsif ( ( $ThisLine =~ /unable to open passdb database.$/ ) or ( $ThisLine =~ / get_sampwd_entries: Unable to open passdb.$/ ) ) { $DbOpenFail++; } elsif ( ($Name,$Group,$Subnet) = ( $ThisLine =~ /pdb_smbpasswd.c:pdb_getsampwnam\(\d+\) unable to open passdb database\. [ *]+Samba name server ([^ ]+) is now a local master browser for workgroup ([^ ]+) on subnet ([^ ]+) / )) { $Temp = "$Where ($Ip)"; $DbOpenFail++; $BeLocalMaster{$Subnet}{$Group}{$Name}++; } elsif ( ($Server,$Ip,$Group) = ($ThisLine =~ /Server ([^ ]+) at IP ([^ ]+) is announcing itself as a local master browser for workgroup ([^ ]+) and we think we are master. Forcing election.$/ ) ) { $Temp = $Server . "(" . $Ip . ")"; $ForceElection{$Group}{$Temp}++; } elsif ( (undef,$Command,$Server,$Ip,undef) = ($ThisLine =~ /([^ ]+): unicast name ([^ ]+) request received for name ([^ ]+) from IP ([^ ]+) on subnet (.*)\./ ) ) { $Temp = "$Command on subnet $Subnet : $Server ($Ip)"; $Temp = "$Command on subnet $Subnet : $Server ($Ip)"; $UnicastRegister{$Temp}++; } elsif ( ($Group,$Subnet) = ($ThisLine =~ /standard_fail_register: Failed to register\/refresh name ([^ ]+) on subnet ([^ ]+)$/ ) ) { $FailedRegister{$Subnet}{$Group}++; } elsif ( ($Ip,$Group,undef) = ($ThisLine =~ /register_name_response: server at IP ([^ ]+) rejected our name registration of ([^ ]+) with error code ([^ ]+)\.$/ ) ) { $RejectRegister{$Group}{$Ip}++; } elsif ( ($Ip) = ($ThisLine =~ /get_domain_master_name_node_status_fail: Doing a node status request to the domain master browser at IP ([^ ]+) failed\. Cannot get workgroup name\.$/ ) ) { $CantGetGroup{$Ip}++; } elsif ( ($Signal,undef,$Version) = ($ThisLine =~ /INTERNAL ERROR: Signal ([^ ]+) in pid ([^ ]+) \(([^ ]+)\) Please read the file BUGS.txt in the distribution$/ ) ) { $Temp = "Version $Version with signal $Signal"; $Crash{$Temp}++; } elsif ( ($Error) = ($ThisLine =~ /util.c:smb_panic\(\d+\) (PANIC: internal error)$/ ) ) { $Crash{$Error}++; } elsif ( ( $ThisLine =~ /get_domain_master_name_node_status_fail\(([^ ]+)\)/ ) ) { $GetDomainMasterStatusFail++; } elsif ( ($User) = ($ThisLine =~ /pass_check_smb\(552\) Account for user '([^ ]+)' was disabled.$/) ) { $AccountDisabled{$User}++; } elsif ( ($Version) = ($ThisLine =~ /Discarding invalid wins\.dat file \[(.*)\]$/) ) { $DiscardWins{$Version}++; } elsif ( ($user,$ip,$dir) = ($ThisLine =~ /smbd\/service.c:make_connection\([0-9]+\) ([a-zA-Z]+) \(([\d.]+)\) Can't change directory to ([a-zA-Z_\/]+) \(Permission denied\)$/)) { $PermissionDenied{$user}{$ip}{$dir}++; } elsif ( ($user) = ($ThisLine =~ /smbd\/service.c:make_connection\([0-9]+\) make_connection: ([a-zA-Z_-]+) logged in as admin user \(root privileges\)$/)) { $RootLoggedIn{$user}++; } elsif ( ($file,$function) = ($ThisLine =~ /([a-zA-Z_\/():\.0-9-]+) ([a-zA-Z0-9_-]+): Not yet implemented.$/)) { $NotImplemented{$file}{$function}++; } elsif ( ($User,$Ip,$Directory,$Reason) = ($ThisLine =~ /service.c:make_connection\([0-9]+\) ([^ ]+) \(([^ ]+)\) Can't change directory to ([^ ]+) \((.*)\)/)) { $Temp = "Netbios name $User on $Ip"; $CantChangeDir{$Directory}{$Reason}{$Temp}++; } elsif ( ($Signal) = ($ThisLine =~ /open_sockets\([0-9]+\) Reloading services after ([^ ]+)/)) { $ReloadAfter{$Signal}++; } elsif ( ($Signal) = ($ThisLine =~ /open_sockets\([0-9]+\) Got ([^ ]+)/)) { $ReloadAfter{$Signal}++; } elsif ( ($Share,$Reason) = ($ThisLine =~ /cups_printername_ok\([0-9]+\) (Unable to get printer status for [^ ]+) - ([^ ]+)/)) { $PrinterStatus{$Share}{$Reason}++; } elsif ( ($Share,$Reason) = ($ThisLine =~ /cups_queue_get\([0-9]+\) (Unable to get jobs for [^ ]+) - ([^ ]+)/)) { $PrinterStatus{$Share}{$Reason}++; } elsif ( $ThisLine =~ m/main\([0-9]+\) ERROR: Failed when creating subnet lists. Exiting./) { $SubnetFail{"Failed when creating subnet lists"}++; } elsif ( $ThisLine =~ m/create_subnets\([0-9]+\) create_subnets: No local interfaces !/) { $SubnetFail{"No local interfaces"}++; } elsif ( $ThisLine =~ m/reload_interfaces: No subnets to listen to. Shutting down.../) { $SubnetFail{"No subnets to listen to. Shutting down."}++; } elsif ( $ThisLine =~ s/process_get_backup_list_request\([0-9]+\) process_get_backup_list_request: (.*)/$1/) { $GetBacupList{$ThisLine}++; } elsif ( ($Error) = ($ThisLine =~ /brl_init\([0-9]+\) (Failed to open byte range locking database)$/)) { $LockDbError{$Error}++; } elsif ( ($Error) = ($ThisLine =~ /locking_init\([0-9]+\) ERROR: (Failed to initialise locking database)$/)) { $LockDbError{$Error}++; } elsif ( ($SID,$dsid) = ($ThisLine =~ /User administrator has Primary Group SID ([^ ]+), which conflicts with the domain sid ([^ ]+). Failing operation.$/)) { $SIDnotvalid{"$SID,$dsid"}++; } elsif ( ($Addr) = ($ThisLine =~ /libsmb\/cliconnect.c:cli_connect\([0-9]+\) Error connecting to ([0-9.]*) \(Connection refused\)/)) { $RefConnect{$Addr}++; } elsif ( ($Name) = ($ThisLine =~ /passdb\/pdb_smbpasswd.c:startsmbfilepwent\([0-9]+\) startsmbfilepwent_internal: file ([^ ]*) did not exist. File successfully created./)) { $CrFile{$Name}++; } elsif ( ($user,$file,$read,$write) = ($ThisLine =~ /(\S+) opened file (\S+) read=(\w+) write=(\w+)/)) { $OpenFile{$CurrentHost}{$user}{$file}{($read=~/Y/?"R":"").($write=~/Y/?"W":"")}++; } elsif ( ($Location,$Reason) = ($ThisLine =~ /tdb_log\([0-9]+\) tdb\(([^ ]+)\): tdb_reopen: (open failed \([^ ]+\))/)) { $LockDbError{"$Location - $Reason"}++; } else { # Report any unmatched entries... $OtherList{$ThisLine}++; #TODO: #smbd/oplock.c:process_local_message(418) process_local_message: unknown UDP message command code (424d) - ignoring. #smbd/process.c:switch_message(662) Non-SMB packet of length 156. Terminating server #smbd/process.c:switch_message(662) Non-SMB packet of length 133. Terminating server #libsmb/nmblib.c:send_udp(756) Packet send failed to 153.19.207.127(138) ERRNO=Invalid argument #lib/util_sock.c:read_data(436) read_data: read failure for 4. Error = Brak drogi do systemu #lib/util_sock.c:get_peer_addr(1229) getpeername failed. Error was Drugi koniec nie jest po³±czony #lib/util_sock.c:open_socket_out(911) error connecting to 192.168.0.101:445 (Po³±czenie odrzucone) #lib/util_sock.c:read_data(534) read_data: read failure for 4 bytes to client 192.168.0.51. Error = Przekroczony czas oczekiwania na po³±czenie #lib/util_sock.c:write_data(562) write_data: write failure in writing to client 0.0.0.0. Error Po³±czenie zerwane przez drug± stronê #libsmb/cliconnect.c:cli_start_connection(1445) session request to P1 failed (Called name not present) #printing/printing.c:start_background_queue(1419) #printing/printing.c:start_background_queue(1419) Reloading services after SIGHUP #rpc_server/srv_spoolss_nt.c:spoolss_connect_to_client(2551) spoolss_connect_to_client: connection to [P1] failed! #smbd/sesssetup.c:setup_new_vc_session(799) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources #smbd/utmp.c:sys_utmp_update(419) utmp_update: uname:/var/run/utmp wname:/var/log/wtmp } } ######################################### # if (keys %Crash) { print "\nWARNING!!!!!!\n"; print "Server crashed:\n"; foreach $Dead (sort {$a cmp $b} keys %Crash) { print " $Dead : $Crash{$Dead} Time(s)\n"; } } if (keys %SubnetFail) { print "\nWARNING!!!!!!\n"; print "Errors when creating subnets:\n"; foreach $Error (sort {$a cmp $b} keys %SubnetFail) { print " $Error : $SubnetFail{$Error} Time(s)\n"; } } if (keys %ReloadAfter) { print "\nReloaded services after signal:\n"; foreach $Signal (sort {$a cmp $b} keys %ReloadAfter) { print " $Signal : $ReloadAfter{$Signal} Time(s)\n"; } } if (keys %DiscardWins) { print "\nDiscarded invalid wins.dat file with version:\n"; foreach $Version (sort {$a cmp $b} keys %DiscardWins) { print " $Version : $DiscardWins{$Version} Time(s)\n"; } } if (($Detail >= 5) and (keys %Connect)) { print "\nOpened Sessions:\n"; foreach $Serv (sort {$a cmp $b} keys %Connect) { print " Service $Serv as user:\n"; foreach $Us (sort {$a cmp $b} keys %{$Connect{$Serv}}) { print " $Us " . (" " x (10 - length ($Us))) . "from host"; $size = keys %{$Connect{$Serv}{$Us}}; if ($size >= 2) { print ":\n"; foreach $Ho (sort {$a cmp $b} keys %{$Connect{$Serv}{$Us}}) { print " $Ho : $Connect{$Serv}{$Us}{$Ho} Time(s)\n"; } } else { foreach $Ho (sort {$a cmp $b} keys %{$Connect{$Serv}{$Us}}) { print " $Ho " . (" " x (25 - length($Ho))) . ": $Connect{$Serv}{$Us}{$Ho} Time(s)\n"; } } } } } if (($Detail >= 5) and (keys %OpenFile)) { print "\nOpened Files:\n"; foreach $Host (sort {$a cmp $b} keys %OpenFile) { print " Host $Host:\n"; foreach $User (sort {$a cmp $b} keys %{$OpenFile{$Host}}) { foreach $File (sort {$a cmp $b} keys %{$OpenFile{$Host}{$User}}) { print " File \"$File\""; foreach $Mode (sort {$a cmp $b} keys %{$OpenFile{$Host}{$User}{$File}}) { print " $Mode: $OpenFile{$Host}{$User}{$File}{$Mode} Time(s)"; } print "\n"; } } } } if (keys %Denied) { print "\nConnections Denied:\n"; foreach $Line (sort {$a cmp $b} keys %Denied) { print " $Line : $Denied{$Line} Time(s)\n"; } } if (keys %RefConnect) { print "\nConnections Refused\n"; foreach $Line (keys %RefConnect) { print " Connection refused by $Line : $RefConnect{$Line} Time(s)\n"; } } if (keys %CrFile) { print "\nCreated files\n"; foreach $Line (keys %CrFile) { print " file $Line did not exist. File succesfully created: $CrFile{$Line} Time(s)\n"; } } if (($Detail >= 5) and (keys %PermissionDenied)) { print "\nPermission denied:\n"; foreach $user (sort {$a cmp $b} keys %PermissionDenied) { foreach $ip (sort {$a cmp $b} keys %{$PermissionDenied{$user}}) { foreach $dir (sort {$a cmp $b} keys %{$PermissionDenied{$user}{$ip}}) { print " Permission denied (user $user from $ip) directory $dir: $PermissionDenied{$user}{$ip}{$dir} Time(s)\n"; } } } } if (keys %PrinterStatus) { print "\nPrinter Errors:\n"; foreach $Share (sort {$a cmp $b} keys %PrinterStatus) { print " $Share:\n"; foreach $Reason (sort {$a cmp $b} keys %{$PrinterStatus{$Share}}) { print " $Reason : $PrinterStatus{$Share}{$Reason} Time(s)\n"; } } } if (($Detail >= 5) and (keys %RootLoggedIn)) { print "\nAdmin logins (root privileges):\n"; foreach $user (sort {$a cmp $b} keys %RootLoggedIn) { print " User $user: $RootLoggedIn{$user} Time(s)\n"; } } if (($Detail >= 9) and (keys %NotImplemented)) { print "\nNot implemented functions:\n"; foreach $file (sort {$a cmp $b} keys %NotImplemented) { foreach $func (sort {$a cmp $b} keys %{$NotImplemented{$file}}) { print " Function $func in $file: $NotImplemented{$file}{$func} Time(s)\n"; } } } if (keys %ForceElection) { print "\nForced Election:\n"; foreach $Group (sort {$a cmp $b} keys %ForceElection) { print " In workgroup $Group when announced server was:\n"; foreach $Host (sort {$a cmp $b} keys %{$ForceElection{$Group}}) { print " $Host : $ForceElection{$Group}{$Host} Time(s)\n"; } } } if (keys %BeLocalMaster) { print "\nChanged Local Master Browser:\n"; foreach $Subnet (sort {$a cmp $b} keys %BeLocalMaster) { print " On subnet $Subnet:\n"; foreach $Group (sort {$a cmp $b} keys %{$BeLocalMaster{$Subnet}}) { print " For workgroup $Group:\n"; foreach $Name (sort {$a cmp $b} keys %{$BeLocalMaster{$Subnet}{$Group}}) { print " $Name : $BeLocalMaster{$Subnet}{$Group}{$Name} Time(s)\n"; } } } } if (keys %CantGetGroup) { print "\nCannot get workgroup name from domain name browser:\n"; foreach $Ip (sort {$a cmp $b} keys %CantGetGroup) { print " $Ip : $CantGetGroup{$Ip} Time(s)\n"; } } if ($GetDomainMasterStatusFail > 0) { print "\nFailed to get Domain Master node name: $GetDomainMasterStatusFail Time(s)\n"; } if (keys %GetBacupList) { print "\nBackup list requests:\n"; foreach $Request (sort {$a cmp $b} keys %GetBacupList) { print " $Request : $GetBacupList{$Request} Time(s)\n"; } } if (($Detail >= 5) and (keys %NoServ)) { print "\nCouldn't find services:\n"; foreach $Host (sort {$a cmp $b} keys %NoServ) { print " Host: $Host\n"; foreach $ThisOne (sort {$a cmp $b} keys %{$NoServ{$Host}}) { print " $ThisOne : $NoServ{$Host}{$ThisOne} Time(s)\n"; } } } if (($Detail >= 5) and (keys %UnicastRegister)) { print "\nUnicast name requests:\n"; foreach $ThisOne (sort {$a cmp $b} keys %UnicastRegister) { print " $ThisOne : $UnicastRegister{$ThisOne} Time(s)\n"; } } if (keys %FailedRegister) { print "\nFailed to register/refresh:\n"; foreach $Subnet (sort {$a cmp $b} keys %FailedRegister) { print " On subnet $Subnet:\n"; foreach $Group (sort {$a cmp $b} keys %{$FailedRegister{$Subnet}}) { print " $Group : $FailedRegister{$Subnet}{$Group} Time(s)\n"; } } } if (keys %RejectRegister) { print "\nRejected our name registration:\n"; foreach $Group (sort {$a cmp $b} keys %RejectRegister) { print " Name $Group at IP:\n"; foreach $Ip (sort {$a cmp $b} keys %{$RejectRegister{$Group}}) { print " $Ip : $RejectRegister{$Group}{$Ip} Time(s)\n"; } } } if ($DbOpenFail > 0) { print "\nFailed to open passwd database: $DbOpenFail Time(s)\n"; } if ($DbCorrupt > 0) { print "smbpasswd database corrupt: $DbOpenFail Time(s)\n"; } if (keys %InvalidUser) { print "\nInvalid Users:\n"; foreach $Line (sort {$a cmp $b} keys %InvalidUser) { print " $Line : $InvalidUser{$Line} Time(s)\n"; } } if (keys %WrongPassword) { print "\nWrong Passwords:\n"; foreach $Line (sort {$a cmp $b} keys %WrongPassword) { print " $Line : $WrongPassword{$Line} Time(s)\n"; } } if (keys %NotFoundUser) { print "\nUsers not found in UNIX Database:\n"; foreach $Line (sort {$a cmp $b} keys %NotFoundUser) { print " $Line : $NotFoundUser{$Line} Time(s)\n"; } } if (keys %RejectedUser) { print "\nRejected Users:\n"; foreach $Line (sort {$a cmp $b} keys %RejectedUser) { print " $Line : $RejectedUser{$Line} Time(s)\n"; } } if (keys %AccountDisabled) { print "\nAccounts disabled:\n"; foreach $User (sort {$a cmp $b} keys %AccountDisabled) { print " $User : $AccountDisabled{$User} Time(s)\n"; } } if (keys %CantChangeDir) { print "\nCan't change directory while browsing:\n"; foreach $Directory (sort {$a cmp $b} keys %CantChangeDir) { print " $Directory:\n"; foreach $Reason (sort {$a cmp $b} keys %{$CantChangeDir{$Directory}}) { print " $Reason:\n"; foreach $Entry (sort {$a cmp $b} keys %{$CantChangeDir{$Directory}{$Reason}}) { print " $Entry : $CantChangeDir{$Directory}{$Reason}{$Entry} Time(s)\n"; } } } } if ($SocketReadError > 0) { print "\nSocket Read Error (Samba bug): $SocketReadError Time(s)\n"; } if (keys %LockDbError) { print "\nLocking Database error:\n"; foreach $Error (sort {$a cmp $b} keys %LockDbError) { print " $Error : $LockDbError{$Error} Time(s)\n"; } } if (keys %SIDnotvalid) { print ("\nSID is not valid for the domain\n"); foreach $SIDLog (keys %SIDnotvalid) { ($SID,$dsid) = split(",",$SIDLog); print " User administrator Primary Group SID ($SID) conflicts with the domain sid ($dsid): $SIDnotvalid{$SIDLog} Time(s) \n"; } } if (($Detail >= 10) and keys %OtherList) { print "\n**Unmatched Entries**\n"; foreach $Line (sort {$a cmp $b} keys %OtherList) { print "$Line : $OtherList{$Line} Time(s)\n"; } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/eximstats0000644000000000000000000000013212664334617020523 xustar0030 mtime=1456585103.143364225 30 atime=1456586568.776190839 30 ctime=1456586568.776190839 ./logwatch-7.4.2/scripts/services/eximstats0000644000175000001440000000370412664334617021623 0ustar00generalusers00000000000000########################################################################## # $Id: eximstats 150 2013-06-18 22:19:38Z mtremaine $ ########################################################################## # This is a wrapper for the eximstats program # # Please send all comments, suggestions, bug reports, # etc, to jeff.frost@frostconsultingllc.com and # logwatch-devel@lists.sourceforge.net ######################################################## ######################################################## ## Copyright (c) 2008 Jeff Frost ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### use Logwatch ':all'; $Debug = $ENV{'LOGWATCH_DEBUG'} || 0; $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my $SearchDate = TimeFilter("%Y-%m-%d %H:%M:%S"); if ( $Debug >= 5 ) { print STDERR "\n\nDEBUG: Inside eximstats Filter \n\n"; $DebugCounter = 1; } open(EXIMSTATS,"| $ENV{'eximstats'}"); while (defined($ThisLine = )) { next unless $ThisLine =~ /^$SearchDate /o; if ( $Debug >= 5 ) { print STDERR "DEBUG($DebugCounter): $ThisLine"; $DebugCounter++; } print EXIMSTATS $ThisLine; } close EXIMSTATS; exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/stunnel0000644000000000000000000000013212664334617020172 xustar0030 mtime=1456585103.171364091 30 atime=1456586568.788190779 30 ctime=1456586568.788190779 ./logwatch-7.4.2/scripts/services/stunnel0000755000175000001440000001324312664334617021274 0ustar00generalusers00000000000000#!/usr/bin/perl ########################################################################## # $Id: stunnel 266 2014-11-12 10:29:44Z stefjakobs $ ########################################################################## ####################################################### ## Copyright (c) 2008 Kirk Bauer ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### $^W=1; use strict; my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my $DebugCounter = 0; my $Top = $ENV{'stunnel_print_top'} || 20; if ( $Debug >= 5 ) { print STDERR "\n\nDEBUG: Inside stunnel Filter \n\n"; $DebugCounter = 1; } my @OtherList = (); my %OtherList = (); my %connections = (); my %versioninfo = (); my %errors = (); my %notices = (); my $sockdata = 0; my $ssldata = 0; sub other { my $msg = shift; unless (exists $OtherList{$msg}) { $OtherList{$msg} = 1; push(@OtherList, $msg); } else { $OtherList{$msg}++; } } my $ThisLine; while (defined($ThisLine = )) { $ThisLine =~ s/LOG\d\[\d{1,5}:\d{15}\]: (.*)/$1/; if ( $Debug >= 5 ) { print STDERR "DEBUG($DebugCounter): $ThisLine"; $DebugCounter++; } chomp($ThisLine); my $origline = $ThisLine; if ($ThisLine =~ m/^(.+) connected from (\d+\.\d+\.\d+\.\d+)/) { my $service = $1; my $ip = $2; if (! exists($connections{$service}{$ip})) { $connections{$service}{$ip} = 0; } ++$connections{$service}{$ip}; } elsif ($ThisLine =~ m/^Connection (reset|closed): (\d+) bytes sent to SSL, (\d+) bytes sent to socket/) { $ssldata += $2; $sockdata += $3; } elsif ($ThisLine =~ m/^Connection (reset|closed)/) { # ignore } elsif ($ThisLine =~ m/^connect_blocking: connected/) { # ignore } elsif ($ThisLine =~ m/^connect_blocking: getsockopt ([0-9a-fA-F.:]+: Connection refused) \(\d+\)$/) { $errors{"connect_blocking: $1"}++; } elsif ($ThisLine =~ m/^(?:remote socket|local socket|accept): (Too many open files) \(\d+\)$/) { $errors{"$1: increase the maximum number of open file descriptors"}++; } elsif ($ThisLine =~ m/^Log file reopened$/) { # ignore } elsif ($ThisLine =~ m/^SSL socket closed on SSL_read with \d+ byte\(s\) in buffer$/) { # ignore } elsif ($ThisLine =~ m/^stunnel [\d\.]+ on [\w\-]+ [\w\+]+ with OpenSSL [\w\.]+ \d+ \w+ \d+/) { $versioninfo{$ThisLine} = 1; } elsif ($ThisLine =~ m/^Service (\S+) accepted connection from ([0-9a-fA-F.:]+):\d{1,5}/) { $connections{$1}{$2}++; } elsif ($ThisLine =~ m/^Service (\S+) connected remote server from ([0-9a-fA-F.:]+):\d{1,5}/) { $connections{"remote: $1"}{$2}++; } elsif ($ThisLine =~ m/^Error detected on (SSL|socket) \((read|write)\) file descriptor: (.*) \(\d+\)/) { $errors{"$1 $2 file descriptor: $3"}++; } elsif ($ThisLine =~ m/^(SSL_write: (?:Broken pipe|Connection reset by peer)) \(\d+\)$/) { $errors{"$1"}++; } elsif ($ThisLine =~ m/^transfer: s_poll_wait: TIMEOUTclose exceeded: closing$/) { $notices{"TIMEOUTclose exceeded: closing connection"}++; } elsif ($ThisLine =~ m/^(SSL_(?:accept|read|shutdown): .*|getpeerbyname: .*)(?: \(\d+\))?$/) { $notices{$1}++; } else { # Report any unmatched entries... other($ThisLine); } } if (keys %errors) { print "\nErrors:\n"; foreach my $e (sort keys %errors) { printf " %-50s %6d time(s)\n", $e, $errors{$e}; } } if (keys %notices) { print "\nNotices:\n"; foreach my $n (sort keys %notices) { printf " %-50s %6d time(s)\n", $n, $notices{$n}; } } if (keys %connections) { print "\nconnections:\n"; foreach my $service (sort keys %connections) { print " $service\n"; my $ips = $connections{$service}; my $i = 0; foreach my $ip (sort {$connections{$service}{$b} <=> $connections{$service}{$a}} keys %{$connections{$service}}) { if ($i >= $Top) { printf " %-48s\n", "... only top $Top printed ..."; last; } else { printf " %-48s %6d time(s)\n", $ip, $connections{$service}{$ip}; $i++; } } } } if ($sockdata > 0) { if ($sockdata > 1024*1024) { printf "\n%-48s %10.2f MB\n", "amount of socket data transferred:", $sockdata / 1024 / 1024; } else { printf "\n%-48s %10.2f KB\n", "amount of socket data transferred:", $sockdata / 1024; } } if ($ssldata > 0) { if ($ssldata > 1024*1024) { printf "\n%-48s %10.2f MB\n", "amount of SSL data transferred:", $ssldata / 1024 / 1024; } else { printf "\n%-48s %10.2f KB\n", "amount of SSL data transferred:", $ssldata / 1024; } } if (keys %versioninfo) { print "\nversion information:\n"; foreach my $v (sort keys %versioninfo) { print " $v\n"; } } if (@OtherList) { print "\n**Unmatched Entries**\n"; for (@OtherList) { my $count = $OtherList{$_}; print "($count) $_\n"; } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/sendmail-largeboxes0000644000000000000000000000013212664334617022427 xustar0030 mtime=1456585103.147364207 30 atime=1456586568.788190779 30 ctime=1456586568.788190779 ./logwatch-7.4.2/scripts/services/sendmail-largeboxes0000755000175000001440000000507012664334617023530 0ustar00generalusers00000000000000########################################################################## # $Id: sendmail-largeboxes 150 2013-06-18 22:19:38Z mtremaine $ ########################################################################## ####################################################### ## Copyright (c) 2008 Colin Smith ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### use strict; use POSIX; my $SPOOLDIR = ''; my $sizethresh = defined $ENV{sendmail_largeboxes_size} ? uc $ENV{sendmail_largeboxes_size} : 40960000; my $title = "Large Mailbox threshold: $sizethresh"; my $sizebytes = $sizethresh; if ($sizethresh =~ /^(\d+)TB?$/i) { $sizebytes = $1 * 1024 ** 4; } elsif ($sizethresh =~ /^(\d+)GB?$/i) { $sizebytes = $1 * 1024 ** 3; } elsif ($sizethresh =~ /^(\d+)MB?$/i) { $sizebytes = $1 * 1024 ** 2; } elsif ($sizethresh =~ /^(\d+)KB?$/i) { $sizebytes = $1 * 1024; } $title .= ($sizethresh ne $sizebytes) ? " ($sizebytes bytes)\n" : "\n"; # $hostname may be fully-qualified name my ($OSname, $hostname, $release, $version, $machine) = POSIX::uname(); $hostname =~ s/\..*//; exit (0) if ($ENV{'LOGWATCH_ONLY_HOSTNAME'} and ($ENV{'LOGWATCH_ONLY_HOSTNAME'} ne $hostname)); if (-e "/var/mail") { $SPOOLDIR = "/var/mail"; } elsif ( -e "/var/spool/mail") { $SPOOLDIR = "/var/spool/mail"; } else { print "Can't find spool directory\n"; } if ($SPOOLDIR) { opendir(DIR, "$SPOOLDIR") || die "Can not opendir $SPOOLDIR: $!\n"; my @files = grep {!/^\./} readdir(DIR); closedir DIR; for my $filename (@files) { my $checksize = (stat("$SPOOLDIR/$filename"))[7]; if ($checksize >= $sizebytes) { print "$title Warning: Large mailbox: $filename ($checksize)\n"; $title = ""; # only print at start of report } } } # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: ./logwatch-7.4.2/scripts/services/PaxHeaders.19046/mailscanner0000644000000000000000000000013212664334617020776 xustar0030 mtime=1456585103.199363957 30 atime=1456586568.776190839 30 ctime=1456586568.776190839 ./logwatch-7.4.2/scripts/services/mailscanner0000755000175000001440000006627412664334617022114 0ustar00generalusers00000000000000########################################################################## # $Id: mailscanner 150 2013-06-18 22:19:38Z mtremaine $ ########################################################################## ######################################################## # This was written and is maintained by: # Mike Tremaine # # Sophos Support and other improvments by Mark W. Nienberg # MailScan_Spam_Act contributed by Kev Green # # Some more clean up rules based on extensive use of some MailScanner # settings and F-Prot and ClamAV as dual scanners by Hugo van der Kooij # # More F-Prot code from John Wilcock # ######################################################## ##################################################### ## Copyright (c) 2008 Mike Tremaine ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my $phishing_detail = $ENV{'mailscanner_phishing_detail'} || 0; my $mailscanner_phishingthreshold = $ENV{'mailscanner_phishingthreshold'} || 0; #Inits my $MailScan_bytes = 0; my $MailScan_Content = 0; my $MailScan_Delivered = 0; my $MailScan_Other = 0; my $MailScan_RBL = 0; my $MailScan_Received = 0; my $MailScan_Spam = 0; my $MailScan_Unscanned = 0; my $MailScan_Virus = 0; my $SA_timeout = 0; my $MailScan_ScannerTimeout = 0; my $MailScan_GoodWatermark = 0; my $MailScan_BadWatermark = 0; my $MailScan_SkipWatermark = 0; my $SpamAssassin_Rule_Actions = 0; my $MailScan_Deleted_pdb = 0; my $MailScan_Found_pdb = 0; my $MailScan_Spam_Virus = 0; while (defined($ThisLine = )) { #($QueueID) = ($ThisLine =~ m/^([a-zA-Z0-9]+): / ); $ThisLine =~ s/^[a-zA-Z0-9]+: //; if ( ( $ThisLine =~ m/^Saved infected/ ) or ( $ThisLine =~ m/^Expanding TNEF archive/ ) or #TNEF Noise remove for now. IF anyone wants this counted just speak up -mgt ( $ThisLine =~ m/has had TNEF winmail.dat removed/ ) or ( $ThisLine =~ m/added TNEF contents/ ) or ( $ThisLine =~ m/^Warned about/ ) or ( $ThisLine =~ m/^Sender Warnings:/ ) or ( $ThisLine =~ m/X-Spam/ ) or ( $ThisLine =~ m/Using locktype = (flock|posix)/ ) or ( $ThisLine =~ m/Creating hardcoded struct_flock subroutine for / ) or ( $ThisLine =~ m/New Batch: Found/ ) or ( $ThisLine =~ m/Attempting to disinfect/ ) or ( $ThisLine =~ m/Rescan found/ ) or ( $ThisLine =~ m/Virus Re-scanning:/ ) or ( $ThisLine =~ m/Content Checks: Fixed awkward MIME boundary for Cyrus IMAP/ ) or ( $ThisLine =~ m/Delete bayes lockfile/ ) or ( $ThisLine =~ m/MailScanner E-Mail Virus Scanner version/ ) or ( $ThisLine =~ m/MailScanner child dying of old age/ ) or ( $ThisLine =~ m/MailScanner child caught a SIGHUP/ ) or ( $ThisLine =~ m/Virus and Content Scanning/ ) or ( $ThisLine =~ m/Virus Scanning: [\w]+ found/ ) or ( $ThisLine =~ m/Virus Scanning: ClamAV Module found [\d]+ infections/ ) or ( $ThisLine =~ m/^ClamAV virus database has been updated/ ) or ( $ThisLine =~ m/^ClamAV update of/ ) or ( $ThisLine =~ m/^ClamAV scanner using unrar command / ) or ( $ThisLine =~ m/Saved entire message to/ ) or ( $ThisLine =~ m/Spam Checks: Starting/ ) or ( $ThisLine =~ m/SophosSAVI .+ recognizing [0-9]+ viruses/ ) or ( $ThisLine =~ m/SophosSAVI using [0-9]+ IDE files/ ) or ( $ThisLine =~ m/Sophos SAVI library has been updated/ ) or ( $ThisLine =~ m/Sophos.*update.* detected, resetting SAVI/ ) or #( $ThisLine =~ m/RBL checks: .+ found in RFC-IGNORANT-POSTMASTER/ ) or ( $ThisLine =~ m/F-Prot found/ ) or ( $ThisLine =~ m/SpamAssassin Bayes database rebuild starting|preparing|completed/ ) or ( $ThisLine =~ m/Rebuilding SpamAssassin Bayes database/ ) or ( $ThisLine =~ m/Skipping SpamAssassin while waiting for Bayes/ ) or ( $ThisLine =~ m/Enabling SpamAssassin auto-whitelist functionality/ ) or ( $ThisLine =~ m/Bayes database rebuild is due/ ) or ( $ThisLine =~ m/Content Checks: Detected and will convert|disarm HTML/ ) or ( $ThisLine =~ m/Content Checks: Detected and have disarmed HTML message/ ) or ( $ThisLine =~ m/Content Checks: Found [0-9]+ problems/ ) or ( $ThisLine =~ m/Read [0-9]+ hostnames from the phishing whitelist/ ) or ( $ThisLine =~ m/completed at [0-9]+ bytes per second/ ) or ( $ThisLine =~ m/Message .+ from .+ to .+ is/ ) or ( $ThisLine =~ m/^[A-F0-9]+\.[A-F0-9]{5} to/ ) or #for postfix Requeue: ( $ThisLine =~ m/^calling custom .* function/ ) or ( $ThisLine =~ m/^Initialising database connection/ ) or ( $ThisLine =~ m/^Finished initialising database connection/ ) or ( $ThisLine =~ m/^Disconnected from the database/ ) or ( $ThisLine =~ m/^ tag found in message/ ) or ( $ThisLine =~ m/^Viruses marked as silent:/ ) or ( $ThisLine =~ m/^Saved archive copies of/ ) or ( $ThisLine =~ m/^Logging message .+ to SQL/ ) or ( $ThisLine =~ m/^Started SQL Logging child/ ) or ( $ThisLine =~ m/^Starting up SQL Whitelist|Blacklist/ ) or ( $ThisLine =~ m/^Read .+ whitelist|blacklist entries/ ) or ( $ThisLine =~ m/^Closing down by-domain spam whitelist|blacklist/ ) or ( $ThisLine =~ m/^Connected to SpamAssassin cache database/ ) or ( $ThisLine =~ m/^Using SpamAssassin results cache/ ) or ( $ThisLine =~ m/^Expired .+ records from the SpamAssassin cache/ ) or ( $ThisLine =~ m/^Batch (\([0-9]+ messages?\) )?processed in .+ seconds/ ) or ( $ThisLine =~ m/^\"Always Looked Up Last\" took .+ seconds/ ) or ( $ThisLine =~ m/^MailScanner child dying after Bayes rebuild/ ) or ( $ThisLine =~ m/^Files hidden in very deeply nested archive/ ) or #IPBlocking -mgt ( $ThisLine =~ m/^Initialising IP blocking/ ) or ( $ThisLine =~ m/^Closing down IP blocking/ ) or ( $ThisLine =~ m/Whitelist refresh time reached/ ) or ( $ThisLine =~ m/Skipping sender of precedence list/ ) or ( $ThisLine =~ m/^Read \d+ IP blocking entries from/ ) or #This for Kaspersky I guess it is duplicated by Content checks, remove if not -mgt ( $ThisLine =~ m/^\/var\/spool\/MailScanner\/incoming\/.+SUSPICION/ ) or # New processing database ( $ThisLine =~ m/Connected to [Pp]rocessing(?:-messages| Attempts) [Dd]atabase/ ) or ( $ThisLine =~ m/Found 0 messages in the [Pp]rocessing(?:-messages| Attempts) [Dd]atabase/ ) or ( $ThisLine =~ m/Reading configuration file/ ) or ( $ThisLine =~ m/^SpamAssassin temporary working directory is/ ) or ( $ThisLine =~ m/ignored whitelist, had .+ recipients/ ) ) { # We don't care about these } elsif ( $ThisLine =~ m/New Batch: Scanning ([0-9]+) messages, ([0-9]+) bytes/i) { $MailScan_Received = $MailScan_Received + $1; $MailScan_bytes = $MailScan_bytes + $2; } elsif ( $ThisLine =~ m/New Batch: Forwarding ([0-9]+) unscanned messages, ([0-9]+) bytes/i) { $MailScan_Received = $MailScan_Received + $1; $MailScan_Unscanned = $MailScan_Unscanned + $1; $MailScan_bytes = $MailScan_bytes + $2; } elsif ( $ThisLine =~ m/Delivered ([0-9]+)( cleaned)? messages/) { $MailScan_Delivered = $MailScan_Delivered + $1; } elsif ( $ThisLine =~ m/Spam Checks: Found ([0-9]+) spam messages/) { $MailScan_Spam = $MailScan_Spam + $1; } elsif ( $ThisLine =~ m/Virus Scanning: Found ([0-9]+) viruses/) { $MailScan_Virus = $MailScan_Virus + $1; } elsif ( $ThisLine =~ m/Found spam-virus (\S+) in/i) { $MailScan_Spam_Virus++; $Spam_Virus_Found{$1}++; } elsif ( $ThisLine =~ m/infected message .+ came from (.*)/i) { $MailScan_VirualHost = $MailScan_VirualHost + 1; $Hostlist{$1}++; } elsif ( $ThisLine =~ m/Other Checks: Found ([0-9]+) problems/) { $MailScan_Other = $MailScan_Other + $1; } elsif ($ThisLine =~ m/Contains signature of the worm (.+)/) { $VirusType_Antivir{$1}++; $MailScan_Virus_Antivir++; } elsif ($ThisLine =~ m/:infected: (.+)/i) { #without the leading : this would match Fprot so error on the side of matching to much -mgt $VirusType_BitDefender{$1}++; $MailScan_Virus_BitDefender++; } elsif ( ($ThisLine =~ m/^\/var\/spool\/MailScanner\/incoming\/.+: ([\w\_\-\.\/]+) FOUND/i) or ($ThisLine =~ m/Clamd::INFECTED:: ?(\S+) ::/i) ) { $VirusType_ClamAv{$1}++; $MailScan_Virus_ClamAv++; } elsif ($ThisLine =~ m/ClamAVModule::INFECTED:: ?(.+)::/) { $VirusType_ClamAVModule{$1}++; $MailScan_Virus_ClamAVModule++; } elsif ($ThisLine =~ m/INFECTED:: ?(.+) (FOUND )?::/) { $VirusType_Clamd{$1}++; $MailScan_Virus_Clamd++; } elsif ($ThisLine =~ m/\/.+ Infection: (.+)/i) { $VirusType_Fprot{$1}++; $MailScan_Virus_Fprot++; } elsif ($ThisLine =~ m/\/.+ is a security risk named (.+)/i) { $VirusType_Fprot{$1}++; $MailScan_Virus_Fprot++; } elsif ($ThisLine =~ m/\/.+ is a dropper for (.+)/i) { $VirusType_Fprot{$1}++; $MailScan_Virus_Fprot++; } elsif ($ThisLine =~ m/\/.+ contains (.+)/i) { $VirusType_Fprot{$1}++; $MailScan_Virus_Fprot++; } elsif ($ThisLine =~ m/\/.+ could be/i) { $MailScan_Virus_Fprot++; } elsif ($ThisLine =~ m/Found the (.+) virus !!!/) { $VirusType_McAfee{$1}++; $MailScan_Virus_McAfee++; } elsif ($ThisLine =~ m/^\/var\/spool\/MailScanner\/incoming\/.+INFECTED\s+([\w\_\-\.\/]+)/i) { $VirusType_Kaspersky{$1}++; $MailScan_Virus_Kaspersky++; } elsif ($ThisLine =~ m/infected:\s+([\w\_\-\.\/]+)\^M/i) { $VirusType_Kaspersky{$1}++; $MailScan_Virus_Kaspersky++; } elsif ($ThisLine =~ m/>>> Virus \'(.+)\' found/) { $VirusType_Sophos{$1}++; $MailScan_Virus_Sophos++; } elsif ($ThisLine =~ m/SophosSAVI::INFECTED:: ?(.+)::/) { $VirusType_SophosSavi{$1}++; $MailScan_Virus_SophosSavi++; } elsif ($ThisLine =~ m/Commercial scanner (.+) timed out!/){ $VirusScannerTimeout{$1}++; $MailScan_ScannerTimeout++; } elsif ($ThisLine =~ m/Content Checks: Detected and have disarmed (.+) in HTML message in [\w]+/i) { $ContentType{$1}++; $MailScan_Content++; } elsif ($ThisLine =~ m/Content Checks: Detected (.+) in [\w]+/i) { $ContentType{$1}++; $MailScan_Content++; } elsif ($ThisLine =~ m/Filename Checks: Allowing (.+)/i) { if ($ThisLine =~ m/Allowing.*msg\-[0-9]*\-[0-9]*\.[txt|dat|html]/) { # we don't care about these, regular messages } else { #filter sendmail or postfix tag and "(no rule matched)" my $temp_fc = $1; $temp_fc =~ s/[a-z0-9]{14}\s//i; $temp_fc =~ s/[a-z0-9]{9,12}\.[a-z0-9]{5}\s//i; $temp_fc =~ s/\(no rule matched\)//i; $FilenameAllow{$temp_fc}++; $MailScan_FilenameAllow++; } } elsif ($ThisLine =~ m/Filename Checks: (.+)/i) { #filter sendmail or postfix tag my $temp_fc = lc($1); $temp_fc =~ s/\([a-z0-9]{14}\s/\(/i; $temp_fc =~ s/\([a-z0-9]{9,12}\.[a-z0-9]{5}\s/\(/i; $temp_fc =~ s/\s{10,}/ -space- /; $FilenameType{$temp_fc}++; $MailScan_FilenameBanned++; } elsif ($ThisLine =~ m/Filetype Checks: Allowing (.+)/i) { if ($ThisLine =~ m/Allowing.*msg\-[0-9]*\-[0-9]*\.[txt|dat|html]/) { # we don't care about these, regular messages } else { #filter sendmail or postfix tag and "(no match found)" my $temp_fc = $1; $temp_fc =~ s/[a-z0-9]{14}\s//i; $temp_fc =~ s/[a-z0-9]{9,12}\.[a-z0-9]{5}\s//i; $temp_fc =~ s/\(no match found\)//i; $FiletypeAllow{$temp_fc}++; $MailScan_FiletypeAllow++; } } elsif ($ThisLine =~ m/Filetype Checks: (.+)/i) { #filter sendmail or postfix tag my $temp_fc = lc($1); $temp_fc =~ s/\([a-z0-9]{14}\s/\(/i; $temp_fc =~ s/\([a-z0-9]{9,12}\.[a-z0-9]{5}\s/\(/i; $temp_fc =~ s/\s{10,}/ -space- /; $FiletypeType{$temp_fc}++; $MailScan_FiletypeBanned++; } elsif ($ThisLine =~ m/(Password\-protected archive \(.+\)) in \w+/i) { $MailScan_Other = $MailScan_Other + 1; $FilenameType{$1}++; $MailScan_FilenameBanned++; } elsif ($ThisLine =~ /Spam Actions: .+ actions are (.*)/) { $MailScan_Spam_Act{$1}++; } elsif ($ThisLine =~ /SpamAssassin timed out and was killed/) { $SA_timeout++; } elsif ( $ThisLine =~ m/Message .+ from (.+ \(.+\)) is whitelisted/ ) { $MailScan_Whitelisted++; $Whitelisted_Host{$1}++; } elsif ( $ThisLine =~ m/Message .+ from (.+ \(.+\)) to .+ is spam \(blacklisted\)/ ) { $MailScan_Blacklisted++; $Blacklisted_Host{$1}++; } elsif ($ThisLine =~ m/^Found phishing fraud from (.+) claiming to be (.+) in (.+)/) { $MailScan_Phishing++; #Detailed phishing output set in mailscanner.conf #With variable mailscanner_phishing_detail = 1 if ($phishing_detail) { $PhishingSourceDest{"$1 claiming to be $2 in $3"}++; } else { $PhishingSourceDest{"$1 claiming to be $2"}++; } my $temp_ph = $1; if ($temp_ph =~ m/^https?:\/\/([^\/\? ]+)/i) { $PhishingSource{$1}++; } else { $PhishingSource{$temp_ph}++; } } elsif ($ThisLine =~ m/^Found ip-based phishing fraud from (.+) in/) { $MailScan_Phishing++; my $temp_ph = $1; if ($temp_ph =~ m/^https?:\/\/([\d\.]+)/i) { $PhishingSource{$1}++; } else { $PhishingSource{$temp_ph}++; } $PhishingSource{$1}++; } elsif ($ThisLine =~ m/^Found definite phishing fraud from (.+) in/) { $MailScan_Phishing++; my $temp_ph = $1; if ($temp_ph =~ m/^https?:\/\/([^\/\? ]+)/i) { $PhishingSource{$1}++; } else { $PhishingSource{$temp_ph}++; } } elsif ($ThisLine =~ m/^HTML-Form tag found in message .+ from (.+)/) { $MailScan_FormTag++; $FormTagSource{$1}++; } elsif ($ThisLine =~ m/^HTML-Script tag found in message .+ from (.+)/) { $MailScan_ScriptTag++; $ScriptTagSource{$1}++; } elsif ($ThisLine =~ m/^HTML-IFrame tag found in message .+ from (.+)/) { $MailScan_IframeTag++; $IframeTagSource{$1}++; } elsif ($ThisLine =~ m/^HTML-Object tag found in message .+ from (.+)/) { $MailScan_ObjectTag++; $ObjectTagSource{$1}++; } elsif ($ThisLine =~ m/^HTML Img tag found in message .+ from (.+)/) { $MailScan_ImgTag++; $ImgTagSource{$1}++; } elsif ($ThisLine =~ m/Logged to MailWatch SQL/) { $MailWatchSQL++; } elsif ($ThisLine =~ m/Quarantining modified message for/) { $DisarmedQuarantined++; } elsif ($ThisLine =~ m/SpamAssassin cache hit for message/) { $SACacheHit++; } elsif ($ThisLine =~ m/RBL checks: .+ found in (.+)/i) { $RBLType{$1}++; $MailScan_RBL++; } elsif ($ThisLine =~ m/Valid Watermark HASH found in Message/) { $MailScan_Skipwatermark++; } elsif ($ThisLine =~ m/Message .+ from .+ has valid watermark/) { $MailScan_GoodWatermark++; } elsif ( ($ThisLine =~ m/Message .+ had bad watermark/) || ($ThisLine =~ m/Message .+ from .+ has no \(or invalid\) watermark or sender address/) ) { $MailScan_BadWatermark++; } elsif ($ThisLine =~ m/SpamAssassin Rule Actions: rule ([^ ]*) caused action ([^ ]*) .*in message ([0-9a-f.]*)/i) { $SpamAssassin_Rule_Actions++; $SpamAssassin_Rule{$1}++; $SpamAssassin_Action{$2}++; $SpamAssassin_Message{$3}++; } elsif ($ThisLine =~ m/Deleted (\d+) messages from processing-database/) { $MailScan_Deleted_pdb += $1; } elsif ($ThisLine =~ m/Found (\d+) messages in the [Pp]rocessing(?:-messages| Attempts) [Dd]atabase/) { $MailScan_Found_pdb += $1; } else { chomp($ThisLine); # Report any unmatched entries... $OtherList{$ThisLine}++; } } if ($MailScan_Received > 0) { print "\nMailScanner Status:"; print "\n\t" . $MailScan_Received . ' messages Scanned by MailScanner'; my $size_total = 1 ; if ($MailScan_bytes < 1024) { $size_total = $MailScan_bytes . ' Total Bytes'; } elsif ($MailScan_bytes < 1048576) { $size_total = sprintf("%.1f", ($MailScan_bytes / 1024)) . ' Total KB'; } else { $size_total = sprintf("%.1f", ($MailScan_bytes / 1048576)) . ' Total MB'; } print "\n\t" . $size_total ; } if ($MailScan_Spam > 0) { print "\n\t" . $MailScan_Spam . ' Spam messages detected by MailScanner'; } if (keys %MailScan_Spam_Act) { foreach $ThisOne (sort keys %MailScan_Spam_Act) { if ($MailScan_Spam_Act{$ThisOne} > 0) { print "\n\t\t" . $MailScan_Spam_Act{$ThisOne} . ' Spam messages with action(s) ' .$ThisOne ; } } } if ($SACacheHit > 0) { print "\n\t\t" . $SACacheHit . ' hits from MailScanner SpamAssassin cache'; } #if ($MailScan_Spam_Virus > 0) { # print "\n\t" . $MailScan_Spam_Virus . ' Spam messages detected by Virus signatures'; #} if ($MailScan_Unscanned > 0) { print "\n\t" . $MailScan_Unscanned . ' Messages forwarded unscanned by MailScanner'; } if ($MailScan_Virus > 0) { print "\n\t" . $MailScan_Virus . ' Viruses found by MailScanner'; } if ($MailScan_Other > 0) { print "\n\t" . $MailScan_Other . ' Banned attachments found by MailScanner'; } if ($MailScan_Content > 0) { print "\n\t" . $MailScan_Content . ' Content Problems found by MailScanner'; } if ($MailScan_Deleted_pdb > 0) { print "\n\t" . $MailScan_Deleted_pdb . " Messages deleted from processing-database"; } if ($MailScan_Found_pdb > 0) { print "\n\t" . $MailScan_Found_pdb . " Messages found in processing-database"; } if ($MailScan_Delivered > 0) { print "\n\t" . $MailScan_Delivered . " Messages delivered by MailScanner\n"; } if ($MailWatchSQL > 0) { print "\n\t" . $MailWatchSQL . " Messages logged to MailWatch database\n"; } if ($SA_timeout > 0) { print "\n\t" . $SA_timeout . " SpamAssassin timeout(s)\n"; } if (keys %VirusScannerTimeout) { print "\n\t" . $MailScan_ScannerTimeout . " virus scanner timeout(s)\n"; foreach $ThisOne (sort keys %VirusScannerTimeout) { print "\t " . $ThisOne . ": " . $VirusScannerTimeout{$ThisOne} . " Time(s)\n"; } } if (keys %VirusType_Antivir) { print "\nAntivir Virus Report: (Total Seen = $MailScan_Virus_Antivir)\n"; foreach $ThisOne (sort keys %VirusType_Antivir) { print ' ' . $ThisOne . ': ' . $VirusType_Antivir{$ThisOne} . " Times(s)\n"; } } if (keys %VirusType_BitDefender) { print "\nBitDefender Virus Report: (Total Seen = $MailScan_Virus_BitDefender)\n"; foreach $ThisOne (sort keys %VirusType_BitDefender) { print ' ' . $ThisOne . ': ' . $VirusType_BitDefender{$ThisOne} . " Times(s)\n"; } } if (keys %VirusType_ClamAv) { print "\nClamAV Virus Report: (Total Seen = $MailScan_Virus_ClamAv)\n"; foreach $ThisOne (sort keys %VirusType_ClamAv) { print ' ' . $ThisOne . ': ' . $VirusType_ClamAv{$ThisOne} . " Time(s)\n"; } } if (keys %VirusType_ClamAVModule) { print "\nClamAVModule Virus Report: (Total Seen = $MailScan_Virus_ClamAVModule)\n"; foreach $ThisOne (sort keys %VirusType_ClamAVModule) { print ' ' . $ThisOne . ': ' . $VirusType_ClamAVModule{$ThisOne} . " Time(s)\n"; } } if (keys %VirusType_Clamd) { print "\nClamd Virus Report: (Total Seen = $MailScan_Virus_Clamd)\n"; foreach $ThisOne (sort keys %VirusType_Clamd) { print ' ' . $ThisOne . ': ' . $VirusType_Clamd{$ThisOne} . " Time(s)\n"; } } if (keys %VirusType_Fprot) { print "\nF-Prot Virus Report: (Total Seen = $MailScan_Virus_Fprot)\n"; foreach $ThisOne (sort keys %VirusType_Fprot) { print ' ' . $ThisOne . ': ' . $VirusType_Fprot{$ThisOne} . " Time(s)\n"; } } if (keys %VirusType_Kaspersky) { print "\nKaspersky Virus Report: (Total Seen = $MailScan_Virus_Kaspersky)\n"; foreach $ThisOne (sort keys %VirusType_Kaspersky) { print ' ' . $ThisOne . ': ' . $VirusType_Kaspersky{$ThisOne} . " Time(s)\n"; } } if (keys %VirusType_McAfee) { print "\nMcAfee Virus Report: (Total Seen = $MailScan_Virus_McAfee)\n"; foreach $ThisOne (sort keys %VirusType_McAfee) { print ' ' . $ThisOne . ': ' . $VirusType_McAfee{$ThisOne} . " Time(s)\n"; } } if (keys %VirusType_Sophos) { print "\nSophos Virus Report: (Total Seen = $MailScan_Virus_Sophos)\n"; foreach $ThisOne (sort keys %VirusType_Sophos) { print ' ' . $ThisOne . ': ' . $VirusType_Sophos{$ThisOne} . " Time(s)\n"; } } if (keys %VirusType_SophosSavi) { print "\nSophosSavi Virus Report: (Total Seen = $MailScan_Virus_SophosSavi)\n"; foreach $ThisOne (sort keys %VirusType_SophosSavi) { print ' ' . $ThisOne . ': ' . $VirusType_SophosSavi{$ThisOne} . " Time(s)\n"; } } if (keys %Spam_Virus_Found) { print "\nSpam Virus Report: (Total Seen = $MailScan_Spam_Virus)\n"; foreach $ThisOne (sort keys %Spam_Virus_Found) { print ' ' . $ThisOne . ': ' . $Spam_Virus_Found{$ThisOne} . " Time(s)\n"; } } if (keys %Hostlist) { print "\nVirus Sender Report: (Total Seen = $MailScan_VirualHost)\n"; foreach $ThisOne (sort keys %Hostlist) { print ' ' . $ThisOne . ': ' . $Hostlist{$ThisOne} . " Time(s)\n"; } } if (keys %Whitelisted_Host) { print "\nSpam Whitelisted Host Report: (Total Seen = $MailScan_Whitelisted)\n"; foreach $ThisOne (sort keys %Whitelisted_Host) { print ' ' . $ThisOne . ': ' . $Whitelisted_Host{$ThisOne} . " Time(s)\n"; } } if (keys %Blacklisted_Host) { print "\nSpam Blacklisted Host Report: (Total Seen = $MailScan_Blacklisted)\n"; foreach $ThisOne (sort keys %Blacklisted_Host) { print ' ' . $ThisOne . ': ' . $Blacklisted_Host{$ThisOne} . " Time(s)\n"; } } if (keys %RBLType) { print "\nRBL Report: (Total Seen = $MailScan_RBL)\n"; foreach $ThisOne (sort keys %RBLType) { print ' ' . $ThisOne . ': ' . $RBLType{$ThisOne} . " Time(s)\n"; } } if (keys %ContentType) { print "\nContent Report: (Total Seen = $MailScan_Content)"; if ($DisarmedQuarantined > 0) { print " (Quarantined = $DisarmedQuarantined)"; } print "\n"; foreach $ThisOne (sort keys %ContentType) { print ' ' . $ThisOne . ': ' . $ContentType{$ThisOne} . " Time(s)\n"; } } if (keys %FilenameAllow) { print "\nAllowed Filename Report: (Total Seen = $MailScan_FilenameAllow)\n"; if ($Detail >= 10) { foreach $ThisOne (sort keys %FilenameAllow) { print ' ' . $ThisOne . ': ' . $FilenameAllow{$ThisOne} . " Time(s)\n"; } } else { print ' ' . "Details Suppressed at level $Detail. Level 10 required.\n"; } } if (keys %FilenameType) { print "\nBanned Filename Report: (Total Seen = $MailScan_FilenameBanned)\n"; foreach $ThisOne (sort keys %FilenameType) { print ' ' . $ThisOne . ': ' . $FilenameType{$ThisOne} . " Time(s)\n"; } } if (keys %FiletypeAllow) { print "\nAllowed Filetype Report: (Total Seen = $MailScan_FiletypeAllow)\n"; if ($Detail >= 10) { foreach $ThisOne (sort keys %FiletypeAllow) { print ' ' . $ThisOne . ': ' . $FiletypeAllow{$ThisOne} . " Time(s)\n"; } } else { print ' ' . "Details Suppressed at level $Detail. Level 10 required.\n"; } } if (keys %FiletypeType) { print "\nBanned Filetype Report: (Total Seen = $MailScan_FiletypeBanned)\n"; foreach $ThisOne (sort keys %FiletypeType) { print ' ' . $ThisOne . ': ' . $FiletypeType{$ThisOne} . " Time(s)\n"; } } if ( (keys %PhishingSource) && ($mailscanner_phishingthreshold > 0) ) { print "\nPhishing Report: (Total Seen = $MailScan_Phishing)\n"; foreach $ThisOne (sort keys %PhishingSource) { if ( $PhishingSource{$ThisOne} >= $mailscanner_phishingthreshold ) { print ' ' . $ThisOne . ': ' . $PhishingSource{$ThisOne} . " Time(s)\n"; } }; if ($Detail >= 10) { print "\n Detail:\n"; foreach $ThisOne (sort keys %PhishingSourceDest) { if ( $PhishingSourceDest{$ThisOne} >= $mailscanner_phishingthreshold ) { print ' ' . $ThisOne . ': ' . $PhishingSourceDest{$ThisOne} . " Time(s)\n"; } } } } if (keys %FormTagSource) { print "\nHTML
tag report: (Total Seen = $MailScan_FormTag)\n"; foreach $ThisOne (sort keys %FormTagSource) { print ' ' . $ThisOne . ': ' . $FormTagSource{$ThisOne} . " Time(s)\n"; } } if (keys %ScriptTagSource) { print "\nHTML