gitweb.michael.orlitzky.com - amavis-logwatch.git/blob - amavis-logwatch.1.html
Ignore errors from the File::LibMagic describe_filename function.
1 <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
2 "http://www.w3.org/TR/html4/loose.dtd">
3 <html> <head>
4 <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
5 <title> Man page: amavis-logwatch(1) </title>
6 </head> <body> <pre>
7 AMAVIS-LOGWATCH(1) General Commands Manual AMAVIS-LOGWATCH(1)
8
9
10
11 <b>NAME</b>
12 amavis-logwatch - An Amavisd-new log parser and analysis utility
13
14 <b>SYNOPSIS</b>
15 <b>amavis-logwatch</b> [<i>options</i>] [<i>logfile ...</i>]
16
17 <b>DESCRIPTION</b>
18 The <b>amavis-logwatch</b>(1) utility is an Amavisd-new log parser that pro-
19 duces summaries, details, and statistics regarding the operation of
20 Amavisd-new (henceforth, simply called Amavis).
21
22 This utility can be used as a standalone program, or as a Logwatch fil-
23 ter module to produce Amavisd-new summary and detailed reports from
24 within Logwatch.
25
26 <b>Amavis-logwatch</b> is able to produce a wide range of reports with data
27 grouped and sorted as much as possible to reduce noise and highlight
28 patterns. Brief summary reports provide a quick overview of general
29 Amavis operations and message delivery, calling out warnings that may
30 require attention. Detailed reports provide easy to scan, hierarchi-
31 cally-arranged and organized information, with as much or little detail
32 as desired.
33
34 Much of the interesting data is available when Amavis' $log_level is
35 set to at least 2. See <b>Amavis Log Level</b> below.
36
37 <b>Amavis-logwatch</b> outputs two principal sections: a <b>Summary</b> section and a
38 <b>Detailed</b> section. For readability and quick scanning, all event or hit
39 counts appear in the left column, followed by a brief description of the
40 event type, and finally additional statistics or count representations
41 may appear in the rightmost column.
42
43 The following segment from a sample Summary report illustrates:
44
45 ****** Summary ********************************************
46
47 9 Miscellaneous warnings
48
49 20313 Total messages scanned ---------------- 100.00%
50 1008.534M Total bytes scanned 1,057,524,252
51 ======== ================================================
52
53 1190 Blocked ------------------------------- 5.86%
54 18 Malware blocked 0.09%
55 4 Banned name blocked 0.02%
56 416 Spam blocked 2.05%
57 752 Spam discarded (no quarantine) 3.70%
58
59 19123 Passed -------------------------------- 94.14%
60 47 Bad header passed 0.23%
61 19076 Clean passed 93.91%
62 ======== ================================================
63
64 18 Malware ------------------------------- 0.09%
65 18 Malware blocked 0.09%
66
67 4 Banned -------------------------------- 0.02%
68 4 Banned file blocked 0.02%
69
70 1168 Spam ---------------------------------- 5.75%
71 416 Spam blocked 2.05%
72 752 Spam discarded (no quarantine) 3.70%
73
74 19123 Ham ----------------------------------- 94.14%
75 47 Bad header passed 0.23%
76 19076 Clean passed 93.91%
77 ======== ================================================
78
79 1982 SpamAssassin bypassed
80 32 Released from quarantine
81 2 DSN notification (debug supplemental)
82 2 Bounce unverifiable
83 2369 Whitelisted
84 2 Blacklisted
85 12 MIME error
86 58 Bad header (debug supplemental)
87 40 Extra code modules loaded at runtime
88
89 The report indicates there were 9 general warnings, and <b>Amavis</b> scanned
90 a total of 20313 messages for a total of 1008.53 megabytes or
91 1,057,524,252 bytes. The next summary group shows the Blocked /
92 Passed overview, with 1190 Blocked messages (broken down as 18 messages
93 blocked as malware, 4 messages with banned names, 416 spam messages,
94 and 752 discarded messages), and 19123 Passed messages (47 messages
95 with bad headers and 19076 clean messages).
96
97 The next (optional) summary grouping shows message disposition by con-
98 tents category. There were 18 malware messages and 4 banned file mes-
99 sages (all blocked), 1168 Spam messages, of which 416 were blocked
100 (quarantined) and 752 discarded. Finally, there were 19123 messages
101 considered to be Ham (i.e. not spam), 47 of which contained bad
102 headers.
103
104 Additional count summaries for a variety of events are also listed.
105
106 There are dozens of sub-sections available in the <b>Detailed</b> report, each
107 of whose output can be controlled in various ways. Each sub-section
108 attempts to group and present the most meaningful data at superior lev-
109 els, while pushing less useful or <i>noisy</i> data towards inferior levels.
110 The goal is to provide as much benefit as possible from smart grouping
111 of data, to allow faster report scanning, pattern identification, and
112 problem solving. Data is always sorted in descending order by count,
113 and then numerically by IP address or alphabetically as appropriate.
114
115 The following Spam blocked segment from a sample <b>Detailed</b> report illus-
116 trates the basic hierarchical level structure of <b>amavis-logwatch</b>:
117
118 ****** Detailed *******************************************
119
120 19346 Spam blocked -----------------------------------
121 756 from@example.com
122 12 10.0.0.2
123 12 &lt;&gt;
124 12 192.168.2.2
125 12 &lt;&gt;
126 5 192.168.2.1
127 ...
128
129
130 The <b>amavis-logwatch</b> utility reads from STDIN or from the named Amavis
131 <i>logfile</i>. Multiple <i>logfile</i> arguments may be specified, each processed
132 in order. The user running <b>amavis-logwatch</b> must have read permission
133 on each named log file.
134
135 <b>Options</b>
136 The options listed below affect the operation of <b>amavis-logwatch</b>.
137 Options specified later on the command line override earlier ones. Any
138 option may be abbreviated to an unambiguous length.
139
140
141 <b>--[no]autolearn</b>
142 <b>--show_autolearn</b> <i>boolean</i>
143 Enables (disables) output of the autolearn report. This report
144 is only available if the default Amavis <b>$log_templ</b> has been mod-
145 ified to provide autolearn results in log entries. This can be
146 done by uncommenting two lines in the Amavis program itself
147 (where the default log templates reside), or by correctly adding
148 the <b>$log_templ</b> variable to the <b>amavisd.conf</b> file. See Amavis'
149 <b>README.customize</b> and search near the end of the Amavisd program
150 for "autolearn".
151
152 <b>--[no]by_ccat_summary</b>
153 <b>--show_by_ccat_summary</b> <i>boolean</i>
154 Enables (disables) the by contents category summary in the <b>Sum-</b>
155 <b>mary</b> section. Default: enabled.
156
157 <b>-f</b> <i>config</i><b>_</b><i>file</i>
158 <b>--config_file</b> <i>config</i><b>_</b><i>file</i>
159 Use an alternate configuration file <i>config</i><b>_</b><i>file</i> instead of the
160 default. This option may be used more than once. Multiple con-
161 figuration files will be processed in the order presented on the
162 command line. See <b>CONFIGURATION FILE</b> below.
163
164 <b>--debug</b> <i>keywords</i>
165 Output debug information during the operation of <b>amavis-log-</b>
166 <b>watch</b>. The parameter <i>keywords</i> is one or more comma or space
167 separated keywords. To obtain the list of valid keywords, use
168 --debug xxx where xxx is any invalid keyword.
169
170 <b>--detail</b> <i>level</i>
171 Sets the maximum detail level for <b>amavis-logwatch</b> to <i>level</i>.
172 This option is global, overriding any other output limiters
173 described below.
174
175 The <b>amavis-logwatch</b> utility produces a <b>Summary</b> section, a
176 <b>Detailed</b> section, and additional report sections. With <i>level</i>
177 less than 5, <b>amavis-logwatch</b> will produce only the <b>Summary</b> sec-
178 tion. At <i>level</i> 5 and above, the <b>Detailed</b> section, and any addi-
179 tional report sections are candidates for output. Each incre-
180 mental increase in <i>level</i> generates one additional hierarchical
181 sub-level of output in the <b>Detailed</b> section of the report. At
182 <i>level</i> 10, all levels are output. Lines that exceed the maximum
183 report width (specified with <b>max_report_width</b>) will be cut.
184 Setting <i>level</i> to 11 will prevent lines in the report from being
185 cut (see also <b>--line_style</b>).
186
187 <b>--[no]first_recip_only</b>
188 <b>--show_first_recip_only</b> <i>boolean</i>
189 Specifies whether or not to sort by, and show, only the first
190 recipient when a scanned message contains multiple recipients.
191
192 <b>--help</b> Print usage information and a brief description about command
193 line options.
194
195 <b>--ipaddr_width</b> <i>width</i>
196 Specifies that IP addresses in address/hostname pairs should be
197 printed with a field width of <i>width</i> characters. Increasing the
198 default may be useful for systems using long IPv6 addresses.
199
200 <b>-l limiter=levelspec</b>
201 <b>--limit limiter=levelspec</b>
202 Sets the level limiter <i>limiter</i> with the specification <i>levelspec</i>.
203
204 <b>--line_style</b> <i>style</i>
205 Specifies how to handle long report lines. Three styles are
206 available: <b>full</b>, <b>truncate</b>, and <b>wrap</b>. Setting <i>style</i> to <b>full</b> will
207 prevent cutting lines to <b>max_report_width</b>; this is what occurs
208 when <b>detail</b> is 11 or higher. When <i>style</i> is <b>truncate</b> (the
209 default), long lines will be truncated according to
210 <b>max_report_width</b>. Setting <i>style</i> to <b>wrap</b> will wrap lines longer
211 than <b>max_report_width</b> such that left column hit counts are not
212 obscured. This option takes precedence over the line style
213 implied by the <b>detail</b> level. The options <b>--full</b>, <b>--truncate</b>,
214 and <b>--wrap</b> are synonyms.
215
216
217 <b>--nodetail</b>
218 Disables the <b>Detailed</b> section of the report, and all supplemen-
219 tal reports. This option provides a convenient mechanism to
220 quickly disable all sections under the <b>Detailed</b> report, where
221 subsequent command line options may re-enable one or more sec-
222 tions to create specific reports.
223
224 <b>--sarules</b> `<i>S,H</i>'
225 <b>--sarules default</b>
226 Enables the SpamAssassin Rules Hit report. The comma-separated
227 <i>S</i> and <i>H</i> arguments are top N values for the Spam and Ham reports,
228 respectively, and can be any integer greater than or equal to 0,
229 or the keyword <b>all</b>. The keyword <b>default</b> uses the built-in
230 default values.
231
232 <b>--nosarules</b>
233 Disables the SpamAssassin Rules Hit report.
234
235 <b>--sa_timings</b> <i>nrows</i>
236 Enables the SpamAssassin Timings percentiles report. The report
237 can be limited to the top N rows with the <i>nrows</i> argument. This
238 report requires Amavis 2.6+ and SpamAssassin 3.3+.
239
240 <b>--sa_timings_percentiles</b> `<i>P1 [P2 ...]</i>'
241 Specifies the percentiles shown in the SpamAssassin Timings
242 report. The arguments <i>P1 ...</i> are integers from 0 to 100 inclu-
243 sive. Their order will be preserved in the report.
244
245 <b>--nosa_timings</b>
246 Disables the SpamAssassin Timings report.
247
248 <b>--version</b>
249 Print <b>amavis-logwatch</b> version information.
250
251 <b>--score_frequencies</b> `<i>B1 [B2 ...]</i>'
252 <b>--score_frequencies default</b>
253 Enables the Spam Score Frequency report. The arguments <i>B1 ...</i>
254 are frequency distribution buckets, and can be any real numbers.
255 Their order will be preserved in the report. The keyword
256 <b>default</b> uses the built-in default values.
257
258 <b>--noscore_frequencies</b>
259 Disables the Spam Score Frequency report.
260
261 <b>--score_percentiles</b> `<i>P1 [P2 ...]</i>'
262 <b>--score_percentiles default</b>
263 Enables the Spam Score Percentiles report. The arguments <i>P1 ...</i>
264 specify the percentiles shown in the report, and are integers
265 from 0 to 100 inclusive. The keyword <b>default</b> uses the built-in
266 default values.
267
268 <b>--noscore_percentiles</b>
269 Disables the Spam Score Percentiles report.
270
271
272 <b>--[no]sect_vars</b>
273 <b>--show_sect_vars</b> <i>boolean</i>
274 Enables (disables) supplementing each <b>Detailed</b> section title
275 with the name of that section's level limiter. The name displayed
276 is the command line option (or configuration file variable)
277 used to limit that section's output. With the large number of
278 level limiters available in <b>amavis-logwatch</b>, this is a convenient
279 mechanism for determining exactly which level limiter
280 affects a section.
281
282 <b>--[no]startinfo</b>
283 <b>--show_startinfo</b> <i>boolean</i>
284 Enables (disables) the Amavis startup report showing most recent
285 Amavis startup details.
286
287 <b>--[no]summary</b>
288
289 <b>--show_summary</b>
290 Enables (disables) displaying of the <b>Summary</b> section of the
291 report. The variable Amavis_Show_Summary is used in a
292 configuration file.
293
294 <b>--syslog_name</b> <i>namepat</i>
295 Specifies the syslog service name that <b>amavis-logwatch</b> uses to
296 match syslog lines. Only log lines whose service name matches
297 the perl regular expression <i>namepat</i> will be used by <b>amavis-log-</b>
298 <b>watch</b>; all non-matching lines are silently ignored. This is
299 useful when a pre-installed Amavis package uses a name other
300 than the default (<b>amavis</b>).
301
302 <b>Note:</b> if you use parentheses in your regular expression, be sure
303 they are cloistering and not capturing: use <b>(?:</b><i>pattern</i><b>)</b> instead
304 of <b>(</b><i>pattern</i><b>)</b>.
305
306 <b>--timings</b> <i>percent</i>
307 Enables the Amavis Scan Timings percentiles report. The report
308 can be top N-percent limited with the <i>percent</i> argument.
309
310 <b>--timings_percentiles</b> `<i>P1 [P2 ...]</i>'
311 Specifies the percentiles shown in the Scan Timings report. The
312 arguments <i>P1 ...</i> are integers from 0 to 100 inclusive. Their
313 order will be preserved in the report.
314
315 <b>--notimings</b>
316 Disables the Amavis Scan Timings report.
317
320
321
322 <b>Level Limiters</b>
323 The output of every section in the <b>Detailed</b> report is controlled by a
324 level limiter. The name of the level limiter variable will be output
325 when the <b>sect_vars</b> option is set. Level limiters are set either via
326 command line in standalone mode with <b>--limit</b> <i>limiter</i><b>=</b><i>levelspec</i> option,
327 or via configuration file variable <b>$amavis_</b><i>limiter</i><b>=</b><i>levelspec</i>. Each
328 limiter requires a <i>levelspec</i> argument, which is described below in
329 <b>LEVEL CONTROL</b>.
330
331 The list of level limiters is shown below.
332
333
334 Amavis major contents category (ccatmajor) sections, listed in order of
335 priority: VIRUS, BANNED, UNCHECKED, SPAM, SPAMMY, BADH, OVERSIZED, MTA,
336 CLEAN.
337
338 <b>MalwareBlocked</b>
339 <b>MalwarePassed</b>
340 Blocked or passed messages that contain malware (ccatmajor:
341 VIRUS).
342
343 <b>BannedNameBlocked</b>
344 <b>BannedNamePassed</b>
345 Blocked or passed messages that contain banned names in MIME
346 parts (ccatmajor: BANNED).
347
348 <b>UncheckedBlocked</b>
349 <b>UncheckedPassed</b>
350 Blocked or passed messages that were not checked by a virus
351 scanner or SpamAssassin (Amavis ccatmajor: UNCHECKED).
352
353 <b>SpamBlocked</b>
354 <b>SpamPassed</b>
355 Blocked or passed messages that were considered spam that
356 reached kill level (Amavis ccatmajor: SPAM)
357
358 <b>SpammyBlocked</b>
359 <b>SpammyPassed</b>
360 Blocked or passed messages that were considered spam, but did
361 not reach kill level (Amavis ccatmajor: SPAMMY)
362
363 <b>BadHeaderBlocked</b>
364 <b>BadHeaderPassed</b>
365 Blocked or passed messages that contain bad mail headers (ccat-
366 major: BAD-HEADER).
367
368 <b>OversizedBlocked</b>
369 <b>OversizedPassed</b>
370 Blocked or passed messages that were considered oversized
371 (Amavis ccatmajor: OVERSIZED).
372
373 <b>MtaBlocked</b>
374 <b>MtaPassed</b>
375 Blocked or passed messages due to failure to re-inject to MTA
376 (Amavis ccatmajor: MTA-BLOCKED). Occurrences of this event
377 indicate a configuration problem. [ note: I don't believe mta-
378 passed occurs, but exists for completeness.]
379
380 <b>OtherBlocked</b>
381 <b>OtherPassed</b>
382 Blocked or passed messages that are not any of other major con-
383 tents categories (Amavis ccatmajor: OTHER).
384
385
386 <b>TempFailBlocked</b>
387 <b>TempfailPassed</b>
388 Blocked or passed messages that had a temporary failure (Amavis
389 ccatmajor: TEMPFAIL)
390
391 <b>CleanBlocked</b>
392 <b>CleanPassed</b>
393 Messages blocked or passed which were considered clean (Amavis
394 ccatmajor: CLEAN; i.e. non-spam, non-viral).
395
396 Other sections, arranged alphabetically:
397
398 <b>AvConnectFailure</b>
399 Problems connecting to Anti-Virus scanner(s).
400
401 <b>AvTimeout</b>
402 Timeouts awaiting responses from Anti-Virus scanner(s).
403
404 <b>ArchiveExtract</b>
405 Archive extraction problems.
406
407 <b>BadHeaderSupp</b>
408 Supplemental debug information regarding messages containing bad
409 mail headers.
410
411 <b>Bayes</b> Messages frequencies by Bayesian probability buckets.
412
413 <b>BadAddress</b>
414 Invalid mail address syntax.
415
416 <b>Blacklisted</b>
417 Messages that were (soft-)blacklisted. See also Whitelisted
418 below.
419
420 <b>BounceKilled</b>
421 <b>BounceRescued</b>
422 <b>BounceUnverifiable</b>
423 Disposition of incoming bounce messages (DSNs).
424
425 <b>ContentType</b>
426 MIME attachment breakdown by type/subtype.
427
428 <b>DccError</b>
429 Errors encountered with or returned by DCC.
430
431 <b>DefangError</b>
432 Errors encountered during defang process.
433
434 <b>Defanged</b>
435 Messages defanged (rendered harmless).
436
437 <b>DsnNotification</b>
438 Errors encountered during attempt to send delivery status noti-
439 fication.
440
441 <b>DsnSuppressed</b>
442 Delivery status notification (DSN) intentionally suppressed.
443
444 <b>ExtraModules</b>
445 Additional code modules Amavis loaded during runtime.
446
447 <b>FakeSender</b>
448 Forged sender addresses, as determined by Amavis.
449
450 <b>Fatal</b> Fatal events. These are presented at the top of the report, as
451 they may require attention.
452
453 <b>LocalDeliverySkipped</b>
454 Failures delivering to a local address.
455
456 <b>MalwareByScanner</b>
457 Breakdown of malware by scanner(s) that detected the malware.
458
459 <b>MimeError</b>
460 Errors encountered during MIME extraction.
461
462 <b>Panic</b> Panic events. These are presented at the top of the report, as
463 they may require attention.
464
465 <b>p0f</b> Passive fingerprint (p0f) hits, grouped by mail contents type
466 (virus, unchecked, banned, spam, ham), next by operating system
467 genre, and finally by IP address. Note: Windows systems are
468 refined by Windows OS version, whereas versions of other operat-
469 ing systems are grouped generically.
470
471 <b>Released</b>
472 Messages that were released from Amavis quarantine.
473
474 <b>SADiags</b>
475 Diagnostics as reported from SpamAssassin.
476
477 <b>SmtpResponse</b>
478 SMTP responses received during dialog with MTA. These log
479 entries are primarily debug.
480
481 <b>TmpPreserved</b>
482 Temporary directories preserved by Amavis when some component
483 encounters a problem or failure. Directories listed and their
484 corresponding log entries should be evaluated for problems.
485
486 <b>VirusScanSkipped</b>
487 Messages that could not be scanned by a virus scanner.
488
489 <b>Warning</b>
490 Warning events not categorized in specific warnings below.
491 These are presented at the top of the report, as they may
492 require attention.
493
494 <b>WarningAddressModified</b>
495 Incomplete email addresses modified by Amavis for safety.
496
497 <b>WarningNoQuarantineId</b>
498 Attempts to release a quarantined message that did not contain
499 an X-Quarantine-ID header.
500
501 <b>WarningSecurity</b> <i>levelspec</i>
502 Insecure configuration or utility used by Amavis.
503
504 <b>WarningSmtpShutdown</b>
505 Failures during SMTP conversation with MTA.
506
507 <b>WarningSql</b>
508 Failures to communicate with, or error replies from, SQL ser-
509 vice.
510
511 <b>Whitelisted</b>
512 Messages that were (soft-)whitelisted. See also Blacklisted
513 above.
514
515
516 <b>LEVEL CONTROL</b>
517 The <b>Detailed</b> section of the report consists of a number of sub-sec-
518 tions, each of which is controlled both globally and independently.
519 Two settings influence the output provided in the <b>Detailed</b> report: a
520 global detail level (specified with <b>--detail</b>) which has final (big ham-
521 mer) output-limiting control over the <b>Detailed</b> section, and sub-section
522 specific detail settings (small hammer), which allow further limiting
523 of the output for a sub-section. Each sub-section may be limited to a
524 specific depth level, and each sub-level may be limited with top N or
525 threshold limits. The <i>levelspec</i> argument to each of the level limiters
526 listed above is used to accomplish this.
527
528 It is probably best to continue explanation of sub-level limiting with
529 the following well-known outline-style hierarchy, and some basic exam-
530 ples:
531
532 level 0
533 level 1
534 level 2
535 level 3
536 level 4
537 level 4
538 level 2
539 level 3
540 level 4
541 level 4
542 level 4
543 level 3
544 level 4
545 level 3
546 level 1
547 level 2
548 level 3
549 level 4
550
551 The simplest form of output limiting suppresses all output below a
552 specified level. For example, a <i>levelspec</i> set to "2" shows only data
553 in levels 0 through 2. Think of this as collapsing each sub-level 2
554 item, thus hiding all inferior levels (3, 4, ...), to yield:
555
556 level 0
557 level 1
558 level 2
559 level 2
560 level 1
561 level 2
562
563 Sometimes the volume of output in a section is too great, and it is
564 useful to suppress any data that does not exceed a certain threshold
565 value. Consider a dictionary spam attack, which produces very lengthy
566 lists of hit-once recipient email or IP addresses. Each sub-level in
567 the hierarchy can be threshold-limited by setting the <i>levelspec</i> appro-
568 priately. Setting <i>levelspec</i> to the value "2::5" will suppress any data
569 at level 2 that does not exceed a hit count of 5.
570
571 Perhaps producing a top N list, such as top 10 senders, is desired. A
572 <i>levelspec</i> of "3:10:" limits level 3 data to only the top 10 hits.
573
574 With those simple examples out of the way, a <i>levelspec</i> is defined as a
575 whitespace- or comma-separated list of one or more of the following:
576
577 <i>l</i> Specifies the maximum level to be output for this sub-section,
578 with a range from 0 to 10. If <i>l</i> is 0, no levels will be output,
579 effectively disabling the sub-section (level 0 data is already
580 provided in the Summary report, so level 1 is considered the
581 first useful level in the <b>Detailed</b> report). Higher values will
582 produce output up to and including the specified level.
583
584 <i>l</i><b>.</b><i>n</i> Same as above, with the addition that <i>n</i> limits this section's
585 level 1 output to the top <i>n</i> items. The value for <i>n</i> can be any
586 integer greater than 1. (This form of limiting has less utility
587 than the syntax shown below. It is provided for backwards com-
588 patibility; users are encouraged to use the syntax below).
589
590 <i>l</i><b>:</b><i>n</i><b>:</b><i>t</i> This triplet specifies level <i>l</i>, top <i>n</i>, and minimum threshold <i>t</i>.
591 Each of the values is an integer, with <i>l</i> being the level limiter
592 as described above, <i>n</i> being a top <i>n</i> limiter for the level <i>l</i>, and
593 <i>t</i> being the threshold limiter for level <i>l</i>. When both <i>n</i> and <i>t</i>
594 are specified, <i>n</i> has priority, allowing top <i>n</i> lists (regardless
595 of threshold value). If the value of <i>l</i> is omitted, the speci-
596 fied values for <i>n</i> and/or <i>t</i> are used for all levels available in
597 the sub-section. This permits a simple form of wildcarding (e.g.
598 place minimum threshold limits on all levels). However, spe-
599 cific limiters always override wildcard limiters. The first
600 form of level limiter may be included in <i>levelspec</i> to restrict
601 output, regardless of how many triplets are present.
602
603 All three forms of limiters are effective only when <b>amavis-logwatch</b>'s
604 detail level is 5 or greater (the <b>Detailed</b> section is not activated
605 until detail is at least 5).
606
607 See the <b>EXAMPLES</b> section for usage scenarios.
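
The levelspec rules above, worked through as an added Python example (not part of amavis-logwatch or its documentation). It parses the three limiter forms and applies them, together with the global detail cap, to a constructed count tree; parse_levelspec, render and SAMPLE are illustrative names, and treating an empty n or t field as unset and a missing bare level as no depth limit are assumptions.

```python
import re
from dataclasses import dataclass, field

MAX_LEVEL = 10  # the page gives 0..10 as the range of a level


@dataclass
class LevelSpec:
    max_level: int = MAX_LEVEL   # assumption: no bare "l" means no depth limit
    per_level: dict = field(default_factory=dict)  # level -> (top_n, threshold)
    wildcard: tuple = (None, None)                 # triplet with "l" omitted

    def limits(self, level):
        # Specific limiters always override wildcard limiters.
        return self.per_level.get(level, self.wildcard)


def _level(value):
    if not 0 <= value <= MAX_LEVEL:
        raise ValueError(f"level out of range 0..{MAX_LEVEL}: {value}")
    return value


def parse_levelspec(text):
    """Parse a whitespace- or comma-separated levelspec into a LevelSpec."""
    spec = LevelSpec()
    for token in filter(None, re.split(r"[\s,]+", text)):
        if re.fullmatch(r"\d+", token):                        # form  l
            spec.max_level = _level(int(token))
        elif m := re.fullmatch(r"(\d+)\.(\d+)", token):        # form  l.n
            spec.max_level = _level(int(m[1]))
            spec.per_level[1] = (int(m[2]), None)
        elif m := re.fullmatch(r"(\d*):(\d*):(\d*)", token):   # form  l:n:t
            level, top_n, thresh = (int(g) if g else None for g in m.groups())
            if level is None:
                spec.wildcard = (top_n, thresh)
            else:
                spec.per_level[_level(level)] = (top_n, thresh)
        else:
            raise ValueError(f"unrecognised levelspec token: {token!r}")
    return spec


def depth_for_detail(detail):
    """Global --detail cap: below 5 there is no Detailed section, 5 gives one
    level, each step adds one more, and 10 or above shows all levels."""
    if detail < 5:
        return 0
    return MAX_LEVEL if detail >= 10 else detail - 4


def render(tree, spec, detail=10, level=1):
    """Return report lines for {key: (count, children)} under the limits."""
    if level > min(spec.max_level, depth_for_detail(detail)):
        return []
    top_n, thresh = spec.limits(level)
    # Descending by count, then by key (plain string order in this sketch).
    items = sorted(tree.items(), key=lambda kv: (-kv[1][0], kv[0]))
    if top_n is not None:            # n has priority over t
        kept = items[:top_n]
    elif thresh is not None:         # "2::5" keeps only counts that exceed 5
        kept = [kv for kv in items if kv[1][0] > thresh]
    else:
        kept = items
    indent = "  " * (level - 1)
    lines = []
    for key, (count, children) in kept:
        lines.append(f"{indent}{count} {key}")
        lines.extend(render(children, spec, detail, level + 1))
    if len(kept) < len(items):
        lines.append(f"{indent}...")  # marks top-N or threshold-limited data
    return lines


# Constructed sample: recipient -> sending IP -> envelope sender.
SAMPLE = {
    "joe@example.com": (30, {
        "10.0.0.1": (12, {"a@example.net": (9, {}), "b@example.net": (3, {})}),
        "10.99.99.99": (12, {"a@example.net": (12, {})}),
        "192.168.2.1": (6, {"c@example.net": (6, {})}),
    }),
    "fred@example.com": (8, {
        "10.0.0.1": (8, {"a@example.net": (7, {}), "d@example.net": (1, {})}),
    }),
    "amy@example.com": (2, {
        "192.168.3.3": (2, {"e@example.net": (2, {})}),
    }),
}

if __name__ == "__main__":
    # Top 2 recipients, top 2 IPs under each, senders with more than 6 hits.
    print("\n".join(render(SAMPLE, parse_levelspec("1:2: 2:2: 3::6"))))
```
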
608
609 <b>CONFIGURATION FILE</b>
610 <b>Amavis-logwatch</b> can read configuration settings from a configuration
611 file. Essentially, any command line option can be placed into a con-
612 figuration file, and these settings are read upon startup.
613
614 Because <b>amavis-logwatch</b> can run either standalone or within Logwatch,
615 to minimize confusion, <b>amavis-logwatch</b> inherits Logwatch's configura-
616 tion file syntax requirements and conventions. These are:
617
618 <b>o</b> White space lines are ignored.
619
620 <b>o</b> Lines beginning with <b>#</b> are ignored.
621
622 <b>o</b> Settings are of the form:
623
624 <i>option</i> <b>=</b> <i>value</i>
625
626
627 <b>o</b> Spaces or tabs on either side of the <b>=</b> character are ignored.
628
629 <b>o</b> Any <i>value</i> protected in double quotes will be case-preserved.
630
631 <b>o</b> All other content is reduced to lowercase (non-preserving, case
632 insensitive).
633
634 <b>o</b> All <b>amavis-logwatch</b> configuration settings must be prefixed with
635 "<b>$amavis_</b>" or <b>amavis-logwatch</b> will ignore them.
636
637 <b>o</b> When running under Logwatch, any values not prefixed with
638 "<b>$amavis_</b>" are consumed by Logwatch; it only passes to <b>amavis-log-</b>
639 <b>watch</b> (via environment variable) settings it considers valid.
640
641 <b>o</b> The values <b>True</b> and <b>Yes</b> are converted to 1, and <b>False</b> and <b>No</b> are
642 converted to 0.
643
644 <b>o</b> Order of settings is not preserved within a configuration file
645 (since settings are passed by Logwatch via environment variables,
646 which have no defined order).
647
648 To include a command line option in a configuration file, prefix the
649 command line option name with the word "<b>$amavis_</b>". The following con-
650 figuration file setting and command line option are equivalent:
651
652 <b>$amavis_Line_Style = Truncate</b>
653
654 <b>--line_style Truncate</b>
655
656 Level limiters are also prefixed with <b>$amavis_</b>, but on the command line
657 are specified with the <b>--limit</b> option:
658
659 <b>$amavis_SpamBlocked = 2</b>
660
661 <b>--limit SpamBlocked=2</b>
662
663
664
665 The order of command line options and configuration file processing
666 occurs as follows: 1) The default configuration file is read if it
667 exists and no <b>--config_file</b> was specified on a command line. 2) Con-
668 figuration files are read and processed in the order found on the com-
669 mand line. 3) Command line options override any options already set
670 either via command line or from any configuration file.
671
672 Command line options are interpreted when they are seen on the command
673 line, and later options will override previously set options.
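
An added Python example (not amavis-logwatch or Logwatch code) that applies the syntax rules listed above to a constructed configuration file, reporting which lines amavis-logwatch would ignore and the command line equivalent of the rest. The names parse_config and equivalent_argv are illustrative; stripping the double quotes from a protected value and leaving its content untouched are assumptions.

```python
import re

PREFIX = "$amavis_"
BOOLEANS = {"true": "1", "yes": "1", "false": "0", "no": "0"}
# A few of the level limiters listed on the page, lowercased.
LIMITERS = {"spamblocked", "spampassed", "malwareblocked", "malwarepassed",
            "bannednameblocked", "warningsecurity"}
SETTING = re.compile(r"^\s*(\S+?)\s*=\s*(.*?)\s*$")


def parse_config(text):
    """Return (settings, ignored). settings maps lowercased option names,
    prefix removed, to values; ignored lists (line number, text) pairs for
    lines that lack the $amavis_ prefix or the option = value form."""
    settings, ignored = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        m = SETTING.match(line)
        if not m or not m[1].lower().startswith(PREFIX):
            ignored.append((lineno, line))
            continue
        name = m[1].lower()[len(PREFIX):]
        value = m[2]
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]           # double-quoted: case preserved
        else:
            value = value.lower()         # everything else is lowercased
            value = BOOLEANS.get(value, value)
        settings[name] = value
    return settings, ignored


def equivalent_argv(settings):
    """Command line form: limiters go through --limit name=levelspec,
    other settings become --name value. Sorted, since order within a
    configuration file is not preserved."""
    argv = []
    for name, value in sorted(settings.items()):
        if name in LIMITERS:
            argv += ["--limit", f"{name}={value}"]
        else:
            argv += [f"--{name}", value]
    return argv


# Constructed sample configuration, not taken from a real installation.
SAMPLE_CONF = '''\
# route reports through a custom syslog name
$amavis_Line_Style = Truncate
$amavis_SpamBlocked=2
$amavis_show_autolearn = Yes
$amavis_syslog_name = "(?:Amavis|amavisd)"
$amvis_MalwarePassed = 10
Detail = 5
'''

if __name__ == "__main__":
    settings, ignored = parse_config(SAMPLE_CONF)
    print(equivalent_argv(settings))
    for lineno, line in ignored:
        print(f"line {lineno} ignored by amavis-logwatch: {line}")
```

The misspelled prefix on line 6 of the sample is the case worth checking for: the limiter is dropped without any error, so the report silently keeps its default depth for that section.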
674
675
676
677 <b>EXIT STATUS</b>
678 The <b>amavis-logwatch</b> utility exits with a status code of 0, unless an
679 error occurred, in which case a non-zero exit status is returned.
680
681 <b>EXAMPLES</b>
682 <b>Running Standalone</b>
683 <b>Note: amavis-logwatch</b> reads its log data from one or more named Amavis
684 log files, or from STDIN. For brevity, where required, the examples
685 below use the word <i>file</i> as the command line argument meaning
686 <i>/path/to/amavis.log</i>. Obviously you will need to substitute <i>file</i> with
687 the appropriate path.
688
689 To run <b>amavis-logwatch</b> in standalone mode, simply run:
690
691 <b>amavis-logwatch</b> <i>file</i>
692
693 A complete list of options and basic usage is available via:
694
695 <b>amavis-logwatch --help</b>
696
697 To print a summary only report of Amavis log data:
698
699 <b>amavis-logwatch --detail 1</b> <i>file</i>
700
701 To produce a summary report and a one-level detail report for May 25th:
702
703 <b>grep 'May 25'</b> <i>file</i> <b>| amavis-logwatch --detail 5</b>
704
705 To produce only a top 10 list of Sent email domains, the summary report
706 and detailed reports are first disabled. Since commands line options
707 are read and enabled left-to-right, the Sent section is re-enabled to
708 level 1 with a level 1 top 10 limiter:
709
710 <b>amavis-logwatch --nosummary --nodetail \</b>
711 <b>--limit spamblocked '1 1:10:'</b> <i>file</i>
712
713 The following command and its sample output shows a more complex level
714 limiter example. The command gives the top 4 spam blocked recipients
715 (level 1), and under each recipient the top 2 sending IPs (level
716 2) and finally below that, only envelope from addresses (level 3) with
717 hit counts greater than 6. Ellipses indicate top N or threshold-lim-
718 ited data:
719
720 <b>amavis-logwatch --nosummary --nodetail \</b>
721 <b>--limit spamblocked '1:4: 2:2: 3::6'</b> <i>file</i>
722
723 19346 Spam blocked -----------------------------------
724 756 joe@example.com
725 12 10.0.0.1
726 12 &lt;&gt;
727 12 10.99.99.99
728 12 &lt;&gt;
729 ...
730 640 fred@example.com
731 8 10.0.0.1
732 8 &lt;&gt;
733 8 192.168.3.19
734 8 &lt;&gt;
735 ...
736 595 peter@sample.net
737 8 10.0.0.1
738 8 &lt;&gt;
739 7 192.168.3.3
740 7 &lt;&gt;
741 ...
742 547 paul@example.us
743 8 192.168.3.19
744 8 &lt;&gt;
745 7 10.0.0.1
746 7 &lt;&gt;
747 ...
748 ...
749
750 <b>Running within Logwatch</b>
751 <b>Note:</b> Logwatch versions prior to 7.3.6, unless configured otherwise,
752 required the <b>--print</b> option to print to STDOUT instead of sending
753 reports via email. Since version 7.3.6, STDOUT is the default output
754 destination, and the <b>--print</b> option has been replaced by <b>--output std-</b>
755 <b>out</b>. Check your configuration to determine where report output will be
756 directed, and add the appropriate option to the commands below.
757
758 To print a summary report for today's Amavis log data:
759
760 <b>logwatch --service amavis --range today --detail 1</b>
761
762 To print a report for today's Amavis log data, with one level
763 of detail in the <b>Detailed</b> section:
764
765 <b>logwatch --service amavis --range today --detail 5</b>
766
767 To print a report for yesterday, with two levels of detail in the
768 <b>Detailed</b> section:
769
770 <b>logwatch --service amavis --range yesterday --detail 6</b>
771
772 To print a report from Dec 12th through Dec 14th, with four levels of
773 detail in the <b>Detailed</b> section:
774
775 <b>logwatch --service amavis --range \</b>
776 <b>'between 12/12 and 12/14' --detail 8</b>
777
778 To print a report for today, with all levels of detail:
779
780 <b>logwatch --service amavis --range today --detail 10</b>
781
782 Same as above, but leaves long lines uncropped:
783
784 <b>logwatch --service amavis --range today --detail 11</b>
785
786 <b>Amavis Log Level</b>
787 Amavis provides additional log information when the variable <b>$log_level</b>
788 is increased above the default 0 value. This information is used by
789 the <b>amavis-logwatch</b> utility to provide additional reports, not avail-
790 able with the default <b>$log_level</b>=0 value. A <b>$log_level</b> of 2 is sug-
791 gested.
792
793 If you prefer not to increase the noise level in your main mail or
794 Amavis logs, you can configure syslog to log Amavis' output to multiple
795 log files, where basic log entries are routed to your main mail log(s)
796 and more detailed entries routed to an Amavis-specific log file used to
797 feed the <b>amavis-logwatch</b> utility.
798
799 A convenient way to accomplish this is to change the Amavis configura-
800 tion variables in <b>amavisd.conf</b> as shown below:
801
802 amavisd.conf:
803 $log_level = 2;
804 $syslog_facility = 'local5';
805 $syslog_priority = 'debug';
806
807
808 This increases <b>$log_level</b> to 2, and sends Amavis' log entries to an
809 alternate syslog facility (e.g. <b>local5</b>, user), which can then be routed
810 to one or more log files, including your main mail log file:
811
812 syslog.conf:
813 #mail.info -/var/log/maillog
814 mail.info;local5.notice -/var/log/maillog
815
816 local5.info -/var/log/amavisd-info.log
817
818
819 <b>Amavis</b>' typical <b>$log_level</b> 0 messages will be directed to both your
820 maillog and to the <b>amavisd-info.log</b> file, but higher <b>$log_level</b> mes-
821 sages will only be routed to the <b>amavisd-info.log</b> file. For additional
822 information on Amavis' logging, search the file <b>RELEASE_NOTES</b> in the
823 Amavis distribution for:
824
825 "syslog priorities are now dynamically derived"
826
827
828 <b>ENVIRONMENT</b>
829 The <b>amavis-logwatch</b> program uses the following (automatically set)
830 environment variables when running under Logwatch:
831
832 <b>LOGWATCH_DETAIL_LEVEL</b>
833 This is the detail level specified with the Logwatch command
834 line argument <b>--detail</b> or the <b>Detail</b> setting in the ...conf/ser-
835 vices/amavis.conf configuration file.
836
837 <b>LOGWATCH_DEBUG</b>
838 This is the debug level specified with the Logwatch command line
839 argument <b>--debug</b>.
840
841 <b>amavis_</b><i>xxx</i>
842 The Logwatch program passes all settings <b>amavis_</b><i>xxx</i> in the con-
843 figuration file ...conf/services/amavis.conf to the <b>amavis</b> fil-
844 ter (which is actually named .../scripts/services/amavis) via
845 environment variable.
846
847 <b>FILES</b>
848 <b>Standalone mode</b>
849 /usr/local/bin/amavis-logwatch
850 The <b>amavis-logwatch</b> program
851
852 /usr/local/etc/amavis-logwatch.conf
853 The <b>amavis-logwatch</b> configuration file in standalone mode
854
855 <b>Logwatch mode</b>
856 /etc/logwatch/scripts/services/amavis
857 The Logwatch <b>amavis</b> filter
858
859 /etc/logwatch/conf/services/amavis.conf
860 The Logwatch <b>amavis</b> filter configuration file
861
862 <b>SEE ALSO</b>
863 logwatch(8), system log analyzer and reporter
864
865 <b>README FILES</b>
866 README, an overview of <b>amavis-logwatch</b>
867 Changes, the version change list history
868 Bugs, a list of the current bugs or other inadequacies
869 Makefile, the rudimentary installer
870 LICENSE, the usage and redistribution licensing terms
871
872 <b>LICENSE</b>
873 Covered under the included MIT/X-Consortium License:
874 http://www.opensource.org/licenses/mit-license.php
875
876
877 <b>AUTHOR(S)</b>
878 Mike Cappella
879
880 The original <b>amavis</b> Logwatch filter was written by Jim O'Halloran, and
881 has had many contributors over the years. They are entirely not
882 responsible for any errors, problems or failures since the current
883 author's hands have touched the source code.
884
885
886
887 AMAVIS-LOGWATCH(1)
888 </pre> </body> </html>