+++ /dev/null
-<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
- "http://www.w3.org/TR/html4/loose.dtd">
-<html> <head>
-<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
-<title> Man page: postfix-logwatch(1) </title>
-</head> <body> <pre>
-POSTFIX-LOGWATCH(1) General Commands Manual POSTFIX-LOGWATCH(1)
-
-
-
-<b>NAME</b>
- postfix-logwatch - A Postfix log parser and analysis utility
-
-<b>SYNOPSIS</b>
- <b>postfix-logwatch</b> [<i>options</i>] [<i>logfile ...</i>]
-
-<b>DESCRIPTION</b>
- The <b>postfix-logwatch</b>(1) utility is a Postfix MTA log parser that pro-
- duces summaries, details, and statistics regarding the operation of
- Postfix.
-
- This utility can be used as a standalone program, or as a Logwatch fil-
- ter module to produce Postfix summary and detailed reports from within
- Logwatch.
-
- <b>Postfix-logwatch</b> is able to produce a wide range of reports with data
- grouped and sorted as much as possible to reduce noise and highlight
- patterns. Brief summary reports provide a quick overview of general
- Postfix operations and message delivery, calling out warnings that may
- require attention. Detailed reports provide easy to scan, hierarchi-
- cally-arranged and organized information, with as much or little detail
- as desired.
-
- <b>Postfix-logwatch</b> outputs two principal sections: a <b>Summary</b> section and
- a <b>Detailed</b> section. For readability and quick scanning, all event or
- hit counts appear in the left column, followed by brief description of
- the event type, and finally additional statistics or count representa-
- tions may appear in the rightmost column.
-
- The following segment from a sample Summary report illustrates:
-
- ****** Summary ********************************************
-
- 81 *Warning: Connection rate limit reached (anvil)
- 146 Warned
-
- 68.310M Bytes accepted 71,628,177
- 97.645M Bytes delivered 102,388,245
- ======== ================================================
-
- 3464 Accepted 41.44%
- 4895 Rejected 58.56%
- -------- ------------------------------------------------
- 8359 Total 100.00%
- ======== ================================================
-
- The report warns that anvil's connection rate was hit 81 times, a Post-
- fix access check WARN action was logged 146 times, and a total of
- 68.310 megabytes (71,628,177 bytes) were accepted into the Postfix sys-
- tem, delivering 97.645 megabytes of data (due to multiple recipients).
- The Accepted and Rejected lines show that Postfix accepted 3464 (41.44%
- of the total messages) and rejected 4895 (the remaining 58.56%) of the
- 8359 total messages (temporary rejects show up elsewhere).
-
- There are dozens of sub-sections available in the <b>Detailed</b> report, each
- of whose output can be controlled in various ways. Each sub-section
- attempts to group and present the most meaningful data at superior lev-
- els, while pushing less useful or <i>noisy</i> data towards inferior levels.
- The goal is to provide as much benefit as possible from smart grouping
- of data, to allow faster report scanning, pattern identification, and
- problem solving. Data is always sorted in descending order by count,
- and then numerically by IP address or alphabetically as appropriate.
-
- The following MX errors segment from a sample <b>Detailed</b> report illus-
- trates the basic hierarchical level structure of <b>postfix-logwatch</b>:
-
- ****** Detailed *******************************************
-
- 261 MX errors --------------------------------------
- 261 Unable to look up MX host
- 222 Host not found
- 73 foolishspammer.local
- 60 completely.bogus.domain.example
- 11 friend.example.com
- 39 No address associated with hostname
- 23 dummymx.sample.net
- 16 pushn.spam.sample.com
-
-
- The <b>postfix-logwatch</b> utility reads from STDIN or from the named Postfix
- <i>logfile</i>. Multiple <i>logfile</i> arguments may be specified, each processed
- in order. The user running <b>postfix-logwatch</b> must have read permission
- on each named log file.
-
- <b>Options</b>
- The options listed below affect the operation of <b>postfix-logwatch</b>.
- Options specified later on the command line override earlier ones. Any
- option may be abbreviated to an unambiguous length.
-
-
- <b>-f</b> <i>config</i><b>_</b><i>file</i>
- <b>--config_file</b> <i>config</i><b>_</b><i>file</i>
- Use an alternate configuration file <i>config</i><b>_</b><i>file</i> instead of the
- default. This option may be used more than once. Multiple con-
- figuration files will be processed in the order presented on the
- command line. See <b>CONFIGURATION FILE</b> below.
-
- <b>--debug</b> <i>keywords</i>
- Output debug information during the operation of <b>postfix-log-</b>
- <b>watch</b>. The parameter <i>keywords</i> is one or more comma or space
- separated keywords. To obtain the list of valid keywords, use
- --debug xxx where xxx is any invalid keyword.
-
- <b>--[no]delays</b>
- Enables (disables) output of the message delays percentiles
- report. The delays percentiles report shows percentiles for
- each of the 4 delivery latency times reported by Postfix (avail-
- able in version 2.3 and later) in the form <b>delays=</b><i>a</i>/<i>b</i>/<i>c</i>/<i>d</i>, where
- <i>a</i> is the amount of time before the active queue (includes time
- for previous delivery attempts and time in the deferred queue),
- <i>b</i> is the amount of time in the active queue up to delivery agent
- handoff, <i>c</i> is the amount of time spent making connections
- (including DNS, HELO and TLS) and <i>d</i> is the amount of time spent
- delivering the message. The total delay shown comes from the
- <b>delay=</b> field in a message delivery log line.
-
- <b>Note:</b> This report may consume a large amount of memory; if you
- have no use for it, disable the delays report.
-
-
- <b>--delays_percentiles</b> <i>p1 [p2 ...]</i>
- Specifies the percentiles to be used in the message delays per-
- centiles report. The percentiles <i>p1</i>, <i>p2</i>, <i>...</i> range from 0 to
- 100, inclusively. The order of the list is not sorted - the
- report will output the percentiles columns in the order you
- specify.
-
- <b>--detail</b> <i>level</i>
- Sets the maximum detail level for <b>postfix-logwatch</b> to <i>level</i>.
- This option is global, overriding any other output limiters
- described below.
-
- The <b>postfix-logwatch</b> utility produces a <b>Summary</b> section, a
- <b>Detailed</b> section, and additional report sections. With <i>level</i>
- less than 5, <b>postfix-logwatch</b> will produce only the <b>Summary</b> sec-
- tion. At <i>level</i> 5 and above, the <b>Detailed</b> section, and any addi-
- tional report sections are candidates for output. Each incre-
- mental increase in <i>level</i> generates one additional hierarchical
- sub-level of output in the <b>Detailed</b> section of the report. At
- <i>level</i> 10, all levels are output. Lines that exceed the maximum
- report width (specified with <b>max_report_width</b>) will be cut.
- Setting <i>level</i> to 11 will prevent lines in the report from being
- cut (see also <b>--line_style</b>).
-
- <b>--help</b> Print usage information and a brief description about command
- line options.
-
- <b>--ignore_service</b> <i>pattern</i>
- Ignore log lines that contain the postfix service name <b>post-</b>
- <b>fix/</b><i>service</i>. The parameter <i>service</i> is a regular expression.
-
- <b>Note:</b> if you use parenthesis in your regular expression, be sure
- they are cloistering and not capturing: use <b>(?:</b><i>pattern</i><b>)</b> instead
- of <b>(</b><i>pattern</i><b>)</b>.
-
- <b>--ipaddr_width</b> <i>width</i>
- Specifies that IP addresses in address/hostname pairs should be
- printed with a field width of <i>width</i> characters. Increasing the
- default may be useful for systems using long IPv6 addresses.
-
- <b>-l limiter=levelspec</b>
- <b>--limit limiter=levelspec</b>
- Sets the level limiter <i>limiter</i> with the specification <i>levelspec</i>.
-
- <b>--line_style</b> <i>style</i>
- Specifies how to handle long report lines. Three styles are
- available: <b>full</b>, <b>truncate</b>, and <b>wrap</b>. Setting <i>style</i> to <b>full</b> will
- prevent cutting lines to <b>max_report_width</b>; this is what occurs
- when <b>detail</b> is 11 or higher. When <i>style</i> is <b>truncate</b> (the
- default), long lines will be truncated according to
- <b>max_report_width</b>. Setting <i>style</i> to <b>wrap</b> will wrap lines longer
- than <b>max_report_width</b> such that left column hit counts are not
- obscured. This option takes precedence over the line style
- implied by the <b>detail</b> level. The options <b>--full</b>, <b>--truncate</b>,
- and <b>--wrap</b> are synonyms.
-
- <b>--[no]long_queue_ids</b>
- Enables (disables) interpretation of long queue IDs in Postfix
- (>= 2.9) logs.
-
- <b>--nodetail</b>
- Disables the <b>Detailed</b> section of the report, and all supplemen-
- tal reports. This option provides a convenient mechanism to
- quickly disable all sections under the <b>Detailed</b> report, where
- subsequent command line options may re-enable one or more sec-
- tions to create specific reports.
-
- <b>--[no]summary</b>
-
- <b>--show_summary</b>
- Enables (disables) displaying of the the <b>Summary</b> section of the
- report. The variable Posfix_Show_Summary in used in a configu-
- ration file.
-
- <b>--recipient_delimiter</b> <i>delimiter</i>
- Split email delivery addresses using the recipient delimiter
- character <i>delimiter</i>. This should generally match the <b>recipi-</b>
- <b>ent_delimiter</b> specified in the Postfix parameter file <b>main.cf</b>,
- or the default value indicated in <b>postconf -d recipient_delim-</b>
- <b>iter</b>. This is very useful for obtaining per-alias statistics
- when a recipient delimeter is used for mail delivery.
-
- <b>--reject_reply_patterns</b> <i>r1 [r2 ...]</i>
- Specifies the list of reject reply patterns used to create
- reject groups. Each entry in the list <i>r1 [r2 ...]</i> must be
- either a three character regular expression reply code of the
- form [45][0-9.][0-9.], or the word "Warn". The "." in the regu-
- lar expression is a literal dot which matches any reject reply
- subcode; this wildcarding allows creation of broad rejects
- groups. List order is preserved, in that reject reports will be
- output in the same order as the entries in the list. Specific
- reject reply codes will take priority over wildcard patterns,
- regardless of the list order.
-
- The default list is "5.. 4.. Warn", which creates three groups
- of rejects: permanent rejects, temporary reject failures, and
- reject warnings (as in warn_if_reject).
-
- This feature allows, for example, distinguishing 421 transmis-
- sion channel closures from 45x errors (eg. 450 mailbox unavail-
- able, 451 local processing errors, 452 insufficient storage).
- Such a grouping would be configured with the list: "421 4.. 5..
- Warn". See RFC 2821 for more information about reply codes.
-
- See also <b>CONFIGURATION FILE</b> regarding using <b>reject_reply_pat-</b>
- <b>terns</b> within a configuration file.
-
- <b>--[no]sect_vars</b>
- <b>--show_sect_vars</b> <i>boolean</i>
- Enables (disables) supplementing each <b>Detailed</b> section title
- with the name of that section's level limiter. The name dis-
- played is the command line option (or configuration file vari-
- able) used to limit that section's output. With the large num-
- ber of level limiters available in <b>postfix-logwatch</b>, this a con-
- venient mechanism for determining exactly which level limiter
- affects a section.
-
- <b>--syslog_name</b> <i>namepat</i>
- Specifies the syslog service name that <b>postfix-logwatch</b> uses to
- match syslog lines. Only log lines whose service name matches
- the perl regular expression <i>namepat</i> will be used by <b>postfix-log-</b>
- <b>watch</b>; all non-matching lines are silently ignored. This is
- useful when a pre-installed Postfix package uses a name other
- than the default (<b>postfix</b>), or when multiple Postfix instances
- are in use and per-instance reporting is desired.
-
- The pattern <i>namepat</i> should match the <b>syslog_name</b> configuration
- parameter specified in the Postfix parameter file <b>main.cf</b>, the
- master control file <b>master.cf</b>, or the default value as indicated
- by the output of <b>postconf -d syslog_name</b>.
-
- <b>Note:</b> if you use parenthesis in your regular expression, be sure
- they are cloistering and not capturing: use <b>(?:</b><i>pattern</i><b>)</b> instead
- of <b>(</b><i>pattern</i><b>)</b>.
-
- <b>--[no]unknown</b>
- <b>--show_unknown</b> <i>boolean</i>
- Enables (disables) display of the postfix-generated name of
- 'unknown' in formated IP/hostname pairs in <b>Detailed</b> reports.
- Default: enabled.
-
- <b>--version</b>
- Print <b>postfix-logwatch</b> version information.
-
- <b>Level Limiters</b>
- The output of every section in the <b>Detailed</b> report is controlled by a
- level limiter. The name of the level limiter variable will be output
- when the <b>sect_vars</b> option is set. Level limiters are set either via
- command line in standalone mode with <b>--limit</b> <i>limiter</i><b>=</b><i>levelspec</i> option,
- or via configuration file variable <b>$postfix_</b><i>limiter</i><b>=</b><i>levelspec</i>. Each
- limiter requires a <i>levelspec</i> argument, which is described below in
- <b>LEVEL CONTROL</b>.
-
- The list of level limiters is shown below.
-
- There are several level limiters that control reject sub-sections (eg.
- <b>rejectbody</b>, <b>rejectsender</b>, etc.). Because the list of reject variants
- is not known until runtime after <b>reject_reply_patterns</b> is seen, these
- reject limiters are shown below generically, with the prefix <b>###</b>. To
- use one of these reject limiters, substitute <b>###</b> with one of the reject
- reply codes in effect, replacing each dot with an <b>x</b> character. For
- example, using the default <b>reject_reply_patterns</b> list of "5.. 4..
- Warn", three <b>rejectbody</b> variants are valid: <b>--limit 5xxrejectbody</b>,
- <b>--limit 4xxrejectbody</b> and <b>--limit warnrejectbody</b>. As a convenience,
- you may entirely eliminate the <b>###</b> prefix, and instead use the bare
- <b>reject</b><i>XXX</i> option, and all reject level limiter variations will be auto-
- generated based on the <b>reject_reply_patterns</b> list. For example, the
- command line segment:
-
- ... --reject_reply_patterns "421 5.." \
- --limit rejectrbl="1:10:"
-
- would automatically become:
-
- ... --reject_reply_patterns "421 5.." \
- --limit 421rejectrbl="1:10:" --limit 5xxrejectrbl="1:10:"
-
- See <b>reject_reply_patterns</b> above, and comments in the configuration file
- <b>postfix-logwatch.conf</b>.
-
-
- [ THIS SECTION IS NOT YET COMPLETE ]
-
- <b>AttrError</b>
- Errors obtaining attribute data from service.
- <b>BCCed</b> Messages that triggered access, header_checks or body_checks BCC
- action. (postfix 2.6 experimental branch)
- <b>BounceLocal</b>
- <b>BounceRemote</b>
- Local and remote bounces. A bounce is considered a local bounce
- if the relay was one of none, local, virtual, avcheck, maildrop
- or 127.0.0.1.
- <b>ByIpRejects</b>
- Regrouping by client host IP address of all 5xx (permanent)
- reject variants.
- <b>CommunicationError</b>
- Postfix errors talking to one of its services.
- <b>Anvil</b> Anvil rate or concurrency limits.
- <b>ConnectionInbound</b>
- Connections made to the <b>smtpd</b> server.
- <b>ConnectionLostInbound</b>
- Connections lost to the <b>smtpd</b> server.
- <b>ConnectionLostOutbound</b>
- Connections lost during <b>smtp</b> communications with remote MTA.
- <b>ConnectToFailure</b>
- Failures reported by <b>smtp</b> when connecting to remote MTA.
- <b>DatabaseGeneration</b>
- Warnings noted when binary database map file requires <b>postmap</b>
- update from newer source file.
- <b>Deferrals</b>
- <b>Deferred</b>
- Message delivery deferrals. A single <b>deferred</b> message will have
- one or more <b>deferrals</b> many times.
- <b>Deliverable</b>
- Address verification indicates recipient address is deliverable.
- <b>Delivered</b>
- Number of messages handed-off to a delivery agent such as local
- or virtual.
- <b>Discarded</b>
- Messages that triggered access, header_checks or body_checks
- DISCARD action.
- <b>DNSError</b>
- Any one of several errors encounted during DNS lookups.
- <b>EnvelopeSenderDomains</b>
- List of sending domains. (2 levels: envelope sender domain,
- localpart)
- <b>EnvelopeSenders</b>
- List of envelope senders. (1 level: envelope sender)
- <b>Error</b> Postfix general <b>error</b> messages.
- <b>FatalConfigError</b>
- Fatal main.cf or master.cf configuration errors.
- <b>FatalError</b>
- Postfix general <b>fatal</b> messages.
- <b>Filtered</b>
- Messages that triggered access, header_checks or body_checks
- FILTER action.
- <b>Forwarded</b>
- Messages forwarded by MDA for one address class to another (eg.
- local -> virtual).
- <b>HeloError</b>
- XXXXXXXXXXX
- <b>Hold</b> Messages that were placed on hold by postsuper, or triggered by
- access, header_checks or body_checks HOLD action.
- <b>HostnameValidationError</b>
- Invalid hostname detected.
- <b>HostnameVerification</b>
- Lookup of hostname does not map back to the IP of the peer (ie.
- the remote system connecting to <b>smtpd</b>). Also known as forward-
- confirmed reverse DNS (FCRDNS). When the reverse name has no
- DNS entry, the message "host not found, try again" is included;
- otherwise, it is not (e.g. when the reverse has some IP address,
- but not the one Postfix expects).
- <b>IllegalAddrSyntax</b>
- Illegal syntax in an email address provided during the MAIL FROM
- or RCPT TO dialog.
- <b>LdapError</b>
- Any LDAP errors during LDAP lookup.
- <b>MailerLoop</b>
- An MX lookup for the best mailer to use to deliver mail would
- result in a sending to ourselves.
- <b>MapProblem</b>
- Problem with an access table map that needs correcting.
- <b>MessageWriteError</b>
- Postfix encountered an error when trying to create a message
- file somewhere in the spool directory.
- <b>NumericHostname</b>
- A hostname was found that was numeric, instead of alphabetic.
- <b>PanicError</b>
- Postfix general <b>panic</b> messages.
- <b>PixWorkaround</b>
- Workarounds were enabled to avoid remote Cisco PIX SMTP "fix-
- ups".
- <b>PolicydWeight</b>
- Summarization of policyweight/policydweight results.
- <b>PolicySpf</b>
- Summarization of PolicySPF results.
- <b>Postgrey</b>
- Summarization of Postgrey results.
- <b>Postscreen</b>
- Summarization of 2.7's postscreen and verify services.
- <b>DNSBLog</b>
- Summarization of 2.7's dnsblog service.
- <b>Prepended</b>
- Messages that triggered header_checks or body_checks PREPEND
- action.
- <b>ProcessExit</b>
- Postfix services that exited unexpectedly.
- <b>ProcessLimit</b>
- A Postfix service has reached or exceeded the maximum number of
- processes allowed.
- <b>QueueWriteError</b>
- Problems writing a Postfix queue file.
- <b>RblError</b>
- Lookup errors for RBLs.
- <b>Redirected</b>
- Messages that triggered access, header_checks or body_checks RE-
- DIRECT action.
- <b>###RejectBody</b>
- Messages that triggered body_checks REJECT action.
- <b>###RejectClient</b>
- Messages rejected by client access controls
- (smtpd_client_restrictions).
- <b>###RejectConfigError</b>
- Message rejected due to server configuration errors.
- <b>###RejectContent</b>
- Messages rejected by message_reject_characters.
- <b>###RejectData</b>
- Messages rejected at DATA stage in SMTP conversation
- (smtpd_data_restrictions).
- <b>###RejectEtrn</b>
- Messages rejected at ETRN stage in SMTP conversation
- (smtpd_etrn_restrictions).
- <b>###RejectHeader</b>
- Messages that triggered header_checks REJECT action.
- <b>###RejectHelo</b>
- Messages rejected at HELO/EHLO stage in SMTP conversation
- (smtpd_helo_restrictions).
- <b>###RejectInsufficientSpace</b>
- Messages rejected due to insufficient storage space.
- <b>###RejectLookupFailure</b>
- Messages rejected due to temporary DNS lookup failures.
- <b>###RejectMilter</b>
- Milter rejects. No reject reply code is available for these
- rejects, but an extended 5.7.1 DSN is provided. These rejects
- are forced into the generic 5xx rejects group. If you redefine
- <b>reject_reply_patterns</b> such that it does not contain the pattern
- <b>5..</b>, milter rejects will not be output.
- <b>###RejectRbl</b>
- Messages rejected by an RBL hit.
- <b>###RejectRecip</b>
- Messages rejected by recipient access controls (smtpd_recipi-
- ent_restrictions).
- <b>###RejectRelay</b>
- Messages rejected by relay access controls.
- <b>###RejectSender</b>
- Messages rejected by sender access controls
- (smtpd_sender_restrictions).
- <b>###RejectSize</b>
- Messages rejected due to excessive message size.
- <b>###RejectUnknownClient</b>
- Messages rejected by unknown client access controls.
- <b>###RejectUnknownReverseClient</b>
- Messages rejected by unknown reverse client access controls.
- <b>###RejectUnknownUser</b>
- Messages rejected by unknown user access controls.
- <b>###RejectUnverifiedClient</b>
- Messages rejected by unverified client access controls.
- <b>###RejectVerify</b>
- Messages rejected dueo to address verification failures.
- <b>Replaced</b>
- Messages that triggered header_checks or body_checks REPLACE
- action.
- <b>ReturnedToSender</b>
- Messages returned to sender due to exceeding queue lifetime
- (maximal_queue_lifetime).
- <b>SaslAuth</b>
- SASL authentication successes, includes SASL method, username,
- and sender when present.
- <b>SaslAuthFail</b>
- SASL authentication failures.
- <b>Sent</b> Messages sent via the SMTP delivery agent.
- <b>SentLmtp</b>
- Messages sent via the LMTP delivery agent.
- <b>SmtpConversationError</b>
- Errors during the SMTP/ESMTP dialog.
- <b>SmtpProtocolViolation</b>
- Protocol violation during the SMTP/ESMTP dialog.
- <b>StartupError</b>
- Errors during Postfix server startup.
- <b>TimeoutInbound</b>
- Connections to <b>smtpd</b> that timed out.
- <b>TlsClientConnect</b>
- TLS client connections.
- <b>TlsOffered</b>
- TLS communication offerred.
- <b>TlsServerConnect</b>
- TLS server connections.
- <b>TlsUnverified</b>
- Unverified TLS connections.
- <b>Undeliverable</b>
- Address verification indicates recipient address is undeliver-
- able.
- <b>Warn</b> Messages that triggered access, header_checks or body_checks
- WARN action.
- <b>WarnConfigError</b>
- Warnings regarding Postfix configuration errors.
- <b>WarningsOther</b>
- Postfix general <b>warning</b> messages.
-
-
-<b>LEVEL CONTROL</b>
- The <b>Detailed</b> section of the report consists of a number of sub-sec-
- tions, each of which is controlled both globally and independently.
- Two settings influence the output provided in the <b>Detailed</b> report: a
- global detail level (specified with <b>--detail</b>) which has final (big ham-
- mer) output-limiting control over the <b>Detailed</b> section, and sub-section
- specific detail settings (small hammer), which allow further limiting
- of the output for a sub-section. Each sub-section may be limited to a
- specific depth level, and each sub-level may be limited with top N or
- threshold limits. The <i>levelspec</i> argument to each of the level limiters
- listed above is used to accomplish this.
-
- It is probably best to continue explanation of sub-level limiting with
- the following well-known outline-style hierarchy, and some basic exam-
- ples:
-
- level 0
- level 1
- level 2
- level 3
- level 4
- level 4
- level 2
- level 3
- level 4
- level 4
- level 4
- level 3
- level 4
- level 3
- level 1
- level 2
- level 3
- level 4
-
- The simplest form of output limiting suppresses all output below a
- specified level. For example, a <i>levelspec</i> set to "2" shows only data
- in levels 0 through 2. Think of this as collapsing each sub-level 2
- item, thus hiding all inferior levels (3, 4, ...), to yield:
-
- level 0
- level 1
- level 2
- level 2
- level 1
- level 2
-
- Sometimes the volume of output in a section is too great, and it is
- useful to suppress any data that does not exceed a certain threshold
- value. Consider a dictionary spam attack, which produces very lengthy
- lists of hit-once recipient email or IP addresses. Each sub-level in
- the hierarchy can be threshold-limited by setting the <i>levelspec</i> appro-
- priately. Setting <i>levelspec</i> to the value "2::5" will suppress any data
- at level 2 that does not exceed a hit count of 5.
-
- Perhaps producing a top N list, such as top 10 senders, is desired. A
- <i>levelspec</i> of "3:10:" limits level 3 data to only the top 10 hits.
-
- With those simple examples out of the way, a <i>levelspec</i> is defined as a
- whitespace- or comma-separated list of one or more of the following:
-
- <i>l</i> Specifies the maximum level to be output for this sub-section,
- with a range from 0 to 10. if <i>l</i> is 0, no levels will be output,
- effectively disabling the sub-section (level 0 data is already
- provided in the Summary report, so level 1 is considered the
- first useful level in the <b>Detailed</b> report). Higher values will
- produce output up to and including the specified level.
-
- <i>l</i><b>.</b><i>n</i> Same as above, with the addition that <i>n</i> limits this section's
- level 1 output to the top <i>n</i> items. The value for <i>n</i> can be any
- integer greater than 1. (This form of limiting has less utility
- than the syntax shown below. It is provided for backwards com-
- patibility; users are encouraged to use the syntax below).
-
- <i>l</i><b>:</b><i>n</i><b>:</b><i>t</i> This triplet specifies level <i>l</i>, top <i>n</i>, and minimum threshold <i>t</i>.
- Each of the values are integers, with <i>l</i> being the level limiter
- as described above, <i>n</i> being a top <i>n</i> limiter for the level <i>l</i>, and
- <i>t</i> being the threshold limiter for level <i>l</i>. When both <i>n</i> and <i>t</i>
- are specified, <i>n</i> has priority, allowing top <i>n</i> lists (regardless
- of threshold value). If the value of <i>l</i> is omitted, the speci-
- fied values for <i>n</i> and/or <i>t</i> are used for all levels available in
- the sub-section. This permits a simple form of wildcarding (eg.
- place minimum threshold limits on all levels). However, spe-
- cific limiters always override wildcard limiters. The first
- form of level limiter may be included in <i>levelspec</i> to restrict
- output, regardless of how many triplets are present.
-
- All three forms of limiters are effective only when <b>postfix-logwatch</b>'s
- detail level is 5 or greater (the <b>Detailed</b> section is not activated
- until detail is at least 5).
-
- See the <b>EXAMPLES</b> section for usage scenarios.
-
-<b>CONFIGURATION FILE</b>
- <b>Postfix-logwatch</b> can read configuration settings from a configuration
- file. Essentially, any command line option can be placed into a con-
- figuration file, and these settings are read upon startup.
-
- Because <b>postfix-logwatch</b> can run either standalone or within Logwatch,
- to minimize confusion, <b>postfix-logwatch</b> inherits Logwatch's configura-
- tion file syntax requirements and conventions. These are:
-
- <b>o</b> White space lines are ignored.
-
- <b>o</b> Lines beginning with <b>#</b> are ignored
-
- <b>o</b> Settings are of the form:
-
- <i>option</i> <b>=</b> <i>value</i>
-
-
- <b>o</b> Spaces or tabs on either side of the <b>=</b> character are ignored.
-
- <b>o</b> Any <i>value</i> protected in double quotes will be case-preserved.
-
- <b>o</b> All other content is reduced to lowercase (non-preserving, case
- insensitive).
-
- <b>o</b> All <b>postfix-logwatch</b> configuration settings must be prefixed with
- "<b>$postfix_</b>" or <b>postfix-logwatch</b> will ignore them.
-
- <b>o</b> When running under Logwatch, any values not prefixed with "<b>$post-</b>
- <b>fix_</b>" are consumed by Logwatch; it only passes to <b>postfix-logwatch</b>
- (via environment variable) settings it considers valid.
-
- <b>o</b> The values <b>True</b> and <b>Yes</b> are converted to 1, and <b>False</b> and <b>No</b> are
- converted to 0.
-
- <b>o</b> Order of settings is not preserved within a configuration file
- (since settings are passed by Logwatch via environment variables,
- which have no defined order).
-
- To include a command line option in a configuration file, prefix the
- command line option name with the word "<b>$postfix_</b>". The following con-
- figuration file setting and command line option are equivalent:
-
- <b>$postfix_Line_Style = Truncate</b>
-
- <b>--line_style Truncate</b>
-
- Level limiters are also prefixed with <b>$postfix_</b>, but on the command
- line are specified with the <b>--limit</b> option:
-
- <b>$postfix_Sent = 2</b>
-
- <b>--limit Sent=2</b>
-
-
-
- The order of command line options and configuration file processing
- occurs as follows: 1) The default configuration file is read if it
- exists and no <b>--config_file</b> was specified on a command line. 2) Con-
- figuration files are read and processed in the order found on the com-
- mand line. 3) Command line options override any options already set
- either via command line or from any configuration file.
-
- Command line options are interpreted when they are seen on the command
- line, and later options will override previously set options. The
- notable exception is with limiter variables, which are interpreted in
- the order found, but only after all other options have been processed.
- This allows <b>--reject_reply_patterns</b> to determine the dynamic list of
- the various reject limiters.
-
- See also <b>--reject_reply_patterns</b>.
-
-<b>EXIT STATUS</b>
- The <b>postfix-logwatch</b> utility exits with a status code of 0, unless an
- error occurred, in which case a non-zero exit status is returned.
-
-<b>EXAMPLES</b>
- <b>Running Standalone</b>
- <b>Note: postfix-logwatch</b> reads its log data from one or more named Post-
- fix log files, or from STDIN. For brevity, where required, the exam-
- ples below use the word <i>file</i> as the command line argument meaning
- <i>/path/to/postfix.log</i>. Obviously you will need to substitute <i>file</i> with
- the appropriate path.
-
- To run <b>postfix-logwatch</b> in standalone mode, simply run:
-
- <b>postfix-logwatch</b> <i>file</i>
-
- A complete list of options and basic usage is available via:
-
- <b>postfix-logwatch --help</b>
-
- To print a summary only report of Postfix log data:
-
- <b>postfix-logwatch --detail 1</b> <i>file</i>
-
- To produce a summary report and a one-level detail report for May 25th:
-
- <b>grep 'May 25'</b> <i>file</i> <b>| postfix-logwatch --detail 5</b>
-
- To produce only a top 10 list of Sent email domains, the summary report
- and detailed reports are first disabled. Since commands line options
- are read and enabled left-to-right, the Sent section is re-enabled to
- level 1 with a level 1 top 10 limiter:
-
- <b>postfix-logwatch --nosummary --nodetail --limit sent='1 1:10:'</b> <i>file</i>
-
- The following command and its sample output shows a more complex level
- limiter example. The command gives the top 3 Sent email addresses from
- the top 5 domains, in addition, all level 3 items with a hit count of 2
- or less are suppressed (in the Sent sub-section, this happens to be
- email's Original To address). Ellipses indicate top N or threshold-
- limited data:
-
- <b>postfix-logwatch --nosummary --nodetail \</b>
- <b>--limit sent '1:5: 2:3: 3::2'</b> <i>file</i>
-
- 1762 Sent via SMTP -----------------------------------
- 352 example.com
- 310 joe
- 255 joe.bob@virtdomain.example.com
- 7 info@virtdomain.example.com
- 21 pooryoda3
- 11 hot93uh
- ...
- 244 sample.net
- 97 buzz
- 26 leroyjones
- 14 sally
- ...
- 152 example.net
- 40 jim_jameson
- 23 sam_sampson
- 19 paul_paulson
- ...
- 83 sample.us
- 44 root
- 39 jenny1
- 69 dom3.example.us
- 10 kay
- 7 ron
- 6 mrsmith
- ...
- ...
-
- The next command uses both <b>reject_reply_patterns</b> and level limiters to
- see 421 RBL rejects, threshold-limiting level 2 output to hits greater
- than 5 (level 2 in the Reject RBL sub-section is the client's IP
- address / hostname pair). This makes for a very nice RBL offenders
- list, shown in the sample output (note the use of the unambiguous,
- abbreviated command line option reject_reply_pat):
-
- <b>postfix-logwatch --reject_reply_pat '421 4.. 5.. Warn' \</b>
- <b>--nosummary --nodetail --limit 421rejectrbl='2 2::5'</b> <i>file</i>
-
- 300 421 Reject RBL ---------------------------------------
- 243 zen.spamhaus.org=127.0.0.2
- 106 10.0.0.129 129.0.0.example.com
- 41 192.168.10.70 hostx10.sample.net
- 40 192.168.42.39 hostz42.sample.net
- 15 10.1.1.152 dsl-10-1-1-152.example.us
- 14 10.10.10.122 mail122.sample.com
- 7 192.168.3.44 smalltime-spammer.example.com
- ...
- 48 zen.spamhaus.org=127.0.0.4
- 17 10.29.124.92 10-29-124-92.adsl-static.sample.us
- ...
- 8 zen.spamhaus.org=127.0.0.11
- ...
- 1 zen.spamhaus.org=127.0.0.10
- ...
-
- <b>Running within Logwatch</b>
- <b>Note:</b> Logwatch versions prior to 7.3.6, unless configured otherwise,
- required the <b>--print</b> option to print to STDOUT instead of sending
- reports via email. Since version 7.3.6, STDOUT is the default output
- destination, and the <b>--print</b> option has been replaced by <b>--output std-</b>
- <b>out</b>. Check your configuration to determine where report output will be
- directed, and add the appropriate option to the commands below.
-
- To print a summary report for today's Postfix log data:
-
- <b>logwatch --service postfix --range today --detail 1</b>
-
- To print a report for today's Postfix log data, with one level
- of detail in the <b>Detailed</b> section:
-
- <b>logwatch --service postfix --range today --detail 5</b>
-
- To print a report for yesterday, with two levels of detail in the
- <b>Detailed</b> section:
-
- <b>logwatch --service postfix --range yesterday --detail 6</b>
-
- To print a report from Dec 12th through Dec 14th, with four levels of
- detail in the <b>Detailed</b> section:
-
- <b>logwatch --service postfix --range \</b>
- <b>'between 12/12 and 12/14' --detail 8</b>
-
- To print a report for today, with all levels of detail:
-
- <b>logwatch --service postfix --range today --detail 10</b>
-
- Same as above, but leaves long lines uncut:
-
- <b>logwatch --service postfix --range today --detail 11</b>
-
-
-<b>ENVIRONMENT</b>
- The <b>postfix-logwatch</b> program uses the following (automatically set)
- environment variables when running under Logwatch:
-
- <b>LOGWATCH_DETAIL_LEVEL</b>
- This is the detail level specified with the Logwatch command
- line argument <b>--detail</b> or the <b>Detail</b> setting in the ...conf/ser-
- vices/postfix.conf configuration file.
-
- <b>LOGWATCH_DEBUG</b>
- This is the debug level specified with the Logwatch command line
- argument <b>--debug</b>.
-
- <b>postfix_</b><i>xxx</i>
- The Logwatch program passes all settings <b>postfix_</b><i>xxx</i> in the con-
- figuration file ...conf/services/postfix.conf to the <b>postfix</b>
- filter (which is actually named .../scripts/services/postfix)
- via environment variable.
-
-<b>FILES</b>
- <b>Standalone mode</b>
- /usr/local/bin/postfix-logwatch
- The <b>postfix-logwatch</b> program
-
- /usr/local/etc/postfix-logwatch.conf
- The <b>postfix-logwatch</b> configuration file in standalone mode
-
- <b>Logwatch mode</b>
- /etc/logwatch/scripts/services/postfix
- The Logwatch <b>postfix</b> filter
-
- /etc/logwatch/conf/services/postfix.conf
- The Logwatch <b>postfix</b> filter configuration file
-
-<b>SEE ALSO</b>
- logwatch(8), system log analyzer and reporter
-
-<b>README FILES</b>
- README, an overview of <b>postfix-logwatch</b>
- Changes, the version change list history
- Bugs, a list of the current bugs or other inadequacies
- Makefile, the rudimentary installer
- LICENSE, the usage and redistribution licensing terms
-
-<b>LICENSE</b>
- Covered under the included MIT/X-Consortium License:
- http://www.opensource.org/licenses/mit-license.php
-
-<b>AUTHOR(S)</b>
- Mike Cappella
-
- The original <b>postfix</b> Logwatch filter was written by Kenneth Porter, and
- has had many contributors over the years. They are entirely not
- responsible for any errors, problems or failures since the current
- author's hands have touched the source code.
-
-
-
- POSTFIX-LOGWATCH(1)
-</pre> </body> </html>
projects / postfix-logwatch.git / commitdiff