Loading...

logwatch@logwatch.org

[Prev] Thread [Next]  |  [Prev] Date [Next]

Re: [Logwatch] new postfix reporting filter MrC Mon Jan 22 18:17:53 2007

> I think logwatch is counting postfix inbound connections 
> twice because I am using amavisd-new. It seems to count the 
> connection from the initial mail server and also from connect 
> from localhost.localdomain[127.0.0.1]. Is there a way to 
> count these separate? I have included code from the new 
> postfix reporting filter that I am attempting to modify 
> below. I may be going about it all wrong.
> 
> --------------------------------------------------------------
> 
> # common log entries up front
> 
>    if ($ThisLine =~ /^connect from/) {
> 
>       #TD25 connect from sample.net[10.0.0.1]
> 
>       $Totals{'ConnectionInbound'}++;
> 
>  
> 
>    elseif ($ThisLine =~ /^connect from 
> localhost.localdomain[127.0.0.1]/) {
> 
>       #TD25 connect from localhost.localdomain[127.0.0.1]
> 
>       $Totals{'LocalhostConnections'}++;
> 
> --------------------------------------------------------------


Hello Steve,

Yes, this is a generic issue with content filters and the reinsertion to
postfix.  The same issue occurs with pflogsumm (the postfix log summarizer),
and is pretty well described there.

One person has attempted to work around this by preprocessing the log files
to remove the second instance of the postfix-related lines ( see prepflog at
http://web.tiscali.it/postfix/ ).  It requires some intelligent processing,
as it has to collect numerous lines to maintain state about how postfix is
processing the mail.

Since neither logwatch or the postfix filter have any idea about the second
calling of postfix, it cannot take such lines into consideration and ignore
them.  Your workaround to remove "connect from localhost..." lines does not
take into consideration any SMTP connections occurring from the server
itself (... but you may not have any of these), nor additional log lines
that are related to the reinsertion.

If the prepflog filter above works for you, you could certainly use it as a
pre-processor of your log files, using as a Service in the postfix.conf
file.  That would be the better solution than trying to catch all the log
lines related to the reinsertion into postfix.  Please take a look at it, to
understand better how much work will be required to modify the logwatch
filter to process as you desire.  I decided long ago that this is the wrong
solution, as it is very complex.

An even better solution is to create a second postfix instance, which allows
a different syslog service name (eg. postfix2), and you could call logwatch
twice, once for the first instance of postfix, once for the second.  This
really gives you what you want.

Make sense?
MrC

_______________________________________________
Logwatch mailing list
[EMAIL PROTECTED]
http://www2.list.logwatch.org:81/mailman/listinfo/logwatch