[Logcheck-devel] Bug#594605: logcheck-database: some enhancements to amavisd-new rules for IPv6 support and some other allowed values in the log

Christian Dröge Christian at draugr.de
Fri Aug 27 16:08:02 UTC 2010


Package: logcheck-database
Version: 1.3.12
Severity: normal

Hi,

I had to create some customized rules for amavisd-new, so that the
logcheck mail is not full of uninteresting log lines. I added the
following changes to the rules:

      * IPv6 support for IP addresses
      * allows PASSED SPAM in log (if amavisd-new is configured to
        forward spam to the user without discarding/bouncing it)
      * optional minus sign (same as #592786, but they probably should
        be optional)
      * optional quarantine in log line (if amavisd-new is configured to
        not quarantine a mail with a virus or a bad header)
      * optional Message-ID (sometimes this header is missing)

Here are the changed rules:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|SPAM),( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: ((-)?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (INFECTED \([-._[:alnum:]]+\)|BAD-HEADER),( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){1,2} <[^>]*> -> <[^>]*>,( quarantine: (virus|badh)-[-+[:alnum:]]+,)? Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: ((-)?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$


I hope that these changes are helpful and will be incorporated into the current rules. Here are some examples that are filtered by the changed rules:

IPv6 example:
Aug 23 12:21:02 mail amavis[17286]: (17286-10) Passed CLEAN, [IPv6:2001:41b8:202:deb:213:21ff:fe20:1426] [89.163.160.227] <bounce-debian-security-announce=christian+lists.debian.security-announce=draugr.de at lists.debian.org> -> <christian at draugr.de>, Message-ID: <20100823101246.GA6512 at SD6-Casa.iuculano.it>, Resent-Message-ID: <Mguz-15aQq.A.TG.1mkcMB at liszt>, mail_id: 0Wrgflf-fVBG, Hits: -2.208, size: 11783, queued_as: 680E120E186, 56 ms

Example without "quarantine":
Aug 25 17:43:11 mail amavis[18950]: (18950-05) Passed BAD-HEADER, [91.189.94.204] [96.21.216.144] <ubuntu-security-announce-bounces at lists.ubuntu.com> -> <christian at draugr.de>, Message-ID: <1282750872.2662.8.camel at mdlinux>, mail_id: vgu7UmtJb569, Hits: -2.57, size: 9384, queued_as: A30F120E149, 664 ms

Example without Message-ID:
Aug 27 01:20:45 mail amavis[7739]: (07739-16) Passed CLEAN, LOCAL [88.198.60.116] [88.198.60.116] <root at jabberd.draugr.de> -> <christian at draugr.de>, mail_id: 4NHaobkpxB96, Hits: 0.295, size: 559, queued_as: 15A1220E146, 260 ms


Best regards,
Christian Dröge
