[Logcheck-devel] small amavisd logcheck match

John Clements clements at brinckerhoff.org
Sun Jul 10 00:00:01 UTC 2011 

I've read the guidelines on submitting updates... and I'm ignoring them. Feel free to respond by ignoring this message.  I don't have time to do it right, so I figured that sending this message would be at least somewhat better than not sending it. Apologies in advance.

It turns out that on my machine, amavisd-new doesn't necessarily include a "Message-ID" field in its log lines.  Also, it now appears to place quarantined messages into subdirectories indexed by a single character. 

Accordingly, I added this modification of an existing amavisd rule to my set:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (INFECTED \([-._[:alnum:]]+\)|BAD-HEADER),( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){1,2} <[^>]*> -> <[^>]*>,( quarantine: [[:alnum:]]/(virus|badh)-[-+[:alnum:]]+,)?( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$


This is observed to match lines such as this:

Jul  9 13:04:00 computer amavis[12388]: (12388-04) Passed BAD-HEADER, [125.206.180.148] [125.206.180.148] <> -> <anika at example.com>, quarantine: e/badh-ezZ9dnor96RO, mail_id: ezZ9dnor96RO, Hits: 5.11, size: 3338, queued_as: BDA623F8006, 1832 ms
Jul  9 13:04:05 computer amavis[12388]: (12388-05) Passed BAD-HEADER, [114.147.41.68] [114.147.41.68] <> -> <anika at example.com>, quarantine: X/badh-XZ9Y+RVNX2fU, mail_id: XZ9Y+RVNX2fU, Hits: 5.11, size: 3328, queued_as: 135383F8006, 912 ms
Jul  9 15:51:56 computer amavis[15778]: (15778-04) Passed BAD-HEADER, [77.238.177.19] [77.238.177.19] <> -> <anika at example.com>, quarantine: t/badh-tLMrWbmW9Wcx, mail_id: tLMrWbmW9Wcx, Hits: 0.859, size: 4531, queued_as: 24D563F8006, 716 ms

... which the existing rule did not.

Hope this is useful, and apologies again for not bothering to submit a git patch.

John Clements

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4624 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20110709/c9235214/attachment.bin>

More information about the Logcheck-devel mailing list