Package: logcheck-database
Version: 1.3.12
Severity: normal

Hi,

I had to create some customized rules for amavisd-new, so that the
logcheck mail is not full of uninteresting log lines. I added the
following changes to the rules:

      * IPv6 support for IP addresses
      * allows PASSED SPAM in log (if amavisd-new is configured to
        forward spam to the user without discarding/bouncing it)
      * optional minus sign (same as #592786, but they probably should
        be optional)
      * optional quarantine in log line (if amavisd-new is configured to
        not quarantine a mail with a virus or a bad header)
      * optional Message-ID (sometimes this header is missing)

Here are the changed rules:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|SPAM),( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: ((-)?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (INFECTED \([-._[:alnum:]]+\)|BAD-HEADER),( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){1,2} <[^>]*> -> <[^>]*>,( quarantine: (virus|badh)-[-+[:alnum:]]+,)? Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: ((-)?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$


I hope that these changes are helpful and will be incorporated into the
current rules. Here are some examples that are filtered by the changed rules:

IPv6 example:
Aug 23 12:21:02 mail amavis[17286]: (17286-10) Passed CLEAN, [IPv6:2001:41b8:202:deb:213:21ff:fe20:1426] [89.163.160.227] <bounce-debian-security-announce=christian+lists.debian.security-announce=draugr...@lists.debian.org> -> <christ...@draugr.de>, Message-ID: <20100823101246.ga6...@sd6-casa.iuculano.it>, Resent-Message-ID: <mguz-15aqq.a.tg.1mk...@liszt>, mail_id: 0Wrgflf-fVBG, Hits: -2.208, size: 11783, queued_as: 680E120E186, 56 ms

Example without "quarantine":
Aug 25 17:43:11 mail amavis[18950]: (18950-05) Passed BAD-HEADER, [91.189.94.204] [96.21.216.144] <ubuntu-security-announce-boun...@lists.ubuntu.com> -> <christ...@draugr.de>, Message-ID: <1282750872.2662.8.ca...@mdlinux>, mail_id: vgu7UmtJb569, Hits: -2.57, size: 9384, queued_as: A30F120E149, 664 ms

Example without Message-ID:
Aug 27 01:20:45 mail amavis[7739]: (07739-16) Passed CLEAN, LOCAL [88.198.60.116] [88.198.60.116] <r...@jabberd.draugr.de> -> <christ...@draugr.de>, mail_id: 4NHaobkpxB96, Hits: 0.295, size: 559, queued_as: 15A1220E146, 260 ms


Best regards,
Christian Dröge



_______________________________________________
Logcheck-devel mailing list
Logcheck-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel
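
Added example (not part of the original report or of logcheck itself): a regression check that runs the two proposed ignore rules through grep -E, the matcher logcheck uses, and confirms that routine "Passed" lines are dropped while other amavis lines are still reported. The rules are copied from the report with wrapped lines rejoined and the address class written as [[:xdigit:].:]; all sample log lines are constructed and use documentation addresses.

```shell
#!/bin/sh
# Added example: check logcheck ignore rules against sample log lines.

# The two rules from the report, one per line as logcheck expects.
rules() {
cat <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|SPAM),( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: ((-)?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (INFECTED \([-._[:alnum:]]+\)|BAD-HEADER),( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){1,2} <[^>]*> -> <[^>]*>,( quarantine: (virus|badh)-[-+[:alnum:]]+,)? Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: ((-)?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
EOF
}

# Constructed lines the rules should ignore: IPv6 client, no quarantine,
# no Message-ID, and Passed SPAM.
samples_ignored() {
cat <<'EOF'
Aug 23 12:21:02 mail amavis[17286]: (17286-10) Passed CLEAN, [IPv6:2001:db8::25] [192.0.2.10] <sender@example.org> -> <user@example.net>, Message-ID: <msg1@example.org>, Resent-Message-ID: <resent1@example.org>, mail_id: 0Wrgflf-fVBG, Hits: -2.208, size: 11783, queued_as: 680E120E186, 56 ms
Aug 25 17:43:11 mail amavis[18950]: (18950-05) Passed BAD-HEADER, [192.0.2.20] [198.51.100.7] <list-bounces@example.com> -> <user@example.net>, Message-ID: <msg2@example.com>, mail_id: vgu7UmtJb569, Hits: -2.57, size: 9384, queued_as: A30F120E149, 664 ms
Aug 27 01:20:45 mail amavis[7739]: (07739-16) Passed CLEAN, LOCAL [192.0.2.30] [192.0.2.30] <root@host.example.net> -> <user@example.net>, mail_id: 4NHaobkpxB96, Hits: 0.295, size: 559, queued_as: 15A1220E146, 260 ms
Aug 27 02:00:00 mail amavis[7739]: (07739-17) Passed SPAM, [192.0.2.40] <a@example.org> -> <user@example.net>, Message-ID: <msg4@example.org>, mail_id: abcDEF123456, Hits: 7.3, size: 2048, queued_as: 25B1220E147, 912 ms
EOF
}

# Constructed lines that must still reach the administrator.
samples_reported() {
cat <<'EOF'
Aug 27 03:10:00 mail amavis[7739]: (07739-18) Blocked INFECTED (Eicar-Test-Signature), [192.0.2.50] <x@example.org> -> <user@example.net>, quarantine: virus-AbCdEf123456, Message-ID: <msg5@example.org>, mail_id: AbCdEf123456, Hits: -, size: 1024, 120 ms
Aug 27 03:11:00 mail amavis[7739]: (07739-19) (!!)ClamAV-clamd av-scanner FAILED: constructed error text
EOF
}

# Read log lines on stdin and print those that no rule matches, i.e. what
# logcheck would still mail out.
unfiltered() {
    f=$(mktemp) || return 2
    rules > "$f"
    rc=0
    grep -E -v -f "$f" || rc=$?
    rm -f "$f"
    [ "$rc" -le 1 ]  # 0: lines left over, 1: all ignored, 2+: grep error (bad rule)
}

echo "ignored samples still reported: $(samples_ignored | unfiltered | grep -c '')"
echo "lines that stay in the report:"
samples_reported | unfiltered
```

Keeping a file of must-report lines next to the ignore rules catches a rule that has been loosened too far before it hides something from the logcheck mail.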
