On 2/28/2011 7:08 AM, Mark Martinec wrote:
> Bill,
>
>> I have been noticing for quite some time that amavisd-new logs test
>> results messages to the maillog differently at times. For example:
>>
>> Feb 27 14:22:06 mail amavis[27931]: (27931-08) Passed CLEAN
>> Feb 27 14:22:56 mail ch4-03611-04)[3611]: (03611-04) Passed CLEAN
>>
>> These are 2 different messages that amavisd-new tested and reported to
>> the maillog as "Passed CLEAN". However, notice that the first log entry
>> clearly shows it came from "amavis", but the second log entry shows it
>> came from "ch4-03611-04)". Note that there is also a closing ")" in the
>> second log entry but no opening "(".
>>
>> Any ideas why this is happening and what I can do to fix it? I am
>> currently running amavisd-new-2.6.4 (20090625).
>
> What syslog variant are you using?
> Looks like part of a process name ($0) ends up as a syslog ident.
Hi Mark,

I'm running Fedora 12:

uname -a
Linux mail.inetmsg.com 2.6.32.26-175.fc12.i686.PAE #1 SMP Wed Dec 1 21:45:50 UTC 2010 i686 athlon i386 GNU/Linux

And syslog is:

rsyslogd -v
rsyslogd 4.4.2, compiled with:
        FEATURE_REGEXP:                         Yes
        FEATURE_LARGEFILE:                      Yes
        FEATURE_NETZIP (message compression):   Yes
        GSSAPI Kerberos 5 support:              Yes
        FEATURE_DEBUG (debug build, slow code): No
        Atomic operations supported:            No
        Runtime Instrumentation (slow code):    No

> The $syslog_ident is 'amavis' by default and is never changed
> by amavisd itself. It is passed as an argument to openlog(),
> so this is the string you should be seeing in a syslog.
> A custom hook is allowed to change the $syslog_ident
> (e.g. in a policy bank), so this would be reflected in a syslog
> for entries written when using such a policy bank.

The only policy bank I use is (the rest are commented out):

=====
$interface_policy{'SOCK'} = 'AM.PDP-SOCK';
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',         # select Amavis policy delegation protocol
  auth_required_release => 0,   # don't require secret_id for amavisd-release
};
=====

I searched my amavisd.conf file and only find one entry for $syslog_ident,
included in this section of the config file:

=====
$log_level = 0;
$LOGFILE = undef;
$DO_SYSLOG = 1;                 # same as 0
$syslog_ident = 'amavis';
$syslog_facility = 'mail';      # after-default, derived from $SYSLOG_LEVEL
$syslog_priority = 'debug';     # after-default, derived from $SYSLOG_LEVEL
$SYSLOG_LEVEL = 'mail.debug';   # obsolete variable
=====

I am running a custom logging section that you provided a while back:

=====
$log_templ = <<'EOD';
[?%#D|#|Passed #
[? [:ccat|major] |OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER|SPAMMY|SPAM|\
UNCHECKED|BANNED (%F)|INFECTED (%V)]#
, [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]%s -> [%D|,]#
[? %q ||, quarantine: %q]#
[? %Q ||, Queue-ID: %Q]#
[? %m ||, Message-ID: %m]#
[? %r ||, Resent-Message-ID: %r]#
, mail_id: %i#
, Hits: [:SCORE]#
, size: %z#
[~[:remote_mta_smtp_response]|["^$"]||[", queued_as: "]]\
[remote_mta_smtp_response|[~%x|["queued as ([0-9A-Z]+)$"]|["%1"]|["%0"]]|/]#
[? [:header_field|Subject] ||, Subject: [:dquote|[:header_field|Subject]]]#
[? [:header_field|From] ||, From: [:uquote|[:header_field|From]]]#
[? [:useragent|name] ||, [:useragent|name]: [:uquote|[:useragent|body]]]#
[? %#T ||, Tests: \[[%T|,]\]]#
[? [:AUTOLEARN] ||, autolearn=[:AUTOLEARN]]#
, %y ms#
]
[?%#O|#|Blocked #
[? [:ccat|major|blocking] |#
OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER|SPAMMY|SPAM|\
UNCHECKED|BANNED (%F)|INFECTED (%V)]#
, [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]%s -> [%O|,]#
[? %q ||, quarantine: %q]#
[? %Q ||, Queue-ID: %Q]#
[? %m ||, Message-ID: %m]#
[? %r ||, Resent-Message-ID: %r]#
, mail_id: %i#
, Hits: [:SCORE]#
, size: %z#
#, smtp_resp: [:smtp_response]#
[? [:header_field|Subject] ||, Subject: [:dquote|[:header_field|Subject]]]#
[? [:header_field|From] ||, From: [:uquote|[:header_field|From]]]#
[? [:useragent|name] ||, [:useragent|name]: [:uquote|[:useragent|body]]]#
[? %#T ||, Tests: \[[%T|,]\]]#
[? [:AUTOLEARN] ||, autolearn=[:AUTOLEARN]]#
, %y ms#
]
EOD
=====

> Your string "ch4-03611-04)" looks very much like the process
> name ($0), except that it is missing the "amavisd (" prefix.
> Could it be that your syslog is being creative and tries to use
> a process name in place of a syslog ident?

Hmmm, maybe, but I don't really know why it would be doing that; it's
really just a basic install of Fedora 12. Here is what my maillog shows
thus far today:

grep -c "mail ch" /var/log/maillog
301

grep -c "mail amavis" /var/log/maillog
2319

As you can see, most log entries use "amavis", but certainly not all.
Any ideas on where to look next?

Thanks!
Bill

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
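An added example, not part of the thread: a small Python script that does what the two grep -c commands above do, but keyed on the amavisd task id "(pid-seq)" rather than on the ident string, so it counts task lines per syslog ident, flags every entry whose ident is not the configured $syslog_ident, and checks that the task id's pid component agrees with the [pid] field. The sample maillog lines are constructed from the two quoted in the thread; the "ch4-..." ident and pids are taken from them, the rest is made up.

```python
import re
from collections import Counter

# Constructed sample maillog excerpt (addresses, scores, sizes are made up), modelled on the thread's two lines
SAMPLE_MAILLOG = """\
Feb 27 14:22:06 mail amavis[27931]: (27931-08) Passed CLEAN, <a@example.org> -> <b@example.org>, Hits: -1.2, size: 1532, 381 ms
Feb 27 14:22:56 mail ch4-03611-04)[3611]: (03611-04) Passed CLEAN, <c@example.org> -> <d@example.org>, Hits: 0.1, size: 980, 402 ms
Feb 27 14:23:10 mail postfix/smtpd[4120]: connect from unknown[192.0.2.10]
Feb 27 14:23:41 mail amavis[27931]: (27931-09) Blocked SPAM, <e@example.org> -> <f@example.org>, Hits: 12.7, size: 4410, 910 ms
"""

# Classic syslog line layout: "<timestamp> <host> <ident>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<ident>.*?)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# amavisd task lines begin with the task id "(<child pid>-<seq>)" and a verdict
TASK_RE = re.compile(r'^\((?P<task>\d+-\d+(?:-\d+)?)\) (?P<verdict>Passed|Blocked) (?P<ccat>[A-Z-]+)')


def parse_amavis_line(line, expected_ident='amavis'):
    """Return a dict for an amavisd task line, or None for any other line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    t = TASK_RE.match(m['msg'])
    if not t:
        return None  # postfix, clamd, ... or an amavisd line without a task id
    task_pid = int(t['task'].split('-')[0])
    return {
        'ident': m['ident'],
        'pid': int(m['pid']),
        'task': t['task'],
        'verdict': t['verdict'],
        'ccat': t['ccat'],
        # the task id's first component is the child pid; it must agree with [pid]
        'pid_consistent': task_pid == int(m['pid']),
        'ident_ok': m['ident'] == expected_ident,
    }


def audit_idents(text, expected_ident='amavis'):
    """Count amavisd task lines per syslog ident and collect those whose ident is
    not the configured $syslog_ident (the "mail ch..." entries from the thread)."""
    counts, anomalies = Counter(), []
    for line in text.splitlines():
        rec = parse_amavis_line(line, expected_ident)
        if rec is None:
            continue
        counts[rec['ident']] += 1
        if not rec['ident_ok']:
            anomalies.append(rec)
    return counts, anomalies
```

Run it over a real /var/log/maillog to get the per-ident counts plus the exact task ids affected, which is more useful than the bare grep totals when correlating with amavisd's own task log.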