On Tue, 9 Dec 2003, Jack Gostl wrote:

> I sent you the error message, I'm pretty sure there was no user associated
> with it. There were tens of thousands of those errors in the log. I'm not
> sure how to pinpoint the culprit. I guess I'll have to go to each user and
> rebuild their database.

Yes, you did but did not include the -other- lines associated with that
particular spamd run which had the information that you seek.
I tried to point you to what you are looking for but evidently you didn't
understand.

Intro to Syslog Interp 101

Think of syslog interpretation like trying to follow a conversation
at a crowded party. Everybody is talking at once, you hear 'snippets'
of speech, so you need to be able to thread together the groups of
words to extract a complete and comprehensible conversation.

On a Unix system syslog gathers report messages from programs
and stores them with identifying info as lines of text in a log file.
Each message is only a single line of text, so if the program has a lot
of info to log, it will report it as multiple messages. These may
(and probably will) end up interspersed with reports from other programs
logging at the same time on a busy system.

So you need to look at the identifying info to find all the lines that
relate to one specific program and its job, to be able to thread them
together for the full report.

Each line in a syslog file has a standardized format:

date time host program[PID]: text-of-message-from-program

You need to match up the program-name and Process-ID to find all the
lines of text that relate to one program job.

So the line:

 Dec  8 23:44:53 argos spamd[766]: checking message <[EMAIL PROTECTED]> for (jbuser):115.

Was logged on the host "argos" at 23:44:53, Dec 8, by the 'spamd' program
with the Process-ID of 766.

(Some lines may not follow this precise format; the PID is optional and a
client process may choose not to provide it, and if the message comes from
the system level (kernel), there will not be a process name associated.)

Now looking at a snippet from a real syslog file on a mail server you
would see lines like:

Nov  8 01:09:44 server13 sm-mta[2541]: hA879g3Z002541: from=<[EMAIL PROTECTED]>, size=23558, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=SMTP, daemon=MTA, relay=discovery.neiu.edu [66.99.13.30]
Nov  8 01:09:44 server13 spamd[2542]: checking message <[EMAIL PROTECTED]> for (unknown):115.
Nov  8 01:09:46 server13 spamd[2540]: clean message (-9.0/6.0) for (unknown):115 in 13.9 seconds, 7892 bytes.
Nov  8 01:09:47 server13 miltrassassin[1786]: hA879T3Z002531: spamlevel=-90
Nov  8 01:09:47 server13 sm-mta[2531]: hA879T3Z002531: to=<[EMAIL PROTECTED]>, delay=00:00:14, mailer=lrelay, pri=3580, stat=queued
Nov  8 01:09:47 server13 spamd[2530]: clean message (-3.3/6.0) for (unknown):115 in 24.0 seconds, 16016 bytes.
Nov  8 01:09:47 server13 miltrassassin[1786]: hA879M3Y002527: spamlevel=-33
Nov  8 01:09:47 server13 sm-mta[2527]: hA879M3Y002527: to=<[EMAIL PROTECTED]>, delay=00:00:21, mailer=lrelay, pri=3441, stat=queued
Nov  8 01:09:55 server13 sm-mta[2543]: NOQUEUE: connect from swfirewall1.andersencorp.com [65.217.82.3]
Nov  8 01:09:55 server13 sm-mta[2543]: hA879t3Y002543: swfirewall1.andersencorp.com [65.217.82.3] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  8 01:09:58 server13 sm-mta[2544]: NOQUEUE: connect from moon.its.uiowa.edu [128.255.56.76]
Nov  8 01:09:58 server13 sm-mta[2544]: hA879w3Y002544: from=<[EMAIL PROTECTED]>, size=17075, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=moon.its.uiowa.edu [128.255.56.76]
Nov  8 01:09:58 server13 spamd[2545]: checking message <[EMAIL PROTECTED]> for (unknown):115.
Nov  8 01:10:02 server13 spamd[2542]: clean message (-3.5/6.0) for (unknown):115 in 17.7 seconds, 24235 bytes.
Nov  8 01:10:02 server13 miltrassassin[1786]: hA879g3Z002541: spamlevel=-35
Nov  8 01:10:02 server13 sm-mta[2541]: hA879g3Z002541: to=<[EMAIL PROTECTED]>, delay=00:00:18, mailer=lrelay, pri=3859, stat=queued
Nov  8 01:10:14 server13 spamd[2545]: clean message (1.4/6.0) for (unknown):115 in 15.2 seconds, 17494 bytes.
Nov  8 01:10:14 server13 miltrassassin[1786]: hA879w3Y002544: spamlevel=14
Nov  8 01:10:14 server13 sm-mta[2544]: hA879w3Y002544: to=<[EMAIL PROTECTED]>, delay=00:00:16, mailer=lrelay, pri=3919, stat=queued

Note that there are a number of messages from different processes
intermingled in there.

If we pick out one particular spamd run (say PID 2545) we will find:
Nov  8 01:09:58 server13 spamd[2545]: checking message <[EMAIL PROTECTED]> for (unknown):115.
Nov  8 01:10:14 server13 spamd[2545]: clean message (1.4/6.0) for (unknown):115 in 15.2 seconds, 17494 bytes.

If there had been an error logged it would have been something like:
Nov  8 01:10:10 server13 spamd[2545]: Use of uninitialized value in numeric eq (==) at /usr/local/....

So you would use the PID to tie it to the line that has the user name,
as I told you how to identify.

So now that you know what to look for, go back to those logs and you
can find the offending users.

Dave

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
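The threading step Dave describes, as an added example that is not part of his message or of SpamAssassin's own code: it parses the `date time host program[PID]: text` header, glues mail-wrapped continuation lines back onto the record they belong to, groups records by (program, PID), and for every spamd run that logged the error reports the user name from that PID's "checking message ... for (user):uid" line. The log excerpt is constructed for the example, modelled on the one above with example.com addresses and 192.0.2.0/24 addresses; the host name, the user names alice/bob and the error text are assumptions, and the error marker is the one quoted in the message.

```python
import re
from collections import defaultdict

# Classic BSD syslog layout from the message:  date time host program[PID]: text
# The [PID] part is optional (kernel and some client processes omit it).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# spamd's "checking message <id> for (user):uid." line is the one that names the user.
CHECKING_RE = re.compile(
    r"checking message <(?P<msgid>[^>]*)> for \((?P<user>[^)]*)\):(?P<uid>\d+)"
)

# Constructed sample, modelled on the excerpt; the sm-mta line is wrapped the way
# a mail client wraps long log lines, the kernel line has no PID. (Assumed data.)
SAMPLE_LOG = """\
Nov  8 01:09:44 server13 sm-mta[2541]: hA879g3Z002541: from=<a@example.com>, size=23558, class=0, nrcpts=1, msgid=<x@example.com>, proto=SMTP, daemon=MTA,
relay=discovery.example.edu [192.0.2.30]
Nov  8 01:09:44 server13 spamd[2542]: checking message <x@example.com> for (alice):115.
Nov  8 01:09:46 server13 spamd[2540]: clean message (-9.0/6.0) for (unknown):115 in 13.9 seconds, 7892 bytes.
Nov  8 01:09:47 server13 miltrassassin[1786]: hA879T3Z002531: spamlevel=-90
Nov  8 01:09:58 server13 spamd[2545]: checking message <y@example.com> for (bob):115.
Nov  8 01:10:02 server13 spamd[2542]: clean message (-3.5/6.0) for (alice):115 in 17.7 seconds, 24235 bytes.
Nov  8 01:10:10 server13 spamd[2545]: Use of uninitialized value in numeric eq (==) at /usr/local/....
Nov  8 01:10:14 server13 spamd[2545]: clean message (1.4/6.0) for (bob):115 in 15.2 seconds, 17494 bytes.
Nov  8 01:10:15 server13 kernel: example kernel message with no PID
"""


def parse_lines(lines):
    """Parse raw syslog text into header dicts. A line with no syslog header is
    treated as a continuation of the previous record (mail-wrapped long line)."""
    records = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif records and line.strip():
            records[-1]["msg"] += " " + line.strip()
    return records


def thread_by_process(records):
    """Group records by (program, PID) so that one process's lines read together."""
    threads = defaultdict(list)
    for r in records:
        threads[(r["prog"], r["pid"])].append(r)
    return threads


def find_error_users(lines, program="spamd",
                     error_marker="Use of uninitialized value"):
    """Return {pid: user} for each run of `program` that logged `error_marker`,
    tying the error line to the 'checking message ... for (user)' line of the
    same PID. user is None when that line was not captured for the PID."""
    threads = thread_by_process(parse_lines(lines))
    culprits = {}
    for (prog, pid), recs in threads.items():
        if prog != program or not any(error_marker in r["msg"] for r in recs):
            continue
        user = None
        for r in recs:
            cm = CHECKING_RE.search(r["msg"])
            if cm:
                user = cm.group("user")
                break
        culprits[pid] = user
    return culprits


if __name__ == "__main__":
    for pid, user in find_error_users(SAMPLE_LOG.splitlines()).items():
        print(f"spamd[{pid}] hit the error while scanning for user {user}")
```

Run against a real maillog with `find_error_users(open("/var/log/maillog").read().splitlines())`; a PID that maps to None means the error fired before (or without) the "checking message" line, so that run cannot be tied to a user from spamd's lines alone.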



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
