On Tue, 9 Dec 2003, Jack Gostl wrote:
> I sent you the error message, I'm pretty sure there was no user associated
> with it. There were tens of thousands of those errors in the log. I'm not
> sure how to pinpoint the culprit. I guess I'll have to go to each user and
> rebuild their database.

Yes, you did, but you did not include the -other- lines associated with that particular spamd run, which had the information that you seek. I tried to point you to what you are looking for but evidently you didn't understand.

Intro to Syslog Interp 101

Think of syslog interpretation like trying to follow a conversation at a crowded party. Everybody is talking at once, you hear 'snippets' of speech, so you need to be able to thread together the groups of words to extract a complete and comprehensible conversation.

On a Unix system syslog gathers report messages from programs and stores them with identifying info as lines of text in a log file. Each message is only a single line of text, so if the program has a lot of info to log, it will report it as multiple messages. These may (and probably will) end up interspersed with reports from other programs logging at the same time on a busy system. So you need to look at the identifying info to find all the lines that relate to one specific program and its job, to be able to thread them together for the full report.

Each line in a syslog file has a standardized format:

date time host program[PID]: text-of-message-from-program

You need to match up the program-name and Process-ID to find all the lines of text that relate to one program job. So the line:

Dec 8 23:44:53 argos spamd[766]: checking message <[EMAIL PROTECTED]> for (jbuser):115.

was logged on the host "argos" at 23:44:53, Dec 8, by the 'spamd' program with the Process-ID of 766. (Some lines may not follow this precise format; the PID is optional and a client process may choose not to provide it. If the message comes from the system level (kernel), there will not be a process name associated.)
Now, looking at a snippet from a real syslog file on a mail server, you would see lines like:

Nov 8 01:09:44 server13 sm-mta[2541]: hA879g3Z002541: from=<[EMAIL PROTECTED]>, size=23558, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=SMTP, daemon=MTA, relay=discovery.neiu.edu [66.99.13.30]
Nov 8 01:09:44 server13 spamd[2542]: checking message <[EMAIL PROTECTED]> for (unknown):115.
Nov 8 01:09:46 server13 spamd[2540]: clean message (-9.0/6.0) for (unknown):115 in 13.9 seconds, 7892 bytes.
Nov 8 01:09:47 server13 miltrassassin[1786]: hA879T3Z002531: spamlevel=-90
Nov 8 01:09:47 server13 sm-mta[2531]: hA879T3Z002531: to=<[EMAIL PROTECTED]>, delay=00:00:14, mailer=lrelay, pri=3580, stat=queued
Nov 8 01:09:47 server13 spamd[2530]: clean message (-3.3/6.0) for (unknown):115 in 24.0 seconds, 16016 bytes.
Nov 8 01:09:47 server13 miltrassassin[1786]: hA879M3Y002527: spamlevel=-33
Nov 8 01:09:47 server13 sm-mta[2527]: hA879M3Y002527: to=<[EMAIL PROTECTED]>, delay=00:00:21, mailer=lrelay, pri=3441, stat=queued
Nov 8 01:09:55 server13 sm-mta[2543]: NOQUEUE: connect from swfirewall1.andersencorp.com [65.217.82.3]
Nov 8 01:09:55 server13 sm-mta[2543]: hA879t3Y002543: swfirewall1.andersencorp.com [65.217.82.3] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 8 01:09:58 server13 sm-mta[2544]: NOQUEUE: connect from moon.its.uiowa.edu [128.255.56.76]
Nov 8 01:09:58 server13 sm-mta[2544]: hA879w3Y002544: from=<[EMAIL PROTECTED]>, size=17075, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=moon.its.uiowa.edu [128.255.56.76]
Nov 8 01:09:58 server13 spamd[2545]: checking message <[EMAIL PROTECTED]> for (unknown):115.
Nov 8 01:10:02 server13 spamd[2542]: clean message (-3.5/6.0) for (unknown):115 in 17.7 seconds, 24235 bytes.
Nov 8 01:10:02 server13 miltrassassin[1786]: hA879g3Z002541: spamlevel=-35
Nov 8 01:10:02 server13 sm-mta[2541]: hA879g3Z002541: to=<[EMAIL PROTECTED]>, delay=00:00:18, mailer=lrelay, pri=3859, stat=queued
Nov 8 01:10:14 server13 spamd[2545]: clean message (1.4/6.0) for (unknown):115 in 15.2 seconds, 17494 bytes.
Nov 8 01:10:14 server13 miltrassassin[1786]: hA879w3Y002544: spamlevel=14
Nov 8 01:10:14 server13 sm-mta[2544]: hA879w3Y002544: to=<[EMAIL PROTECTED]>, delay=00:00:16, mailer=lrelay, pri=3919, stat=queued

Note that there are a number of messages from different processes intermingled in there. If we pick out one particular spamd run (say PID [2545]) we will find:

Nov 8 01:09:58 server13 spamd[2545]: checking message <[EMAIL PROTECTED]> for (unknown):115.
Nov 8 01:10:14 server13 spamd[2545]: clean message (1.4/6.0) for (unknown):115 in 15.2 seconds, 17494 bytes.

If there had been an error logged it would have been something like:

Nov 8 01:10:10 server13 spamd[2545]: Use of uninitialized value in numeric eq (==) at /usr/local/....

So you would use the PID to tie it to the line that has the user name, as I told you how to identify. So now that you know what to look for, go back to those logs and you can find the offending users.

Dave

--
Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
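As an added example (not from the post above, and not SpamAssassin's own code), here is a small Python script that does the threading Dave describes: parse each line into date, time, host, program, PID and message; group the lines by (host, program, PID) so one program run can be read together; then, for every spamd run, tie any abnormal line to the user named in that run's "checking message ... for (user):uid" line. The log lines embedded in it are constructed for the example, modelled on the format shown in the post, with an injected Perl warning and a hypothetical module path; the list of "normal" spamd message prefixes is an assumption, not spamd's documented set.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not from a real server). The spamd[2545] run
# carries an injected Perl warning with a hypothetical module path so the
# threading can be seen tying an error to a user.
SAMPLE_LOG = """\
Nov  8 01:09:58 server13 sm-mta[2544]: NOQUEUE: connect from moon.its.uiowa.edu [128.255.56.76]
Nov  8 01:09:58 server13 spamd[2545]: checking message <msg1@example.invalid> for (jbuser):115.
Nov  8 01:09:58 server13 spamd[2542]: checking message <msg2@example.invalid> for (alice):115.
Nov  8 01:10:02 server13 spamd[2542]: clean message (-3.5/6.0) for (alice):115 in 17.7 seconds, 24235 bytes.
Nov  8 01:10:10 server13 spamd[2545]: Use of uninitialized value in numeric eq (==) at /usr/local/lib/perl5/Mail/SpamAssassin/Bayes.pm line 42.
Nov  8 01:10:14 server13 spamd[2545]: clean message (1.4/6.0) for (jbuser):115 in 15.2 seconds, 17494 bytes.
Nov  8 01:10:15 server13 kernel: eth0: link up
"""

# The line format the post describes:  date time host program[PID]: message
# The [PID] part is optional (kernel messages, and programs that log none).
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Messages a healthy spamd run emits; anything else in a spamd thread is
# treated as an error. Assumption: built from the lines shown in the post
# plus spamd's usual "connection from" / "identified spam" lines.
SPAMD_NORMAL_PREFIXES = (
    "connection from", "processing message", "checking message",
    "clean message", "identified spam", "result:",
)
# Pulls the user out of "... for (user):uid"
SPAMD_USER_RE = re.compile(r" for \((?P<user>[^)]*)\):\d+")


def parse_line(line):
    """Split one syslog line into its fields; returns None for lines that
    do not follow the standard format (e.g. '-- MARK --' lines)."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def thread_by_process(text):
    """Group records by (host, program, PID) in log order, so the lines of
    one program run can be read together despite interleaving."""
    threads = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            threads[(rec["host"], rec["prog"], rec["pid"])].append(rec)
    return threads


def spamd_errors_by_user(text):
    """For each spamd run, tie every abnormal message to the user named in
    that run's 'checking message ... for (user):uid' line.
    Returns [(pid, user, error_message), ...] in log order."""
    found = []
    for (_host, prog, pid), recs in thread_by_process(text).items():
        if prog != "spamd":
            continue
        user, errors = None, []
        for rec in recs:
            msg = rec["msg"]
            m = SPAMD_USER_RE.search(msg)
            if m and user is None:
                user = m.group("user")
            if not msg.startswith(SPAMD_NORMAL_PREFIXES):
                errors.append(msg)
        found.extend((pid, user, err) for err in errors)
    return found


def errors_per_user(text):
    """Count error lines per user: with tens of thousands of errors this is
    the table that says whose database actually needs rebuilding."""
    return Counter(user for _pid, user, _err in spamd_errors_by_user(text))


if __name__ == "__main__":
    for pid, user, err in spamd_errors_by_user(SAMPLE_LOG):
        print(f"spamd[{pid}] user={user}: {err}")
    print(dict(errors_per_user(SAMPLE_LOG)))
```

Run it against a real log with `spamd_errors_by_user(open("/var/log/maillog").read())`. One caveat for long logs: PIDs are reused, so over days of data one (host, program, PID) key can contain several distinct runs; if that matters, start a new thread at each "checking message" line instead of keying on the PID alone.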