Hi,

I recently wrote a small script that can add geoip info to qmail log lines
of several formats.

Maybe someone else finds it useful as well. I hereby release it under the
GPL, version 3 or later.

It works as a filter; you pipe the original log in, and out comes the
extended log. It's not terribly fast, because it's written in zsh and uses
"while read; do ...; done", but at least it avoids using external sed and
grep.

I use it as part of a system that alerts me to unusual log entries; this
script allows me to ignore RBL matches of clients from countries I know we
don't really correspond with.

Watch out, some of the lines in the script are long.

#!/bin/zsh
#
# Add geoip country to every relevant line, if possible.
# Reads the log on stdin and writes the extended log on stdout.
#
# Without the database or the lookup tool, pass the log through unchanged.
[[ -r /var/lib/geoip/GeoIP.dat.gz ]] || exec cat
[[ -x /usr/bin/geoiplookup ]] || exec cat

# Print "CC, Country name" for an IP, or "--, unknown" if the lookup fails.
# geoiplookup prints "GeoIP Country Edition: CC, Country name"; strip the prefix.
function countrylookup() {
        local country
        country=$(geoiplookup -d /var/lib/geoip "$1") \
        && print -rn -- "${country/*: /}" || print -rn -- "--, unknown"
}

# IFS= and -r keep leading whitespace and backslashes in the log line intact;
# print -r avoids echo's backslash interpretation on the way out.
while IFS= read -r line; do
        case "$line" in
                # This first clause catches log lines generated by my patched qmail
                *": S:"*)
                        case "$line" in
                                *C:*)
                                        print -r -- "$line" # Already have country info
                                        ;;
                                *)
                                        # IP is the text between the last "S:" and the next ":"
                                        IP="${${line/*S:/}/:*/}"
                                        print -r -- "$line C:$(countrylookup "$IP")"
                                        ;;
                        esac
                        ;;
                # spamdyke lines: "... origin_ip: 1.2.3.4 origin_rdns: host ..."
                *origin_ip:*)
                        IP="${${line/*origin_ip: /}/ */}"
                        country=$(countrylookup "$IP")
                        line1="${line/ origin_rdns:*/}"            # everything up to the IP
                        line2="${line/*origin_rdns:/origin_rdns:}" # from origin_rdns onwards
                        print -r -- "$line1 ($country) $line2"
                        ;;
                # rblsmtpd lines: "... rblsmtpd: 1.2.3.4 pid 1234: ..."
                *rblsmtpd:*)
                        IP="${${line/*rblsmtpd: /}/ */}"
                        country=$(countrylookup "$IP")
                        line1="${line/ pid */}"   # everything up to the IP
                        line2="${line/* pid/pid}" # from pid onwards
                        print -r -- "$line1 ($country) $line2"
                        ;;
                *)
                        print -r -- "$line"
                        ;;
        esac
done

The output can be customised in various obvious ways.

Sample before:

@400000004814c1980b8eafd4 DENIED_RBL_MATCH from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 91.76.144.183 origin_rdns: ppp91-76-144-183.pppoe.mtu-net.ru auth: (unknown)

After:

@400000004814c1980b8eafd4 DENIED_RBL_MATCH from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 91.76.144.183 (RU, Russian Federation) origin_rdns: ppp91-76-144-183.pppoe.mtu-net.ru auth: (unknown)

Andras

-- 
                 Andras Korn <korn at chardonnay.math.bme.hu>
                 <http://chardonnay.math.bme.hu/~korn/> QOTD:
            Can you tell the age of an onion by counting its rings?
_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
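The same enrichment, plus the country-based suppression the post describes, as an added Python example; this is not Andras's script or spamdyke code. The geoip table, the sample addresses and the assumption that every rblsmtpd line is an RBL rejection are constructed for the example; the two log layouts follow the patterns the zsh script matches, and the patched-qmail "S:" format is left out because the post does not show it.

```python
import re
from typing import Callable, Dict, Set

# Constructed stand-in for `geoiplookup` output ("CC, Country name"), keyed by
# client IP. Not a real GeoIP database: the zsh filter shells out to geoiplookup.
SAMPLE_GEOIP: Dict[str, str] = {
    "91.76.144.183": "RU, Russian Federation",
    "198.51.100.7": "US, United States",
}

def lookup_country(ip: str) -> str:
    """Fail open like the zsh script: an unknown address becomes '--, unknown'."""
    return SAMPLE_GEOIP.get(ip, "--, unknown")

# The two line layouts the script handles. Each regex captures the text up to
# and including the client IP (head) and whatever follows it (tail).
FORMATS = [
    re.compile(r"^(?P<head>.*\borigin_ip: (?P<ip>\S+))(?P<tail>\s.*)?$"),  # spamdyke
    re.compile(r"^(?P<head>.*\brblsmtpd: (?P<ip>\S+))(?P<tail>\s.*)?$"),   # rblsmtpd
]
# "(CC, Country name)" directly after the IP means the line is already enriched.
ANNOTATION = re.compile(r"\((?P<cc>\S\S), [^)]*\)")

def enrich(line: str, lookup: Callable[[str], str] = lookup_country) -> str:
    """Insert ' (CC, Country name)' after the client IP. Lines of other formats,
    and lines that already carry an annotation, come back unchanged, so the
    filter can safely be run twice over the same log."""
    for pattern in FORMATS:
        m = pattern.match(line)
        if m is None:
            continue
        tail = m.group("tail") or ""
        if ANNOTATION.match(tail.lstrip()):
            return line
        return f"{m.group('head')} ({lookup(m.group('ip'))}){tail}"
    return line

def rbl_match_from_ignored_country(enriched: str, ignored: Set[str]) -> bool:
    """The suppression rule from the post: an RBL rejection whose annotated
    country code is in `ignored` needs no alert. A missing or '--' annotation
    never suppresses, so lookup failures still surface. (Treating every
    rblsmtpd line as an RBL rejection is an assumption of this example.)"""
    if "DENIED_RBL_MATCH" not in enriched and "rblsmtpd:" not in enriched:
        return False
    m = ANNOTATION.search(enriched)
    return m is not None and m.group("cc") in ignored
```

Feed `sys.stdin` line by line through `enrich` to get the same filter behaviour as the zsh script, and apply `rbl_match_from_ignored_country` downstream to decide which enriched lines are worth an alert.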