Hi, I recently wrote a small script that can add geoip info to qmail log lines of several formats.
Maybe someone else finds it useful as well. I hereby release it under the GPL, version 3 or later. It works as a filter; you pipe the original log in, and out comes the extended log. It's not terribly fast, because it's written in zsh and uses "while read; do ...; done", but at least it avoids using external sed and grep. I use it as part of a system that alerts me to unusual log entries; this script allows me to ignore RBL matches of clients from countries I know we don't really correspond with. Watch out, some of the lines in the script are long.

#!/bin/zsh
#
# Add geoip country to every relevant line, if possible
#
# Without the database or the lookup tool, degrade to a plain pass-through.
[[ -r /var/lib/geoip/GeoIP.dat.gz ]] || exec cat
[[ -x /usr/bin/geoiplookup ]] || exec cat

# Print "CC, Country name" for an IP, or "--, unknown" if the lookup fails.
# geoiplookup prints e.g. "GeoIP Country Edition: RU, Russian Federation";
# keep everything after the first ": ".
function countrylookup() {
    local country
    country=$(geoiplookup -d /var/lib/geoip "$1") \
        && echo -n "${country/*: /}" || echo -n "--, unknown"
}

# IFS= and -r keep leading whitespace and backslashes in the log line intact.
while IFS= read -r line; do
    case "$line" in
        # This first clause catches log lines generated by my patched qmail
        *": S:"*)
            case "$line" in
                *C:*)
                    echo "$line"    # Already have country info
                    ;;
                *)
                    # The IP sits between the last "S:" and the next ":"
                    IP="${${line/*S:/}/:*/}"
                    echo "$line C:$(countrylookup "$IP")"
                    ;;
            esac
            ;;
        # spamdyke lines: country goes after origin_ip, before origin_rdns
        *origin_ip:*)
            IP="${${line/*origin_ip: /}/ */}"
            country=$(countrylookup "$IP")
            line1="${line/ origin_rdns:*/}"
            line2="${line/*origin_rdns:/origin_rdns:}"
            echo "$line1 ($country) $line2"
            ;;
        # rblsmtpd lines: country goes after the IP, before "pid"
        *rblsmtpd:*)
            IP="${${line/*rblsmtpd: /}/ */}"
            country=$(countrylookup "$IP")
            line1="${line/ pid */}"
            line2="${line/* pid/pid}"
            echo "$line1 ($country) $line2"
            ;;
        *)
            echo "$line"
            ;;
    esac
done

The output can be customised in various obvious ways.
Sample before:

@400000004814c1980b8eafd4 DENIED_RBL_MATCH from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 91.76.144.183 origin_rdns: ppp91-76-144-183.pppoe.mtu-net.ru auth: (unknown)

After:

@400000004814c1980b8eafd4 DENIED_RBL_MATCH from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 91.76.144.183 (RU, Russian Federation) origin_rdns: ppp91-76-144-183.pppoe.mtu-net.ru auth: (unknown)

Andras

-- 
Andras Korn <korn at chardonnay.math.bme.hu> <http://chardonnay.math.bme.hu/~korn/>
QOTD: Can you tell the age of an onion by counting its rings?

_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
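The same filter reimplemented in Python, as an added example that is not Andras Korn's script and not part of the post. It recognises the same three line formats and splices the country in at the same position, but the lookup is a pluggable function, so the parsing can be exercised offline against a constructed table, and a second function does what the post only describes: dropping RBL matches whose client country is on an ignore list while passing everything else through annotated. The spamdyke line is the post's sample with constructed addresses; the rblsmtpd and patched-qmail lines, the IPs, the country table, the ignore list and the assumption that a real `geoiplookup` is on PATH are all assumptions made here.

```python
"""Country-annotate qmail, spamdyke and rblsmtpd log lines, then drop RBL noise.

Added example, not the original zsh script.  The country lookup is a
callable so the line parsing can be tested offline; geoiplookup() below is the
production backend, table_lookup() a constructed stand-in.
"""
import re
import subprocess
from typing import Callable, FrozenSet, Iterable, Iterator, Optional, Tuple

UNKNOWN = "--, unknown"
Lookup = Callable[[str], str]  # ip -> "CC, Country name"

# Where each format keeps the client IP; the country is spliced in right
# after the IP, which is where the zsh script puts it.
PATCHED_QMAIL_RE = re.compile(r": S:(?P<ip>[^:\s]+)")            # "... S:<ip>:<port>"
SPAMDYKE_RE = re.compile(r"origin_ip: (?P<ip>\S+)(?= origin_rdns:)")
RBLSMTPD_RE = re.compile(r"rblsmtpd: (?P<ip>\S+)(?= pid )")


def geoiplookup(ip: str, datadir: str = "/var/lib/geoip") -> str:
    """Production lookup: shell out to geoiplookup as the zsh script does.

    It prints e.g. "GeoIP Country Edition: RU, Russian Federation"; keep the
    text after the first ": ".  A missing binary, a non-zero exit or an
    "IP Address not found" answer all collapse to UNKNOWN so the output stays
    parseable for the alerting stage.  (Assumes geoiplookup is on PATH.)
    """
    try:
        proc = subprocess.run(["geoiplookup", "-d", datadir, ip],
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return UNKNOWN
    first = proc.stdout.splitlines()[0] if proc.stdout else ""
    _, sep, country = first.partition(": ")
    if not sep or "not found" in country:
        return UNKNOWN
    return country.strip()


def annotate(line: str, lookup: Lookup) -> Tuple[str, Optional[str]]:
    """Return (annotated line, country), country being None for unknown formats."""
    m = PATCHED_QMAIL_RE.search(line)
    if m:
        if " C:" in line:  # already carries country info, as in the zsh script
            return line, line.rsplit(" C:", 1)[1]
        country = lookup(m.group("ip"))
        return f"{line} C:{country}", country
    for pat in (SPAMDYKE_RE, RBLSMTPD_RE):
        m = pat.search(line)
        if m:
            country = lookup(m.group("ip"))
            cut = m.end("ip")
            return f"{line[:cut]} ({country}){line[cut:]}", country
    return line, None


def filter_log(lines: Iterable[str], lookup: Lookup,
               ignore_countries: FrozenSet[str] = frozenset()) -> Iterator[str]:
    """Annotate every line; drop RBL rejections from countries we never talk to.

    Only DENIED_RBL_MATCH (spamdyke) and rblsmtpd lines are ever dropped, so
    accepted mail and unrecognised lines are never hidden from the alerting.
    """
    for line in lines:
        out, country = annotate(line.rstrip("\n"), lookup)
        if country is not None:
            code = country.split(",", 1)[0]
            is_rbl = "DENIED_RBL_MATCH" in out or "rblsmtpd:" in out
            if is_rbl and code in ignore_countries:
                continue
        yield out


# Constructed sample data; only the spamdyke line's shape comes from the post.
SAMPLE_GEOIP = {
    "91.76.144.183": "RU, Russian Federation",
    "203.0.113.7": "GB, United Kingdom",
}


def table_lookup(ip: str) -> str:
    """Offline stand-in for geoiplookup, backed by the constructed table."""
    return SAMPLE_GEOIP.get(ip, UNKNOWN)


SAMPLE_LOG = [
    # spamdyke line from the post, addresses replaced with constructed ones
    "@400000004814c1980b8eafd4 DENIED_RBL_MATCH from: a@example.net to: b@example.org "
    "origin_ip: 91.76.144.183 origin_rdns: ppp91-76-144-183.pppoe.mtu-net.ru auth: (unknown)",
    # constructed rblsmtpd line
    "@400000004814c1a00a1b2c3d rblsmtpd: 203.0.113.7 pid 4242: 451 blocked (example)",
    # constructed patched-qmail lines, the second already annotated
    "@400000004814c1a10b2c3d4e qmail-smtpd: S:198.51.100.9:4321",
    "@400000004814c1a20c3d4e5f qmail-smtpd: S:203.0.113.7:4322 C:GB, United Kingdom",
]

if __name__ == "__main__":
    import sys
    if sys.stdin.isatty():  # demo: run the constructed sample through the table
        src, lookup = SAMPLE_LOG, table_lookup
    else:                   # real use: pipe the log in, as with the zsh script
        src, lookup = sys.stdin, geoiplookup
    for out in filter_log(src, lookup, ignore_countries=frozenset({"RU"})):
        print(out)
```

Run without input to see the constructed sample with the Russian RBL match suppressed, or pipe a real log in to use `geoiplookup`. Keeping the ignore decision in `filter_log` rather than in the lookup means the annotated line is still produced for every format, so the same output can feed both the alerting and an unfiltered archive.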