Log analyzer

Steve Freegard steve.freegard at LBSLTD.CO.UK
Fri Jun 25 11:17:05 IST 2004


John,

> Oh... hm.  Except for the php and mysql parts, yeah :-}
>
> I'll have to think more about it though.  Maybe it wouldn't be such a
> bad thing to run it that way.  It just wasn't the way I was
> thinking of
> running it (I was thinking of basic perl script that runs against
> syslog output only (no database) and spits out a textual report).
>

Fine - conceivably with a bit of work you could get rid of the PHP/Apache
parts and run the MySQL database on a separate box and have MailScanner log
to that, then take all the SQL from the MailWatch reports and use Perl to
query the database and produce text-based reports instead.


> When you say "does almost everything", which part(s) does it not do?

I'm rather cautious of saying 'it does everything' - but the only things
from your list it doesn't do exactly are:

>> 3) did it have a virus, and if the log knows, which one? and
>> if it did, was it deleted as a silent virus?

> (and how did you go about determining when viruses were being deleted?
> or do you still deliver silent viruses?  I'm thinking I might start
> doing that.)

It will show the virus name if infected but I don't check if it's a silent
virus or not - however, if you are using Sendmail - then you can tell if a
message was delivered and when or where to as the MailWatch add-on
'sendmail_relay' records all the relay lines scraped in real-time from the
maillog (I'm actually about to CVS commit a new version that records relay
information, RBL rejections, Unknown Users and Unresolvable Domains which
will be in the next release).

Why the fascination with silent viruses - personally I can't think of a good
reason to want to report on these??

>> 6) what spam actions were applied to it?

It does this - providing you don't use a ruleset as currently I haven't been
brave enough to try and write a MailScanner ruleset parser.

<SNIP>
>> So, then I can run a report which will tell me, with absolute
>> certainty,
>> exactly what happened to each and every message.
</SNIP>

Again using the sendmail_relay add-on - this is easy as each message then
carries a log of when it was sent, where it was sent (hostname of the
destination MX), which host sent the message (if you have multiple scanners
logging to a single database) and what the response was from the remote
server (e.g. 'Message queued for delivery (id=i23489dfsd)').

>> And, from that, I can
>> perhaps do a grep (or something) that will look for messages that had
>> certain characteristics, or determine my average spam
>> score (which I
>> can't do now, because MS only reports messages that were marked as
>> spam), or see that "the reason this message never arrived is
>> because it
>> contained a virus" or something.  Or, tell me "W messages in,
>> X messages
>> delivered/relayed, Y messages still processing or in the mqueue, Z
>> messages missing." and then tell me _which_ messages are
> missing (so I
>> can inform the sender and maybe the original recipients).
>>

Erm - I've *never* seen MailScanner 'lose' a message - from the dual MTA
design it isn't possible.

At the top of every page you can see the daily total number of processed
messages, spam, top virus etc., the Incoming and Outgoing mail queue lengths
and the current load average.

Kind regards,
Steve.

--
This message has been scanned for viruses and dangerous content by MailScanner.

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
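The text-only analyzer John sketches above (a script that runs against syslog output, with no database, and reports what happened to each message), written out as an added example. This is not code from the thread, from MailScanner or from MailWatch, and it is in Python rather than Perl so the logic is easy to check. The log lines are constructed for the example and deliberately simplified: real sendmail and MailScanner line formats vary by version and configuration, and the example assumes MailScanner is configured to log non-spam verdicts as well as spam ones, so the average score covers every scanned message. It pairs each sendmail queue id's from= line with its later to= relay line (the same queue id survives the dual-queue design) and with the MailScanner verdict, spam-action and virus lines for that id, then reports messages in, delivered, blocked and unaccounted for, naming the unaccounted ones.

```python
import re
from statistics import mean

# Constructed sample of a combined sendmail + MailScanner syslog (simplified shapes,
# not a verbatim copy of any real log format).
SAMPLE_LOG = """\
Jun 25 11:10:01 mx1 sendmail[2201]: i5PAA1aa002201: from=<alice@example.org>, size=1342, nrcpts=1, relay=mail.example.org [192.0.2.10]
Jun 25 11:10:02 mx1 MailScanner[1900]: Message i5PAA1aa002201 from 192.0.2.10 (alice@example.org) to example.com is not spam, SpamAssassin (score=1.2, required 5)
Jun 25 11:10:03 mx1 sendmail[2205]: i5PAA1aa002201: to=<bob@example.com>, delay=00:00:02, mailer=esmtp, relay=mx.example.com. [198.51.100.5], dsn=2.0.0, stat=Sent (Message queued for delivery (id=k23489dfsd))
Jun 25 11:11:01 mx1 sendmail[2210]: i5PAB1bb002210: from=<spammer@example.net>, size=5120, nrcpts=1, relay=[203.0.113.7]
Jun 25 11:11:02 mx1 MailScanner[1900]: Message i5PAB1bb002210 from 203.0.113.7 (spammer@example.net) to example.com is spam, SpamAssassin (score=12.4, required 5)
Jun 25 11:11:02 mx1 MailScanner[1900]: Spam Actions: message i5PAB1bb002210 actions are deliver,header
Jun 25 11:11:03 mx1 sendmail[2212]: i5PAB1bb002210: to=<carol@example.com>, delay=00:00:02, mailer=esmtp, relay=mx.example.com. [198.51.100.5], dsn=2.0.0, stat=Sent (Message queued for delivery (id=k23489dfse))
Jun 25 11:12:01 mx1 sendmail[2220]: i5PAC1cc002220: from=<dave@example.org>, size=80231, nrcpts=1, relay=mail.example.org [192.0.2.10]
Jun 25 11:12:02 mx1 MailScanner[1900]: Message i5PAC1cc002220 from 192.0.2.10 (dave@example.org) to example.com is not spam, SpamAssassin (score=0.3, required 5)
Jun 25 11:12:02 mx1 MailScanner[1900]: Virus Scanning: Found 1 viruses in message i5PAC1cc002220 (Worm.Example.A)
Jun 25 11:13:01 mx1 sendmail[2230]: i5PAD1dd002230: from=<erin@example.org>, size=2048, nrcpts=1, relay=mail.example.org [192.0.2.10]
Jun 25 11:13:02 mx1 MailScanner[1900]: Message i5PAD1dd002230 from 192.0.2.10 (erin@example.org) to example.com is not spam, SpamAssassin (score=2.9, required 5)
"""

# Regexes for the constructed line shapes above; adjust to your own maillog.
RE_FROM = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>")
RE_TO = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>.*relay=(?P<relay>\S+).*stat=(?P<stat>.*)$")
RE_VERDICT = re.compile(r"Message (?P<qid>\w+) from .* is (?P<verdict>not spam|spam), SpamAssassin \(score=(?P<score>-?[\d.]+)")
RE_ACTIONS = re.compile(r"Spam Actions: message (?P<qid>\w+) actions are (?P<actions>\S+)")
RE_VIRUS = re.compile(r"Found \d+ viruses in message (?P<qid>\w+) \((?P<name>[^)]+)\)")


def parse_log(text):
    """Fold every log line into one record per sendmail queue id."""
    msgs = {}

    def rec(qid):
        return msgs.setdefault(qid, {"sender": None, "score": None, "spam": None,
                                     "actions": None, "virus": None, "deliveries": []})

    for line in text.splitlines():
        if m := RE_FROM.search(line):
            rec(m["qid"])["sender"] = m["sender"]
        elif m := RE_TO.search(line):
            rec(m["qid"])["deliveries"].append((m["rcpt"], m["relay"], m["stat"].strip()))
        elif m := RE_VERDICT.search(line):
            r = rec(m["qid"])
            r["spam"] = m["verdict"] == "spam"
            r["score"] = float(m["score"])
        elif m := RE_ACTIONS.search(line):
            rec(m["qid"])["actions"] = m["actions"].split(",")
        elif m := RE_VIRUS.search(line):
            rec(m["qid"])["virus"] = m["name"]
    return msgs


def status(r):
    """What the log proves happened to one message."""
    if any(stat.startswith("Sent") for _, _, stat in r["deliveries"]):
        return "delivered"
    if r["virus"]:
        return "blocked:virus"
    if r["actions"] and "deliver" not in r["actions"]:
        return "blocked:spam-action"
    # No relay line yet: still in the outgoing queue, or genuinely missing.
    return "unaccounted"


def summarize(msgs):
    """The W in / X delivered / Y blocked / Z unaccounted totals, plus detail."""
    statuses = {qid: status(r) for qid, r in msgs.items()}
    scores = [r["score"] for r in msgs.values() if r["score"] is not None]
    return {
        "in": len(msgs),
        "delivered": sum(s == "delivered" for s in statuses.values()),
        "blocked": sum(s.startswith("blocked") for s in statuses.values()),
        "unaccounted": sorted(q for q, s in statuses.items() if s == "unaccounted"),
        "viruses": {q: r["virus"] for q, r in msgs.items() if r["virus"]},
        "avg_score": round(mean(scores), 2) if scores else None,
    }


def text_report(msgs):
    """Plain-text report, one block per message with its relay evidence."""
    s = summarize(msgs)
    out = [f"{s['in']} in, {s['delivered']} delivered, {s['blocked']} blocked, "
           f"{len(s['unaccounted'])} unaccounted: {', '.join(s['unaccounted']) or '-'}",
           f"average SpamAssassin score over scanned messages: {s['avg_score']}"]
    for qid, r in sorted(msgs.items()):
        out.append(f"{qid} from={r['sender']} score={r['score']} virus={r['virus']} status={status(r)}")
        for rcpt, relay, stat in r["deliveries"]:
            out.append(f"    to={rcpt} relay={relay} {stat}")
    return "\n".join(out)


if __name__ == "__main__":
    print(text_report(parse_log(SAMPLE_LOG)))
```

On the sample, the report shows four messages in, two delivered with the remote server's "queued for delivery" response, one blocked because a virus was found, and one (i5PAD1dd002230) with a verdict but no relay line, which is exactly the "still processing or missing" case the thread wants to surface; whether that last one is queued or lost is decided by checking the outgoing mqueue, not by the log alone.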
