Building a log gathering agent
Denis Beauchemin
Denis.Beauchemin at USherbrooke.ca
Mon Mar 5 16:11:51 CET 2007
Hugo van der Kooij wrote:
> Hi,
>
> I am attempting to build a more concise overview of infections based
> on MailScanner logs.
>
> The first stage is to write an agent to gather the logs. I wrote one
> that can understand ClamAV, F-Prot and McAfee output as far as I could
> test it on my logs.
>
> If you are willing to assist me I would appreciate it if you can get
> the perl script from:
> http://hugo.vanderkooij.org/email/stats/maillog-virus.pl
>
> You need the following perl modules:
> File::Basename;
> Getopt::Std;
> Parse::Syslog;
> Time::Local;
> (CentOS users should be able to get all of them through `yum install`
> commands. But I will not document it at this time.)
>
> Please run it against 1 of your logfiles and store the output. If you
> get anything other than an overview of the number of hits on scanners I
> would very much appreciate it if you could send me the output file along
> with a filtered output of your logfile by email so I can anticipate
> other scanners and other detection strings.
>
> For example:
> ./maillog-virus.pl -l /var/log/maillog.1 > /tmp/hvdkooij-output
> grep "Viruses marked as silent" /var/log/maillog.1 > /tmp/hvdkooij-syslog
> tar -czf /tmp/hvdkooij.tar.gz /tmp/hvdkooij-output /tmp/hvdkooij-syslog
>
> If you use your own initials instead of mine I can keep them separated
> more easily.
>
> I will try to update the script based on your feedback the upcoming week.
>
> Thanks,
> Hugo.
>
Hi Hugo,
It's awfully slow on my 471,455-line maillog: 3m36.936s; I have a
similar script that goes through the same file in 0m0.196s!
Besides, it doesn't seem to know about "ClamAV Module:" nor
"Bitdefender:" (but you didn't mention this one as supported).
Denis
--
_
°v° Denis Beauchemin, analyste
/(_)\ Université de Sherbrooke, S.T.I.
^ ^ T: 819.821.8000x62252 F: 819.821.8045
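The following is an added example, not Hugo's maillog-virus.pl and not code from this thread. It shows the shape of a single-pass log gathering agent of the kind discussed above, written in Python rather than Perl: parse the BSD syslog framing, attribute detections to a scanner (including the "ClamAV Module:" and "Bitdefender:" markers Denis mentions), collect the names from "Viruses marked as silent" lines, and produce a per-scanner overview. The sample log lines are constructed; the exact wording of the MailScanner messages around the scanner names is an assumption, so the two regexes would need adjusting against a real maillog. The substring test before any regex is the cheap trick that keeps a pass over a few hundred thousand lines fast, which is the speed gap Denis reports.

```python
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample maillog excerpt. The syslog framing (date, host,
# program[pid]) is standard; the MailScanner message shapes built around the
# scanner names and the "Viruses marked as silent" phrase are ASSUMED, not
# captured output from any real installation.
SAMPLE_MAILLOG = """\
Mar  5 09:12:01 mx1 MailScanner[4321]: Virus Scanning: ClamAV found 1 infections
Mar  5 09:12:01 mx1 MailScanner[4321]: Viruses marked as silent: Worm.Bagle.AT
Mar  5 09:13:44 mx1 postfix/smtpd[5001]: connect from unknown[192.0.2.10]
Mar  5 09:14:02 mx1 MailScanner[4322]: Virus Scanning: F-Prot found 2 infections
Mar  5 09:14:02 mx1 MailScanner[4322]: Viruses marked as silent: W32/Netsky.P@mm W32/Mytob.X@mm
Mar  5 09:15:10 mx1 MailScanner[4323]: Virus Scanning: ClamAV Module found 1 infections
Mar  5 09:15:10 mx1 MailScanner[4323]: Viruses marked as silent: Worm.Bagle.AT
Mar  5 09:16:30 mx1 MailScanner[4324]: Virus Scanning: Bitdefender: found 1 infections
Mar  5 09:17:00 mx1 MailScanner[4324]: Virus Scanning: McAfee found 1 infections
Mar  5 09:18:00 mx1 MailScanner[4325]: Virus Scanning: Found 0 viruses
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Longer scanner names first so "ClamAV Module" is not cut down to "ClamAV".
# The message wording after the scanner name is an assumption (see above).
SCANNER_RE = re.compile(
    r"^(?:Virus Scanning: )?"
    r"(?P<scanner>ClamAV Module|ClamAV|F-Prot|McAfee|Bitdefender):? "
    r"[Ff]ound (?P<n>\d+) infection")

SILENT_RE = re.compile(r"^Viruses marked as silent: (?P<names>.+)$")


def parse_syslog_line(line, year):
    """Split one syslog line into fields, or return None if it does not parse.
    Syslog carries no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    return {
        "ts": datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s),
        "host": m["host"], "prog": m["prog"], "pid": m["pid"], "msg": m["msg"],
    }


def summarize(log_text, year=2007):
    """One pass over a maillog: infections per scanner, virus names, time span."""
    scanner_hits = Counter()
    virus_names = Counter()
    first = last = None
    mailscanner_lines = 0
    for raw in log_text.splitlines():
        # Cheap substring test before any regex: most maillog lines are MTA
        # chatter, and skipping them early is what keeps the pass fast.
        if "MailScanner[" not in raw:
            continue
        rec = parse_syslog_line(raw, year)
        if rec is None:
            continue
        mailscanner_lines += 1
        first = rec["ts"] if first is None else min(first, rec["ts"])
        last = rec["ts"] if last is None else max(last, rec["ts"])
        m = SCANNER_RE.match(rec["msg"])
        if m:
            scanner_hits[m["scanner"]] += int(m["n"])
            continue
        m = SILENT_RE.match(rec["msg"])
        if m:
            virus_names.update(m["names"].split())
    return {"scanner_hits": scanner_hits, "virus_names": virus_names,
            "mailscanner_lines": mailscanner_lines, "first": first, "last": last}


def report(summary):
    """Render the overview as plain text, one scanner per line."""
    lines = [f"MailScanner lines: {summary['mailscanner_lines']} "
             f"({summary['first']} .. {summary['last']})"]
    for scanner, n in summary["scanner_hits"].most_common():
        lines.append(f"{scanner:<14} {n:>6}")
    lines.append("Top virus names:")
    for name, n in summary["virus_names"].most_common(10):
        lines.append(f"  {name:<30} {n:>6}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python maillog_summary.py /var/log/maillog.1 (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MAILLOG
    print(report(summarize(text)))
```

Run without arguments it summarizes the embedded sample; given a path it reads that file. Adding a scanner is one more alternative in SCANNER_RE, and because the year is passed in explicitly a December-to-January log rollover can be handled by the caller rather than silently misdated.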