Building a log gathering agent

Tom G. Christensen tgc at statsbiblioteket.dk
Tue Mar 6 09:09:13 CET 2007


Hugo van der Kooij wrote:
> Hi,
> 
> I am attempting to build a more concise overview of infections based on 
> MailScanner logs.
> 
> The first stage is to write an agent to gather the logs. I wrote one 
> that can understand ClamAV, F-Prot and McAfee output as far as I could 
> test it on my logs.
> 
> If you are willing to assist me I would appreciate it if you can get the 
> perl script from: http://hugo.vanderkooij.org/email/stats/maillog-virus.pl
> 
> You need the following perl modules:
>     File::Basename;
>     Getopt::Std;
>     Parse::Syslog;
>     Time::Local;
> (Centos users should be able to get all of them through `yum install` 
> commands. But I will not document it at this time.)
> 
> Please run it against 1 of your logfiles and store the output. If you 
> get anything other than an overview of the number of hits on scanners I 
> would very appreciate it if you could send me the output file along with 
> a filtered output of your logfile by email so I can anticipate other 
> scanners and other detection strings.
> 
> For example:
> ./maillog-virus.pl -l /var/log/maillog.1 > /tmp/hvdkooij-output
> grep "Viruses marked as silent" /var/log/maillog.1 > /tmp/hvdkooij-syslog
> tar -czf /tmp/hvdkooij.tar.gz /tmp/hvdkooij-output /tmp/hvdkooij-syslog
> 
> If you use your own initials instead of mine I can keep them separated 
> more easily.
> 
> I will try to update the script based on your feedback the upcoming week.
> 
I just grabbed the script and ran it on the maillog from my primary MX.
I use ClamAV and Etrust for antivirus and the script fails miserably.

The output just starts off with lines like this:
msg-9239-45.txt contains Email.Img.Gen018.Sanesecurity.06122000
..
and ends like this:
Scanner hits:

Virus hits:
         :                                                      1226
---

Pretty useless :)

Unfortunately I cannot share my logs with you but if there's some 
specific type of logline you'd like to see I can grab and sanitize a few 
examples for you.
I've also attached the script I use locally to generate some stats. The 
script is based on something I picked up from this list in 2002 when 
MailScanner 3.x was current and I've then updated it to work with 4.x 
and extended it to other stuff I have in my logs (like smf-sav).

-tgc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailscannerstatsv4x.pl
Type: application/x-perl
Size: 7051 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070306/412ba06e/mailscannerstatsv4x.bin
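The failure Tom describes (every hit landing under an empty scanner name) is what happens when a log agent only knows some scanners' detection strings and silently lumps the rest together. The following is an added example, not Hugo's maillog-virus.pl or Tom's attached script: a small Python parser that attributes hits per scanner, keeps a separate bucket for detection lines it cannot attribute, and reports those lines so the patterns can be extended. The syslog line shapes, scanner phrasings and signature names in SAMPLE_LOG are constructed for this example and are not MailScanner's documented format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample maillog excerpt (assumption: line shapes are invented for
# this example, not taken from the thread or from MailScanner documentation).
SAMPLE_LOG = """\
Mar  6 09:01:02 mx1 MailScanner[4242]: Virus Scanning: ClamAV found 1 infections
Mar  6 09:01:02 mx1 MailScanner[4242]: Virus Scanning: ClamAV reports ./msg-1/part.txt: Email.Img.Gen018.Sanesecurity.06122000 FOUND
Mar  6 09:03:10 mx1 MailScanner[4242]: Virus Scanning: F-Prot found 1 infections
Mar  6 09:03:10 mx1 MailScanner[4242]: Virus Scanning: F-Prot reports ./msg-2/attach.exe  Infection: W32/Netsky.P
Mar  6 09:05:33 mx1 MailScanner[4242]: Virus Scanning: Found 1 viruses
Mar  6 09:05:33 mx1 MailScanner[4242]: Virus Scanning: msg-3-45.txt contains Email.Img.Gen018.Sanesecurity.06122000
Mar  6 09:07:00 mx1 sendmail[4300]: k26815xx: from=<a@example.test>, size=1234
"""

# Generic syslog prefix: timestamp, host, program[pid]: message
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)

# Per-scanner detection patterns (hypothetical phrasings; extend as new
# scanners turn up in the "unrecognised" report).
SCANNER_PATTERNS = {
    "clamav": re.compile(r"ClamAV reports (?P<file>\S+): (?P<sig>.+?) FOUND$"),
    "f-prot": re.compile(r"F-Prot reports (?P<file>\S+)\s+Infection: (?P<sig>\S+)"),
}

# Fallback: a detection line whose scanner we cannot identify.
UNATTRIBUTED_HIT = re.compile(r"(?P<file>\S+) contains (?P<sig>\S+)$")
UNKNOWN = "<unknown scanner>"


def parse_log(text):
    """Return ({scanner: Counter(signature -> hits)}, [unattributed lines])."""
    per_scanner = defaultdict(Counter)
    unrecognised = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        # Only MailScanner's "Virus Scanning:" lines carry detections.
        if not m or m.group("prog") != "MailScanner":
            continue
        msg = m.group("msg")
        if not msg.startswith("Virus Scanning:"):
            continue
        body = msg[len("Virus Scanning:"):].strip()
        for scanner, pat in SCANNER_PATTERNS.items():
            hit = pat.search(body)
            if hit:
                per_scanner[scanner][hit.group("sig")] += 1
                break
        else:
            hit = UNATTRIBUTED_HIT.search(body)
            if hit:
                # Count it, but keep the raw line so the gap is visible.
                per_scanner[UNKNOWN][hit.group("sig")] += 1
                unrecognised.append(body)
    return per_scanner, unrecognised


def scanner_totals(per_scanner):
    """Collapse per-signature counters into hits per scanner."""
    return {scanner: sum(c.values()) for scanner, c in per_scanner.items()}


def report(per_scanner, unrecognised):
    """Render the overview, flagging lines the patterns did not cover."""
    lines = ["Scanner hits:"]
    for scanner, total in sorted(scanner_totals(per_scanner).items()):
        lines.append(f"  {scanner:<20} {total:>6}")
    lines.append("Virus hits:")
    for scanner, counter in sorted(per_scanner.items()):
        for sig, n in counter.most_common():
            lines.append(f"  {scanner:<20} {sig:<45} {n:>6}")
    if unrecognised:
        lines.append("Unattributed detection lines (add a scanner pattern):")
        lines.extend("  " + body for body in unrecognised)
    return "\n".join(lines)


if __name__ == "__main__":
    hits, missed = parse_log(SAMPLE_LOG)
    print(report(hits, missed))
```

Running it on the constructed sample yields one hit each for clamav and f-prot and one under `<unknown scanner>`, with the unattributed "contains" line listed at the end; that last section is the output a script author would want sent back, since it shows exactly which phrasing the patterns still lack.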

