<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16705" name=GENERATOR>
<STYLE>@font-face {
        font-family: Cambria Math;
}
@font-face {
        font-family: Calibri;
}
@font-face {
        font-family: Tahoma;
}
@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.0in 1.0in 1.0in; }
P.MsoNormal {
        FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
LI.MsoNormal {
        FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
DIV.MsoNormal {
        FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
A:link {
        COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlink {
        COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
A:visited {
        COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlinkFollowed {
        COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.EmailStyle17 {
        COLOR: windowtext; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal-compose
}
.MsoChpDefault {
        mso-style-type: export-only
}
DIV.Section1 {
        page: Section1
}
</STYLE>
</HEAD>
<BODY lang=EN-US vLink=purple link=blue>
<DIV dir=ltr align=left><SPAN class=125330917-01102008><FONT face=Arial
color=#0000ff size=2>Don't know about FreeBSD, but plain 'ole grep -A would be
what you are looking for. grep -A 4 something maillog will return what you are
looking for plus the next four lines. If there is more than one match the
matches will be separated by a line of "---" chars. Of course you can redirect
output to a file as normal, or you can pipe through tee if you want it going to
stdout and a file(s).</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=125330917-01102008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=125330917-01102008><FONT face=Arial
color=#0000ff size=2>Rick</FONT></SPAN></DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B>
mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] <B>On Behalf Of </B>Josh
Kidd<BR><B>Sent:</B> Wednesday, October 01, 2008 12:00 PM<BR><B>To:</B>
mailscanner@lists.mailscanner.info<BR><B>Subject:</B> GREPing
Maillog<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=Section1>
<P class=MsoNormal>May not be the best place to submit this question but
wondered if anyone had any suggestions on how I could find an entry in my
maillog and then copy that line and the next 4 lines into a text file.
<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>I know I can grep on the string I’m looking for, “grep
Message delivery request rate limit exceeded /var/log/maillog”, but I also
want to record the statistics after that then somehow copy all of it into a
file that I can access to show me what IPs may be abusing our server (don’t
mind the limit below it’s low for testing). I’m using the Postfix anvil
daemon to record these statistics, that seems to be working fine but we want
to know if there is a computer that is sending out more than our
pre-determined limit in case that computer has been infected. <o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>The server is FreeBSD 7, with Postfix, MailScanner (ClamAV
and SA), and MailWatch. The log entries I’m looking for are
these.<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Sep 28 17:41:24 fred postfix/smtpd[38086]: warning: Message
delivery request rate limit exceeded: 6 from unknown[10.30.0.11] for service
smtp<o:p></o:p></P>
<P class=MsoNormal>Sep 28 17:41:24 fred postfix/smtpd[38086]: disconnect from
unknown[10.30.0.11]<o:p></o:p></P>
<P class=MsoNormal>Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max
connection rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24<o:p></o:p></P>
<P class=MsoNormal>Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max
connection count 1 for (smtp:10.30.0.11) at Sep 28 17:41:24<o:p></o:p></P>
<P class=MsoNormal>Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max
message rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P></DIV><BR>-- <BR>This message has been
scanned for viruses and <BR>dangerous content by <A
href="http://www.mailscanner.info/"><B>MailScanner</B></A>, and is
<BR>believed to be clean. </BLOCKQUOTE></BODY>
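<P>An added example, not part of the original messages: <code>grep -A 4</code> returns whatever four lines follow each match, so an unrelated entry logged in between pushes an anvil statistics line out of the window. The script below runs the thread's command and then builds a per-IP report that selects lines by client address instead; the function names are hypothetical and the sample log is constructed from the lines quoted above plus invented entries.</P>

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the sample log is constructed
# from the lines quoted in the thread plus invented entries (10.30.0.12, 17:52).
PATTERN='Message delivery request rate limit exceeded'

make_sample_log() {   # constructed input, with one unrelated line interleaved
    cat <<'EOF'
Sep 28 17:41:24 fred postfix/smtpd[38086]: warning: Message delivery request rate limit exceeded: 6 from unknown[10.30.0.11] for service smtp
Sep 28 17:41:24 fred postfix/smtpd[38086]: disconnect from unknown[10.30.0.11]
Sep 28 17:41:24 fred postfix/smtpd[38090]: connect from unknown[10.30.0.12]
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection count 1 for (smtp:10.30.0.11) at Sep 28 17:41:24
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max message rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24
Sep 28 17:52:02 fred postfix/smtpd[38090]: warning: Message delivery request rate limit exceeded: 7 from unknown[10.30.0.11] for service smtp
Sep 28 17:55:10 fred postfix/smtpd[38101]: warning: Message delivery request rate limit exceeded: 6 from unknown[10.30.0.12] for service smtp
EOF
}

# The thread's suggestion: each match plus the next four lines, whatever they are.
context_report() {
    grep -F -A 4 -- "$PATTERN" "$1"
}

# Offending client IPs with the number of warnings each, busiest first.
offender_ips() {
    grep -F -- "$PATTERN" "$1" |
        sed -n 's/.*from [^[]*\[\([^]]*\)\] for service.*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Per-IP report: warnings and anvil statistics selected by address, not position.
# The surrounding [ ] and ( ) keep 10.30.0.1 from also matching 10.30.0.11.
offender_report() {
    log=$1; out=$2
    : > "$out"
    offender_ips "$log" | while read -r ip hits; do
        printf '== %s: %s rate-limit warning(s) ==\n' "$ip" "$hits" >> "$out"
        grep -F -e "[$ip] for service" -e "(smtp:$ip)" "$log" >> "$out"
    done
}

# Usage: sh report.sh /var/log/maillog report.txt
if [ "$#" -ge 1 ]; then
    offender_report "$1" "${2:-rate-limit-report.txt}"
fi
```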
</HTML>