<div dir="ltr"><br><br><div class="gmail_quote">2008/10/1 Josh Kidd <span dir="ltr"><<a href="mailto:jkidd@afflink.com">jkidd@afflink.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p>May not be the best place to submit this question but
wondered if anyone had any suggestions on how I could find an entry in my
maillog and then copy that line and the next 4 lines into a text file. </p>
<p> </p>
<p>I know I can grep on the string I'm looking for, "grep
Message delivery request rate limit exceeded /var/log/maillog", but I
also want to record the statistics after that and then somehow copy all of it into
a file that I can access to show me what IPs may be abusing our server (don't
mind the limit below, it's low for testing). I'm using the
Postfix anvil daemon to record these statistics; that seems to be working fine,
but we want to know if there is a computer that is sending out more than our
pre-determined limit in case that computer has been infected. </p>
<p> </p>
<p>The server is FreeBSD 7, with Postfix, MailScanner (ClamAV
and SA), and MailWatch. The log entries I'm looking for are these.</p>
<p> </p>
<p>Sep 28 17:41:24 fred postfix/smtpd[38086]: warning: Message delivery request rate limit exceeded: 6 from unknown[10.30.0.11] for service smtp</p>
<p>Sep 28 17:41:24 fred postfix/smtpd[38086]: disconnect from unknown[10.30.0.11]</p>
<p>Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24</p>
<p>Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection count 1 for (smtp:10.30.0.11) at Sep 28 17:41:24</p>
<p>Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max message rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24</p>
<p><i><span style="font-size: 13.5pt;"> </span></i></p></div></div></blockquote><div>Try with awk<br><br><font face="Helvetica, Arial, sans-serif"><small>grep "statistics: max message rate" /var/log/maillog | awk -F "smtp:" '{print
$2}' | awk -F ")" '{print $1}' | tr "[:upper:]" "[:lower:]" | awk
'{freq[$1]++} END { for (ip in freq) printf "%s\t%d\n", ip,
freq[ip] }'</small></font> <br><br>This doesn't work; you have to tune the awks, but I use something similar to collect greylisting rejects.<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US"><div><p><i><span style="font-size: 13.5pt;"></span></i></p>
<p> </p>
</div>
</div>
<br>--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<br>
<br></blockquote></div><br></div>
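<div>
<p>A worked version of what the thread is circling around, added here as an example; it is not code from either poster, from Postfix or from MailScanner. It is a POSIX shell script with two awk helpers: <code>rate_limit_context</code> does the "grep the warning and copy it plus the next 4 lines" part, and <code>abuser_summary</code> gives one line per client IP with how often the limit was exceeded and the highest count smtpd reported, worst offender first. The maillog excerpt embedded in it is constructed from the format quoted above; the second burst from 10.30.0.11, the hosts 192.0.2.7 and 198.51.100.20, and the function and file names are made up for illustration.</p>

```sh
#!/bin/sh
# Added example, not code from the thread or from Postfix/MailScanner.
# Two awk-based helpers for the maillog question above:
#   rate_limit_context  - print each smtpd "rate limit exceeded" warning
#                         plus the 4 lines that follow it (the disconnect
#                         and the anvil statistics lines), ready to save
#   abuser_summary      - one line per client IP: how many times the limit
#                         was exceeded and the highest count smtpd reported,
#                         worst offender first
# Both read a maillog on stdin.

# Constructed sample excerpt in the format quoted in the thread; the second
# burst from 10.30.0.11 and the hosts 192.0.2.7 / 198.51.100.20 are made up.
SAMPLE_LOG=$(cat <<'EOF'
Sep 28 17:41:24 fred postfix/smtpd[38086]: warning: Message delivery request rate limit exceeded: 6 from unknown[10.30.0.11] for service smtp
Sep 28 17:41:24 fred postfix/smtpd[38086]: disconnect from unknown[10.30.0.11]
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection count 1 for (smtp:10.30.0.11) at Sep 28 17:41:24
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max message rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24
Sep 28 17:50:02 fred postfix/smtpd[38099]: connect from mail.example.org[198.51.100.20]
Sep 28 17:50:03 fred postfix/smtpd[38099]: disconnect from mail.example.org[198.51.100.20]
Sep 28 18:02:10 fred postfix/smtpd[38120]: warning: Message delivery request rate limit exceeded: 9 from unknown[10.30.0.11] for service smtp
Sep 28 18:02:10 fred postfix/smtpd[38120]: disconnect from unknown[10.30.0.11]
Sep 28 18:02:11 fred postfix/anvil[38088]: statistics: max message rate 9/30s for (smtp:10.30.0.11) at Sep 28 18:02:10
Sep 28 18:05:00 fred postfix/smtpd[38133]: warning: Message delivery request rate limit exceeded: 7 from mail.example.net[192.0.2.7] for service smtp
Sep 28 18:05:00 fred postfix/smtpd[38133]: disconnect from mail.example.net[192.0.2.7]
Sep 28 18:05:01 fred postfix/anvil[38088]: statistics: max message rate 7/30s for (smtp:192.0.2.7) at Sep 28 18:05:00
EOF
)

# "grep the warning and the next 4 lines": a counter is armed on each match
# and the current line is printed while it is non-zero. A second warning
# inside the window simply re-arms the counter, so nothing is lost.
rate_limit_context() {
    awk '/warning: Message delivery request rate limit exceeded/ { n = 5 }
         n > 0 { print; n-- }'
}

# Per-IP tally from the smtpd warning lines. smtpd logs one of these per
# violation, whereas the anvil "statistics:" lines are periodic peak
# summaries, so the warnings are the reliable count.
# Output: IP  warnings  peak_count  (sorted by peak, then by warnings)
abuser_summary() {
    awk '/warning: Message delivery request rate limit exceeded: / {
            # isolate "exceeded: 6 from unknown[10.30.0.11]"
            if (match($0, /exceeded: [0-9]+ from [^ ]+\[[^]]+\]/)) {
                split(substr($0, RSTART, RLENGTH), p, " ")
                count = p[2] + 0
                ip = p[4]; sub(/^[^[]*\[/, "", ip); sub(/\]$/, "", ip)
                hits[ip]++
                if (count > peak[ip]) peak[ip] = count
            }
         }
         END { for (ip in hits) printf "%s %d %d\n", ip, hits[ip], peak[ip] }' |
    sort -k3,3nr -k2,2nr
}

# Run both over a maillog file: context lines go to the file named in $2,
# the per-IP summary to stdout.
# Example: rate_limit_report /var/log/maillog /root/ratelimit.txt
rate_limit_report() {
    rate_limit_context < "$1" > "$2"
    abuser_summary < "$1"
}

# Demo on the constructed sample (a real run would use rate_limit_report).
printf '%s\n' "$SAMPLE_LOG" | abuser_summary
```

<p>On the sample this prints <code>10.30.0.11 2 9</code> above <code>192.0.2.7 1 7</code>, which is the "which machine is over the limit most" view Josh asked for; <code>rate_limit_context</code> writes the raw warning-plus-4-lines blocks for the record. Rotated copies of the log (on FreeBSD, <code>maillog.0.bz2</code> and so on) can be fed in with <code>bzcat</code> on stdin instead of the file argument.</p>
</div>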