Universal Log Analyser/vboxadm-sa
Plugin for SpamAssassin as used by vboxadm/smtp-proxy (based on the original spamd.pm plugin)
cron:
#vboxadm spamassassin /etc/snmp/uloganalyser /var/log/vboxadm/sa.log.1.gz /var/log/vboxadm/sa.log /var/local/snmp/sa sa
Logfile:
/var/log/vboxadm/sa.log
sample log entries
2015.09.26-18:02:06 VBoxAdm::SMTP::Proxy::SA::is_spam INFO clean message <20150926160205.2EA861200A2@mailxxx.de> (-1.90/6.31) from <logcheck@xxx.de> for user@xxx.de in 1.71 s, 771 bytes. rules hit: BAYES_00,NO_RELAYS,URIBL_BLOCKED
2015.09.23-08:00:05 VBoxAdm::SMTP::Proxy::SA::is_spam INFO clean message - using cached result for <mailman.2.1442988002.9095.user@xxx.de> (-2.899/6.31) from <somethinh@xxx.de> for owner@xxx.de, 4509 bytes.
2015.09.26-21:16:34 VBoxAdm::SMTP::Proxy::SA::is_spam INFO identified spam <20150926-d9e7258c-7b0d-4c76-836d-d5b9a2ead2ba@bb013359bfd873> (10.67/6.31) from <bounce@xxx.com> for info@xxx.de in 2.19 s, 44612 bytes. rules hit: BAYES_50,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VERIFIED,HTML_FONT_FACE_BAD,HTML_IMAGE_RATIO_02,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,SPF_PASS,URIBL_BLOCKED,URIBL_DBL_SPAM,URIBL_JP_SURBL
sa.pm
#!/usr/bin/perl
use strict;
use warnings;
# process the mail log and place the results in a file
# Copyright (C) 2012 Glen Pitt-Pladdy
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
#
# See: https://www.pitt-pladdy.com/blog/_20091122-164951%2B0000%20Postfix%20stats%20on%20Cacti%20%28via%20SNMP%29/
#
# Plugin namespace: every global and sub below lives in package "sa".
package sa;
# Plugin version (looks like a YYYYMMDD date stamp). analyse() prints it in
# the "unknown" diagnostic it writes to STDERR.
our $VERSION = 20120421;
# Minimum uloganalyser version this plugin accepts. register() dies when the
# version handed in by the caller is undefined or lower than this value.
our $REQULOGANALYSER = 20120420;
#
# Thanks for ideas, unhandled log lines, patches and feedback to:
#
# "oneloveamaru"
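# Register this plugin's per-line handler with uloganalyser.
#
# Arguments:
#   $lines           - array ref of per-line callbacks; \&analyse is appended
#   $ends            - accepted but not used by this plugin
#   $uloganalyserver - version number supplied by the calling uloganalyser
#
# Dies when the caller's version is undefined or lower than
# $REQULOGANALYSER. The version is checked before anything is registered, so
# a caller that traps the die is not left holding a handler from a plugin it
# is too old for.
sub register {
    my ( $lines, $ends, $uloganalyserver ) = @_;
    if ( ! defined $uloganalyserver or $uloganalyserver < $REQULOGANALYSER ) {
        die __FILE__.": FATAL - Require uloganalyser version $REQULOGANALYSER or higher\n";
    }
    push @$lines, \&analyse;
    # Explicit empty return: previously the value fell out of the trailing
    # "if", which Perl leaves unspecified.
    return;
}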
# Running totals shared across analyse() calls: the summed processing time
# (seconds, as logged in "in N s") and the number of scored messages.
# Both start at 0 when the plugin is loaded and are not read back from the
# stats hash, so 'spamd:avproctime' averages only the lines seen in this run.
our $time = 0;
our $messages = 0;
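# Examine one log line and update the SpamAssassin counters in %$stats.
#
# Arguments:
#   $line   - text of the log line
#   $number - line number, used only in the "unknown" diagnostic
#   $log    - log name, used only in the "unknown" diagnostic
#   $stats  - hash ref of counters, updated in place
#
# Returns nothing when the line is not an is_spam entry or is a "skipped"
# notice; returns 1 once the line has been handled here.
#
# NOTE(review): the Message-ID, sender and recipient in these entries are
# taken from the mail itself, so part of the text being matched is chosen by
# whoever sent the message. Treat the counters as operational statistics,
# not as a tamper-proof record.
sub analyse {
    my ( $line, $number, $log, $stats ) = @_;
    my $origline = $line;

    # Only "...::is_spam" entries are of interest; drop everything up to and
    # including that marker.
    if ( $line !~ s/^.+is_spam\s+// ) { return; }

    # Messages that were skipped carry no score, so there is nothing to count.
    # NOTE(review): this test matches the phrases anywhere in the remaining
    # text, including inside mail-derived fields; anchor it once the exact
    # wording of the skip entries is confirmed.
    if ( $line =~ /(Skipping this message|Skipped too large)/ ) { return; }

    # Filter inherited from spamd.pm, kept disabled. It has to stay on a
    # single comment line: when its tail wrapped onto a line of its own it
    # became live code and the plugin no longer compiled.
    # if ( $line =~ /^(server|connection from|setuid to|creating default_prefs:|failed to create readable default_prefs:|processing message|handle_user|still running as root:|handled cleanup of child pid)\s+/ ) { return; }

    # Two entry shapes carry a verdict: a freshly scanned message
    # ("... in N s, N bytes. rules hit: ...") and a cached result
    # ("..., N bytes."), which has no processing time.
    # Inside [>|\)] the "|" is a literal character, not alternation.
    # The score/threshold captures are character classes rather than strict
    # number patterns, so a malformed value is treated numerically by Perl
    # (with a warning) instead of being rejected.
    if ( $line =~ s/^.+[>|\)] \(([\-\d\.]+)\/([\d\.]+)\) from .+ for .+ in ([\d\.]+) s, \d+ bytes\..+$// or
        $line =~ s/^.+[>|\)] \(([\-\d\.]+)\/([\d\.]+)\) from .+ for .+, \d+ bytes\..*$// ) {
        ++$$stats{'spamd:total'};
        #my ( $verdict, $score, $threshold, $proctime ) = ( $1, $2, $3, $4 );
        my ( $score, $threshold, $proctime ) = ( $1, $2, $3 );

        # Bucket the score by multiples of the configured threshold.
        if ( $score >= $threshold * 3 ) {
            ++$$stats{'spamd:spam3'};
        } elsif ( $score >= $threshold * 2 ) {
            ++$$stats{'spamd:spam2'};
        } elsif ( $score >= $threshold ) {
            ++$$stats{'spamd:spam1'};
        } elsif ( $score > 0 ) {
            ++$$stats{'spamd:spam0'};
        } elsif ( $score <= -$threshold * 2 ) {
            ++$$stats{'spamd:ham2'};
        } elsif ( $score <= -$threshold ) {
            ++$$stats{'spamd:ham1'};
        } else {
            ++$$stats{'spamd:ham0'};
        }

        # Cached results have no processing time ($3 is unset for that
        # pattern); they are counted with a time of 0.
        if ( !$proctime ) {
            $proctime = 0;
        }

        # Work out the average processing time over all scored messages.
        $time += $proctime;
        ++$messages;
        $$stats{'spamd:avproctime'} = $time / $messages;
    } elsif ( $line =~ s/result: (.) ([\-\d]+) -\s+// ) {
        # spamd-style "result:" line: tells us less than the entries above,
        # so it is deliberately not counted.
    } else {
        ++$$stats{'spamd:other'};
        # The echoed line contains sender-supplied text. Replace control
        # characters so it cannot carry terminal escape sequences into
        # whatever displays STDERR (for example mail sent by cron).
        ( my $printable = $origline ) =~ s/[\x00-\x08\x0b-\x1f\x7f]/?/g;
        print STDERR __FILE__." $VERSION:".__LINE__." $log:$number unknown: $printable\n";
    }
    return 1;
}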
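# The file's final expression is a code reference to register(). The "&r"
# had been mangled into a registered-trademark sign, which is not valid Perl.
# NOTE(review): presumably uloganalyser loads this file and calls the
# returned reference - confirm against the loader.
\&register;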