Universal Log Analyser/vboxadm-sa


Plugin for SpamAssassin as run by the vboxadm smtp-proxy (derived from the original spamd.pm plugin)

cron entry:

#vboxadm spamassassin
/etc/snmp/uloganalyser /var/log/vboxadm/sa.log.1  /var/log/vboxadm/sa.log /var/local/snmp/sa vboxadm-sa

Logfile:

/var/log/vboxadm/sa.log

Sample log entries:

2015.09.26-18:02:06     VBoxAdm::SMTP::Proxy::SA::is_spam       INFO    clean message <20150926160205.2EA861200A2@mailxxx.de> (-1.90/6.31) from <logcheck@xxx.de> for user@xxx.de in 1.71 s, 771 bytes. rules hit: BAYES_00,NO_RELAYS,URIBL_BLOCKED

2015.09.23-08:00:05       VBoxAdm::SMTP::Proxy::SA::is_spam       INFO    clean message - using cached result for <mailman.2.1442988002.9095.user@xxx.de> (-2.899/6.31) from <somethinh@xxx.de> for owner@xxx.de, 4509 bytes.

2015.09.26-21:16:34     VBoxAdm::SMTP::Proxy::SA::is_spam       INFO    identified spam <20150926-d9e7258c-7b0d-4c76-836d-d5b9a2ead2ba@bb013359bfd873> (10.67/6.31) from <bounce@xxx.com> for info@xxx.de in 2.19 s, 44612 bytes. rules hit: BAYES_50,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VERIFIED,HTML_FONT_FACE_BAD,HTML_IMAGE_RATIO_02,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,SPF_PASS,URIBL_BLOCKED,URIBL_DBL_SPAM,URIBL_JP_SURBL

vboxadm-sa.pm

#!/usr/bin/perl
use strict;
use warnings;
# process the mail log and place the results in a file

# Copyright (C) 2012  Glen Pitt-Pladdy
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
#
# See: https://www.pitt-pladdy.com/blog/_20091122-164951%2B0000%20Postfix%20stats%20on%20Cacti%20%28via%20SNMP%29/
#
package sa;
# Plugin version (date stamp) and the minimum uloganalyser version it needs;
# register() compares the latter against the host's reported version.
our $VERSION = 20120421;
our $REQULOGANALYSER = 20120420;
#
# Thanks for ideas, unhandled log lines, patches and feedback to:
#
# "oneloveamaru"


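# Hook called once by uloganalyser when it loads this plugin.
#
# $lines           - arrayref of per-line handlers; analyse() is appended to it
# $ends            - arrayref of end-of-run handlers (this plugin registers none)
# $uloganalyserver - version of the calling uloganalyser (numeric date stamp)
#
# Dies BEFORE registering anything when the caller is missing or older than
# $REQULOGANALYSER, so a too-old host never ends up with a handler it cannot
# drive correctly (the original pushed the handler first and died afterwards).
sub register {
        my ( $lines, $ends, $uloganalyserver ) = @_;
        if ( ! defined $uloganalyserver or $uloganalyserver < $REQULOGANALYSER ) {
                die __FILE__.": FATAL - Requeire uloganalyser version $REQULOGANALYSER or higher\n";
        }
        push @$lines, \&analyse;
        return;
}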



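# Running totals behind 'spamd:avproctime'; package-level so they accumulate
# across every call for the whole uloganalyser run.
our $time = 0;
our $messages = 0;

# Verdict line written by VBoxAdm::SMTP::Proxy::SA::is_spam for a freshly
# scanned message (after the "is_spam" prefix has been stripped):
#   ... <msgid> (<score>/<threshold>) from <sender> for <rcpt> in <n> s, <n> bytes. rules hit: ...
# The leading greedy ".+" makes the engine settle on the LAST "> (score/threshold)"
# in the line, so look-alike text in the parts the remote sender controls
# (message-id, addresses) cannot stand in for the real verdict that is_spam
# appends at the end.  The trailer after "bytes." is optional (".*"), so a line
# without a "rules hit:" list still yields its processing time instead of
# falling through to the cached-result pattern and losing it.
# (The original class "[>|\)]" carried a stray literal "|"; it is "[>)]" here.)
my $SCANNED_RE = qr{
        ^ .+ [>)] [ ] \( ([-\d.]+) / ([\d.]+) \)
        [ ] from [ ] .+ [ ] for [ ] .+
        [ ] in [ ] ([\d.]+) [ ] s, [ ] \d+ [ ] bytes\. .* $
}x;

# Same verdict served from the proxy's cache: no "in <n> s" part.
my $CACHED_RE = qr{
        ^ .+ [>)] [ ] \( ([-\d.]+) / ([\d.]+) \)
        [ ] from [ ] .+ [ ] for [ ] .+ , [ ] \d+ [ ] bytes\. .* $
}x;

# Name the score bucket for one verdict: "spamN" when the score reaches N times
# the threshold (N=0: above zero but below threshold), "hamN" when it sits N
# times below the negated threshold, "ham0" for anything in between.
sub _verdict_bucket {
        my ( $score, $threshold ) = @_;
        return 'spam3' if $score >= $threshold * 3;
        return 'spam2' if $score >= $threshold * 2;
        return 'spam1' if $score >= $threshold;
        return 'spam0' if $score > 0;
        return 'ham2'  if $score <= -$threshold * 2;
        return 'ham1'  if $score <= -$threshold;
        return 'ham0';
}

# Per-line handler registered by register(): classify one sa.log line.
#
# $line   - the raw log line
# $number - its line number, used only in the "unknown line" diagnostic
# $log    - the log file name, likewise
# $stats  - hashref of counters; this plugin maintains the 'spamd:*' keys
#           (total, spam0..spam3, ham0..ham2, avproctime, other)
#
# Returns 1 for every line that came from is_spam, whether or not it was
# counted; returns nothing for lines that are not ours or are skipped notices.
sub analyse {
        my ( $line, $number, $log, $stats ) = @_;
        my $origline = $line;
        # only lines from the is_spam method concern us
        return if $line !~ s/^ .+ is_spam \s+ //x;
        # ignore server, connection, setuid, creating, processing
        return if $line =~ /Skipping this message|Skipped too large/;

        my ( $score, $threshold, $proctime );
        if ( $line =~ $SCANNED_RE ) {
                ( $score, $threshold, $proctime ) = ( $1, $2, $3 );
        } elsif ( $line =~ $CACHED_RE ) {
                # NOTE(review): a cached verdict involved no scan, so it enters
                # the average as 0 s and pulls 'spamd:avproctime' below the real
                # scan time; kept as the original behaviour.
                ( $score, $threshold, $proctime ) = ( $1, $2, 0 );
        } elsif ( $line =~ /result: . [\-\d]+ -\s+/ ) {
                # this tells us less than we know from the verdict line - ignore it for now
                return 1;
        } else {
                ++$stats->{'spamd:other'};
                print STDERR __FILE__." $VERSION:".__LINE__." $log:$number unknown: $origline\n";
                return 1;
        }

        ++$stats->{'spamd:total'};
        ++$stats->{ 'spamd:' . _verdict_bucket( $score, $threshold ) };
        # running average processing time over every counted verdict
        $time += $proctime;
        ++$messages;
        $stats->{'spamd:avproctime'} = $time / $messages;
        return 1;
}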

# Last expression of the file: a reference to the registration hook.
# Presumably this is what uloganalyser picks up when it loads the plugin
# with do()/require — confirm against the host's plugin loader.
\&register;