Christian Dröge
2010-Aug-27 16:08 UTC
[Logcheck-devel] Bug#594605: logcheck-database: some enhancements to amavisd-new rules for IPv6 support and some other allowed values in the log
Package: logcheck-database
Version: 1.3.12
Severity: normal

Hi,

I had to create some customized rules for amavisd-new, so that the logcheck mail is not full of uninteresting log lines. I added the following changes to the rules:

* IPv6 support for IP addresses
* allows PASSED SPAM in log (if amavisd-new is configured to forward spam to the user without discarding/bouncing it)
* optional minus sign (same as #592786, but they probably should be optional)
* optional quarantine in log line (if amavisd-new is configured to not quarantine a mail with a virus or a bad header)
* optional Message-ID (sometimes this header is missing)

Here are the changed rules:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|SPAM),( LOCAL)?( \[(IPv6:)?[[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: ((-)?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (INFECTED \([-._[:alnum:]]+\)|BAD-HEADER),( \[(IPv6:)?[[[:xdigit:].:]{3,39}\]){1,2} <[^>]*> -> <[^>]*>,( quarantine: (virus|badh)-[-+[:alnum:]]+,)? Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: ((-)?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$

I hope that these changes are helpful and will be incorporated into the current rules.
Here are some examples that are filtered by the changed rules:

IPv6 example:

Aug 23 12:21:02 mail amavis[17286]: (17286-10) Passed CLEAN, [IPv6:2001:41b8:202:deb:213:21ff:fe20:1426] [89.163.160.227] <bounce-debian-security-announce=christian+lists.debian.security-announce=draugr.de at lists.debian.org> -> <christian at draugr.de>, Message-ID: <20100823101246.GA6512 at SD6-Casa.iuculano.it>, Resent-Message-ID: <Mguz-15aQq.A.TG.1mkcMB at liszt>, mail_id: 0Wrgflf-fVBG, Hits: -2.208, size: 11783, queued_as: 680E120E186, 56 ms

Example without "quarantine":

Aug 25 17:43:11 mail amavis[18950]: (18950-05) Passed BAD-HEADER, [91.189.94.204] [96.21.216.144] <ubuntu-security-announce-bounces at lists.ubuntu.com> -> <christian at draugr.de>, Message-ID: <1282750872.2662.8.camel at mdlinux>, mail_id: vgu7UmtJb569, Hits: -2.57, size: 9384, queued_as: A30F120E149, 664 ms

Example without Message-ID:

Aug 27 01:20:45 mail amavis[7739]: (07739-16) Passed CLEAN, LOCAL [88.198.60.116] [88.198.60.116] <root at jabberd.draugr.de> -> <christian at draugr.de>, mail_id: 4NHaobkpxB96, Hits: 0.295, size: 559, queued_as: 15A1220E146, 260 ms

Best regards,
Christian Dröge
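Added example (not part of the original report and not logcheck's own code): the two rules from the report applied as an ignore filter with grep -E -v -f to the three log lines quoted in the report plus one constructed "Blocked INFECTED" line, to confirm that the rules suppress the former and still report the latter. It assumes GNU grep (for \w); the file names and the last log line are made up for the illustration, and addresses keep the " at " form of the archive copy.

```shell
#!/bin/sh
# Added example: apply the proposed rules as an egrep-style ignore filter.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# The two rules exactly as posted, one per line. No blank lines: an empty
# pattern matches everything and would suppress every log line.
cat > "$work/amavis.rules" <<'RULES'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|SPAM),( LOCAL)?( \[(IPv6:)?[[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: ((-)?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (INFECTED \([-._[:alnum:]]+\)|BAD-HEADER),( \[(IPv6:)?[[[:xdigit:].:]{3,39}\]){1,2} <[^>]*> -> <[^>]*>,( quarantine: (virus|badh)-[-+[:alnum:]]+,)? Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: ((-)?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
RULES

# Lines 1-3: the examples from the report. Line 4: constructed for this
# example (a blocked virus mail, which the rules must NOT suppress).
cat > "$work/sample.log" <<'LOG'
Aug 23 12:21:02 mail amavis[17286]: (17286-10) Passed CLEAN, [IPv6:2001:41b8:202:deb:213:21ff:fe20:1426] [89.163.160.227] <bounce-debian-security-announce=christian+lists.debian.security-announce=draugr.de at lists.debian.org> -> <christian at draugr.de>, Message-ID: <20100823101246.GA6512 at SD6-Casa.iuculano.it>, Resent-Message-ID: <Mguz-15aQq.A.TG.1mkcMB at liszt>, mail_id: 0Wrgflf-fVBG, Hits: -2.208, size: 11783, queued_as: 680E120E186, 56 ms
Aug 25 17:43:11 mail amavis[18950]: (18950-05) Passed BAD-HEADER, [91.189.94.204] [96.21.216.144] <ubuntu-security-announce-bounces at lists.ubuntu.com> -> <christian at draugr.de>, Message-ID: <1282750872.2662.8.camel at mdlinux>, mail_id: vgu7UmtJb569, Hits: -2.57, size: 9384, queued_as: A30F120E149, 664 ms
Aug 27 01:20:45 mail amavis[7739]: (07739-16) Passed CLEAN, LOCAL [88.198.60.116] [88.198.60.116] <root at jabberd.draugr.de> -> <christian at draugr.de>, mail_id: 4NHaobkpxB96, Hits: 0.295, size: 559, queued_as: 15A1220E146, 260 ms
Aug 27 01:21:10 mail amavis[7739]: (07739-17) Blocked INFECTED (Eicar-Test-Signature), [192.0.2.10] <sender@example.org> -> <rcpt@example.org>, quarantine: virus-EXAMPLE, Message-ID: <1@example.org>, mail_id: EXAMPLE, Hits: -, size: 100, 50 ms
LOG

# Lines that survive the ignore rules, i.e. what would still be reported.
reported() {
    grep -E -v -f "$work/amavis.rules" "$work/sample.log"
}

# Number of sample lines the rules suppress.
suppressed_count() {
    grep -E -c -f "$work/amavis.rules" "$work/sample.log"
}

echo "suppressed: $(suppressed_count)"
echo "still reported:"
reported
```

Running the same check against a copy of a real mail log before installing a changed rule shows whether the rule hides more than intended.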
Debian Bug Tracking System
2010-Sep-03 08:51 UTC
[Logcheck-devel] Bug#594605: marked as done (logcheck-database: some enhancements to amavisd-new rules for IPv6 support and some other allowed values in the log)
Your message dated Fri, 03 Sep 2010 08:48:27 +0000 with message-id <E1OrRwh-0005gO-5f at franck.debian.org> and subject line Bug#594605: fixed in logcheck 1.3.13 has caused the Debian Bug report #594605, regarding logcheck-database: some enhancements to amavisd-new rules for IPv6 support and some other allowed values in the log to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

--
594605: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594605
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: =?utf-8?q?Christian_Dr=C3=B6ge?= <Christian at draugr.de>
Subject: logcheck-database: some enhancements to amavisd-new rules for IPv6 support and some other allowed values in the log
Date: Fri, 27 Aug 2010 18:08:02 +0200
Size: 4910
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20100903/b3eac8bb/attachment-0002.eml>

-------------- next part --------------
An embedded message was scrubbed...
From: Hannes von Haugwitz <hannes at vonhaugwitz.com>
Subject: Bug#594605: fixed in logcheck 1.3.13
Date: Fri, 03 Sep 2010 08:48:27 +0000
Size: 5663
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20100903/b3eac8bb/attachment-0003.eml>