On Mon, September 14, 2015 21:28, Always Learning wrote:
On Mon, 2015-09-14 at 14:51 -0400, James B. Byrne wrote:
The Logwatch imapd service script distributed with CentOS-6 does not generate anything when I run logwatch --service all on a cyrus-imapd host. Is this expected behaviour? Is there a separate script for cyrus-imapd or are there configuration options required to get the existing script to work?
- Check there is data in the log file(s).
Yes. We have cyrus-imapd logging to /var/log/maillog. This appears to be the default setting as I can find no explicit reference to maillog in either /etc/imapd.conf or /etc/cyrus.conf and none to imapd in /etc/rsyslog.conf.
- Ensure Logwatch has the correct location and names of your log files.
Check: /usr/share/logwatch/default.conf/logfiles/ - there should be an 'imapd' file there. I don't use imapd and there is no such file on my instances of C6.
I do not have one either.
   yum provides /usr/share/logwatch/default.conf/logfiles/imapd.conf
   Loaded plugins: etckeeper, fastestmirror, priorities, refresh-packagekit
   Loading mirror speeds from cached hostfile
    * base: centos.mirror.rafal.ca
    * epel: mirror.steadfast.net
    * extras: less.cogeco.net
    * updates: mirror.netflash.net
   No Matches found
The Logwatch related files that reference imapd are these:
   find /usr/share/logwatch -type f | xargs grep -l imapd
   /usr/share/logwatch/default.conf/services/imapd.conf
   /usr/share/logwatch/default.conf/services/secure.conf
   /usr/share/logwatch/scripts/services/secure
   /usr/share/logwatch/scripts/services/cron
   /usr/share/logwatch/scripts/services/courier
   /usr/share/logwatch/scripts/services/imapd
Maillog is referenced in /usr/share/logwatch/default.conf/services/imapd.conf:
   cat /usr/share/logwatch/default.conf/services/imapd.conf
   ###########################################################################
   # ------------------------------------------------------------------------
   ###########################################################################

   # You can put comments anywhere you want to.  They are effective for the
   # rest of the line.

   # this is in the format of <name> = <value>.  Whitespace at the beginning
   # and end of the lines is removed.  Whitespace before and after the = sign
   # is removed.  Everything is case *insensitive*.

   # Yes = True  = On  = 1
   # No  = False = Off = 0

   Title = "IMAP"

   # Which logfile group...
   LogFile = maillog

   # Only give lines pertaining to courier...
   # I'm not sure if this is complete, especially for the new webmail daemon in 0.44.1
   #but you will get at least all currently supported logs
   *OnlyService = (imapd|imapd-ssl|imapsd)

   *RemoveHeaders =

   # vi: shiftwidth=3 tabstop=3 et
The only executable(sic) script available in /usr/share/logwatch/scripts/services/ referred to in /usr/share/logwatch/default.conf/services/imapd.conf is imapd and that script is specifically tailored to courier-imap. Which is likely the reason that it reports nothing.
Which brings me back to my original question. Where can one find a current Logwatch script for cyrus-imap log analysis? The cyrus-imapd specific logwatch script that I have found and have placed into /etc/logwatch/scripts/services/imapd is old and has errors. I can probably fix the errors but my Perl skills are inadequate to do anything more.
Does anyone know of a current Logwatch script for cyrus-imapd? And where it can be obtained?
On Tue, 2015-09-15 at 10:28 -0400, James B. Byrne wrote:
Does anyone know of a current Logwatch script for cyrus-imapd? And where it can be obtained?
Tampering with an existing Logwatch script may seem daunting but, as I have no Perl skills, it was relatively easy to produce a more useful display. Note the amended script should be placed in /etc/logwatch/scripts/services/your-choice-of-file-name
(1) If your cyrus-imap is similar to the Exim script, there are 2 main parts:-
(a) identifying the information and accumulating it; and
(b) printing the data.
(2) In the standard Exim script I located lines like:-
elsif ( $ThisLine =~ /[Rr]ecipient verify fail/)
{$RecipVerify{$ThisLine}++;}
elsif ( $ThisLine =~ /[Ss]ender verify fail/ )
{$SendVerify{$ThisLine}++;}
and inserted my own tests like these (I was testing on error messages I created which were prefixed with a self-chosen code)
--------------------
elsif ($ThisLine =~ /A02]/)
{
   $a02++;
   $temp1 = substr($ThisLine,0,20).": ";    # date

   $temp2 = index($ThisLine," H=");         # sender's host
   $temp2+= 3;
   $temp2 = substr($ThisLine,$temp2);

   $temp3 = index($temp2,":");
   $temp1 = $temp1 . substr($temp2,0,$temp3);

   @a02 = (@a02, $temp1."\n");
   $temp1 = ''; $temp2 = ''; $temp3 = '';
}
--------------------
The Perl seems similar to PHP. $a = a variable; @a = an array
The second main part prints the data. In the original Exim script it looks like this
if ( %SmtpConnection ) {
   print "\n--- SMTP Connection Issues \n";
   foreach $ThisOne (keys %SmtpConnection) {
      $bb = $SmtpConnection{$ThisOne};
      print " $ThisOne: $bb Time(s)\n";
   }
}
My inserted coding is this ...
if(@c01) {print "\n--- C01 : Spam rejected = $c01\n @c01";}
if(@c02) {print "\n--- C02 : Senders denied = $c02\n";}
The first line prints a heading and a total, new line and then lists the examples. The second line prints only a heading and a total.
If your script is similar to the standard Exim script then it should be possible, using the log file for guidance, to construct your own script.
You can ignore unwanted log file lines by testing like this ...
elsif ($ThisLine =~ /xxxxxxx/) {}
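
Added example, not part of the original thread and not a script shipped by Logwatch or Cyrus: the accumulate-then-print structure described above, applied to cyrus-imapd login and badlogin lines so that failed authentications are counted per user and source address. The line formats in the regexes, the hash names, and the sample lines after __DATA__ are assumptions constructed for illustration (syslog headers are assumed already stripped, as *RemoveHeaders in the service conf requests); check them against your own /var/log/maillog before use.

```perl
#!/usr/bin/perl
# Added example: Logwatch-style filter for cyrus-imapd lines (not from the thread).
use strict;
use warnings;

my (%BadLogin, %Login, %Unmatched);

# Part (a): identify each line and accumulate counts.
sub accumulate {
    my ($ThisLine) = @_;
    chomp $ThisLine;
    # Assumed format: badlogin: <host> [<ip>] <mech> <user> <reason>
    if ($ThisLine =~ /badlogin: \S+ \[([^\]]+)\] \S+ (\S+) /) {
        $BadLogin{"$2 from $1"}++;
    }
    # Assumed format: login: <host> [<ip>] <user> <mech> User logged in
    elsif ($ThisLine =~ /\blogin: \S+ \[([^\]]+)\] (\S+) \S+ User logged in/) {
        $Login{$2}++;
    }
    # Routine lines are matched and dropped, like the empty elsif in the post.
    elsif ($ThisLine =~ /(?:accepted connection|starttls: )/) {}
    else { $Unmatched{$ThisLine}++; }
}

# Part (b): print one section per non-empty hash, failures first.
sub report {
    my $out = '';
    for my $s (["Failed logins", \%BadLogin], ["Successful logins", \%Login],
               ["Unmatched entries", \%Unmatched]) {
        my ($title, $h) = @$s;
        next unless %$h;
        $out .= "\n--- $title\n";
        $out .= "   $_: $h->{$_} Time(s)\n" for sort keys %$h;
    }
    return $out;
}

# Logwatch pipes the filtered log to STDIN; run by hand, the sample below is used.
my $in = (-t STDIN) ? \*DATA : \*STDIN;
accumulate($_) while <$in>;
print report();

# Everything after __DATA__ is constructed sample input, not real log data.
__DATA__
accepted connection
starttls: TLSv1.2 with cipher AES256-SHA (256/256 bits new) no authentication
login: client.example.org [198.51.100.7] alice PLAIN+TLS User logged in
badlogin: host.example.net [192.0.2.44] PLAIN bob SASL(-13): authentication failure: checkpass failed
badlogin: host.example.net [192.0.2.44] PLAIN bob SASL(-13): authentication failure: checkpass failed
idle for too long, closing connection
```

Keeping the final else branch means any line the script does not recognise still shows up in the report instead of being silently lost.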