[CentOS] Apparent bug in logwatch's reporting of number of email by sendmail

Fri Mar 13 20:15:23 UTC 2015
Liam O'Toole <liam.p.otoole at gmail.com>

On 2015-03-13, Jason Woods
<devel at jasonwoods.me.uk> wrote:
>
>> On 13 Mar 2015, at 18:13, ken
>> <gebser at mousecar.com> wrote:
>> 
>>> On 03/13/2015 01:06 PM, Blake Hudson wrote:
>>> ken wrote on 3/13/2015 11:36 AM:
>>>> # rpm -q sendmail logwatch
>>>> sendmail-8.13.8-8.1.el5_7
>>>> logwatch-7.3-10.el5
>>>> 
>>>> One host sends just one email per day, the daily logwatch report.
>>>> Here's /var/log/maillog entries from yesterday (hostnames are
>>>> changed to make designations in this conversation more intuitive):
>>>> 
>>>> Mar 12 04:02:18 srchost sendmail[27151]: t2C82Bjr027151: from=root,
>>>> size=2485, class=0, nrcpts=1,
>>>> msgid=<201503120802.t2C82Bjr027151 at localhost.localdomain>,
>>>> relay=root at localhost
>>>>
>>>> Mar 12 04:02:19 srchost sendmail[27383]: t2C82IiB027383:
>>>> from=<root at localhost.localdomain>,
>>>> size=2756, class=0, nrcpts=1,
>>>> msgid=<201503120802.t2C82Bjr027151 at localhost.localdomain>,
>>>> proto=ESMTP, daemon=MTA, relay=srchost [127.0.0.1]
>>>>
>>>> Mar 12 04:02:19 srchost sendmail[27151]: t2C82Bjr027151: to=recip at dest,
>>>> ctladdr=root (0/0), delay=00:00:08, xdelay=00:00:01, mailer=relay,
>>>> pri=32485, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent
>>>> (t2C82IiB027383 Message accepted for delivery)
>
> First email is sent locally to root.

And that email would be the logwatch report itself, but from 24 hours
before.

>
>>>> Mar 12 04:02:20 srchost sendmail[27385]: t2C82IiB027383:
>>>> to=<recip at dest.com>, ctladdr=<root-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob at public.gmane.org> (0/0),
>>>> delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=122756,
>>>> relay=dellap.mousecar.net. [192.168.0.26], dsn=2.0.0, stat=Sent
>>>> (t2C82Jh3016227 Message accepted for delivery)
>
> Root I guess forwards through an alias so it resends to target.

That would be my guess too.

>
>>>> 
>> 
>> My major concern is accuracy.  I mean, there's not much sense in using logwatch if what it's telling me is wrong.
>
> I'm guessing it simply parses the message sent lines. Whether or not treating locally delivered emails is correct or not - I'm inclined to think it is. Either way it would probably be difficult to exclude it - and then you would never be able to track locally sent emails.
>
> Jason


-- 

Liam
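
The quoted maillog entries carry the same msgid under two queue IDs, each with its own stat=Sent line. The sketch below is an added example, not part of the thread and not logwatch's code: it contrasts counting stat=Sent lines (the behaviour Jason guesses at, treated here as an assumption) with counting distinct msgids. The sample lines are constructed from the quoted entries, with placeholder addresses and relay.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the entries quoted in the thread.
# Addresses, relay name and IP are placeholders, not the originals.
SAMPLE = """\
Mar 12 04:02:18 srchost sendmail[27151]: t2C82Bjr027151: from=root, size=2485, class=0, nrcpts=1, msgid=<201503120802.t2C82Bjr027151@localhost.localdomain>, relay=root@localhost
Mar 12 04:02:19 srchost sendmail[27383]: t2C82IiB027383: from=<root@localhost.localdomain>, size=2756, class=0, nrcpts=1, msgid=<201503120802.t2C82Bjr027151@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=srchost [127.0.0.1]
Mar 12 04:02:19 srchost sendmail[27151]: t2C82Bjr027151: to=recip@dest.example, ctladdr=root (0/0), delay=00:00:08, xdelay=00:00:01, mailer=relay, pri=32485, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t2C82IiB027383 Message accepted for delivery)
Mar 12 04:02:20 srchost sendmail[27385]: t2C82IiB027383: to=<recip@dest.example>, ctladdr=<root@localhost.localdomain> (0/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=122756, relay=mx.dest.example. [192.0.2.26], dsn=2.0.0, stat=Sent (t2C82Jh3016227 Message accepted for delivery)
"""

ENTRY = re.compile(r"sendmail\[\d+\]: (\w+): (.*)")   # queue id, key=value tail
MSGID = re.compile(r"msgid=<([^>]+)>")
MAILER = re.compile(r"mailer=(\w+)")


def summarize(log_text):
    """Return (number of stat=Sent lines, {msgid: [mailer of each hop]})."""
    qid_to_msgid = {}   # filled from the from= lines
    sent = []           # (queue id, mailer) for every stat=Sent line
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        mid = MSGID.search(rest)
        if mid:
            qid_to_msgid[qid] = mid.group(1)
        elif "stat=Sent" in rest:
            mailer = MAILER.search(rest)
            sent.append((qid, mailer.group(1) if mailer else "?"))
    hops = defaultdict(list)
    for qid, mailer in sent:
        # If the from= line is missing (e.g. rotated out of the log),
        # fall back to the queue id so the delivery is still counted.
        hops[qid_to_msgid.get(qid, qid)].append(mailer)
    return len(sent), dict(hops)


if __name__ == "__main__":
    sent_lines, hops = summarize(SAMPLE)
    print(f"stat=Sent lines: {sent_lines}, distinct messages: {len(hops)}")
    for msgid, mailers in hops.items():
        print(f"  {msgid}: {' -> '.join(mailers)}")
```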