On 03/13/2015 02:29 PM, Jason Woods wrote:
>
>> On 13 Mar 2015, at 18:13, ken <gebser at mousecar.com> wrote:
>>
>>> On 03/13/2015 01:06 PM, Blake Hudson wrote:
>>> ken wrote on 3/13/2015 11:36 AM:
>>>> # rpm -q sendmail logwatch
>>>> sendmail-8.13.8-8.1.el5_7
>>>> logwatch-7.3-10.el5
>>>>
>>>> One host sends just one email per day, the daily logwatch
>>>> report. Here's /var/log/maillog entries from yesterday
>>>> (hostnames are changed to make designations in this
>>>> conversation more intuitive):
>>>>
>>>> Mar 12 04:02:18 srchost sendmail[27151]: t2C82Bjr027151:
>>>> from=root, size=2485, class=0, nrcpts=1,
>>>> msgid=<201503120802.t2C82Bjr027151 at localhost.localdomain>,
>>>> relay=root at localhost
>>>> Mar 12 04:02:19 srchost sendmail[27383]: t2C82IiB027383:
>>>> from=<root at localhost.localdomain>, size=2756,
>>>> class=0, nrcpts=1,
>>>> msgid=<201503120802.t2C82Bjr027151 at localhost.localdomain>,
>>>> proto=ESMTP, daemon=MTA, relay=srchost [127.0.0.1]
>>>> Mar 12 04:02:19 srchost sendmail[27151]: t2C82Bjr027151:
>>>> to=recip at dest, ctladdr=root (0/0), delay=00:00:08,
>>>> xdelay=00:00:01, mailer=relay, pri=32485, relay=[127.0.0.1]
>>>> [127.0.0.1], dsn=2.0.0, stat=Sent (t2C82IiB027383 Message
>>>> accepted for delivery)
>
> First email is sent locally to root.

I see that it's sent *from* root. Where does it say it's sent *to* root?

>
>>>> Mar 12 04:02:20 srchost sendmail[27385]: t2C82IiB027383:
>>>> to=<recip at dest.com>, ctladdr=<root at localhost.localdomain>
>>>> (0/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp,
>>>> pri=122756, relay=dellap.mousecar.net. [192.168.0.26],
>>>> dsn=2.0.0, stat=Sent (t2C82Jh3016227 Message accepted for
>>>> delivery)
>
> Root I guess forwards through an alias so it resends to target.

/etc/logwatch.conf is configured to send to <recip at dest.com>, so no aliasing and no resending.

>
>>>>
>>
>> My major concern is accuracy. I mean, there's not much sense in
>> using logwatch if what it's telling me is wrong.
>
> I'm guessing it simply parses the message sent lines. Whether or not
> treating locally delivered emails is correct or not - I'm inclined to
> think it is. Either way it would probably be difficult to exclude it
> - and then you would never be able to track locally sent emails.
>
> Jason

Tracking where/how emails are sent would be done in maillog, not in logwatch.

I'd disagree. If one email is sent, saying two are sent is not correct. If one email is sent with one recipient, the total number of recipients is one. If I hold up two fingers and ask someone how many fingers I'm holding up and she says "four", that too is incorrect. Yes, it might be difficult to machine-parse the maillog, but then the software-- here logwatch-- should either be fixed or its data described accurately (and hopefully too, meaningfully). It shouldn't post erroneous data.
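Added example, not part of any message in this thread and not logwatch's code: a short Python sketch that runs over the four maillog entries quoted above and compares a plain count of stat=Sent lines with a count that correlates queue IDs by msgid. The function name `summarize` is hypothetical, and treating a relay of [127.0.0.1] as a hand-off to the local MTA rather than a delivery is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Sample input: the four maillog entries quoted in the thread, one per line
# (the list archive's " at " address obfuscation is kept as-is).
SAMPLE = """\
Mar 12 04:02:18 srchost sendmail[27151]: t2C82Bjr027151: from=root, size=2485, class=0, nrcpts=1, msgid=<201503120802.t2C82Bjr027151 at localhost.localdomain>, relay=root at localhost
Mar 12 04:02:19 srchost sendmail[27383]: t2C82IiB027383: from=<root at localhost.localdomain>, size=2756, class=0, nrcpts=1, msgid=<201503120802.t2C82Bjr027151 at localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=srchost [127.0.0.1]
Mar 12 04:02:19 srchost sendmail[27151]: t2C82Bjr027151: to=recip at dest, ctladdr=root (0/0), delay=00:00:08, xdelay=00:00:01, mailer=relay, pri=32485, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t2C82IiB027383 Message accepted for delivery)
Mar 12 04:02:20 srchost sendmail[27385]: t2C82IiB027383: to=<recip at dest.com>, ctladdr=<root at localhost.localdomain> (0/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=122756, relay=dellap.mousecar.net. [192.168.0.26], dsn=2.0.0, stat=Sent (t2C82Jh3016227 Message accepted for delivery)
"""

ENTRY = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)")
# Assumption: a to= line relayed to 127.0.0.1 is the submission hop, not a delivery.
LOOPBACK = re.compile(r"relay=(?:\S+ )?\[127\.0\.0\.1\]")

def summarize(log_text):
    msgid_of = {}    # queue ID -> Message-ID taken from its from= line
    deliveries = []  # (queue ID, rest of line) for every to= line with stat=Sent
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        mid = re.search(r"msgid=<([^>]+)>", rest)
        if rest.startswith("from=") and mid:
            msgid_of[qid] = mid.group(1)
        elif rest.startswith("to=") and "stat=Sent" in rest:
            deliveries.append((qid, rest))

    final = defaultdict(set)  # Message-ID -> recipients reached off-host
    for qid, rest in deliveries:
        if LOOPBACK.search(rest):
            continue
        rcpt = re.match(r"to=<?([^>,]+)>?", rest).group(1)
        final[msgid_of.get(qid, qid)].add(rcpt)

    return {
        "sent_lines": len(deliveries),                    # plain stat=Sent count
        "queue_ids": len(msgid_of),                       # hops seen in the log
        "unique_messages": len(set(msgid_of.values())),   # distinct msgid values
        "final_recipients": sum(len(r) for r in final.values()),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Both queue IDs carry the same msgid, so the correlated count is one message with one recipient, while the plain line count is two.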