PFLOGSUMM(1)          User Contributed Perl Documentation          PFLOGSUMM(1)

pflogsumm.pl - Produce Postfix MTA logfile summary

Copyright (C) 1998-2010 by James S. Seymour, Release 1.1.3.

    pflogsumm.pl -[eq] [-d <today|yesterday>] [--detail <cnt>]
        [--bounce_detail <cnt>] [--deferral_detail <cnt>]
        [-h <cnt>] [-i|--ignore_case] [--iso_date_time] [--mailq]
        [-m|--uucp_mung] [--no_bounce_detail] [--no_deferral_detail]
        [--no_no_msg_size] [--no_reject_detail] [--no_smtpd_warnings]
        [--problems_first] [--rej_add_from] [--reject_detail <cnt>]
        [--smtp_detail <cnt>] [--smtpd_stats]
        [--smtpd_warning_detail <cnt>] [--syslog_name=string]
        [-u <cnt>] [--verbose_msg_detail] [--verp_mung[=<n>]]
        [--zero_fill] [file1 [filen]]

    pflogsumm.pl -[help|version]

If no file(s) specified, reads from stdin. Output is to stdout.

Pflogsumm is a log analyzer/summarizer for the Postfix MTA. It is
designed to provide an overview of Postfix activity, with just enough
detail to give the administrator a "heads up" for potential trouble
spots.

Pflogsumm generates summaries and, in some cases, detailed reports of
mail server traffic volumes, rejected and bounced email, and server
warnings, errors and panics.

--bounce_detail <cnt>

    Limit detailed bounce reports to the top <cnt>. 0 to suppress
    entirely.

-d today        generate report for just today
-d yesterday    generate report for just "yesterday"

--deferral_detail <cnt>

    Limit detailed deferral reports to the top <cnt>. 0 to suppress
    entirely.

--detail <cnt>

    Sets all --*_detail, -h and -u to <cnt>. Is over-ridden by
    individual settings. --detail 0 suppresses *all* detail.

-e    extended (extreme? excessive?) detail

    Emit detailed reports. At present, this includes only a
    per-message report, sorted by sender domain, then user-in-domain,
    then by queue i.d.

    WARNING: the data built to generate this report can quickly
    consume very large amounts of memory if a lot of log entries are
    processed!

-h <cnt>    top <cnt> to display in host/domain reports.

    0 = none.

    See also: "-u" and "--*_detail" options for further
    report-limiting options.

--help    Emit short usage message and bail out.

    (By happy coincidence, "-h" alone does much the same, being as it
    requires a numeric argument :-). Yeah, I know: lame.)

-i
--ignore_case

    Handle complete email address in a case-insensitive manner.

    Normally pflogsumm lower-cases only the host and domain parts,
    leaving the user part alone. This option causes the entire email
    address to be lower-cased.

--iso_date_time

    For summaries that contain date or time information, use ISO 8601
    standard formats (CCYY-MM-DD and HH:MM), rather than "Mon DD CCYY"
    and "HHMM".

-m
--uucp_mung

    modify (mung?) UUCP-style bang-paths

    This is for use when you have a mix of Internet-style domain
    addresses and UUCP-style bang-paths in the log. Upstream UUCP
    feeds sometimes mung Internet domain style addresses into
    bang-paths. This option can sometimes undo the "damage". For
    example: "somehost.dom!username@foo" (where "foo" is the next host
    upstream and "somehost.dom" was whence the email originated) will
    get converted to "foo!username@somehost.dom". This also affects
    the extended detail report (-e), to help ensure that
    by-domain-by-name sorting is more accurate.

--mailq    Run "mailq" command at end of report.

    Merely a convenience feature. (Assumes that "mailq" is in $PATH.
    See "$mailqCmd" variable to path this if desired.)

--no_bounce_detail
--no_deferral_detail
--no_reject_detail

    These switches are deprecated in favour of --bounce_detail,
    --deferral_detail and --reject_detail, respectively.

    Suppresses the printing of the following detailed reports,
    respectively:

        message bounce detail (by relay)
        message deferral detail
        message reject detail

    See also: "-u" and "-h" for further report-limiting options.

--no_no_msg_size

    Do not emit report on "Messages with no size data".

    Message size is reported only by the queue manager. The message
    may be delivered long enough after the (last) qmgr log entry that
    the information is not in the log(s) processed by a particular run
    of pflogsumm.pl. This throws off "Recipients by message size" and
    the total for "bytes delivered." These are normally reported by
    pflogsumm as "Messages with no size data."

--no_smtpd_warnings

    This switch is deprecated in favour of --smtpd_warning_detail.

    On a busy mail server, say at an ISP, SMTPD warnings can result in
    a rather sizeable report. This option turns reporting them off.

--problems_first

    Emit "problems" reports (bounces, defers, warnings, etc.) before
    "normal" stats.

--rej_add_from

    For those reject reports that list IP addresses or host/domain
    names: append the email from address to each listing. (Does not
    apply to "Improper use of SMTP command pipelining" report.)

-q    quiet - don't print headings for empty reports

    note: headings for warning, fatal, and "master" messages will
    always be printed.

--reject_detail <cnt>

    Limit detailed smtpd reject, warn, hold and discard reports to the
    top <cnt>. 0 to suppress entirely.

--smtp_detail <cnt>

    Limit detailed smtp delivery reports to the top <cnt>. 0 to
    suppress entirely.

--smtpd_stats

    Generate smtpd connection statistics.

    The "per-day" report is not generated for single-day reports. For
    multiple-day reports: "per-hour" numbers are daily averages
    (reflected in the report heading).

--smtpd_warning_detail <cnt>

    Limit detailed smtpd warnings reports to the top <cnt>. 0 to
    suppress entirely.

--syslog_name=name

    Set the syslog_name to look for in Postfix log entries.

    By default, pflogsumm looks for entries in logfiles with a syslog
    name of "postfix," the default. If you've set a non-default
    "syslog_name" parameter in your Postfix configuration, use this
    option to tell pflogsumm what that is.

    See the discussion about the use of this option under "NOTES,"
    below.

-u <cnt>    top <cnt> to display in user reports. 0 == none.

    See also: "-h" and "--*_detail" options for further
    report-limiting options.

--verbose_msg_detail

    For the message deferral, bounce and reject summaries: display the
    full "reason", rather than a truncated one.

    Note: this can result in quite long lines in the report.

--verp_mung
--verp_mung=2

    do "VERP" generated address (?) munging. Convert sender addresses
    of the form

        "list-return-NN-someuser=some.dom@host.sender.dom"

    to

        "list-return-ID-someuser=some.dom@host.sender.dom"

    In other words: replace the numeric value with "ID".

    By specifying the optional "=2" (second form), the munging is more
    "aggressive", converting the address to something like:

        "list-return@host.sender.dom"

    Actually: specifying anything less than 2 does the "simple"
    munging and anything greater than 1 results in the more
    "aggressive" hack being applied.

    See "NOTES" regarding this option.

--version    Print program name and version and bail out.

--zero_fill

    "Zero-fill" certain arrays so reports come out with data in
    columns that might otherwise be blank.
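
The address rewriting described above for -i, -m and --verp_mung, as an added illustration in Python (not pflogsumm's own Perl code). The regular expressions and function names are assumptions chosen to reproduce the documented examples, and the sender list is constructed; it shows how each option changes the distinct-sender count.

```python
import re

# Constructed sample senders (not taken from any real log).
SENDERS = [
    "list-return-101-alice=a.example@lists.example.org",
    "list-return-102-alice=a.example@lists.example.org",
    "list-return-103-bob=b.example@lists.example.org",
    "Carol@Example.NET",
    "carol@example.net",
    "mail.example.org!dave@relay",
]

def uucp_mung(addr):
    """-m: 'somehost.dom!username@foo' -> 'foo!username@somehost.dom'."""
    m = re.fullmatch(r"((?:[^!@]+!)*)([^!@]+)!([^!@]+)@([^.@!]+)", addr)
    if not m:
        return addr  # not a munged bang-path; leave untouched
    prefix, origin, user, upstream = m.groups()
    return f"{upstream}!{prefix}{user}@{origin}"

def verp_mung(addr, level=1):
    """--verp_mung: replace the numeric part with ID; level > 1 is 'aggressive'."""
    user, sep, domain = addr.rpartition("@")
    if not sep:
        return addr
    user = re.sub(r"-\d+(?=-[^-=]+=)", "-ID", user, count=1)
    if level > 1:
        user = re.sub(r"-ID-[^=]+=.*", "", user)  # drop the encoded recipient
    return user + sep + domain

def fold_case(addr, ignore_case=False):
    """Default: lower-case host/domain only; -i lower-cases the whole address."""
    if ignore_case:
        return addr.lower()
    user, sep, domain = addr.rpartition("@")
    return user + sep + domain.lower() if sep else addr

def normalize(addr, ignore_case=False, uucp=False, verp=None):
    if uucp:
        addr = uucp_mung(addr)
    if verp is not None:
        addr = verp_mung(addr, verp)
    return fold_case(addr, ignore_case)

def distinct_senders(addrs, **opts):
    return len({normalize(a, **opts) for a in addrs})

if __name__ == "__main__":
    for opts in ({}, {"ignore_case": True}, {"ignore_case": True, "verp": 1},
                 {"ignore_case": True, "verp": 2}):
        print(opts, distinct_senders(SENDERS, **opts))
```

With the aggressive form, three different list bounces collapse into one sender, which is the kind of shift in the "senders" count that the option's caveats refer to.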

Pflogsumm doesn't return anything of interest to the shell.

Error messages are emitted to stderr.

Produce a report of previous day's activities:

    pflogsumm.pl -d yesterday /var/log/maillog

A report of prior week's activities (after logs rotated):

    pflogsumm.pl /var/log/maillog.0

What's happened so far today:

    pflogsumm.pl -d today /var/log/maillog

Crontab entry to generate a report of the previous day's activity
at 10 minutes after midnight.

    10 0 * * * /usr/local/sbin/pflogsumm -d yesterday /var/log/maillog
    2>&1 |/usr/bin/mailx -s "`uname -n` daily mail stats" postmaster

Crontab entry to generate a report for the prior week's activity.
(This example assumes one rotates one's mail logs weekly, some time
before 4:10 a.m. on Sunday.)

    10 4 * * 0 /usr/local/sbin/pflogsumm /var/log/maillog.0
    2>&1 |/usr/bin/mailx -s "`uname -n` weekly mail stats" postmaster

The two crontab examples, above, must actually be a single line
each. They're broken up into two or more lines due to page
formatting issues.

The pflogsumm FAQ: pflogsumm-faq.txt.

Pflogsumm makes no attempt to catch/parse non-Postfix log
entries. Unless it has "postfix/" in the log entry, it will be
ignored.

It's important that the logs are presented to pflogsumm in
chronological order so that message sizes are available when
needed.

For display purposes: integer values are munged into "kilo" and
"mega" notation as they exceed certain values. I chose the
admittedly arbitrary boundaries of 512k and 512m as the points at
which to do this--my thinking being 512x was the largest number
(of digits) that most folks can comfortably grok at-a-glance.
These are "computer" "k" and "m", not 1000 and 1,000,000. You
can easily change all of this with some constants near the
beginning of the program.

"Items-per-day" reports are not generated for single-day
reports. For multiple-day reports: "Items-per-hour" numbers are
daily averages (reflected in the report headings).

Message rejects, reject warnings, holds and discards are all
reported under the "rejects" column for the Per-Hour and Per-Day
traffic summaries.

Verp munging may not always result in correct address and
address-count reduction.

Verp munging is always in a state of experimentation. The use
of this option may result in inaccurate statistics with regards
to the "senders" count.

UUCP-style bang-path handling needs more work. Particularly if
Postfix is not being run with "swap_bangpath = yes" and/or *is* being
run with "append_dot_mydomain = yes", the detailed by-message report
may not be sorted correctly by-domain-by-user. (Also depends on
upstream MTA, I suspect.)

The "percent rejected" and "percent discarded" figures are only
approximations. They are calculated as follows (example is for
"percent rejected"):

    percent rejected =

        (rejected / (delivered + rejected + discarded)) * 100

There are some issues with the use of --syslog_name. The problem is
that, even with $syslog_name set, Postfix will sometimes still log
things with "postfix" as the syslog_name. This is noted in
/etc/postfix/sample-misc.cf:

    # Beware: a non-default syslog_name setting takes effect only
    # after process initialization. Some initialization errors will be
    # logged with the default name, especially errors while parsing
    # the command line and errors while accessing the Postfix main.cf
    # configuration file.

As a consequence, pflogsumm must always look for "postfix," in logs,
as well as whatever is supplied for syslog_name.

Where this becomes an issue is where people are running two or more
instances of Postfix, logging to the same file. In such a case:

    . Neither instance may use the default "postfix" syslog name
      and...

    . Log entries that fall victim to what's described in
      sample-misc.cf will be reported under "postfix", so that if
      you're running pflogsumm twice, once for each syslog_name, such
      log entries will show up in each report.
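
A small model of the selection rule just described, as an added Python illustration (not pflogsumm's own code): lines are picked when their syslog name is either "postfix" or the supplied --syslog_name. The instance names "postfix-in" and "postfix-out", the host name and all log lines are constructed assumptions; the point is that a default-named entry lands in both per-instance reports, so per-instance totals should not be summed.

```python
import re

# Constructed log lines for two instances sharing one file.
LOG = [
    "Mar 20 00:09:58 mx1 postfix/postfix-script[901]: fatal: constructed startup error",
    "Mar 20 00:10:01 mx1 postfix-in/smtpd[1234]: connect from unknown[192.0.2.10]",
    "Mar 20 00:10:02 mx1 postfix-out/smtp[1240]: 4F2A91C0: to=<user@example.net>, status=sent",
    "Mar 20 00:10:03 mx1 sshd[2001]: constructed non-Postfix entry",
]

def service_tag(line):
    """Return (syslog_name, daemon) from 'name/daemon[pid]:', or None."""
    m = re.search(r"\s([\w.-]+)/([\w-]+)\[\d+\]:", line)
    return m.groups() if m else None

def report_lines(lines, syslog_name="postfix"):
    """Lines a run with the given syslog name would consider.

    The default name "postfix" is always accepted as well, because
    early initialization errors are logged under it.
    """
    wanted = {"postfix", syslog_name}
    picked = []
    for line in lines:
        tag = service_tag(line)
        if tag and tag[0] in wanted:
            picked.append(line)
    return picked

def shared_between(lines, name_a, name_b):
    """Entries that would appear in both per-instance reports."""
    in_b = set(report_lines(lines, name_b))
    return [line for line in report_lines(lines, name_a) if line in in_b]

if __name__ == "__main__":
    for name in ("postfix-in", "postfix-out"):
        print(name, len(report_lines(LOG, name)), "lines")
    for line in shared_between(LOG, "postfix-in", "postfix-out"):
        print("in both reports:", line)
```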

The Pflogsumm Home Page is at:

    http://jimsun.LinxNet.com/postfix_contrib.html

For certain options (e.g.: --smtpd_stats), Pflogsumm requires the
Date::Calc module, which can be obtained from CPAN at
http://www.perl.com.

Pflogsumm is currently written and tested under Perl 5.8.3.
As of version 19990413-02, pflogsumm worked with Perl 5.003, but
future compatibility is not guaranteed.

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You may have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
USA.

An on-line copy of the GNU General Public License can be found at
http://www.fsf.org/copyleft/gpl.html.

1.1.3                             2010-03-20                      PFLOGSUMM(1)