AMAVIS-LOGWATCH(1)          General Commands Manual         AMAVIS-LOGWATCH(1)

NAME

       amavis-logwatch - An Amavisd-new log parser and analysis utility

SYNOPSIS

       amavis-logwatch [options] [logfile ...]

DESCRIPTION

       The amavis-logwatch(1) utility is an Amavisd-new log parser that
       produces summaries, details, and statistics regarding the operation
       of Amavisd-new (henceforth, simply called Amavis).

       This utility can be used as a standalone program, or as a Logwatch
       filter module to produce Amavisd-new summary and detailed reports
       from within Logwatch.

       Amavis-logwatch is able to produce a wide range of reports with data
       grouped and sorted as much as possible to reduce noise and highlight
       patterns. Brief summary reports provide a quick overview of general
       Amavis operations and message delivery, calling out warnings that may
       require attention. Detailed reports provide easy to scan,
       hierarchically-arranged and organized information, with as much or
       little detail as desired.

       Much of the interesting data is available when Amavis' $log_level is
       set to at least 2. See Amavis Log Level below.

       Amavis-logwatch outputs two principal sections: a Summary section and
       a Detailed section. For readability and quick scanning, all event or
       hit counts appear in the left column, followed by a brief description
       of the event type, and finally additional statistics or count
       representations may appear in the rightmost column.

       The following segment from a sample Summary report illustrates:

           ****** Summary ********************************************

                  9   Miscellaneous warnings

              20313   Total messages scanned ----------------  100.00%
           1008.534M  Total bytes scanned                1,057,524,252
           ========   ================================================

               1190   Blocked -------------------------------    5.86%
                 18     Malware blocked                          0.09%
                  4     Banned name blocked                      0.02%
                416     Spam blocked                             2.05%
                752     Spam discarded (no quarantine)           3.70%

              19123   Passed --------------------------------   94.14%
                 47     Bad header passed                        0.23%
              19076     Clean passed                            93.91%
           ========   ================================================

                 18   Malware -------------------------------    0.09%
                 18     Malware blocked                          0.09%

                  4   Banned --------------------------------    0.02%
                  4     Banned file blocked                      0.02%

               1168   Spam ----------------------------------    5.75%
                416     Spam blocked                             2.05%
                752     Spam discarded (no quarantine)           3.70%

              19123   Ham -----------------------------------   94.14%
                 47     Bad header passed                        0.23%
              19076     Clean passed                            93.91%
           ========   ================================================

               1982   SpamAssassin bypassed
                 32   Released from quarantine
                  2   DSN notification (debug supplemental)
                  2   Bounce unverifiable
               2369   Whitelisted
                  2   Blacklisted
                 12   MIME error
                 58   Bad header (debug supplemental)
                 40   Extra code modules loaded at runtime

       The report indicates there were 9 general warnings, and Amavis
       scanned a total of 20313 messages for a total of 1008.53 megabytes or
       1,057,524,252 bytes. The next summary group shows the Blocked /
       Passed overview, with 1190 Blocked messages (broken down as 18
       messages blocked as malware, 4 messages with banned names, 416 spam
       messages, and 752 discarded messages), and 19123 Passed messages (47
       messages with bad headers and 19076 clean messages).

       The next (optional) summary grouping shows message disposition by
       contents category. There were 18 malware messages and 4 banned file
       messages (all blocked), 1168 Spam messages, of which 416 were blocked
       (quarantined) and 752 discarded. Finally, there were 19123 messages
       considered to be Ham (i.e. not spam), 47 of which contained bad
       headers.

       Additional count summaries for a variety of events are also listed.

       There are dozens of sub-sections available in the Detailed report,
       each of whose output can be controlled in various ways. Each
       sub-section attempts to group and present the most meaningful data at
       superior levels, while pushing less useful or noisy data towards
       inferior levels. The goal is to provide as much benefit as possible
       from smart grouping of data, to allow faster report scanning, pattern
       identification, and problem solving. Data is always sorted in
       descending order by count, and then numerically by IP address or
       alphabetically as appropriate.

       The following Spam blocked segment from a sample Detailed report
       illustrates the basic hierarchical level structure of amavis-logwatch:

           ****** Detailed *******************************************

              19346   Spam blocked -----------------------------------
                756      from@example.com
                 12         10.0.0.2
                 12            <>
                 12         192.168.2.2
                 12            <>
                  5         192.168.2.1
                ...

       The amavis-logwatch utility reads from STDIN or from the named Amavis
       logfile. Multiple logfile arguments may be specified, each processed
       in order. The user running amavis-logwatch must have read permission
       on each named log file.

   Options
       The options listed below affect the operation of amavis-logwatch.
       Options specified later on the command line override earlier ones.
       Any option may be abbreviated to an unambiguous length.

       --[no]autolearn
       --show_autolearn boolean
              Enables (disables) output of the autolearn report. This report
              is only available if the default Amavis $log_templ has been
              modified to provide autolearn results in log entries. This can
              be done by uncommenting two lines in the Amavis program itself
              (where the default log templates reside), or by correctly
              adding the $log_templ variable to the amavisd.conf file. See
              Amavis' README.customize and search near the end of the
              Amavisd program for "autolearn".

       --[no]by_ccat_summary
       --show_by_ccat_summary boolean
              Enables (disables) the by contents category summary in the
              Summary section. Default: enabled.

       -f config_file
       --config_file config_file
              Use an alternate configuration file config_file instead of the
              default. This option may be used more than once. Multiple
              configuration files will be processed in the order presented
              on the command line. See CONFIGURATION FILE below.

       --debug keywords
              Output debug information during the operation of
              amavis-logwatch. The parameter keywords is one or more comma
              or space separated keywords. To obtain the list of valid
              keywords, use --debug xxx where xxx is any invalid keyword.

       --detail level
              Sets the maximum detail level for amavis-logwatch to level.
              This option is global, overriding any other output limiters
              described below.

              The amavis-logwatch utility produces a Summary section, a
              Detailed section, and additional report sections. With level
              less than 5, amavis-logwatch will produce only the Summary
              section. At level 5 and above, the Detailed section, and any
              additional report sections are candidates for output. Each
              incremental increase in level generates one additional
              hierarchical sub-level of output in the Detailed section of
              the report. At level 10, all levels are output. Lines that
              exceed the maximum report width (specified with
              max_report_width) will be cut. Setting level to 11 will
              prevent lines in the report from being cut (see also
              --line_style).

       --[no]first_recip_only
       --show_first_recip_only boolean
              Specifies whether or not to sort by, and show, only the first
              recipient when a scanned message contains multiple recipients.

       --help Print usage information and a brief description about command
              line options.

       --ipaddr_width width
              Specifies that IP addresses in address/hostname pairs should
              be printed with a field width of width characters. Increasing
              the default may be useful for systems using long IPv6
              addresses.

       -l limiter=levelspec
       --limit limiter=levelspec
              Sets the level limiter limiter with the specification
              levelspec.

       --line_style style
              Specifies how to handle long report lines. Three styles are
              available: full, truncate, and wrap. Setting style to full
              will prevent cutting lines to max_report_width; this is what
              occurs when detail is 11 or higher. When style is truncate
              (the default), long lines will be truncated according to
              max_report_width. Setting style to wrap will wrap lines longer
              than max_report_width such that left column hit counts are not
              obscured. This option takes precedence over the line style
              implied by the detail level. The options --full, --truncate,
              and --wrap are synonyms.

       --nodetail
              Disables the Detailed section of the report, and all
              supplemental reports. This option provides a convenient
              mechanism to quickly disable all sections under the Detailed
              report, where subsequent command line options may re-enable
              one or more sections to create specific reports.

       --sarules 'S,H'
       --sarules default
              Enables the SpamAssassin Rules Hit report. The comma-separated
              S and H arguments are top N values for the Spam and Ham
              reports, respectively, and can be any integer greater than or
              equal to 0, or the keyword all. The keyword default uses the
              built-in default values.

       --nosarules
              Disables the SpamAssassin Rules Hit report.

       --sa_timings nrows
              Enables the SpamAssassin Timings percentiles report. The
              report can be limited to the top N rows with the nrows
              argument. This report requires Amavis 2.6+ and SpamAssassin
              3.3+.

       --sa_timings_percentiles 'P1 [P2 ...]'
              Specifies the percentiles shown in the SpamAssassin Timings
              report. The arguments P1 ... are integers from 0 to 100
              inclusive. Their order will be preserved in the report.

       --nosa_timings
              Disables the SpamAssassin Timings report.

       --version
              Print amavis-logwatch version information.

       --score_frequencies 'B1 [B2 ...]'
       --score_frequencies default
              Enables the Spam Score Frequency report. The arguments B1 ...
              are frequency distribution buckets, and can be any real
              numbers. Their order will be preserved in the report. The
              keyword default uses the built-in default values.

       --noscore_frequencies
              Disables the Spam Score Frequency report.

       --score_percentiles 'P1 [P2 ...]'
       --score_percentiles default
              Enables the Spam Score Percentiles report. The arguments P1
              ... specify the percentiles shown in the report, and are
              integers from 0 to 100 inclusive. The keyword default uses the
              built-in default values.

       --noscore_percentiles
              Disables the Spam Score Percentiles report.

       --[no]sect_vars
       --show_sect_vars boolean
              Enables (disables) supplementing each Detailed section title
              with the name of that section's level limiter. The name
              displayed is the command line option (or configuration file
              variable) used to limit that section's output. With the large
              number of level limiters available in amavis-logwatch, this is
              a convenient mechanism for determining exactly which level
              limiter affects a section.

       --[no]startinfo
       --show_startinfo boolean
              Enables (disables) the Amavis startup report showing most
              recent Amavis startup details.

       --[no]summary
       --show_summary
              Enables (disables) displaying of the Summary section of the
              report. The variable Amavis_Show_Summary is used in a
              configuration file.

       --syslog_name namepat
              Specifies the syslog service name that amavis-logwatch uses to
              match syslog lines. Only log lines whose service name matches
              the perl regular expression namepat will be used by
              amavis-logwatch; all non-matching lines are silently ignored.
              This is useful when a pre-installed Amavis package uses a name
              other than the default (amavis).

              Note: if you use parentheses in your regular expression, be
              sure they are cloistering and not capturing: use (?:pattern)
              instead of (pattern).

       --timings percent
              Enables the Amavis Scan Timings percentiles report. The report
              can be top N-percent limited with the percent argument.

       --timings_percentiles 'P1 [P2 ...]'
              Specifies the percentiles shown in the Scan Timings report.
              The arguments P1 ... are integers from 0 to 100 inclusive.
              Their order will be preserved in the report.

       --notimings
              Disables the Amavis Scan Timings report.


   Level Limiters
       The output of every section in the Detailed report is controlled by a
       level limiter. The name of the level limiter variable will be output
       when the sect_vars option is set. Level limiters are set either via
       command line in standalone mode with --limit limiter=levelspec
       option, or via configuration file variable $amavis_limiter=levelspec.
       Each limiter requires a levelspec argument, which is described below
       in LEVEL CONTROL.

       The list of level limiters is shown below.

       Amavis major contents category (ccatmajor) sections, listed in order
       of priority: VIRUS, BANNED, UNCHECKED, SPAM, SPAMMY, BADH, OVERSIZED,
       MTA, CLEAN.

       MalwareBlocked
       MalwarePassed
              Blocked or passed messages that contain malware (ccatmajor:
              VIRUS).

       BannedNameBlocked
       BannedNamePassed
              Blocked or passed messages that contain banned names in MIME
              parts (ccatmajor: BANNED).

       UncheckedBlocked
       UncheckedPassed
              Blocked or passed messages that were not checked by a virus
              scanner or SpamAssassin (Amavis ccatmajor: UNCHECKED).

       SpamBlocked
       SpamPassed
              Blocked or passed messages that were considered spam that
              reached kill level (Amavis ccatmajor: SPAM).

       SpammyBlocked
       SpammyPassed
              Blocked or passed messages that were considered spam, but did
              not reach kill level (Amavis ccatmajor: SPAMMY).

       BadHeaderBlocked
       BadHeaderPassed
              Blocked or passed messages that contain bad mail headers
              (ccatmajor: BAD-HEADER).

       OversizedBlocked
       OversizedPassed
              Blocked or passed messages that were considered oversized
              (Amavis ccatmajor: OVERSIZED).

       MtaBlocked
       MtaPassed
              Blocked or passed messages due to failure to re-inject to MTA
              (Amavis ccatmajor: MTA-BLOCKED). Occurrences of this event
              indicate a configuration problem. [ note: I don't believe
              mtapassed occurs, but exists for completeness.]

       OtherBlocked
       OtherPassed
              Blocked or passed messages that are not any of other major
              contents categories (Amavis ccatmajor: OTHER).

       TempFailBlocked
       TempfailPassed
              Blocked or passed messages that had a temporary failure
              (Amavis ccatmajor: TEMPFAIL).

       CleanBlocked
       CleanPassed
              Messages blocked or passed which were considered clean (Amavis
              ccatmajor: CLEAN; i.e. non-spam, non-viral).

       Other sections, arranged alphabetically:

       AvConnectFailure
              Problems connecting to Anti-Virus scanner(s).

       AvTimeout
              Timeouts awaiting responses from Anti-Virus scanner(s).

       ArchiveExtract
              Archive extraction problems.

       BadHeaderSupp
              Supplemental debug information regarding messages containing
              bad mail headers.

       Bayes  Message frequencies by Bayesian probability buckets.

       BadAddress
              Invalid mail address syntax.

       Blacklisted
              Messages that were (soft-)blacklisted. See also Whitelisted
              below.

       BounceKilled
       BounceRescued
       BounceUnverifiable
              Disposition of incoming bounce messages (DSNs).

       ContentType
              MIME attachment breakdown by type/subtype.

       DccError
              Errors encountered with or returned by DCC.

       DefangError
              Errors encountered during defang process.

       Defanged
              Messages defanged (rendered harmless).

       DsnNotification
              Errors encountered during attempt to send delivery status
              notification.

       DsnSuppressed
              Delivery status notification (DSN) intentionally suppressed.

       ExtraModules
              Additional code modules Amavis loaded during runtime.

       FakeSender
              Forged sender addresses, as determined by Amavis.

       Fatal  Fatal events. These are presented at the top of the report, as
              they may require attention.

       LocalDeliverySkipped
              Failures delivering to a local address.

       MalwareByScanner
              Breakdown of malware by scanner(s) that detected the malware.

       MimeError
              Errors encountered during MIME extraction.

       Panic  Panic events. These are presented at the top of the report, as
              they may require attention.

       p0f    Passive fingerprint (p0f) hits, grouped by mail contents type
              (virus, unchecked, banned, spam, ham), next by operating
              system genre, and finally by IP address. Note: Windows systems
              are refined by Windows OS version, whereas versions of other
              operating systems are grouped generically.

       Released
              Messages that were released from Amavis quarantine.

       SADiags
              Diagnostics as reported from SpamAssassin.

       SmtpResponse
              SMTP responses received during dialog with MTA. These log
              entries are primarily debug.

       TmpPreserved
              Temporary directories preserved by Amavis when some component
              encounters a problem or failure. Directories listed and their
              corresponding log entries should be evaluated for problems.

       VirusScanSkipped
              Messages that could not be scanned by a virus scanner.

       Warning
              Warning events not categorized in specific warnings below.
              These are presented at the top of the report, as they may
              require attention.

       WarningAddressModified
              Incomplete email addresses modified by Amavis for safety.

       WarningNoQuarantineId
              Attempts to release a quarantined message that did not contain
              an X-Quarantine-ID header.

       WarningSecurity levelspec
              Insecure configuration or utility used by Amavis.

       WarningSmtpShutdown
              Failures during SMTP conversation with MTA.

       WarningSql
              Failures to communicate with, or error replies from, SQL
              service.

       Whitelisted
              Messages that were (soft-)whitelisted. See also Blacklisted
              above.


LEVEL CONTROL

       The Detailed section of the report consists of a number of
       sub-sections, each of which is controlled both globally and
       independently. Two settings influence the output provided in the
       Detailed report: a global detail level (specified with --detail)
       which has final (big hammer) output-limiting control over the
       Detailed section, and sub-section specific detail settings (small
       hammer), which allow further limiting of the output for a
       sub-section. Each sub-section may be limited to a specific depth
       level, and each sub-level may be limited with top N or threshold
       limits. The levelspec argument to each of the level limiters listed
       above is used to accomplish this.

       It is probably best to continue explanation of sub-level limiting
       with the following well-known outline-style hierarchy, and some basic
       examples:

           level 0
              level 1
                 level 2
                    level 3
                       level 4
                       level 4
                 level 2
                    level 3
                       level 4
                       level 4
                       level 4
                    level 3
                       level 4
                    level 3
              level 1
                 level 2
                    level 3
                       level 4

       The simplest form of output limiting suppresses all output below a
       specified level. For example, a levelspec set to "2" shows only data
       in levels 0 through 2. Think of this as collapsing each sub-level 2
       item, thus hiding all inferior levels (3, 4, ...), to yield:

           level 0
              level 1
                 level 2
                 level 2
              level 1
                 level 2

       Sometimes the volume of output in a section is too great, and it is
       useful to suppress any data that does not exceed a certain threshold
       value. Consider a dictionary spam attack, which produces very lengthy
       lists of hit-once recipient email or IP addresses. Each sub-level in
       the hierarchy can be threshold-limited by setting the levelspec
       appropriately. Setting levelspec to the value "2::5" will suppress
       any data at level 2 that does not exceed a hit count of 5.

       Perhaps producing a top N list, such as top 10 senders, is desired. A
       levelspec of "3:10:" limits level 3 data to only the top 10 hits.

       With those simple examples out of the way, a levelspec is defined as
       a whitespace- or comma-separated list of one or more of the
       following:

       l      Specifies the maximum level to be output for this sub-section,
              with a range from 0 to 10. If l is 0, no levels will be
              output, effectively disabling the sub-section (level 0 data is
              already provided in the Summary report, so level 1 is
              considered the first useful level in the Detailed report).
              Higher values will produce output up to and including the
              specified level.

       l.n    Same as above, with the addition that n limits this section's
              level 1 output to the top n items. The value for n can be any
              integer greater than 1. (This form of limiting has less
              utility than the syntax shown below. It is provided for
              backwards compatibility; users are encouraged to use the
              syntax below).

       l:n:t  This triplet specifies level l, top n, and minimum threshold
              t. Each of the values is an integer, with l being the level
              limiter as described above, n being a top n limiter for the
              level l, and t being the threshold limiter for level l. When
              both n and t are specified, n has priority, allowing top n
              lists (regardless of threshold value). If the value of l is
              omitted, the specified values for n and/or t are used for all
              levels available in the sub-section. This permits a simple
              form of wildcarding (e.g. place minimum threshold limits on
              all levels). However, specific limiters always override
              wildcard limiters. The first form of level limiter may be
              included in levelspec to restrict output, regardless of how
              many triplets are present.

       All three forms of limiters are effective only when
       amavis-logwatch's detail level is 5 or greater (the Detailed section
       is not activated until detail is at least 5).

       See the EXAMPLES section for usage scenarios.

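       The levelspec rules above, modelled as an added Python example; it
       is not amavis-logwatch's own code. The names parse_levelspec and
       apply_levelspec, the (count, label, children) tree and the sample
       data are constructed for illustration. It assumes that a levelspec
       with no bare l leaves depth unlimited, and it sorts labels as plain
       strings rather than numerically by IP address.

```python
import re
from dataclasses import dataclass, field

MAX_LEVEL = 10  # the page gives 0..10 as the range of l


@dataclass
class LevelSpec:
    max_level: int = MAX_LEVEL  # assumption: no bare "l" means no depth limit
    per_level: dict = field(default_factory=dict)  # level -> (top_n, threshold)
    wildcard: tuple = (None, None)  # limits from a triplet with l omitted

    def limits(self, level):
        # Specific limiters always override wildcard limiters.
        return self.per_level.get(level, self.wildcard)


def _opt_int(text):
    return int(text) if text else None


def parse_levelspec(spec):
    """Parse a whitespace- or comma-separated levelspec string."""
    ls = LevelSpec()
    for tok in filter(None, re.split(r"[\s,]+", spec)):
        triplet = re.fullmatch(r"(\d*):(\d*):(\d*)", tok)
        legacy = re.fullmatch(r"(\d+)\.(\d+)", tok)
        if triplet:  # l:n:t, any field may be empty
            level, top_n, threshold = map(_opt_int, triplet.groups())
            if level is None:
                ls.wildcard = (top_n, threshold)
            else:
                ls.per_level[level] = (top_n, threshold)
        elif legacy:  # l.n: maximum level l, level 1 limited to top n
            ls.max_level = int(legacy.group(1))
            ls.per_level[1] = (int(legacy.group(2)), None)
        elif re.fullmatch(r"\d+", tok):  # bare l: maximum level
            ls.max_level = int(tok)
        else:
            raise ValueError(f"bad levelspec token: {tok!r}")
    if ls.max_level > MAX_LEVEL:
        raise ValueError("level must be in the range 0..10")
    return ls


def apply_levelspec(nodes, ls, level=1):
    """Filter a tree of (count, label, children); return [(level, count, label)]."""
    if level > ls.max_level:
        return []
    top_n, threshold = ls.limits(level)
    # Descending by count, then by label.
    ordered = sorted(nodes, key=lambda node: (-node[0], node[1]))
    if top_n is not None:
        ordered = ordered[:top_n]  # top n has priority over the threshold
    elif threshold is not None:
        ordered = [node for node in ordered if node[0] > threshold]
    rows = []
    for count, label, children in ordered:
        rows.append((level, count, label))
        rows.extend(apply_levelspec(children, ls, level + 1))
    return rows


def render(rows):
    """Lay the rows out with hit counts on the left, indented by level."""
    return "\n".join(f"{count:>8}   {'   ' * (level - 1)}{label}"
                     for level, count, label in rows)


# Constructed sample: recipient -> sending IP -> envelope sender.
SAMPLE = [
    (756, "joe@example.com", [
        (12, "10.0.0.1", [(12, "<>", [])]),
        (12, "10.99.99.99", [(12, "<>", [])]),
        (5, "192.168.2.1", [(3, "a@example.net", []), (2, "b@example.net", [])]),
    ]),
    (640, "fred@example.com", [
        (8, "10.0.0.1", [(8, "<>", [])]),
        (8, "192.168.3.19", [(8, "<>", [])]),
        (1, "192.168.9.9", [(1, "<>", [])]),
    ]),
    (3, "once@example.org", [(3, "10.1.1.1", [(3, "<>", [])])]),
]

if __name__ == "__main__":
    print(render(apply_levelspec(SAMPLE, parse_levelspec("1:4: 2:2: 3::6"))))
```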

CONFIGURATION FILE

       Amavis-logwatch can read configuration settings from a configuration
       file. Essentially, any command line option can be placed into a
       configuration file, and these settings are read upon startup.

       Because amavis-logwatch can run either standalone or within Logwatch,
       to minimize confusion, amavis-logwatch inherits Logwatch's
       configuration file syntax requirements and conventions. These are:

       •   White space lines are ignored.

       •   Lines beginning with # are ignored.

       •   Settings are of the form:

                   option = value

       •   Spaces or tabs on either side of the = character are ignored.

       •   Any value protected in double quotes will be case-preserved.

       •   All other content is reduced to lowercase (non-preserving, case
           insensitive).

       •   All amavis-logwatch configuration settings must be prefixed with
           "$amavis_" or amavis-logwatch will ignore them.

       •   When running under Logwatch, any values not prefixed with
           "$amavis_" are consumed by Logwatch; it only passes to
           amavis-logwatch (via environment variable) settings it considers
           valid.

       •   The values True and Yes are converted to 1, and False and No are
           converted to 0.

       •   Order of settings is not preserved within a configuration file
           (since settings are passed by Logwatch via environment variables,
           which have no defined order).

       To include a command line option in a configuration file, prefix the
       command line option name with the word "$amavis_". The following
       configuration file setting and command line option are equivalent:

               $amavis_Line_Style = Truncate

               --line_style Truncate

       Level limiters are also prefixed with $amavis_, but on the command
       line are specified with the --limit option:

               $amavis_SpamBlocked = 2

               --limit SpamBlocked=2

       The order of command line options and configuration file processing
       occurs as follows: 1) The default configuration file is read if it
       exists and no --config_file was specified on a command line. 2)
       Configuration files are read and processed in the order found on the
       command line. 3) Command line options override any options already
       set either via command line or from any configuration file.

       Command line options are interpreted when they are seen on the
       command line, and later options will override previously set options.

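       The syntax rules above, applied to a constructed configuration file
       and mapped to the equivalent command line arguments. This is an
       added Python example, not amavis-logwatch or Logwatch code; the
       names parse_config and to_argv are hypothetical, LIMITERS holds only
       a few of the limiter names from this page, and it assumes that the
       surrounding double quotes are dropped and that only unquoted values
       get the True/Yes/False/No conversion.

```python
import re

PREFIX = "$amavis_"
# A few of the level limiter names listed on this page, lowercased.
LIMITERS = {"spamblocked", "spampassed", "malwareblocked", "cleanpassed"}
BOOLEANS = {"true": "1", "yes": "1", "false": "0", "no": "0"}

# Constructed sample configuration file.
SAMPLE_CONFIG = """\
# amavis-logwatch settings
$amavis_Line_Style = Truncate

$amavis_SpamBlocked	=	"1:4: 2:2: 3::6"
$amavis_Show_Sect_Vars = Yes
Detail = High
$amavis_Syslog_Name = "(?:amavis|Amavisd-New)"
"""


def parse_config(text):
    """Return {option: value} for the $amavis_ settings in text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # white space lines and comments are ignored
        name, sep, value = line.partition("=")
        # Spaces or tabs on either side of "=" are ignored.
        name, value = name.strip().lower(), value.strip()
        if not sep or not name.startswith(PREFIX):
            continue  # not prefixed with $amavis_: ignored here
        quoted = re.fullmatch(r'"(.*)"', value)
        if quoted:
            value = quoted.group(1)  # double-quoted: case is preserved
        else:
            value = value.lower()  # everything else is lowercased
            value = BOOLEANS.get(value, value)
        settings[name[len(PREFIX):]] = value
    return settings


def to_argv(settings):
    """Map parsed settings to equivalent command line arguments."""
    argv = []
    # Order within a configuration file is not preserved, so sort by name.
    for name in sorted(settings):
        if name in LIMITERS:
            argv += ["--limit", f"{name}={settings[name]}"]
        else:
            argv += [f"--{name}", settings[name]]
    return argv


if __name__ == "__main__":
    print(to_argv(parse_config(SAMPLE_CONFIG)))
```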

EXIT STATUS

       The amavis-logwatch utility exits with a status code of 0, unless an
       error occurred, in which case a non-zero exit status is returned.


EXAMPLES

   Running Standalone
       Note: amavis-logwatch reads its log data from one or more named Amavis
       log files, or from STDIN.  For brevity, where required, the examples
       below use the word file as the command line argument meaning
       /path/to/amavis.log.  Obviously you will need to substitute file with
       the appropriate path.

       To run amavis-logwatch in standalone mode, simply run:

           amavis-logwatch file

       A complete list of options and basic usage is available via:

           amavis-logwatch --help

       To print a summary-only report of Amavis log data:

           amavis-logwatch --detail 1 file

       To produce a summary report and a one-level detail report for May 25th:

           grep 'May 25' file | amavis-logwatch --detail 5

       To produce only a top 10 list of Sent email domains, the summary report
       and detailed reports are first disabled.  Since command line options
       are read and enabled left-to-right, the Sent section is re-enabled to
       level 1 with a level 1 top 10 limiter:

           amavis-logwatch --nosummary --nodetail \
              --limit spamblocked '1 1:10:' file

       The following command and its sample output show a more complex level
       limiter example.  The command gives the top 4 spam blocked recipients
       (level 1), and under each recipient the top 2 sending IPs (level 2)
       and finally below that, only envelope from addresses (level 3) with
       hit counts greater than 6.  Ellipses indicate top N or
       threshold-limited data:

           amavis-logwatch --nosummary --nodetail \
                   --limit spamblocked '1:4: 2:2: 3::6' file

           19346   Spam blocked -----------------------------------
             756      joe@example.com
              12         10.0.0.1
              12            <>
              12         10.99.99.99
              12            <>
                     ...
             640      fred@example.com
               8         10.0.0.1
               8            <>
               8         192.168.3.19
               8            <>
                     ...
             595      peter@sample.net
               8         10.0.0.1
               8            <>
               7         192.168.3.3
               7            <>
                     ...
             547      paul@example.us
               8         192.168.3.19
               8            <>
               7         10.0.0.1
               7            <>
                      ...
                   ...

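       The level limiter above, modelled as an added Python example (not
       amavis-logwatch's own code): it parses level:topN:threshold triplets as
       this page's example reads them and applies them to a constructed count
       tree.  The function names and sample data are assumptions, and a bare
       level token such as the "1" in '1 1:10:' is not handled.

```python
def parse_limiter(spec):
    """Parse 'level:topN:threshold' triplets such as '1:4: 2:2: 3::6' into
    {level: (top_n, threshold)}; an empty field means no limit (None)."""
    limits = {}
    for token in spec.split():
        fields = token.split(":")
        if len(fields) != 3 or not fields[0].isdigit():
            raise ValueError(f"not a level:topN:threshold triplet: {token!r}")
        if any(f and not f.isdigit() for f in fields[1:]):
            raise ValueError(f"non-numeric limit in {token!r}")
        top_n, threshold = (int(f) if f else None for f in fields[1:])
        limits[int(fields[0])] = (top_n, threshold)
    return limits


def limit_tree(tree, limits, level=1):
    """Apply the limits to {key: (count, subtree)}.

    Returns (level, count, key) rows in report order, plus a
    (level, None, "...") row wherever entries were cut at that level.
    """
    top_n, threshold = limits.get(level, (None, None))
    ranked = sorted(tree.items(), key=lambda item: -item[1][0])
    # The page describes the threshold as "hit counts greater than" the value.
    kept = [item for item in ranked if threshold is None or item[1][0] > threshold]
    if top_n is not None:
        kept = kept[:top_n]
    rows = []
    for key, (count, subtree) in kept:
        rows.append((level, count, key))
        rows.extend(limit_tree(subtree, limits, level + 1))
    if len(kept) < len(ranked):
        rows.append((level, None, "..."))
    return rows


# Constructed sample: recipient -> sending IP -> envelope sender, with hit counts.
SAMPLE = {
    "fred@example.com": (640, {"10.0.0.1": (8, {"<>": (8, {})})}),
    "joe@example.com": (756, {
        "10.0.0.1": (12, {"<>": (12, {})}),
        "10.99.99.99": (12, {"<>": (9, {}), "x@example.net": (3, {})}),
        "192.168.3.3": (5, {"<>": (5, {})}),
    }),
}

if __name__ == "__main__":
    for level, count, key in limit_tree(SAMPLE, parse_limiter("1:1: 2:2: 3::6")):
        print("   " * level + (f"{count:>6}  {key}" if count is not None else key))
```
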
   Running within Logwatch
       Note: Logwatch versions prior to 7.3.6, unless configured otherwise,
       required the --print option to print to STDOUT instead of sending
       reports via email.  Since version 7.3.6, STDOUT is the default output
       destination, and the --print option has been replaced by --output
       stdout.  Check your configuration to determine where report output will
       be directed, and add the appropriate option to the commands below.

       To print a summary report for today's Amavis log data:

           logwatch --service amavis --range today --detail 1

       To print a report for today's Amavis log data, with one level
       of detail in the Detailed section:

           logwatch --service amavis --range today --detail 5

       To print a report for yesterday, with two levels of detail in the
       Detailed section:

           logwatch --service amavis --range yesterday --detail 6

       To print a report from Dec 12th through Dec 14th, with four levels of
       detail in the Detailed section:

           logwatch --service amavis --range \
                   'between 12/12 and 12/14' --detail 8

       To print a report for today, with all levels of detail:

           logwatch --service amavis --range today --detail 10

       Same as above, but leaves long lines uncropped:

           logwatch --service amavis --range today --detail 11

   Amavis Log Level
       Amavis provides additional log information when the variable $log_level
       is increased above the default 0 value.  This information is used by
       the amavis-logwatch utility to provide additional reports, not
       available with the default $log_level=0 value.  A $log_level of 2 is
       suggested.

       If you prefer not to increase the noise level in your main mail or
       Amavis logs, you can configure syslog to log Amavis' output to multiple
       log files, where basic log entries are routed to your main mail log(s)
       and more detailed entries routed to an Amavis-specific log file used to
       feed the amavis-logwatch utility.

       A convenient way to accomplish this is to change the Amavis
       configuration variables in amavisd.conf as shown below:

           amavisd.conf:
               $log_level = 2;
               $syslog_facility = 'local5';
               $syslog_priority = 'debug';

       This increases $log_level to 2, and sends Amavis' log entries to an
       alternate syslog facility (e.g. local5, user), which can then be routed
       to one or more log files, including your main mail log file:

           syslog.conf:
               #mail.info                         -/var/log/maillog
               mail.info;local5.notice            -/var/log/maillog

               local5.info                        -/var/log/amavisd-info.log

       Amavis' typical $log_level 0 messages will be directed to both your
       maillog and to the amavisd-info.log file, but higher $log_level
       messages will only be routed to the amavisd-info.log file.  For
       additional information on Amavis' logging, search the file
       RELEASE_NOTES in the Amavis distribution for:

           "syslog priorities are now dynamically derived"
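       The routing described above, checked with an added Python example (not
       part of amavis-logwatch or Amavis): it evaluates the page's syslog.conf
       selectors for messages at each priority.  The $log_level to priority
       mapping is an assumption chosen to match the behaviour the page
       describes, and only plain facility.priority selectors are handled.

```python
# Syslog priorities from most to least severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The syslog.conf fragment from this page.
SYSLOG_CONF = """\
#mail.info                         -/var/log/maillog
mail.info;local5.notice            -/var/log/maillog

local5.info                        -/var/log/amavisd-info.log
"""

# Assumption: Amavis logs $log_level 0 messages at "notice" and level 1-2
# messages at "info", which matches the routing the page describes.
AMAVIS_PRIORITY = {0: "notice", 1: "info", 2: "info"}


def parse_rules(conf_text):
    """Parse 'selector[;selector...] action' lines into [(selectors, path)]."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector_field, action = line.split()
        selectors = [tuple(s.split(".", 1)) for s in selector_field.split(";")]
        rules.append((selectors, action.lstrip("-")))  # "-" = no sync per write
    return rules


def route(facility, priority, rules):
    """Return the files a message reaches: a 'facility.priority' selector
    matches that facility at the named priority or any more severe one."""
    rank = PRIORITIES.index(priority)
    return [path for selectors, path in rules
            if any(fac == facility and rank <= PRIORITIES.index(pri)
                   for fac, pri in selectors)]


def amavis_destinations(log_level, rules, facility="local5"):
    """Files that receive an Amavis message logged at the given $log_level."""
    return route(facility, AMAVIS_PRIORITY[log_level], rules)


if __name__ == "__main__":
    rules = parse_rules(SYSLOG_CONF)
    for level in sorted(AMAVIS_PRIORITY):
        print(level, amavis_destinations(level, rules))
```
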

ENVIRONMENT

       The amavis-logwatch program uses the following (automatically set)
       environment variables when running under Logwatch:

       LOGWATCH_DETAIL_LEVEL
              This is the detail level specified with the Logwatch command
              line argument --detail or the Detail setting in the
              ...conf/services/amavis.conf configuration file.

       LOGWATCH_DEBUG
              This is the debug level specified with the Logwatch command line
              argument --debug.

       amavis_xxx
              The Logwatch program passes all settings amavis_xxx in the
              configuration file ...conf/services/amavis.conf to the amavis
              filter (which is actually named .../scripts/services/amavis) via
              environment variable.

FILES

   Standalone mode
       /usr/local/bin/amavis-logwatch
              The amavis-logwatch program

       /usr/local/etc/amavis-logwatch.conf
              The amavis-logwatch configuration file in standalone mode

   Logwatch mode
       /etc/logwatch/scripts/services/amavis
              The Logwatch amavis filter

       /etc/logwatch/conf/services/amavis.conf
              The Logwatch amavis filter configuration file

SEE ALSO

       logwatch(8), system log analyzer and reporter

README FILES

       README, an overview of amavis-logwatch
       Changes, the version change list history
       Bugs, a list of the current bugs or other inadequacies
       Makefile, the rudimentary installer
       LICENSE, the usage and redistribution licensing terms

LICENSE

       Covered under the included MIT/X-Consortium License:
       http://www.opensource.org/licenses/mit-license.php

AUTHOR(S)

       Mike Cappella

       The original amavis Logwatch filter was written by Jim O'Halloran, and
       has had many contributors over the years.  They are entirely not
       responsible for any errors, problems or failures since the current
       author's hands have touched the source code.

                                                            AMAVIS-LOGWATCH(1)