POSTFIX-LOGWATCH(1)        General Commands Manual        POSTFIX-LOGWATCH(1)

postfix-logwatch - A Postfix log parser and analysis utility

postfix-logwatch [options] [logfile ...]

The postfix-logwatch(1) utility is a Postfix MTA log parser that
produces summaries, details, and statistics regarding the operation of
Postfix.

This utility can be used as a standalone program, or as a Logwatch
filter module to produce Postfix summary and detailed reports from
within Logwatch.

Postfix-logwatch is able to produce a wide range of reports with data
grouped and sorted as much as possible to reduce noise and highlight
patterns. Brief summary reports provide a quick overview of general
Postfix operations and message delivery, calling out warnings that may
require attention. Detailed reports provide easy to scan,
hierarchically-arranged and organized information, with as much or
little detail as desired.

Postfix-logwatch outputs two principal sections: a Summary section and
a Detailed section. For readability and quick scanning, all event or
hit counts appear in the left column, followed by a brief description
of the event type, and finally additional statistics or count
representations may appear in the rightmost column.

The following segment from a sample Summary report illustrates:

    ****** Summary ********************************************

          81   *Warning: Connection rate limit reached (anvil)
         146   Warned

     68.310M   Bytes accepted                        71,628,177
     97.645M   Bytes delivered                      102,388,245
    ========   ================================================

        3464   Accepted                                  41.44%
        4895   Rejected                                  58.56%
    --------   ------------------------------------------------
        8359   Total                                    100.00%
    ========   ================================================

The report warns that anvil's connection rate was hit 81 times, a
Postfix access check WARN action was logged 146 times, and a total of
68.310 megabytes (71,628,177 bytes) were accepted into the Postfix
system, delivering 97.645 megabytes of data (due to multiple
recipients). The Accepted and Rejected lines show that Postfix accepted
3464 (41.44% of the total messages) and rejected 4895 (the remaining
58.56%) of the 8359 total messages (temporary rejects show up
elsewhere).

There are dozens of sub-sections available in the Detailed report, each
of whose output can be controlled in various ways. Each sub-section
attempts to group and present the most meaningful data at superior
levels, while pushing less useful or noisy data towards inferior
levels. The goal is to provide as much benefit as possible from smart
grouping of data, to allow faster report scanning, pattern
identification, and problem solving. Data is always sorted in
descending order by count, and then numerically by IP address or
alphabetically as appropriate.

The following MX errors segment from a sample Detailed report
illustrates the basic hierarchical level structure of postfix-logwatch:

    ****** Detailed *******************************************

       261   MX errors --------------------------------------
       261      Unable to look up MX host
       222         Host not found
        73            foolishspammer.local
        60            completely.bogus.domain.example
        11            friend.example.com
        39         No address associated with hostname
        23            dummymx.sample.net
        16            pushn.spam.sample.com

The postfix-logwatch utility reads from STDIN or from the named Postfix
logfile. Multiple logfile arguments may be specified, each processed
in order. The user running postfix-logwatch must have read permission
on each named log file.

Options
The options listed below affect the operation of postfix-logwatch.
Options specified later on the command line override earlier ones. Any
option may be abbreviated to an unambiguous length.

-f config_file
--config_file config_file
    Use an alternate configuration file config_file instead of the
    default. This option may be used more than once. Multiple
    configuration files will be processed in the order presented on the
    command line. See CONFIGURATION FILE below.

--debug keywords
    Output debug information during the operation of postfix-logwatch.
    The parameter keywords is one or more comma or space separated
    keywords. To obtain the list of valid keywords, use --debug xxx
    where xxx is any invalid keyword.

--[no]delays
    Enables (disables) output of the message delays percentiles report.
    The delays percentiles report shows percentiles for each of the 4
    delivery latency times reported by Postfix (available in version
    2.3 and later) in the form delays=a/b/c/d, where a is the amount of
    time before the active queue (includes time for previous delivery
    attempts and time in the deferred queue), b is the amount of time
    in the active queue up to delivery agent handoff, c is the amount
    of time spent making connections (including DNS, HELO and TLS) and
    d is the amount of time spent delivering the message. The total
    delay shown comes from the delay= field in a message delivery log
    line.

    Note: This report may consume a large amount of memory; if you have
    no use for it, disable the delays report.

--delays_percentiles p1 [p2 ...]
    Specifies the percentiles to be used in the message delays
    percentiles report. The percentiles p1, p2, ... range from 0 to
    100, inclusively. The order of the list is not sorted - the report
    will output the percentiles columns in the order you specify.

--detail level
    Sets the maximum detail level for postfix-logwatch to level. This
    option is global, overriding any other output limiters described
    below.

    The postfix-logwatch utility produces a Summary section, a Detailed
    section, and additional report sections. With level less than 5,
    postfix-logwatch will produce only the Summary section. At level 5
    and above, the Detailed section, and any additional report sections
    are candidates for output. Each incremental increase in level
    generates one additional hierarchical sub-level of output in the
    Detailed section of the report. At level 10, all levels are output.
    Lines that exceed the maximum report width (specified with
    max_report_width) will be cut. Setting level to 11 will prevent
    lines in the report from being cut (see also --line_style).

--help
    Print usage information and a brief description about command line
    options.

--ignore_service pattern
    Ignore log lines that contain the postfix service name
    postfix/service, where service is matched by the regular expression
    pattern.

    Note: if you use parentheses in your regular expression, be sure
    they are cloistering and not capturing: use (?:pattern) instead of
    (pattern).

--ipaddr_width width
    Specifies that IP addresses in address/hostname pairs should be
    printed with a field width of width characters. Increasing the
    default may be useful for systems using long IPv6 addresses.

-l limiter=levelspec
--limit limiter=levelspec
    Sets the level limiter limiter with the specification levelspec.

--line_style style
    Specifies how to handle long report lines. Three styles are
    available: full, truncate, and wrap. Setting style to full will
    prevent cutting lines to max_report_width; this is what occurs when
    detail is 11 or higher. When style is truncate (the default), long
    lines will be truncated according to max_report_width. Setting
    style to wrap will wrap lines longer than max_report_width such
    that left column hit counts are not obscured. This option takes
    precedence over the line style implied by the detail level. The
    options --full, --truncate, and --wrap are synonyms.

--[no]long_queue_ids
    Enables (disables) interpretation of long queue IDs in Postfix
    (>= 2.9) logs.

--nodetail
    Disables the Detailed section of the report, and all supplemental
    reports. This option provides a convenient mechanism to quickly
    disable all sections under the Detailed report, where subsequent
    command line options may re-enable one or more sections to create
    specific reports.

--[no]summary
--show_summary
    Enables (disables) displaying of the Summary section of the report.
    The variable postfix_Show_Summary is used in a configuration file.

--recipient_delimiter delimiter
    Split email delivery addresses using the recipient delimiter
    character delimiter. This should generally match the
    recipient_delimiter specified in the Postfix parameter file
    main.cf, or the default value indicated in postconf -d
    recipient_delimiter. This is very useful for obtaining per-alias
    statistics when a recipient delimiter is used for mail delivery.

--reject_reply_patterns r1 [r2 ...]
    Specifies the list of reject reply patterns used to create reject
    groups. Each entry in the list r1 [r2 ...] must be either a three
    character regular expression reply code of the form
    [45][0-9.][0-9.], or the word "Warn". The "." in the regular
    expression is a literal dot which matches any reject reply
    sub-code; this wildcarding allows creation of broad reject groups.
    List order is preserved, in that reject reports will be output in
    the same order as the entries in the list. Specific reject reply
    codes will take priority over wildcard patterns, regardless of the
    list order.

    The default list is "5.. 4.. Warn", which creates three groups of
    rejects: permanent rejects, temporary reject failures, and reject
    warnings (as in warn_if_reject).

    This feature allows, for example, distinguishing 421 transmission
    channel closures from 45x errors (e.g. 450 mailbox unavailable, 451
    local processing errors, 452 insufficient storage). Such a grouping
    would be configured with the list: "421 4.. 5.. Warn". See RFC 2821
    for more information about reply codes.

    See also CONFIGURATION FILE regarding using reject_reply_patterns
    within a configuration file.

--[no]sect_vars
--show_sect_vars boolean
    Enables (disables) supplementing each Detailed section title with
    the name of that section's level limiter. The name displayed is the
    command line option (or configuration file variable) used to limit
    that section's output. With the large number of level limiters
    available in postfix-logwatch, this is a convenient mechanism for
    determining exactly which level limiter affects a section.

--syslog_name namepat
    Specifies the syslog service name that postfix-logwatch uses to
    match syslog lines. Only log lines whose service name matches the
    perl regular expression namepat will be used by postfix-logwatch;
    all non-matching lines are silently ignored. This is useful when a
    pre-installed Postfix package uses a name other than the default
    (postfix), or when multiple Postfix instances are in use and
    per-instance reporting is desired.

    The pattern namepat should match the syslog_name configuration
    parameter specified in the Postfix parameter file main.cf, the
    master control file master.cf, or the default value as indicated by
    the output of postconf -d syslog_name.

    Note: if you use parentheses in your regular expression, be sure
    they are cloistering and not capturing: use (?:pattern) instead of
    (pattern).

--[no]unknown
--show_unknown boolean
    Enables (disables) display of the postfix-generated name of
    'unknown' in formatted IP/hostname pairs in Detailed reports.
    Default: enabled.

--version
    Print postfix-logwatch version information.

Level Limiters
The output of every section in the Detailed report is controlled by a
level limiter. The name of the level limiter variable will be output
when the sect_vars option is set. Level limiters are set either via
command line in standalone mode with the --limit limiter=levelspec
option, or via configuration file variable $postfix_limiter=levelspec.
Each limiter requires a levelspec argument, which is described below in
LEVEL CONTROL.

The list of level limiters is shown below.

There are several level limiters that control reject sub-sections (e.g.
rejectbody, rejectsender, etc.). Because the list of reject variants is
not known until runtime after reject_reply_patterns is seen, these
reject limiters are shown below generically, with the prefix ###. To
use one of these reject limiters, substitute ### with one of the reject
reply codes in effect, replacing each dot with an x character. For
example, using the default reject_reply_patterns list of "5.. 4..
Warn", three rejectbody variants are valid: --limit 5xxrejectbody,
--limit 4xxrejectbody and --limit warnrejectbody. As a convenience, you
may entirely eliminate the ### prefix, and instead use the bare
rejectXXX option, and all reject level limiter variations will be
auto-generated based on the reject_reply_patterns list. For example,
the command line segment:

    ... --reject_reply_patterns "421 5.." \
        --limit rejectrbl="1:10:"

would automatically become:

    ... --reject_reply_patterns "421 5.." \
        --limit 421rejectrbl="1:10:" --limit 5xxrejectrbl="1:10:"

See reject_reply_patterns above, and comments in the configuration file
postfix-logwatch.conf.

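The grouping and limiter-naming rules for reject_reply_patterns described above, as an added Python example (not postfix-logwatch's own Perl code). The function names, the constructed sample events and the way a warn_if_reject hit is flagged are assumptions made for illustration.

```python
import re

# One entry of reject_reply_patterns: a 3-character reply-code pattern or "Warn".
ENTRY_RE = re.compile(r"[45][0-9.][0-9.]|warn", re.IGNORECASE)


def parse_patterns(spec):
    """Split a reject_reply_patterns list, validating entries and keeping order."""
    patterns = spec.split()
    for p in patterns:
        if not ENTRY_RE.fullmatch(p):
            raise ValueError(f"invalid reject reply pattern: {p!r}")
    return patterns


def limiter_prefix(pattern):
    """'5..' -> '5xx', '421' -> '421', 'Warn' -> 'warn' (the ### in ###RejectRbl)."""
    return pattern.lower().replace(".", "x")


def classify(reply_code, patterns, warning=False):
    """Return the pattern whose reject group a reply code belongs to, or None.

    A "." stands for any digit. The entry with the fewest wildcards wins, so a
    specific code such as 421 beats 4.. wherever it sits in the list.
    `warning` marks a warn_if_reject hit (assumption: the caller detects it).
    """
    if warning:
        return next((p for p in patterns if p.lower() == "warn"), None)
    matches = [
        p for p in patterns
        if p.lower() != "warn"
        and len(reply_code) == 3
        and all(pc in (".", c) for pc, c in zip(p, reply_code))
    ]
    return min(matches, key=lambda p: p.count("."), default=None)


def group_counts(events, patterns):
    """Tally (reply_code, is_warning) events per group, in list order."""
    counts = {p: 0 for p in patterns}
    for code, is_warning in events:
        group = classify(code, patterns, is_warning)
        if group is not None:  # codes matching no pattern are not reported
            counts[group] += 1
    return list(counts.items())


def expand_limiter(name, levelspec, patterns):
    """Expand a bare rejectXXX limiter into one limiter per pattern in effect."""
    name = name.lower()
    if not name.startswith("reject"):
        return [(name, levelspec)]  # already prefixed, or not a reject limiter
    return [(limiter_prefix(p) + name, levelspec) for p in patterns]


# Constructed sample: (SMTP reply code, logged as a warn_if_reject hit?)
SAMPLE_EVENTS = [("421", False), ("450", False), ("554", False),
                 ("421", False), ("451", False), ("550", True)]

if __name__ == "__main__":
    pats = parse_patterns("421 4.. 5.. Warn")
    for pattern, count in group_counts(SAMPLE_EVENTS, pats):
        print(f"{count:>6}   {limiter_prefix(pattern)} rejects")
    for name, spec in expand_limiter("rejectrbl", "1:10:", parse_patterns("421 5..")):
        print(f"--limit {name}=\"{spec}\"")
```
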
[ THIS SECTION IS NOT YET COMPLETE ]

AttrError
    Errors obtaining attribute data from service.
BCCed
    Messages that triggered access, header_checks or body_checks BCC
    action. (postfix 2.6 experimental branch)
BounceLocal
BounceRemote
    Local and remote bounces. A bounce is considered a local bounce if
    the relay was one of none, local, virtual, avcheck, maildrop or
    127.0.0.1.
ByIpRejects
    Regrouping by client host IP address of all 5xx (permanent) reject
    variants.
CommunicationError
    Postfix errors talking to one of its services.
Anvil
    Anvil rate or concurrency limits.
ConnectionInbound
    Connections made to the smtpd server.
ConnectionLostInbound
    Connections lost to the smtpd server.
ConnectionLostOutbound
    Connections lost during smtp communications with remote MTA.
ConnectToFailure
    Failures reported by smtp when connecting to remote MTA.
DatabaseGeneration
    Warnings noted when binary database map file requires postmap
    update from newer source file.
Deferrals
Deferred
    Message delivery deferrals. A single deferred message will have
    one or more deferrals.
Deliverable
    Address verification indicates recipient address is deliverable.
Delivered
    Number of messages handed-off to a delivery agent such as local or
    virtual.
Discarded
    Messages that triggered access, header_checks or body_checks
    DISCARD action.
DNSError
    Any one of several errors encountered during DNS lookups.
EnvelopeSenderDomains
    List of sending domains. (2 levels: envelope sender domain,
    localpart)
EnvelopeSenders
    List of envelope senders. (1 level: envelope sender)
Error
    Postfix general error messages.
FatalConfigError
    Fatal main.cf or master.cf configuration errors.
FatalError
    Postfix general fatal messages.
Filtered
    Messages that triggered access, header_checks or body_checks FILTER
    action.
Forwarded
    Messages forwarded by MDA for one address class to another (e.g.
    local -> virtual).
HeloError
    XXXXXXXXXXX
Hold
    Messages that were placed on hold by postsuper, or triggered by
    access, header_checks or body_checks HOLD action.
HostnameValidationError
    Invalid hostname detected.
HostnameVerification
    Lookup of hostname does not map back to the IP of the peer (i.e.
    the remote system connecting to smtpd). Also known as
    forward-confirmed reverse DNS (FCRDNS). When the reverse name has
    no DNS entry, the message "host not found, try again" is included;
    otherwise, it is not (e.g. when the reverse has some IP address,
    but not the one Postfix expects).
IllegalAddrSyntax
    Illegal syntax in an email address provided during the MAIL FROM or
    RCPT TO dialog.
LdapError
    Any LDAP errors during LDAP lookup.
MailerLoop
    An MX lookup for the best mailer to use to deliver mail would
    result in sending to ourselves.
MapProblem
    Problem with an access table map that needs correcting.
MessageWriteError
    Postfix encountered an error when trying to create a message file
    somewhere in the spool directory.
NumericHostname
    A hostname was found that was numeric, instead of alphabetic.
PanicError
    Postfix general panic messages.
PixWorkaround
    Workarounds were enabled to avoid remote Cisco PIX SMTP "fixups".
PolicydWeight
    Summarization of policyweight/policydweight results.
PolicySpf
    Summarization of PolicySPF results.
Postgrey
    Summarization of Postgrey results.
Postscreen
    Summarization of 2.7's postscreen and verify services.
DNSBLog
    Summarization of 2.7's dnsblog service.
Prepended
    Messages that triggered header_checks or body_checks PREPEND
    action.
ProcessExit
    Postfix services that exited unexpectedly.
ProcessLimit
    A Postfix service has reached or exceeded the maximum number of
    processes allowed.
QueueWriteError
    Problems writing a Postfix queue file.
RblError
    Lookup errors for RBLs.
Redirected
    Messages that triggered access, header_checks or body_checks
    REDIRECT action.
###RejectBody
    Messages that triggered body_checks REJECT action.
###RejectClient
    Messages rejected by client access controls
    (smtpd_client_restrictions).
###RejectConfigError
    Message rejected due to server configuration errors.
###RejectContent
    Messages rejected by message_reject_characters.
###RejectData
    Messages rejected at DATA stage in SMTP conversation
    (smtpd_data_restrictions).
###RejectEtrn
    Messages rejected at ETRN stage in SMTP conversation
    (smtpd_etrn_restrictions).
###RejectHeader
    Messages that triggered header_checks REJECT action.
###RejectHelo
    Messages rejected at HELO/EHLO stage in SMTP conversation
    (smtpd_helo_restrictions).
###RejectInsufficientSpace
    Messages rejected due to insufficient storage space.
###RejectLookupFailure
    Messages rejected due to temporary DNS lookup failures.
###RejectMilter
    Milter rejects. No reject reply code is available for these
    rejects, but an extended 5.7.1 DSN is provided. These rejects are
    forced into the generic 5xx rejects group. If you redefine
    reject_reply_patterns such that it does not contain the pattern
    5.., milter rejects will not be output.
###RejectRbl
    Messages rejected by an RBL hit.
###RejectRecip
    Messages rejected by recipient access controls
    (smtpd_recipient_restrictions).
###RejectRelay
    Messages rejected by relay access controls.
###RejectSender
    Messages rejected by sender access controls
    (smtpd_sender_restrictions).
###RejectSize
    Messages rejected due to excessive message size.
###RejectUnknownClient
    Messages rejected by unknown client access controls.
###RejectUnknownReverseClient
    Messages rejected by unknown reverse client access controls.
###RejectUnknownUser
    Messages rejected by unknown user access controls.
###RejectUnverifiedClient
    Messages rejected by unverified client access controls.
###RejectVerify
    Messages rejected due to address verification failures.
Replaced
    Messages that triggered header_checks or body_checks REPLACE
    action.
ReturnedToSender
    Messages returned to sender due to exceeding queue lifetime
    (maximal_queue_lifetime).
SaslAuth
    SASL authentication successes, includes SASL method, username, and
    sender when present.
SaslAuthFail
    SASL authentication failures.
Sent
    Messages sent via the SMTP delivery agent.
SentLmtp
    Messages sent via the LMTP delivery agent.
SmtpConversationError
    Errors during the SMTP/ESMTP dialog.
SmtpProtocolViolation
    Protocol violation during the SMTP/ESMTP dialog.
StartupError
    Errors during Postfix server startup.
TimeoutInbound
    Connections to smtpd that timed out.
TlsClientConnect
    TLS client connections.
TlsOffered
    TLS communication offered.
TlsServerConnect
    TLS server connections.
TlsUnverified
    Unverified TLS connections.
Undeliverable
    Address verification indicates recipient address is undeliverable.
Warn
    Messages that triggered access, header_checks or body_checks WARN
    action.
WarnConfigError
    Warnings regarding Postfix configuration errors.
WarningsOther
    Postfix general warning messages.

LEVEL CONTROL
The Detailed section of the report consists of a number of
sub-sections, each of which is controlled both globally and
independently. Two settings influence the output provided in the
Detailed report: a global detail level (specified with --detail) which
has final (big hammer) output-limiting control over the Detailed
section, and sub-section specific detail settings (small hammer), which
allow further limiting of the output for a sub-section. Each
sub-section may be limited to a specific depth level, and each
sub-level may be limited with top N or threshold limits. The levelspec
argument to each of the level limiters listed above is used to
accomplish this.

It is probably best to continue explanation of sub-level limiting with
the following well-known outline-style hierarchy, and some basic
examples:

    level 0
       level 1
          level 2
             level 3
                level 4
                level 4
          level 2
             level 3
                level 4
                level 4
                level 4
             level 3
                level 4
             level 3
       level 1
          level 2
             level 3
                level 4

The simplest form of output limiting suppresses all output below a
specified level. For example, a levelspec set to "2" shows only data
in levels 0 through 2. Think of this as collapsing each sub-level 2
item, thus hiding all inferior levels (3, 4, ...), to yield:

    level 0
       level 1
          level 2
          level 2
       level 1
          level 2

Sometimes the volume of output in a section is too great, and it is
useful to suppress any data that does not exceed a certain threshold
value. Consider a dictionary spam attack, which produces very lengthy
lists of hit-once recipient email or IP addresses. Each sub-level in
the hierarchy can be threshold-limited by setting the levelspec
appropriately. Setting levelspec to the value "2::5" will suppress any
data at level 2 that does not exceed a hit count of 5.

Perhaps producing a top N list, such as top 10 senders, is desired. A
levelspec of "3:10:" limits level 3 data to only the top 10 hits.

With those simple examples out of the way, a levelspec is defined as a
whitespace- or comma-separated list of one or more of the following:

l
    Specifies the maximum level to be output for this sub-section, with
    a range from 0 to 10. If l is 0, no levels will be output,
    effectively disabling the sub-section (level 0 data is already
    provided in the Summary report, so level 1 is considered the first
    useful level in the Detailed report). Higher values will produce
    output up to and including the specified level.

l.n
    Same as above, with the addition that n limits this section's level
    1 output to the top n items. The value for n can be any integer
    greater than 1. (This form of limiting has less utility than the
    syntax shown below. It is provided for backwards compatibility;
    users are encouraged to use the syntax below).

l:n:t
    This triplet specifies level l, top n, and minimum threshold t.
    Each of the values is an integer, with l being the level limiter as
    described above, n being a top n limiter for the level l, and t
    being the threshold limiter for level l. When both n and t are
    specified, n has priority, allowing top n lists (regardless of
    threshold value). If the value of l is omitted, the specified
    values for n and/or t are used for all levels available in the
    sub-section. This permits a simple form of wildcarding (e.g. place
    minimum threshold limits on all levels). However, specific limiters
    always override wildcard limiters. The first form of level limiter
    may be included in levelspec to restrict output, regardless of how
    many triplets are present.

All three forms of limiters are effective only when postfix-logwatch's
detail level is 5 or greater (the Detailed section is not activated
until detail is at least 5).

See the EXAMPLES section for usage scenarios.

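One way to read a levelspec and apply it to a count hierarchy, as an added Python example rather than postfix-logwatch's own code. It assumes a default maximum level of 10 when no bare level is given and that triplets do not themselves limit depth; the function names and the sample data are constructed for illustration.

```python
import re

DEFAULT_MAX_LEVEL = 10  # assumption: show every level unless a bare level says otherwise


def parse_levelspec(spec):
    """Parse a levelspec into (max_level, {level or None: (top_n, threshold)}).

    Key None holds a wildcard triplet (level omitted), applied to any level
    that has no triplet of its own.
    """
    max_level, limits = DEFAULT_MAX_LEVEL, {}
    for token in filter(None, re.split(r"[,\s]+", spec)):
        if m := re.fullmatch(r"(\d+)(?:\.(\d+))?", token):      # "l" or "l.n"
            max_level = int(m.group(1))
            if m.group(2):
                limits[1] = (int(m.group(2)), None)             # top n at level 1
        elif m := re.fullmatch(r"(\d*):(\d*):(\d*)", token):     # "l:n:t"
            level, top_n, threshold = (int(g) if g else None for g in m.groups())
            limits[level] = (top_n, threshold)
        else:
            raise ValueError(f"bad levelspec token: {token!r}")
    if not 0 <= max_level <= 10:
        raise ValueError(f"level out of range 0-10: {max_level}")
    return max_level, limits


def render(tree, spec):
    """Apply a levelspec to [(count, label, children), ...]; return report lines."""
    max_level, limits = parse_levelspec(spec)
    lines = []

    def walk(items, level):
        if level > max_level or not items:
            return
        # Descending by count; ties broken alphabetically (a simplification).
        items = sorted(items, key=lambda item: (-item[0], item[1]))
        # A triplet for this exact level overrides a wildcard triplet.
        top_n, threshold = limits.get(level, limits.get(None, (None, None)))
        if top_n is not None:            # top n has priority over the threshold
            kept = items[:top_n]
        elif threshold is not None:      # keep only counts that exceed t
            kept = [item for item in items if item[0] > threshold]
        else:
            kept = items
        pad = "   " * level
        for count, label, children in kept:
            lines.append(f"{count:>6}{pad}{label}")   # counts stay in the left column
            walk(children, level + 1)
        if len(kept) < len(items):       # mark suppressed data with an ellipsis
            lines.append(f"{'':>6}{pad}...")

    walk(tree, 1)
    return lines


# Constructed sample shaped like a Reject RBL sub-section:
# level 1 is the RBL result, level 2 the client IP address.
SAMPLE = [
    (243, "zen.spamhaus.org=127.0.0.2", [
        (106, "10.0.0.129", []), (41, "192.168.10.70", []),
        (7, "192.168.3.44", []), (3, "192.168.7.7", []), (1, "10.9.9.9", []),
    ]),
    (48, "zen.spamhaus.org=127.0.0.4", [
        (17, "10.29.124.92", []), (2, "10.29.124.93", []),
    ]),
    (1, "zen.spamhaus.org=127.0.0.10", [(1, "10.3.3.3", [])]),
]

if __name__ == "__main__":
    # Depth 2, and level 2 limited to clients with more than 5 hits.
    print("\n".join(render(SAMPLE, "2 2::5")))
```
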
CONFIGURATION FILE
Postfix-logwatch can read configuration settings from a configuration
file. Essentially, any command line option can be placed into a
configuration file, and these settings are read upon startup.

Because postfix-logwatch can run either standalone or within Logwatch,
to minimize confusion, postfix-logwatch inherits Logwatch's
configuration file syntax requirements and conventions. These are:

• White space lines are ignored.

• Lines beginning with # are ignored.

• Settings are of the form:

      option = value

• Spaces or tabs on either side of the = character are ignored.

• Any value protected in double quotes will be case-preserved.

• All other content is reduced to lowercase (non-preserving, case
  insensitive).

• All postfix-logwatch configuration settings must be prefixed with
  "$postfix_" or postfix-logwatch will ignore them.

• When running under Logwatch, any values not prefixed with
  "$postfix_" are consumed by Logwatch; it only passes to
  postfix-logwatch (via environment variable) settings it considers
  valid.

• The values True and Yes are converted to 1, and False and No are
  converted to 0.

• Order of settings is not preserved within a configuration file
  (since settings are passed by Logwatch via environment variables,
  which have no defined order).

To include a command line option in a configuration file, prefix the
command line option name with the word "$postfix_". The following
configuration file setting and command line option are equivalent:

    $postfix_Line_Style = Truncate

    --line_style Truncate

Level limiters are also prefixed with $postfix_, but on the command
line are specified with the --limit option:

    $postfix_Sent = 2

    --limit Sent=2

The order of command line options and configuration file processing
occurs as follows: 1) The default configuration file is read if it
exists and no --config_file was specified on a command line. 2)
Configuration files are read and processed in the order found on the
command line. 3) Command line options override any options already set
either via command line or from any configuration file.

Command line options are interpreted when they are seen on the command
line, and later options will override previously set options. The
notable exception is with limiter variables, which are interpreted in
the order found, but only after all other options have been processed.
This allows --reject_reply_patterns to determine the dynamic list of
the various reject limiters.

See also --reject_reply_patterns.

The postfix-logwatch utility exits with a status code of 0, unless an
error occurred, in which case a non-zero exit status is returned.

EXAMPLES
Running Standalone
Note: postfix-logwatch reads its log data from one or more named
Postfix log files, or from STDIN. For brevity, where required, the
examples below use the word file as the command line argument meaning
/path/to/postfix.log. Obviously you will need to substitute file with
the appropriate path.

To run postfix-logwatch in standalone mode, simply run:

    postfix-logwatch file

A complete list of options and basic usage is available via:

    postfix-logwatch --help

To print a summary only report of Postfix log data:

    postfix-logwatch --detail 1 file

To produce a summary report and a one-level detail report for May 25th:

    grep 'May 25' file | postfix-logwatch --detail 5

To produce only a top 10 list of Sent email domains, the summary report
and detailed reports are first disabled. Since command line options
are read and enabled left-to-right, the Sent section is re-enabled to
level 1 with a level 1 top 10 limiter:

    postfix-logwatch --nosummary --nodetail --limit sent='1 1:10:' file

The following command and its sample output show a more complex level
limiter example. The command gives the top 3 Sent email addresses from
the top 5 domains; in addition, all level 3 items with a hit count of 2
or less are suppressed (in the Sent sub-section, this happens to be the
email's Original To address). Ellipses indicate top N or
threshold-limited data:

    postfix-logwatch --nosummary --nodetail \
        --limit sent='1:5: 2:3: 3::2' file

      1762   Sent via SMTP -----------------------------------
       352      example.com
       310         joe
       255            joe.bob@virtdomain.example.com
         7            info@virtdomain.example.com
        21         pooryoda3
        11         hot93uh
                   ...
       244      sample.net
        97         buzz
        26         leroyjones
        14         sally
                   ...
       152      example.net
        40         jim_jameson
        23         sam_sampson
        19         paul_paulson
                   ...
        83      sample.us
        44         root
        39         jenny1
        69      dom3.example.us
        10         kay
         7         ron
         6         mrsmith
                   ...
                ...

The next command uses both reject_reply_patterns and level limiters to
see 421 RBL rejects, threshold-limiting level 2 output to hits greater
than 5 (level 2 in the Reject RBL sub-section is the client's IP
address / hostname pair). This makes for a very nice RBL offenders
list, shown in the sample output (note the use of the unambiguous,
abbreviated command line option reject_reply_pat):

    postfix-logwatch --reject_reply_pat '421 4.. 5.. Warn' \
        --nosummary --nodetail --limit 421rejectrbl='2 2::5' file

       300   421 Reject RBL ---------------------------------------
       243      zen.spamhaus.org=127.0.0.2
       106         10.0.0.129       129.0.0.example.com
        41         192.168.10.70    hostx10.sample.net
        40         192.168.42.39    hostz42.sample.net
        15         10.1.1.152       dsl-10-1-1-152.example.us
        14         10.10.10.122     mail122.sample.com
         7         192.168.3.44     smalltime-spammer.example.com
                   ...
        48      zen.spamhaus.org=127.0.0.4
        17         10.29.124.92     10-29-124-92.adsl-static.sample.us
                   ...
         8      zen.spamhaus.org=127.0.0.11
                   ...
         1      zen.spamhaus.org=127.0.0.10
                   ...

Running within Logwatch
Note: Logwatch versions prior to 7.3.6, unless configured otherwise,
required the --print option to print to STDOUT instead of sending
reports via email. Since version 7.3.6, STDOUT is the default output
destination, and the --print option has been replaced by --output
stdout. Check your configuration to determine where report output will
be directed, and add the appropriate option to the commands below.

To print a summary report for today's Postfix log data:

    logwatch --service postfix --range today --detail 1

To print a report for today's Postfix log data, with one level of
detail in the Detailed section:

    logwatch --service postfix --range today --detail 5

To print a report for yesterday, with two levels of detail in the
Detailed section:

    logwatch --service postfix --range yesterday --detail 6

To print a report from Dec 12th through Dec 14th, with four levels of
detail in the Detailed section:

    logwatch --service postfix --range \
        'between 12/12 and 12/14' --detail 8

To print a report for today, with all levels of detail:

    logwatch --service postfix --range today --detail 10

Same as above, but leaves long lines uncut:

    logwatch --service postfix --range today --detail 11

The postfix-logwatch program uses the following (automatically set)
environment variables when running under Logwatch:

LOGWATCH_DETAIL_LEVEL
    This is the detail level specified with the Logwatch command line
    argument --detail or the Detail setting in the
    ...conf/services/postfix.conf configuration file.

LOGWATCH_DEBUG
    This is the debug level specified with the Logwatch command line
    argument --debug.

postfix_xxx
    The Logwatch program passes all settings postfix_xxx in the
    configuration file ...conf/services/postfix.conf to the postfix
    filter (which is actually named .../scripts/services/postfix) via
    environment variable.

Standalone mode
/usr/local/bin/postfix-logwatch
    The postfix-logwatch program

/usr/local/etc/postfix-logwatch.conf
    The postfix-logwatch configuration file in standalone mode

Logwatch mode
/etc/logwatch/scripts/services/postfix
    The Logwatch postfix filter

/etc/logwatch/conf/services/postfix.conf
    The Logwatch postfix filter configuration file

logwatch(8), system log analyzer and reporter

README, an overview of postfix-logwatch
Changes, the version change list history
Bugs, a list of the current bugs or other inadequacies
Makefile, the rudimentary installer
LICENSE, the usage and redistribution licensing terms

Covered under the included MIT/X-Consortium License:
http://www.opensource.org/licenses/mit-license.php

Mike Cappella

The original postfix Logwatch filter was written by Kenneth Porter, and
has had many contributors over the years. They are entirely not
responsible for any errors, problems or failures since the current
author's hands have touched the source code.