POSTFIX-LOGWATCH(1)         General Commands Manual        POSTFIX-LOGWATCH(1)

NAME

       postfix-logwatch - A Postfix log parser and analysis utility

SYNOPSIS

       postfix-logwatch [options] [logfile ...]

DESCRIPTION

       The postfix-logwatch(1) utility is a Postfix MTA log parser that produces
       summaries, details, and statistics regarding the operation of
       Postfix.

       This utility can be used as a standalone program, or as a Logwatch filter
       module to produce Postfix summary and detailed reports from within
       Logwatch.

       Postfix-logwatch is able to produce a wide range of reports with data
       grouped and sorted as much as possible to reduce noise and highlight
       patterns.  Brief summary reports provide a quick overview of general
       Postfix operations and message delivery, calling out warnings that may
       require attention.  Detailed reports provide easy to scan,
       hierarchically-arranged and organized information, with as much or little
       detail as desired.

       Postfix-logwatch outputs two principal sections: a Summary section and
       a Detailed section.  For readability and quick scanning, all event or
       hit counts appear in the left column, followed by a brief description of
       the event type, and finally additional statistics or count
       representations may appear in the rightmost column.

       The following segment from a sample Summary report illustrates:

           ****** Summary ********************************************

                 81   *Warning: Connection rate limit reached (anvil)
                146   Warned

             68.310M  Bytes accepted                        71,628,177
             97.645M  Bytes delivered                      102,388,245
           ========   ================================================

               3464   Accepted                                  41.44%
               4895   Rejected                                  58.56%
           --------   ------------------------------------------------
               8359   Total                                    100.00%
           ========   ================================================

       The report warns that anvil's connection rate limit was hit 81 times, a
       Postfix access check WARN action was logged 146 times, and a total of
       68.310 megabytes (71,628,177 bytes) were accepted into the Postfix
       system, delivering 97.645 megabytes of data (due to multiple recipients).
       The Accepted and Rejected lines show that Postfix accepted 3464 (41.44%
       of the total messages) and rejected 4895 (the remaining 58.56%) of the
       8359 total messages (temporary rejects show up elsewhere).

       There are dozens of sub-sections available in the Detailed report, each
       of whose output can be controlled in various ways.  Each sub-section
       attempts to group and present the most meaningful data at superior
       levels, while pushing less useful or noisy data towards inferior levels.
       The goal is to provide as much benefit as possible from smart grouping
       of data, to allow faster report scanning, pattern identification, and
       problem solving.  Data is always sorted in descending order by count,
       and then numerically by IP address or alphabetically as appropriate.

       The following MX errors segment from a sample Detailed report
       illustrates the basic hierarchical level structure of postfix-logwatch:

           ****** Detailed *******************************************

                261   MX errors --------------------------------------
                261      Unable to look up MX host
                222         Host not found
                 73            foolishspammer.local
                 60            completely.bogus.domain.example
                 11            friend.example.com
                 39         No address associated with hostname
                 23            dummymx.sample.net
                 16            pushn.spam.sample.com

       The postfix-logwatch utility reads from STDIN or from the named Postfix
       logfile.  Multiple logfile arguments may be specified, each processed
       in order.  The user running postfix-logwatch must have read permission
       on each named log file.

   Options
       The options listed below affect the operation of postfix-logwatch.
       Options specified later on the command line override earlier ones.  Any
       option may be abbreviated to an unambiguous length.

       -f config_file
       --config_file config_file
              Use an alternate configuration file config_file instead of the
              default.  This option may be used more than once.  Multiple
              configuration files will be processed in the order presented on
              the command line.  See CONFIGURATION FILE below.

       --debug keywords
              Output debug information during the operation of
              postfix-logwatch.  The parameter keywords is one or more comma or
              space separated keywords.  To obtain the list of valid keywords,
              use --debug xxx where xxx is any invalid keyword.

       --[no]delays
              Enables (disables) output of the message delays percentiles
              report.  The delays percentiles report shows percentiles for each
              of the 4 delivery latency times reported by Postfix (available
              in version 2.3 and later) in the form delays=a/b/c/d, where a is
              the amount of time before the active queue (includes time for
              previous delivery attempts and time in the deferred queue), b is
              the amount of time in the active queue up to delivery agent
              handoff, c is the amount of time spent making connections
              (including DNS, HELO and TLS) and d is the amount of time spent
              delivering the message.  The total delay shown comes from the
              delay= field in a message delivery log line.

              Note: This report may consume a large amount of memory; if you
              have no use for it, disable the delays report.

       --delays_percentiles p1 [p2 ...]
              Specifies the percentiles to be used in the message delays
              percentiles report.  The percentiles p1, p2, ... range from 0 to
              100, inclusive.  The list is not sorted; the report will output
              the percentile columns in the order you specify.

       --detail level
              Sets the maximum detail level for postfix-logwatch to level.
              This option is global, overriding any other output limiters
              described below.

              The postfix-logwatch utility produces a Summary section, a
              Detailed section, and additional report sections.  With level less
              than 5, postfix-logwatch will produce only the Summary section.
              At level 5 and above, the Detailed section, and any additional
              report sections are candidates for output.  Each incremental
              increase in level generates one additional hierarchical sub-level
              of output in the Detailed section of the report.  At level 10,
              all levels are output.  Lines that exceed the maximum report
              width (specified with max_report_width) will be cut.  Setting
              level to 11 will prevent lines in the report from being cut (see
              also --line_style).

       --help Print usage information and a brief description of command
              line options.

       --ignore_service pattern
              Ignore log lines that contain the postfix service name
              postfix/service, where service matches pattern.  The parameter
              pattern is a regular expression.

              Note: if you use parentheses in your regular expression, be sure
              they are cloistering (non-capturing) and not capturing: use
              (?:pattern) instead of (pattern).

       --ipaddr_width width
              Specifies that IP addresses in address/hostname pairs should be
              printed with a field width of width characters.  Increasing the
              default may be useful for systems using long IPv6 addresses.

       -l limiter=levelspec
       --limit limiter=levelspec
              Sets the level limiter limiter with the specification levelspec.

       --line_style style
              Specifies how to handle long report lines.  Three styles are
              available: full, truncate, and wrap.  Setting style to full will
              prevent cutting lines to max_report_width; this is what occurs
              when detail is 11 or higher.  When style is truncate (the
              default), long lines will be truncated according to
              max_report_width.  Setting style to wrap will wrap lines longer
              than max_report_width such that left column hit counts are not
              obscured.  This option takes precedence over the line style
              implied by the detail level.  The options --full, --truncate, and
              --wrap are synonyms.

       --[no]long_queue_ids
              Enables (disables) interpretation of long queue IDs in Postfix
              (>= 2.9) logs.

       --nodetail
              Disables the Detailed section of the report, and all
              supplemental reports.  This option provides a convenient mechanism
              to quickly disable all sections under the Detailed report, where
              subsequent command line options may re-enable one or more
              sections to create specific reports.

       --[no]summary
       --show_summary
              Enables (disables) displaying of the Summary section of the
              report.  The variable postfix_Show_Summary is used in a
              configuration file.

       --recipient_delimiter delimiter
              Split email delivery addresses using the recipient delimiter
              character delimiter.  This should generally match the
              recipient_delimiter specified in the Postfix parameter file
              main.cf, or the default value indicated in
              postconf -d recipient_delimiter.  This is very useful for
              obtaining per-alias statistics when a recipient delimiter is used
              for mail delivery.

       --reject_reply_patterns r1 [r2 ...]
              Specifies the list of reject reply patterns used to create
              reject groups.  Each entry in the list r1 [r2 ...] must be either
              a three character regular expression reply code of the form
              [45][0-9.][0-9.], or the word "Warn".  The "." in the regular
              expression is a literal dot which matches any reject reply
              subcode; this wildcarding allows creation of broad reject groups.
              List order is preserved, in that reject reports will be output
              in the same order as the entries in the list.  Specific reject
              reply codes will take priority over wildcard patterns,
              regardless of the list order.

              The default list is "5.. 4.. Warn", which creates three groups
              of rejects: permanent rejects, temporary reject failures, and
              reject warnings (as in warn_if_reject).

              This feature allows, for example, distinguishing 421
              transmission channel closures from 45x errors (eg. 450 mailbox
              unavailable, 451 local processing errors, 452 insufficient
              storage).  Such a grouping would be configured with the list:
              "421 4.. 5.. Warn".  See RFC 2821 for more information about
              reply codes.

              See also CONFIGURATION FILE regarding using
              reject_reply_patterns within a configuration file.

       --[no]sect_vars
       --show_sect_vars boolean
              Enables (disables) supplementing each Detailed section title
              with the name of that section's level limiter.  The name
              displayed is the command line option (or configuration file
              variable) used to limit that section's output.  With the large
              number of level limiters available in postfix-logwatch, this is a
              convenient mechanism for determining exactly which level limiter
              affects a section.

       --syslog_name namepat
              Specifies the syslog service name that postfix-logwatch uses to
              match syslog lines.  Only log lines whose service name matches
              the perl regular expression namepat will be used by
              postfix-logwatch; all non-matching lines are silently ignored.
              This is useful when a pre-installed Postfix package uses a name
              other than the default (postfix), or when multiple Postfix
              instances are in use and per-instance reporting is desired.

              The pattern namepat should match the syslog_name configuration
              parameter specified in the Postfix parameter file main.cf, the
              master control file master.cf, or the default value as indicated
              by the output of postconf -d syslog_name.

              Note: if you use parentheses in your regular expression, be sure
              they are cloistering (non-capturing) and not capturing: use
              (?:pattern) instead of (pattern).

       --[no]unknown
       --show_unknown boolean
              Enables (disables) display of the postfix-generated name of
              'unknown' in formatted IP/hostname pairs in Detailed reports.
              Default: enabled.

       --version
              Print postfix-logwatch version information.

   Level Limiters
       The output of every section in the Detailed report is controlled by a
       level limiter.  The name of the level limiter variable will be output
       when the sect_vars option is set.  Level limiters are set either via
       command line in standalone mode with the --limit limiter=levelspec
       option, or via configuration file variable $postfix_limiter=levelspec.
       Each limiter requires a levelspec argument, which is described below in
       LEVEL CONTROL.

       The list of level limiters is shown below.

       There are several level limiters that control reject sub-sections (eg.
       rejectbody, rejectsender, etc.).  Because the list of reject variants
       is not known until runtime after reject_reply_patterns is seen, these
       reject limiters are shown below generically, with the prefix ###.  To
       use one of these reject limiters, substitute ### with one of the reject
       reply codes in effect, replacing each dot with an x character.  For
       example, using the default reject_reply_patterns list of "5.. 4.. Warn",
       three rejectbody variants are valid: --limit 5xxrejectbody, --limit
       4xxrejectbody and --limit warnrejectbody.  As a convenience, you may
       entirely eliminate the ### prefix, and instead use the bare rejectXXX
       option, and all reject level limiter variations will be auto-generated
       based on the reject_reply_patterns list.  For example, the command line
       segment:

           ... --reject_reply_patterns "421 5.." \
                   --limit rejectrbl="1:10:"

       would automatically become:

           ... --reject_reply_patterns "421 5.." \
                   --limit 421rejectrbl="1:10:" --limit 5xxrejectrbl="1:10:"

       See reject_reply_patterns above, and comments in the configuration file
       postfix-logwatch.conf.

       [ THIS SECTION IS NOT YET COMPLETE ]

       AttrError
              Errors obtaining attribute data from service.
       BCCed  Messages that triggered access, header_checks or body_checks BCC
              action. (postfix 2.6 experimental branch)
       BounceLocal
       BounceRemote
              Local and remote bounces.  A bounce is considered a local bounce
              if the relay was one of none, local, virtual, avcheck, maildrop
              or 127.0.0.1.
       ByIpRejects
              Regrouping by client host IP address of all 5xx (permanent)
              reject variants.
       CommunicationError
              Postfix errors talking to one of its services.
       Anvil  Anvil rate or concurrency limits.
       ConnectionInbound
              Connections made to the smtpd server.
       ConnectionLostInbound
              Connections lost to the smtpd server.
       ConnectionLostOutbound
              Connections lost during smtp communications with remote MTA.
       ConnectToFailure
              Failures reported by smtp when connecting to remote MTA.
       DatabaseGeneration
              Warnings noted when binary database map file requires postmap
              update from newer source file.
       Deferrals
       Deferred
              Message delivery deferrals.  A single deferred message will have
              one or more deferrals (possibly many).
       Deliverable
              Address verification indicates recipient address is deliverable.
       Delivered
              Number of messages handed-off to a delivery agent such as local
              or virtual.
       Discarded
              Messages that triggered access, header_checks or body_checks
              DISCARD action.
       DNSError
              Any one of several errors encountered during DNS lookups.
       EnvelopeSenderDomains
              List of sending domains.  (2 levels: envelope sender domain,
              localpart)
       EnvelopeSenders
              List of envelope senders.  (1 level: envelope sender)
       Error  Postfix general error messages.
       FatalConfigError
              Fatal main.cf or master.cf configuration errors.
       FatalError
              Postfix general fatal messages.
       Filtered
              Messages that triggered access, header_checks or body_checks
              FILTER action.
       Forwarded
              Messages forwarded by MDA for one address class to another (eg.
              local -> virtual).
       HeloError
              XXXXXXXXXXX
       Hold   Messages that were placed on hold by postsuper, or triggered by
              access, header_checks or body_checks HOLD action.
       HostnameValidationError
              Invalid hostname detected.
       HostnameVerification
              Lookup of hostname does not map back to the IP of the peer (ie.
              the remote system connecting to smtpd).  Also known as
              forward-confirmed reverse DNS (FCRDNS).  When the reverse name has
              no DNS entry, the message "host not found, try again" is included;
              otherwise, it is not (e.g. when the reverse has some IP address,
              but not the one Postfix expects).
       IllegalAddrSyntax
              Illegal syntax in an email address provided during the MAIL FROM
              or RCPT TO dialog.
       LdapError
              Any LDAP errors during LDAP lookup.
       MailerLoop
              An MX lookup for the best mailer to use to deliver mail would
              result in sending to ourselves.
       MapProblem
              Problem with an access table map that needs correcting.
       MessageWriteError
              Postfix encountered an error when trying to create a message
              file somewhere in the spool directory.
       NumericHostname
              A hostname was found that was numeric, instead of alphabetic.
       PanicError
              Postfix general panic messages.
       PixWorkaround
              Workarounds were enabled to avoid remote Cisco PIX SMTP
              "fixups".
       PolicydWeight
              Summarization of policyweight/policydweight results.
       PolicySpf
              Summarization of PolicySPF results.
       Postgrey
              Summarization of Postgrey results.
       Postscreen
              Summarization of 2.7's postscreen and verify services.
       DNSBLog
              Summarization of 2.7's dnsblog service.
       Prepended
              Messages that triggered header_checks or body_checks PREPEND
              action.
       ProcessExit
              Postfix services that exited unexpectedly.
       ProcessLimit
              A Postfix service has reached or exceeded the maximum number of
              processes allowed.
       QueueWriteError
              Problems writing a Postfix queue file.
       RblError
              Lookup errors for RBLs.
       Redirected
              Messages that triggered access, header_checks or body_checks
              REDIRECT action.
       ###RejectBody
              Messages that triggered body_checks REJECT action.
       ###RejectClient
              Messages rejected by client access controls
              (smtpd_client_restrictions).
       ###RejectConfigError
              Message rejected due to server configuration errors.
       ###RejectContent
              Messages rejected by message_reject_characters.
       ###RejectData
              Messages rejected at DATA stage in SMTP conversation
              (smtpd_data_restrictions).
       ###RejectEtrn
              Messages rejected at ETRN stage in SMTP conversation
              (smtpd_etrn_restrictions).
       ###RejectHeader
              Messages that triggered header_checks REJECT action.
       ###RejectHelo
              Messages rejected at HELO/EHLO stage in SMTP conversation
              (smtpd_helo_restrictions).
       ###RejectInsufficientSpace
              Messages rejected due to insufficient storage space.
       ###RejectLookupFailure
              Messages rejected due to temporary DNS lookup failures.
       ###RejectMilter
              Milter rejects.  No reject reply code is available for these
              rejects, but an extended 5.7.1 DSN is provided.  These rejects are
              forced into the generic 5xx rejects group.  If you redefine
              reject_reply_patterns such that it does not contain the pattern
              5.., milter rejects will not be output.
       ###RejectRbl
              Messages rejected by an RBL hit.
       ###RejectRecip
              Messages rejected by recipient access controls
              (smtpd_recipient_restrictions).
       ###RejectRelay
              Messages rejected by relay access controls.
       ###RejectSender
              Messages rejected by sender access controls
              (smtpd_sender_restrictions).
       ###RejectSize
              Messages rejected due to excessive message size.
       ###RejectUnknownClient
              Messages rejected by unknown client access controls.
       ###RejectUnknownReverseClient
              Messages rejected by unknown reverse client access controls.
       ###RejectUnknownUser
              Messages rejected by unknown user access controls.
       ###RejectUnverifiedClient
              Messages rejected by unverified client access controls.
       ###RejectVerify
              Messages rejected due to address verification failures.
       Replaced
              Messages that triggered header_checks or body_checks REPLACE
              action.
       ReturnedToSender
              Messages returned to sender due to exceeding queue lifetime
              (maximal_queue_lifetime).
       SaslAuth
              SASL authentication successes, includes SASL method, username,
              and sender when present.
       SaslAuthFail
              SASL authentication failures.
       Sent   Messages sent via the SMTP delivery agent.
       SentLmtp
              Messages sent via the LMTP delivery agent.
       SmtpConversationError
              Errors during the SMTP/ESMTP dialog.
       SmtpProtocolViolation
              Protocol violation during the SMTP/ESMTP dialog.
       StartupError
              Errors during Postfix server startup.
       TimeoutInbound
              Connections to smtpd that timed out.
       TlsClientConnect
              TLS client connections.
       TlsOffered
              TLS communication offered.
       TlsServerConnect
              TLS server connections.
       TlsUnverified
              Unverified TLS connections.
       Undeliverable
              Address verification indicates recipient address is
              undeliverable.
       Warn   Messages that triggered access, header_checks or body_checks
              WARN action.
       WarnConfigError
              Warnings regarding Postfix configuration errors.
       WarningsOther
              Postfix general warning messages.

LEVEL CONTROL

       The Detailed section of the report consists of a number of
       sub-sections, each of which is controlled both globally and
       independently.  Two settings influence the output provided in the
       Detailed report: a global detail level (specified with --detail) which
       has final (big hammer) output-limiting control over the Detailed
       section, and sub-section specific detail settings (small hammer), which
       allow further limiting of the output for a sub-section.  Each
       sub-section may be limited to a specific depth level, and each sub-level
       may be limited with top N or threshold limits.  The levelspec argument
       to each of the level limiters listed above is used to accomplish this.

       It is probably best to continue explanation of sub-level limiting with
       the following well-known outline-style hierarchy, and some basic
       examples:

           level 0
              level 1
                 level 2
                    level 3
                       level 4
                       level 4
                 level 2
                    level 3
                       level 4
                       level 4
                       level 4
                    level 3
                       level 4
                    level 3
              level 1
                 level 2
                    level 3
                       level 4

       The simplest form of output limiting suppresses all output below a
       specified level.  For example, a levelspec set to "2" shows only data
       in levels 0 through 2.  Think of this as collapsing each sub-level 2
       item, thus hiding all inferior levels (3, 4, ...), to yield:

           level 0
              level 1
                 level 2
                 level 2
              level 1
                 level 2

       Sometimes the volume of output in a section is too great, and it is
       useful to suppress any data that does not exceed a certain threshold
       value.  Consider a dictionary spam attack, which produces very lengthy
       lists of hit-once recipient email or IP addresses.  Each sub-level in
       the hierarchy can be threshold-limited by setting the levelspec
       appropriately.  Setting levelspec to the value "2::5" will suppress any
       data at level 2 that does not exceed a hit count of 5.

       Perhaps producing a top N list, such as top 10 senders, is desired.  A
       levelspec of "3:10:" limits level 3 data to only the top 10 hits.

       With those simple examples out of the way, a levelspec is defined as a
       whitespace- or comma-separated list of one or more of the following:

       l      Specifies the maximum level to be output for this sub-section,
              with a range from 0 to 10.  If l is 0, no levels will be output,
              effectively disabling the sub-section (level 0 data is already
              provided in the Summary report, so level 1 is considered the
              first useful level in the Detailed report).  Higher values will
              produce output up to and including the specified level.

       l.n    Same as above, with the addition that n limits this section's
              level 1 output to the top n items.  The value for n can be any
              integer greater than 1.  (This form of limiting has less utility
              than the syntax shown below.  It is provided for backwards
              compatibility; users are encouraged to use the syntax below).

       l:n:t  This triplet specifies level l, top n, and minimum threshold t.
              Each of the values is an integer, with l being the level limiter
              as described above, n being a top n limiter for the level l, and
              t being the threshold limiter for level l.  When both n and t
              are specified, n has priority, allowing top n lists (regardless
              of threshold value).  If the value of l is omitted, the
              specified values for n and/or t are used for all levels available
              in the sub-section.  This permits a simple form of wildcarding
              (eg. place minimum threshold limits on all levels).  However,
              specific limiters always override wildcard limiters.  The first
              form of level limiter may be included in levelspec to restrict
              output, regardless of how many triplets are present.

       All three forms of limiters are effective only when postfix-logwatch's
       detail level is 5 or greater (the Detailed section is not activated
       until detail is at least 5).

       See the EXAMPLES section for usage scenarios.

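
       The levelspec rules above, applied to a small hit-count hierarchy.  This
       is an added illustration in Python, not postfix-logwatch's own code.
       Assumptions: the data is constructed (modelled on the MX errors sample),
       top n and threshold are applied to the children of each parent, a
       threshold keeps only counts greater than t ("does not exceed"), a
       specific triplet replaces the wildcard for its level as a whole, and a
       levelspec without a plain level applies no depth cut.

```python
import re


def parse_levelspec(spec):
    """Parse a levelspec string into (max_level, per_level, wildcard).

    max_level -- from the plain "l" or "l.n" form, or None if absent
    per_level -- {level: (top_n, threshold)} from "l:n:t" triplets
    wildcard  -- (top_n, threshold) from ":n:t" triplets with l omitted
    """
    max_level, per_level, wildcard = None, {}, (None, None)
    for item in re.split(r"[\s,]+", spec.strip()):
        if not item:
            continue
        triplet = re.fullmatch(r"(\d*):(\d*):(\d*)", item)
        plain = re.fullmatch(r"(\d+)(?:\.(\d+))?", item)
        if triplet:
            level, top_n, threshold = (
                int(g) if g else None for g in triplet.groups()
            )
            if level is None:
                wildcard = (top_n, threshold)
            else:
                per_level[level] = (top_n, threshold)
        elif plain:
            max_level = int(plain.group(1))
            if not 0 <= max_level <= 10:
                raise ValueError(f"level out of range 0..10: {item!r}")
            if plain.group(2):  # legacy "l.n": top n applies to level 1
                per_level.setdefault(1, (int(plain.group(2)), None))
        else:
            raise ValueError(f"bad levelspec item: {item!r}")
    return max_level, per_level, wildcard


def hits(node):
    """Hit count of a node: a leaf is an int, a branch sums its children."""
    return node if isinstance(node, int) else sum(hits(c) for c in node.values())


def limit_section(title, tree, spec):
    """Return the (level, count, name) rows that survive the levelspec."""
    max_level, per_level, wildcard = parse_levelspec(spec)
    if max_level == 0:        # "0" disables the sub-section entirely
        return []
    if max_level is None:     # assumption: no plain level means no depth cut
        max_level = 10
    rows = [(0, hits(tree), title)]

    def walk(node, level):
        if isinstance(node, int) or level > max_level:
            return
        # A specific triplet for this level overrides the wildcard triplet.
        top_n, threshold = per_level.get(level, wildcard)
        # Descending by count, then alphabetically, as the page describes.
        items = sorted(node.items(), key=lambda kv: (-hits(kv[1]), kv[0]))
        if top_n:             # n has priority over t
            items = items[:top_n]
        elif threshold:
            items = [kv for kv in items if hits(kv[1]) > threshold]
        for name, child in items:
            rows.append((level, hits(child), name))
            walk(child, level + 1)

    walk(tree, 1)
    return rows


# Constructed sample data; the hit-once host mimics dictionary-attack noise.
MX_ERRORS = {
    "Unable to look up MX host": {
        "Host not found": {
            "foolishspammer.local": 73,
            "completely.bogus.domain.example": 60,
            "friend.example.com": 11,
            "typo.example.org": 1,
        },
        "No address associated with hostname": {
            "dummymx.sample.net": 23,
            "pushn.spam.sample.com": 16,
        },
    },
}

if __name__ == "__main__":
    # Depth 3, and at level 3 only hosts with more than 20 hits.
    for level, count, name in limit_section("MX errors", MX_ERRORS, "3 3::20"):
        print(f"{count:8d}   {'   ' * level}{name}")
```
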

CONFIGURATION FILE

       Postfix-logwatch can read configuration settings from a configuration
       file.  Essentially, any command line option can be placed into a
       configuration file, and these settings are read upon startup.

       Because postfix-logwatch can run either standalone or within Logwatch,
       to minimize confusion, postfix-logwatch inherits Logwatch's
       configuration file syntax requirements and conventions.  These are:

       •   White space lines are ignored.

       •   Lines beginning with # are ignored.

       •   Settings are of the form:

                   option = value

       •   Spaces or tabs on either side of the = character are ignored.

       •   Any value protected in double quotes will be case-preserved.

       •   All other content is reduced to lowercase (non-preserving, case
           insensitive).

       •   All postfix-logwatch configuration settings must be prefixed with
           "$postfix_" or postfix-logwatch will ignore them.

       •   When running under Logwatch, any values not prefixed with
           "$postfix_" are consumed by Logwatch; it only passes to
           postfix-logwatch (via environment variable) settings it considers
           valid.

       •   The values True and Yes are converted to 1, and False and No are
           converted to 0.

       •   Order of settings is not preserved within a configuration file
           (since settings are passed by Logwatch via environment variables,
           which have no defined order).

       To include a command line option in a configuration file, prefix the
       command line option name with the word "$postfix_".  The following
       configuration file setting and command line option are equivalent:

               $postfix_Line_Style = Truncate

               --line_style Truncate

       Level limiters are also prefixed with $postfix_, but on the command
       line are specified with the --limit option:

               $postfix_Sent = 2

               --limit Sent=2

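       The syntax rules above, as an added Python sketch (not
       postfix-logwatch's or Logwatch's own code) that parses a configuration
       file and reports the setting lines that would be ignored for lacking
       the $postfix_ prefix.  The sample text is constructed,
       $postfix_Example_Flag is a hypothetical setting name, and dropping the
       double quotes from case-preserved values is an assumption.

```python
import re

PREFIX = "$postfix_"
BOOLEANS = {"true": "1", "yes": "1", "false": "0", "no": "0"}

# Constructed sample; $postfix_Example_Flag is a hypothetical setting name.
SAMPLE = '''
# report settings
$postfix_Line_Style = Truncate
$postfix_Sent=2
$postfix_Reject_Reply_Patterns = "421 4.. 5.. Warn"
$postfix_Example_Flag = Yes
Detail = 5
'''

def normalize_value(value):
    """Lowercase everything except double-quoted runs, then map booleans."""
    value = value.strip()
    parts = re.split(r'("[^"]*")', value)
    # Quoted runs keep their case; dropping the quotes is an assumption.
    text = "".join(p[1:-1] if re.fullmatch(r'"[^"]*"', p) else p.lower()
                   for p in parts)
    # True/Yes -> 1 and False/No -> 0 (applied to unquoted values only here).
    return text if '"' in value else BOOLEANS.get(text, text)

def parse_config(text):
    """Return (settings, ignored): accepted options and skipped setting lines."""
    settings, ignored = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        name, sep, value = line.partition("=")
        name = name.strip().lower()
        if not sep or not name.startswith(PREFIX) or name == PREFIX:
            ignored.append(line)                # no "$postfix_" prefix
            continue
        settings[name[len(PREFIX):]] = normalize_value(value)
    return settings, ignored

if __name__ == "__main__":
    settings, ignored = parse_config(SAMPLE)
    for option, value in sorted(settings.items()):
        print(f"{option} = {value}")
    print("ignored:", ignored)
```
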
       The order of command line options and configuration file processing
       occurs as follows: 1) The default configuration file is read if it
       exists and no --config_file was specified on a command line.
       2) Configuration files are read and processed in the order found on
       the command line.  3) Command line options override any options
       already set either via command line or from any configuration file.

       Command line options are interpreted when they are seen on the command
       line, and later options will override previously set options.  The
       notable exception is with limiter variables, which are interpreted in
       the order found, but only after all other options have been processed.
       This allows --reject_reply_patterns to determine the dynamic list of
       the various reject limiters.

       See also --reject_reply_patterns.

EXIT STATUS

       The postfix-logwatch utility exits with a status code of 0, unless an
       error occurred, in which case a non-zero exit status is returned.

EXAMPLES

   Running Standalone
       Note: postfix-logwatch reads its log data from one or more named
       Postfix log files, or from STDIN.  For brevity, where required, the
       examples below use the word file as the command line argument meaning
       /path/to/postfix.log.  Obviously you will need to substitute file with
       the appropriate path.

       To run postfix-logwatch in standalone mode, simply run:

           postfix-logwatch file

       A complete list of options and basic usage is available via:

           postfix-logwatch --help

       To print a summary only report of Postfix log data:

           postfix-logwatch --detail 1 file

       To produce a summary report and a one-level detail report for May 25th:

           grep 'May 25' file | postfix-logwatch --detail 5

       To produce only a top 10 list of Sent email domains, the summary report
       and detailed reports are first disabled.  Since command line options
       are read and enabled left-to-right, the Sent section is re-enabled to
       level 1 with a level 1 top 10 limiter:

           postfix-logwatch --nosummary --nodetail --limit sent='1 1:10:' file

       The following command and its sample output show a more complex level
       limiter example.  The command gives the top 3 Sent email addresses from
       the top 5 domains; in addition, all level 3 items with a hit count of 2
       or less are suppressed (in the Sent sub-section, this happens to be
       email's Original To address).  Ellipses indicate top N or
       threshold-limited data:

           postfix-logwatch --nosummary --nodetail \
                   --limit sent '1:5: 2:3: 3::2' file

           1762   Sent via SMTP -----------------------------------
            352      example.com
            310         joe
            255            joe.bob@virtdomain.example.com
              7            info@virtdomain.example.com
             21         pooryoda3
             11         hot93uh
                        ...
            244      sample.net
             97         buzz
             26         leroyjones
             14         sally
                        ...
            152      example.net
             40         jim_jameson
             23         sam_sampson
             19         paul_paulson
                        ...
             83      sample.us
             44         root
             39         jenny1
             69      dom3.example.us
             10         kay
              7         ron
              6         mrsmith
                        ...
                     ...

       The next command uses both reject_reply_patterns and level limiters to
       see 421 RBL rejects, threshold-limiting level 2 output to hits greater
       than 5 (level 2 in the Reject RBL sub-section is the client's IP
       address / hostname pair).  This makes for a very nice RBL offenders
       list, shown in the sample output (note the use of the unambiguous,
       abbreviated command line option reject_reply_pat):

           postfix-logwatch --reject_reply_pat '421 4.. 5.. Warn' \
                   --nosummary --nodetail --limit 421rejectrbl='2 2::5' file

           300   421 Reject RBL ---------------------------------------
           243      zen.spamhaus.org=127.0.0.2
           106         10.0.0.129       129.0.0.example.com
            41         192.168.10.70    hostx10.sample.net
            40         192.168.42.39    hostz42.sample.net
            15         10.1.1.152       dsl-10-1-1-152.example.us
            14         10.10.10.122     mail122.sample.com
             7         192.168.3.44     smalltime-spammer.example.com
                       ...
            48      zen.spamhaus.org=127.0.0.4
            17         10.29.124.92     10-29-124-92.adsl-static.sample.us
                       ...
             8      zen.spamhaus.org=127.0.0.11
                       ...
             1      zen.spamhaus.org=127.0.0.10
                       ...

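       The limiter strings used in the commands above, as an added Python
       sketch (not postfix-logwatch's own code) that parses the l, l.n and
       l:n:t forms and applies them to a constructed hit tree shaped like the
       RBL report.  Assumptions: the 192.0.2.x entries and the level 3 node
       are made up, and when no bare level is given the sketch leaves the
       depth uncut, which the page does not specify.

```python
def parse_levelspec(spec):
    """Parse 'l', 'l.n' and 'l:n:t' tokens into (max_level, limits)."""
    max_level, limits = None, {}
    for tok in spec.split():
        if ":" in tok:
            fields = tok.split(":")
            if len(fields) != 3:
                raise ValueError(f"bad triplet: {tok!r}")
            level, top, thresh = (int(f) if f else None for f in fields)
            limits[level] = (top, thresh)   # level None: l omitted (wildcard)
        elif "." in tok:
            level, top = tok.split(".")
            max_level, limits[1] = int(level), (int(top), None)
        else:
            max_level = int(tok)
    return max_level, limits

def limit_tree(nodes, max_level, limits, level=1):
    """Prune a tree of (count, label, children) as the limiters describe."""
    if max_level is not None and level > max_level:
        return []
    # A limiter for this specific level overrides the wildcard limiter.
    top, thresh = limits.get(level, limits.get(None, (None, None)))
    nodes = sorted(nodes, key=lambda node: -node[0])
    if top is not None:                     # top n has priority over t
        nodes = nodes[:top]
    elif thresh is not None:                # keep hit counts greater than t
        nodes = [node for node in nodes if node[0] > thresh]
    return [(count, label, limit_tree(kids, max_level, limits, level + 1))
            for count, label, kids in nodes]

# Constructed hit tree shaped like the 421 Reject RBL report above.
RBL_HITS = [
    (48, "zen.spamhaus.org=127.0.0.4",
     [(17, "10.29.124.92", []), (5, "192.0.2.7", []), (3, "192.0.2.8", [])]),
    (243, "zen.spamhaus.org=127.0.0.2",
     [(7, "192.168.3.44", []), (4, "192.0.2.9", []),
      (106, "10.0.0.129", [(106, "constructed level 3 detail", [])])]),
    (8, "zen.spamhaus.org=127.0.0.11",
     [(5, "192.0.2.10", []), (3, "192.0.2.11", [])]),
]

def render(nodes, depth=0):
    """Return report lines: right-aligned count, then the indented label."""
    lines = []
    for count, label, kids in nodes:
        lines.append(f"{count:>6}   {'   ' * depth}{label}")
        lines += render(kids, depth + 1)
    return lines

if __name__ == "__main__":
    print("\n".join(render(limit_tree(RBL_HITS, *parse_levelspec("2 2::5")))))
```
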
   Running within Logwatch
       Note: Logwatch versions prior to 7.3.6, unless configured otherwise,
       required the --print option to print to STDOUT instead of sending
       reports via email.  Since version 7.3.6, STDOUT is the default output
       destination, and the --print option has been replaced by --output
       stdout.  Check your configuration to determine where report output
       will be directed, and add the appropriate option to the commands below.

       To print a summary report for today's Postfix log data:

           logwatch --service postfix --range today --detail 1

       To print a report for today's Postfix log data, with one level of
       detail in the Detailed section:

           logwatch --service postfix --range today --detail 5

       To print a report for yesterday, with two levels of detail in the
       Detailed section:

           logwatch --service postfix --range yesterday --detail 6

       To print a report from Dec 12th through Dec 14th, with four levels of
       detail in the Detailed section:

           logwatch --service postfix --range \
                   'between 12/12 and 12/14' --detail 8

       To print a report for today, with all levels of detail:

           logwatch --service postfix --range today --detail 10

       Same as above, but leaves long lines uncut:

           logwatch --service postfix --range today --detail 11

ENVIRONMENT

       The postfix-logwatch program uses the following (automatically set)
       environment variables when running under Logwatch:

       LOGWATCH_DETAIL_LEVEL
              This is the detail level specified with the Logwatch command
              line argument --detail or the Detail setting in the
              ...conf/services/postfix.conf configuration file.

       LOGWATCH_DEBUG
              This is the debug level specified with the Logwatch command line
              argument --debug.

       postfix_xxx
              The Logwatch program passes all settings postfix_xxx in the
              configuration file ...conf/services/postfix.conf to the postfix
              filter (which is actually named .../scripts/services/postfix)
              via environment variable.

FILES

   Standalone mode
       /usr/local/bin/postfix-logwatch
              The postfix-logwatch program

       /usr/local/etc/postfix-logwatch.conf
              The postfix-logwatch configuration file in standalone mode

   Logwatch mode
       /etc/logwatch/scripts/services/postfix
              The Logwatch postfix filter

       /etc/logwatch/conf/services/postfix.conf
              The Logwatch postfix filter configuration file

SEE ALSO

       logwatch(8), system log analyzer and reporter

README FILES

       README, an overview of postfix-logwatch
       Changes, the version change list history
       Bugs, a list of the current bugs or other inadequacies
       Makefile, the rudimentary installer
       LICENSE, the usage and redistribution licensing terms

LICENSE

       Covered under the included MIT/X-Consortium License:
       http://www.opensource.org/licenses/mit-license.php

AUTHOR(S)

       Mike Cappella

       The original postfix Logwatch filter was written by Kenneth Porter, and
       has had many contributors over the years.  They are entirely not
       responsible for any errors, problems or failures since the current
       author's hands have touched the source code.