PFLOGSUMM(1)          User Contributed Perl Documentation         PFLOGSUMM(1)

NAME
       pflogsumm.pl - Produce Postfix MTA logfile summary

       Copyright (C) 1998-2003 by James S. Seymour, Release 1.1.0.

SYNOPSIS
           pflogsumm.pl -[eq] [-d <today|yesterday>] [-h <cnt>] [-u <cnt>]
               [--verp_mung[=<n>]] [--verbose_msg_detail] [--iso_date_time]
               [-m|--uucp_mung] [-i|--ignore_case] [--smtpd_stats] [--mailq]
               [--problems_first] [--rej_add_from] [--no_bounce_detail]
               [--no_deferral_detail] [--no_reject_detail] [--no_no_msg_size]
               [--no_smtpd_warnings] [--zero_fill] [--syslog_name=string]
               [file1 [filen]]

           pflogsumm.pl -[help|version]

           If no file(s) specified, reads from stdin.  Output is to stdout.

DESCRIPTION
           Pflogsumm is a log analyzer/summarizer for the Postfix MTA.  It is
           designed to provide an overview of Postfix activity, with just enough
           detail to give the administrator a "heads up" for potential trouble
           spots.

           Pflogsumm generates summaries and, in some cases, detailed reports of
           mail server traffic volumes, rejected and bounced email, and server
           warnings, errors and panics.

OPTIONS
           -d today       generate report for just today
           -d yesterday   generate report for just "yesterday"

           -e             extended (extreme? excessive?) detail

                          Emit detailed reports.  At present, this includes
                          only a per-message report, sorted by sender domain,
                          then user-in-domain, then by queue i.d.

                          WARNING: the data built to generate this report can
                          quickly consume very large amounts of memory if a
                          lot of log entries are processed!

           -h <cnt>       top <cnt> to display in host/domain reports.

                          0 = none.

                          See also: "-u" and "--no_*_detail" for further
                                    report-limiting options.

           --help         Emit short usage message and bail out.

                          (By happy coincidence, "-h" alone does much the same,
                          being as it requires a numeric argument :-).  Yeah, I
                          know: lame.)

           -i
           --ignore_case  Handle complete email address in a case-insensitive
                          manner.

                          Normally pflogsumm lower-cases only the host and
                          domain parts, leaving the user part alone.  This
                          option causes the entire email address to be
                          lower-cased.

           --iso_date_time

                          For summaries that contain date or time information,
                          use ISO 8601 standard formats (CCYY-MM-DD and HH:MM),
                          rather than "Mon DD CCYY" and "HHMM".

           -m             modify (mung?) UUCP-style bang-paths
           --uucp_mung

                          This is for use when you have a mix of Internet-style
                          domain addresses and UUCP-style bang-paths in the log.
                          Upstream UUCP feeds sometimes mung Internet domain
                          style addresses into bang-paths.  This option can
                          sometimes undo the "damage".  For example:
                          "somehost.dom!username@foo" (where "foo" is the next
                          host upstream and "somehost.dom" was whence the email
                          originated) will get converted to
                          "foo!username@somehost.dom".  This also affects the
                          extended detail report (-e), to help ensure that
                          by-domain-by-name sorting is more accurate.

           --mailq        Run "mailq" command at end of report.

                          Merely a convenience feature.  (Assumes that "mailq"
                          is in $PATH.  See "$mailqCmd" variable to path this,
                          if desired.)

           --no_bounce_detail
           --no_deferral_detail
           --no_reject_detail

                          Suppresses the printing of the following detailed
                          reports, respectively:

                               message bounce detail (by relay)
                               message deferral detail
                               message reject detail

                          See also: "-u" and "-h" for further report-limiting
                                    options.

           --no_no_msg_size

                          Do not emit report on "Messages with no size data".

                          Message size is reported only by the queue manager.
                          The message may be delivered long enough after the
                          (last) qmgr log entry that the information is not in
                          the log(s) processed by a particular run of
                          pflogsumm.pl.  This throws off "Recipients by message
                          size" and the total for "bytes delivered." These are
                          normally reported by pflogsumm as "Messages with no
                          size data."

           --no_smtpd_warnings

                          On a busy mail server, say at an ISP, SMTPD warnings
                          can result in a rather sizeable report.  This option
                          turns reporting them off.

           --problems_first

                          Emit "problems" reports (bounces, defers, warnings,
                          etc.) before "normal" stats.

           --rej_add_from
                          For those reject reports that list IP addresses or
                          host/domain names: append the email from address to
                          each listing.  (Does not apply to "Improper use of
                          SMTP command pipelining" report.)

           -q             quiet - don't print headings for empty reports

                          note: headings for warning, fatal, and "master"
                          messages will always be printed.

           --smtpd_stats

                          Generate smtpd connection statistics.

                          The "per-day" report is not generated for single-day
                          reports.  For multiple-day reports: "per-hour" numbers
                          are daily averages (reflected in the report heading).

           --syslog_name=name

                          Set syslog_name to look for in Postfix log entries.

                          By default, pflogsumm looks for entries in logfiles
                          with a syslog name of "postfix," the default.
                          If you've set a non-default "syslog_name" parameter
                          in your Postfix configuration, use this option to
                          tell pflogsumm what that is.

                          See the discussion about the use of this option under
                          "NOTES," below.

           -u <cnt>       top <cnt> to display in user reports. 0 == none.

                          See also: "-h" and "--no_*_detail" for further
                                    report-limiting options.

           --verbose_msg_detail

                          For the message deferral, bounce and reject summaries:
                          display the full "reason", rather than a truncated one.

                          Note: this can result in quite long lines in the report.

           --verp_mung    do "VERP" generated address (?) munging.  Convert
           --verp_mung=2  sender addresses of the form
                          "list-return-NN-someuser=some.dom@host.sender.dom"
                          to
                          "list-return-ID-someuser=some.dom@host.sender.dom"

                          In other words: replace the numeric value with "ID".

                          By specifying the optional "=2" (second form), the
                          munging is more "aggressive", converting the address
                          to something like:

                               "list-return@host.sender.dom"

                          Actually: specifying anything less than 2 does the
                          "simple" munging and anything greater than 1 results
                          in the more "aggressive" hack being applied.

                          See "NOTES" regarding this option.

           --version      Print program name and version and bail out.

           --zero_fill    "Zero-fill" certain arrays so reports come out with
                          data in columns that might otherwise be blank.

RETURN VALUE
           Pflogsumm doesn't return anything of interest to the shell.

ERRORS
           Error messages are emitted to stderr.

EXAMPLES
           Produce a report of previous day's activities:

               pflogsumm.pl -d yesterday /var/log/maillog

           A report of prior week's activities (after logs rotated):

               pflogsumm.pl /var/log/maillog.0

           What's happened so far today:

               pflogsumm.pl -d today /var/log/maillog

           Crontab entry to generate a report of the previous day's activity
           at 10 minutes after midnight.

               10 0 * * * /usr/local/sbin/pflogsumm -d yesterday /var/log/maillog
               2>&1 |/usr/bin/mailx -s "`uname -n` daily mail stats" postmaster

           Crontab entry to generate a report for the prior week's activity.
           (This example assumes one rotates one's mail logs weekly, some time
           before 4:10 a.m. on Sunday.)

               10 4 * * 0   /usr/local/sbin/pflogsumm /var/log/maillog.0
               2>&1 |/usr/bin/mailx -s "`uname -n` weekly mail stats" postmaster

           The two crontab examples, above, must actually be a single line
           each.  They're broken-up into two-or-more lines due to page
           formatting issues.

SEE ALSO
           The pflogsumm FAQ: pflogsumm-faq.txt.

NOTES
           Pflogsumm makes no attempt to catch/parse non-Postfix log
           entries.  Unless it has "postfix/" in the log entry, it will be
           ignored.

           It's important that the logs are presented to pflogsumm in
           chronological order so that message sizes are available when
           needed.

           For display purposes: integer values are munged into "kilo" and
           "mega" notation as they exceed certain values.  I chose the
           admittedly arbitrary boundaries of 512k and 512m as the points at
           which to do this--my thinking being 512x was the largest number
           (of digits) that most folks can comfortably grok at-a-glance.
           These are "computer" "k" and "m", not 1000 and 1,000,000.  You
           can easily change all of this with some constants near the
           beginning of the program.

           "Items-per-day" reports are not generated for single-day
           reports.  For multiple-day reports: "Items-per-hour" numbers are
           daily averages (reflected in the report headings).

           Message rejects, reject warnings, holds and discards are all
           reported under the "rejects" column for the Per-Hour and Per-Day
           traffic summaries.

           Verp munging may not always result in correct address and
           address-count reduction.

           Verp munging is always in a state of experimentation.  The use
           of this option may result in inaccurate statistics with regards
           to the "senders" count.

           UUCP-style bang-path handling needs more work.  Particularly if
           Postfix is not being run with "swap_bangpath = yes" and/or *is* being
           run with "append_dot_mydomain = yes", the detailed by-message report
           may not be sorted correctly by-domain-by-user.  (Also depends on
           upstream MTA, I suspect.)
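
           Added example (not part of pflogsumm or its documentation): a
           Python sketch of the VERP and UUCP address munging described under
           OPTIONS and in the notes above, showing how each --verp_mung level
           changes the distinct "senders" count.  The regular expressions and
           the sample addresses are assumptions constructed for illustration;
           pflogsumm's own patterns may differ.

```python
import re

# Assumed patterns, written for this example; pflogsumm's own may differ.
VERP_ID = re.compile(r"^(.+?-return)-\d+-")
VERP_RCPT = re.compile(r"^(.+?-return)-(?:\d+|ID)-[^=@]+=[^@]+@")
BANG_PATH = re.compile(r"^([^!@]+)!([^!@]+)@([^!@]+)$")


def verp_mung(addr, level=1):
    """Level < 2: replace the numeric field with "ID" ("simple" munging).
    Level > 1: additionally drop the encoded recipient ("aggressive")."""
    addr = VERP_ID.sub(r"\1-ID-", addr)
    if level > 1:
        addr = VERP_RCPT.sub(r"\1@", addr)
    return addr


def uucp_mung(addr):
    """Swap origin host and next hop: origin!user@nexthop -> nexthop!user@origin."""
    m = BANG_PATH.match(addr)
    return f"{m.group(3)}!{m.group(2)}@{m.group(1)}" if m else addr


def distinct_senders(addrs, level=None):
    """Number of unique sender addresses, optionally after VERP munging."""
    if level is None:
        return len(set(addrs))
    return len({verp_mung(a, level) for a in addrs})


# Constructed sample: one list, three per-recipient envelope senders.
SAMPLE = [
    "list-return-101-alice=a.example@lists.example.org",
    "list-return-102-alice=a.example@lists.example.org",
    "list-return-103-bob=b.example@lists.example.org",
]

if __name__ == "__main__":
    for level in (None, 1, 2):
        print("verp level", level, "->", distinct_senders(SAMPLE, level), "senders")
    print(uucp_mung("somehost.dom!username@foo"))
```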

           The "percent rejected" and "percent discarded" figures are only
           approximations.  They are calculated as follows (example is for
           "percent rejected"):

               percent rejected =

                   (rejected / (delivered + rejected + discarded)) * 100

           There are some issues with the use of --syslog_name.  The problem is
           that, even with $syslog_name set, Postfix will sometimes still log
           things with "postfix" as the syslog_name.  This is noted in
           /etc/postfix/sample-misc.cf:

               # Beware: a non-default syslog_name setting takes effect only
               # after process initialization. Some initialization errors will be
               # logged with the default name, especially errors while parsing
               # the command line and errors while accessing the Postfix main.cf
               # configuration file.

           As a consequence, pflogsumm must always look for "postfix," in logs,
           as well as whatever is supplied for syslog_name.

           Where this becomes an issue is where people are running two or more
           instances of Postfix, logging to the same file.  In such a case:

               . Neither instance may use the default "postfix" syslog name
                 and...

               . Log entries that fall victim to what's described in
                 sample-misc.cf will be reported under "postfix", so that if
                 you're running pflogsumm twice, once for each syslog_name, such
                 log entries will show up in each report.
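
           Added example (not pflogsumm's code): a Python sketch of the
           selection rule described above, run over a constructed shared
           logfile, to show which entries end up in both per-instance reports.
           The instance names "postfix-in" and "postfix-out", the log lines
           and the tag pattern are assumptions made for illustration.

```python
import re

# Constructed log lines: two Postfix instances sharing one logfile, an
# initialization error logged under the default name, and a non-Postfix entry.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix-in/smtpd[2101]: connect from unknown[192.0.2.10]
Mar  3 10:00:02 mx postfix-out/smtp[2150]: 4A1B2C3D4E: to=<user@example.net>, status=sent
Mar  3 10:00:03 mx postfix/master[2001]: fatal: open /etc/postfix/main.cf: No such file
Mar  3 10:00:04 mx sshd[2200]: Accepted publickey for admin from 192.0.2.20
""".splitlines()


def select(lines, syslog_name="postfix"):
    """Keep entries tagged with the default name or the supplied syslog_name.

    The default "postfix" tag is always included, because initialization
    errors are logged under it regardless of the syslog_name setting.
    """
    names = sorted({"postfix", syslog_name})
    alternatives = "|".join(re.escape(n) for n in names)
    # Assumed tag layout: " <syslog_name>/<daemon>[<pid>]:"
    tag = re.compile(r"\s(?:" + alternatives + r")/[\w-]+\[\d+\]:")
    return [ln for ln in lines if tag.search(ln)]


def overlap(lines, name_a, name_b):
    """Entries that would be counted in both per-instance reports."""
    in_b = set(select(lines, name_b))
    return [ln for ln in select(lines, name_a) if ln in in_b]


if __name__ == "__main__":
    for name in ("postfix-in", "postfix-out"):
        print(name, "report sees", len(select(SAMPLE_LOG, name)), "entries")
    for ln in overlap(SAMPLE_LOG, "postfix-in", "postfix-out"):
        print("counted twice:", ln)
```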

           The Pflogsumm Home Page is at:

               http://jimsun.LinxNet.com/postfix_contrib.html

REQUIREMENTS
           Pflogsumm requires the Date::Calc module, which can be obtained from
           CPAN at http://www.perl.com.

           Pflogsumm is currently written and tested under Perl 5.005_03.
           As of version 19990413-02, pflogsumm worked with Perl 5.003, but
           future compatibility is not guaranteed.

LICENSE
           This program is free software; you can redistribute it and/or
           modify it under the terms of the GNU General Public License
           as published by the Free Software Foundation; either version 2
           of the License, or (at your option) any later version.

           This program is distributed in the hope that it will be useful,
           but WITHOUT ANY WARRANTY; without even the implied warranty of
           MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
           GNU General Public License for more details.

           You may have received a copy of the GNU General Public License
           along with this program; if not, write to the Free Software
           Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
           USA.

           An on-line copy of the GNU General Public License can be found
           at http://www.fsf.org/copyleft/gpl.html.

3rd Berkeley Distribution            1.1.0                        PFLOGSUMM(1)