PFLOGSUMM(1)          User Contributed Perl Documentation          PFLOGSUMM(1)

NAME
    pflogsumm.pl - Produce Postfix MTA logfile summary

    Copyright (C) 1998-2003 by James S. Seymour, Release 1.1.0.

SYNOPSIS
    pflogsumm.pl -[eq] [-d <today|yesterday>] [-h <cnt>] [-u <cnt>]
        [--verp_mung[=<n>]] [--verbose_msg_detail] [--iso_date_time]
        [-m|--uucp_mung] [-i|--ignore_case] [--smtpd_stats] [--mailq]
        [--problems_first] [--rej_add_from] [--no_bounce_detail]
        [--no_deferral_detail] [--no_reject_detail] [--no_no_msg_size]
        [--no_smtpd_warnings] [--zero_fill] [--syslog_name=string]
        [file1 [filen]]

    pflogsumm.pl -[help|version]

    If no file(s) specified, reads from stdin.  Output is to stdout.

DESCRIPTION
    Pflogsumm is a log analyzer/summarizer for the Postfix MTA.  It is
    designed to provide an over-view of Postfix activity, with just enough
    detail to give the administrator a "heads up" for potential trouble
    spots.

    Pflogsumm generates summaries and, in some cases, detailed reports of
    mail server traffic volumes, rejected and bounced email, and server
    warnings, errors and panics.

OPTIONS
    -d today       generate report for just today
    -d yesterday   generate report for just "yesterday"

    -e             extended (extreme? excessive?) detail

                   Emit detailed reports.  At present, this includes
                   only a per-message report, sorted by sender domain,
                   then user-in-domain, then by queue i.d.

                   WARNING: the data built to generate this report can
                   quickly consume very large amounts of memory if a
                   lot of log entries are processed!

    -h <cnt>       top <cnt> to display in host/domain reports.

                   0 = none.

                   See also: "-u" and "--no_*_detail" for further
                   report-limiting options.

    --help         Emit short usage message and bail out.

                   (By happy coincidence, "-h" alone does much the same,
                   being as it requires a numeric argument :-).  Yeah, I
                   know: lame.)

    -i
    --ignore_case  Handle complete email address in a case-insensitive
                   manner.

                   Normally pflogsumm lower-cases only the host and
                   domain parts, leaving the user part alone.  This
                   option causes the entire email address to be
                   lower-cased.

    --iso_date_time

                   For summaries that contain date or time information,
                   use ISO 8601 standard formats (CCYY-MM-DD and HH:MM),
                   rather than "Mon DD CCYY" and "HHMM".

    -m             modify (mung?) UUCP-style bang-paths
    --uucp_mung

                   This is for use when you have a mix of Internet-style
                   domain addresses and UUCP-style bang-paths in the log.
                   Upstream UUCP feeds sometimes mung Internet domain
                   style address into bang-paths.  This option can
                   sometimes undo the "damage".  For example:
                   "somehost.dom!username@foo" (where "foo" is the next
                   host upstream and "somehost.dom" was whence the email
                   originated) will get converted to
                   "foo!username@somehost.dom".  This also affects the
                   extended detail report (-e), to help ensure that
                   by-domain-by-name sorting is more accurate.

    --mailq        Run "mailq" command at end of report.

                   Merely a convenience feature.  (Assumes that "mailq"
                   is in $PATH.  See "$mailqCmd" variable to path this
                   if desired.)

    --no_bounce_detail
    --no_deferral_detail
    --no_reject_detail

                   Suppresses the printing of the following detailed
                   reports, respectively:

                       message bounce detail (by relay)
                       message deferral detail
                       message reject detail

                   See also: "-u" and "-h" for further report-limiting
                   options.

    --no_no_msg_size

                   Do not emit report on "Messages with no size data".

                   Message size is reported only by the queue manager.
                   The message may be delivered long-enough after the
                   (last) qmgr log entry that the information is not in
                   the log(s) processed by a particular run of
                   pflogsumm.pl.  This throws off "Recipients by message
                   size" and the total for "bytes delivered."  These are
                   normally reported by pflogsumm as "Messages with no
                   size data."

    --no_smtpd_warnings

                   On a busy mail server, say at an ISP, SMTPD warnings
                   can result in a rather sizeable report.  This option
                   turns reporting them off.

    --problems_first

                   Emit "problems" reports (bounces, defers, warnings,
                   etc.) before "normal" stats.

    --rej_add_from
                   For those reject reports that list IP addresses or
                   host/domain names: append the email from address to
                   each listing.  (Does not apply to "Improper use of
                   SMTP command pipelining" report.)

    -q             quiet - don't print headings for empty reports

                   note: headings for warning, fatal, and "master"
                   messages will always be printed.

    --smtpd_stats

                   Generate smtpd connection statistics.

                   The "per-day" report is not generated for single-day
                   reports.  For multiple-day reports: "per-hour" numbers
                   are daily averages (reflected in the report heading).

    --syslog_name=name

                   Set the syslog_name to look for in Postfix log entries.

                   By default, pflogsumm looks for entries in logfiles
                   with a syslog name of "postfix," the default.
                   If you've set a non-default "syslog_name" parameter
                   in your Postfix configuration, use this option to
                   tell pflogsumm what that is.

                   See the discussion about the use of this option under
                   "NOTES," below.

    -u <cnt>       top <cnt> to display in user reports.  0 == none.

                   See also: "-h" and "--no_*_detail" for further
                   report-limiting options.

    --verbose_msg_detail

                   For the message deferral, bounce and reject summaries:
                   display the full "reason", rather than a truncated one.

                   Note: this can result in quite long lines in the report.

    --verp_mung    do "VERP" generated address (?) munging.  Convert
    --verp_mung=2  sender addresses of the form
                   "list-return-NN-someuser=some.dom@host.sender.dom"
                   to
                   "list-return-ID-someuser=some.dom@host.sender.dom"

                   In other words: replace the numeric value with "ID".

                   By specifying the optional "=2" (second form), the
                   munging is more "aggressive", converting the address
                   to something like:

                       "list-return@host.sender.dom"

                   Actually: specifying anything less than 2 does the
                   "simple" munging and anything greater than 1 results
                   in the more "aggressive" hack being applied.

                   See "NOTES" regarding this option.

    --version      Print program name and version and bail out.

    --zero_fill    "Zero-fill" certain arrays so reports come out with
                   data in columns that might otherwise be blank.

RETURN VALUE
    Pflogsumm doesn't return anything of interest to the shell.

ERRORS
    Error messages are emitted to stderr.

EXAMPLES
    Produce a report of previous day's activities:

        pflogsumm.pl -d yesterday /var/log/maillog

    A report of prior week's activities (after logs rotated):

        pflogsumm.pl /var/log/maillog.0

    What's happened so far today:

        pflogsumm.pl -d today /var/log/maillog

    Crontab entry to generate a report of the previous day's activity
    at 10 minutes after midnight.

        10 0 * * * /usr/local/sbin/pflogsumm -d yesterday /var/log/maillog
        2>&1 |/usr/bin/mailx -s "`uname -n` daily mail stats" postmaster

    Crontab entry to generate a report for the prior week's activity.
    (This example assumes one rotates one's mail logs weekly, some time
    before 4:10 a.m. on Sunday.)

        10 4 * * 0 /usr/local/sbin/pflogsumm /var/log/maillog.0
        2>&1 |/usr/bin/mailx -s "`uname -n` weekly mail stats" postmaster

    The two crontab examples, above, must actually be a single line
    each.  They're broken-up into two-or-more lines due to page
    formatting issues.

SEE ALSO
    The pflogsumm FAQ: pflogsumm-faq.txt.

NOTES
    Pflogsumm makes no attempt to catch/parse non-Postfix log
    entries.  Unless it has "postfix/" in the log entry, it will be
    ignored.

    It's important that the logs are presented to pflogsumm in
    chronological order so that message sizes are available when
    needed.

    For display purposes: integer values are munged into "kilo" and
    "mega" notation as they exceed certain values.  I chose the
    admittedly arbitrary boundaries of 512k and 512m as the points at
    which to do this--my thinking being 512x was the largest number
    (of digits) that most folks can comfortably grok at-a-glance.
    These are "computer" "k" and "m", not 1000 and 1,000,000.  You
    can easily change all of this with some constants near the
    beginning of the program.

    "Items-per-day" reports are not generated for single-day
    reports.  For multiple-day reports: "Items-per-hour" numbers are
    daily averages (reflected in the report headings).

    Message rejects, reject warnings, holds and discards are all
    reported under the "rejects" column for the Per-Hour and Per-Day
    traffic summaries.

    Verp munging may not always result in correct address and
    address-count reduction.

    Verp munging is always in a state of experimentation.  The use
    of this option may result in inaccurate statistics with regards
    to the "senders" count.

    UUCP-style bang-path handling needs more work.  Particularly if
    Postfix is not being run with "swap_bangpath = yes" and/or *is* being
    run with "append_dot_mydomain = yes", the detailed by-message report
    may not be sorted correctly by-domain-by-user.  (Also depends on
    upstream MTA, I suspect.)

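    How the two munging options change the "senders" count, as an added
    example (not pflogsumm's own code).  The helper names, the regular
    expressions and the sample addresses are assumptions made for
    illustration; only the before/after address forms come from this page.

```python
import re

# Hypothetical helpers approximating the munging described in this page.
# The patterns are assumptions, not pflogsumm's own regular expressions.

def verp_mung(addr, level=1):
    local, at, domain = addr.rpartition("@")
    if not at:
        return addr
    # Simple form: "list-return-42-user=some.dom" -> "list-return-ID-user=some.dom"
    munged = re.sub(r"(?<=-)\d+(?=-[^-=]+=[^=]+$)", "ID", local)
    # Aggressive form (level > 1): also drop the encoded recipient.
    if level > 1 and munged != local:
        munged = re.sub(r"-ID-[^-=]+=[^=]+$", "", munged)
    return f"{munged}@{domain}"

def uucp_mung(addr):
    # "origin.dom!user@upstream" -> "upstream!user@origin.dom"; applied only
    # when the host after "@" is a bare (dot-less) name, as in the page's example.
    m = re.fullmatch(r"((?:[^!@]+!)*)([^!@]+)!([^!@]+)@([^.!@]+)", addr)
    if not m:
        return addr
    prefix, origin, user, upstream = m.groups()
    return f"{prefix}{upstream}!{user}@{origin}"

# Constructed sender addresses, as they might appear in from=<...> log fields.
SAMPLE_SENDERS = [
    "list-return-101-alice=example.org@lists.example.net",
    "list-return-102-bob=example.com@lists.example.net",
    "list-return-103-alice=example.org@lists.example.net",
    "somehost.dom!username@foo",
    "carol@example.com",
]

def distinct_senders(senders, verp_level=None, uucp=False):
    """Count distinct senders after the selected munging is applied."""
    seen = set()
    for addr in senders:
        if uucp:
            addr = uucp_mung(addr)
        if verp_level is not None:
            addr = verp_mung(addr, verp_level)
        seen.add(addr)
    return len(seen)

if __name__ == "__main__":
    for level in (None, 1, 2):
        print(level, distinct_senders(SAMPLE_SENDERS, level, uucp=True))
```

    A VERP local part that does not fit the assumed pattern (for example a
    user name containing "-") is left unmunged, which is one way the
    address-count reduction can come out wrong.
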
    The "percent rejected" and "percent discarded" figures are only
    approximations.  They are calculated as follows (example is for
    "percent rejected"):

        percent rejected =

            (rejected / (delivered + rejected + discarded)) * 100

    There are some issues with the use of --syslog_name.  The problem is
    that, even with $syslog_name set, Postfix will sometimes still log
    things with "postfix" as the syslog_name.  This is noted in
    /etc/postfix/sample-misc.cf:

        # Beware: a non-default syslog_name setting takes effect only
        # after process initialization. Some initialization errors will be
        # logged with the default name, especially errors while parsing
        # the command line and errors while accessing the Postfix main.cf
        # configuration file.

    As a consequence, pflogsumm must always look for "postfix," in logs,
    as well as whatever is supplied for syslog_name.

    Where this becomes an issue is where people are running two or more
    instances of Postfix, logging to the same file.  In such a case:

        . Neither instance may use the default "postfix" syslog name
          and...

        . Log entries that fall victim to what's described in
          sample-misc.cf will be reported under "postfix", so that if
          you're running pflogsumm twice, once for each syslog_name, such
          log entries will show up in each report.

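    The overlap described above, as an added example (not pflogsumm's own
    code).  It assumes traditional syslog lines whose fifth field is
    "name/daemon[pid]:"; the instance names "postfix-in" and "postfix-out"
    and the log lines are constructed.

```python
# Constructed sample: two Postfix instances logging to one file, plus one
# start-up error logged under the default "postfix" name and one non-Postfix line.
SAMPLE_LOG = """\
Mar  3 00:00:01 mx postfix/postsuper[811]: fatal: constructed start-up error
Mar  3 00:00:05 mx postfix-in/smtpd[901]: connect from unknown[192.0.2.10]
Mar  3 00:00:06 mx postfix-in/smtpd[901]: disconnect from unknown[192.0.2.10]
Mar  3 00:00:09 mx postfix-out/qmgr[950]: 4F1A2B3C4D: removed
Mar  3 00:00:12 mx sshd[1000]: constructed non-Postfix entry
"""

def syslog_tag(line):
    """Return the part before "/" in the program field, or None."""
    fields = line.split(None, 5)  # month, day, time, host, program, message
    if len(fields) < 5 or "/" not in fields[4]:
        return None
    return fields[4].split("/", 1)[0]

def selected(log, syslog_name):
    """Indices of the lines a run for syslog_name picks up: that name plus
    the default "postfix", following the rule stated in NOTES."""
    wanted = {"postfix", syslog_name}
    return [i for i, line in enumerate(log.splitlines())
            if syslog_tag(line) in wanted]

def double_counted(log, names):
    """Indices of lines that land in more than one per-instance report."""
    seen, dup = set(), set()
    for name in names:
        for i in selected(log, name):
            (dup if i in seen else seen).add(i)
    return sorted(dup)

if __name__ == "__main__":
    names = ["postfix-in", "postfix-out"]
    for name in names:
        print(name, selected(SAMPLE_LOG, name))
    print("in both reports:", double_counted(SAMPLE_LOG, names))
```

    When per-instance reports are added together, the lines returned by
    double_counted() are the ones to subtract once.
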
    The Pflogsumm Home Page is at:

        http://jimsun.LinxNet.com/postfix_contrib.html

REQUIREMENTS
    Pflogsumm requires the Date::Calc module, which can be obtained from
    CPAN at http://www.perl.com.

    Pflogsumm is currently written and tested under Perl 5.005_03.
    As of version 19990413-02, pflogsumm worked with Perl 5.003, but
    future compatibility is not guaranteed.

LICENSE
    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
    as published by the Free Software Foundation; either version 2
    of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You may have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
    USA.

    An on-line copy of the GNU General Public License can be found
    at http://www.fsf.org/copyleft/gpl.html.

3rd Berkeley Distribution             1.1.0                        PFLOGSUMM(1)