Discussion:
rsyslog filter
Ulli Horlacher
2024-05-07 10:49:43 UTC
I want rsyslog to additionally store the messages from amavis in a separate
file. For that I configured:


***@tandem:/etc/rsyslog.d# cat 00-isodate.conf
# https://www.rsyslog.com/doc/configuration/properties.html
$template ISO8601,"%timereported:::date-pgsql% %msg%\n"
$template ISO8601_withtag,"%timereported:::date-pgsql% %syslogtag%%msg%\n"
$ActionFileDefaultTemplate ISO8601_withtag

***@tandem:/etc/rsyslog.d# cat 15-mail,conf
:msg,ereregex,"ClamAV.*FAILED|amavis.*!" /var/log/mail.err
:syslogtag,contains,"amavis" /var/log/amavis.log


Unfortunately, it doesn't work:


***@tandem:/etc/rsyslog.d# ll /var/log/amavis.log
ll: cannot access '/var/log/amavis.log' - No such file or directory

***@tandem:/etc/rsyslog.d# grep amavis /var/log/syslog | tail -2
2024-05-07 12:32:43 amavis[99235]: (99235-03) Checking: 0rA0lcjA57Hy [145.253.228.164] <> -> <liste-***@tandem-fahren.de>
2024-05-07 12:32:45 amavis[99381]: (99235-03) SA info: util: setuid: ruid=112 euid=112 rgid=121 119 121 egid=121 119 121


Where is the error?
--
Ullrich Horlacher          Servers and Virtualization
Rechenzentrum TIK
Universitaet Stuttgart     E-Mail: ***@tik.uni-stuttgart.de
Allmandring 30a            Tel: ++49-711-68565868
70569 Stuttgart (Germany)  WWW: https://www.tik.uni-stuttgart.de/
Marc Haber
2024-05-07 13:44:10 UTC
Post by Ulli Horlacher
Where is the error?
I can't tell you that, but I can tell you how I solved it on my name
servers:

|1 [1/4186]***@alemana:~ $ cat /etc/rsyslog.d/50_named.conf
|if ($programname == "named") and ($pri-text == "daemon.info") then {
|/var/log/syslog/named
|stop
|}

Presumably it is even faster, because it gets by without a regexp.

Does that help you?

Regards
Marc

P.S.: Now at least I also know why the error messages that appear at
startup end up in the regular syslog after all: they are simply logged
with a higher priority than info. Thanks for motivating me to take a
look at that.
--
----------------------------------------------------------------------------
Marc Haber         | " Questions are the             | Mail address in the header
Rhein-Neckar, DE   |  Beginning of Wisdom "          |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir"   | Fon: *49 6224 1600402
Ulli Horlacher
2024-05-08 06:58:40 UTC
Post by Marc Haber
I can't tell you that, but I can tell you how I solved it on my name
|if ($programname == "named") and ($pri-text == "daemon.info") then {
|/var/log/syslog/named
|stop
|}
Unfortunately, that doesn't work for me either:

***@tandem:/etc/rsyslog.d# cat 15-mail.conf
:msg,ereregex,"ClamAV.*FAILED|amavis.*!" /var/log/mail.err

# :syslogtag,contains,"amavis" /var/log/amavis.log
if ($programname == "amavis") then { /var/log/amavis.log }

***@tandem:/etc/rsyslog.d# systemctl restart rsyslog
***@tandem:/etc/rsyslog.d# systemctl restart amavis
***@tandem:/etc/rsyslog.d# systemctl status amavis
* amavis.service - Interface between MTA and virus scanner/content filters
Loaded: loaded (/lib/systemd/system/amavis.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2024-05-08 08:50:28 CEST; 3s ago
Docs: http://www.ijs.si/software/amavisd/#doc
Process: 11492 ExecStartPre=/usr/bin/find /var/lib/amavis -maxdepth 1 -name amavis-* -type d -exec rm -rf {} ; (code=exited, status=0/SUCCESS)
Process: 11493 ExecStartPre=/usr/bin/find /var/lib/amavis/tmp -maxdepth 1 -name amavis-* -type d -exec rm -rf {} ; (code=exited, status=0/SUCCESS)
Main PID: 11495 (/usr/sbin/amavi)
Tasks: 1 (limit: 6974)
Memory: 133.1M
CPU: 2.507s
CGroup: /system.slice/amavis.service
`-11495 "/usr/sbin/amavisd-new (master)"

May 08 08:50:29 tandem amavis[11495]: No decoder for .lrz
May 08 08:50:29 tandem amavis[11495]: No decoder for .lz4
May 08 08:50:29 tandem amavis[11495]: No decoder for .lzo
May 08 08:50:29 tandem amavis[11495]: No decoder for .zoo
May 08 08:50:29 tandem amavis[11495]: Using primary internal av scanner code for ClamAV-clamd
May 08 08:50:29 tandem amavis[11495]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
May 08 08:50:29 tandem amavis[11495]: Deleting db files nanny.db,__db.003,__db.001,snmp.db,__db.002 in /var/lib/amavis/db
May 08 08:50:29 tandem amavis[11495]: Creating db in /var/lib/amavis/db/; BerkeleyDB 0.64, libdb 5.3
May 08 08:50:30 tandem amavis[11495]: initializing Mail::SpamAssassin (0)
May 08 08:50:31 tandem amavis[11495]: SA info: zoom: able to use 406/406 'body_0' compiled rules (100%)

***@tandem:/etc/rsyslog.d# l /var/log/amavis
l: cannot access '/var/log/amavis' - No such file or directory

***@tandem:/etc/rsyslog.d# grep amavis /var/log/syslog | tail
2024-05-08 08:50:29 amavis[11495]: No decoder for .zoo
2024-05-08 08:50:29 amavis[11495]: Using primary internal av scanner code for ClamAV-clamd
2024-05-08 08:50:29 amavis[11495]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
2024-05-08 08:50:29 amavis[11495]: Deleting db files nanny.db,__db.003,__db.001,snmp.db,__db.002 in /var/lib/amavis/db
2024-05-08 08:50:29 amavis[11495]: Creating db in /var/lib/amavis/db/; BerkeleyDB 0.64, libdb 5.3
2024-05-08 08:50:30 amavis[11495]: initializing Mail::SpamAssassin (0)
2024-05-08 08:50:31 amavis[11495]: SA info: zoom: able to use 406/406 'body_0' compiled rules (100%)
Ulli Horlacher
2024-05-08 07:06:05 UTC
Post by Ulli Horlacher
* amavis.service - Interface between MTA and virus scanner/content filters
[…]
May 08 08:50:29 tandem amavis[11495]: No decoder for .lrz
[…]
2024-05-08 08:50:29 amavis[11495]: No decoder for .zoo
[…]
BTW:
(How) can one teach systemctl a sensible ISO date?
Tim Landscheidt
2024-05-08 14:45:33 UTC
Post by Ulli Horlacher
[…]
(How) can one teach systemctl a sensible ISO date?
„systemctl status -o short-iso amavis“. The formats are described in
journalctl(1).

Tim
Ulli Horlacher
2024-05-08 23:29:41 UTC
Post by Ulli Horlacher
[…]
(How) can one teach systemctl a sensible ISO date?
Post by Tim Landscheidt
„systemctl status -o short-iso amavis“. The formats are described in
journalctl(1).
None of that is "sensible".
It would have surprised me if systemd had anything usable...
Tim Landscheidt
2024-05-09 07:46:27 UTC
Post by Ulli Horlacher
[…]
(How) can one teach systemctl a sensible ISO date?
Post by Tim Landscheidt
„systemctl status -o short-iso amavis“. The formats are described in
journalctl(1).
Post by Ulli Horlacher
None of that is "sensible".
„short-iso“ is the format from ISO 8601 and a blink away from your
private syslog format.
Post by Ulli Horlacher
It would have surprised me if systemd had anything usable...
Who would have thought.

Tim

Thomas Dorner
2024-05-08 15:45:12 UTC
Post by Ulli Horlacher
(How) can one teach systemctl a sensible ISO date?
--output=...
(man journalctl)

Best regards, Thomas
--
Address is only valid for a short time!
Ulli Horlacher
2024-05-08 07:08:12 UTC
Post by Ulli Horlacher
:msg,ereregex,"ClamAV.*FAILED|amavis.*!" /var/log/mail.err
# :syslogtag,contains,"amavis" /var/log/amavis.log
if ($programname == "amavis") then { /var/log/amavis.log }
                                     ^^^^^^^^^^^^^^^^^^^
Post by Ulli Horlacher
l: cannot access '/var/log/amavis' - No such file or directory
ARGHH!!
One really should READ what one has written oneself :-}
Ulli Horlacher
2024-05-08 07:04:31 UTC
Post by Ulli Horlacher
***@tandem:/etc/rsyslog.d# cat 15-mail,conf
                                      ^
Post by Ulli Horlacher
Where is the error?
There
^^

HMPF :-}
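As an added example, not from the thread: a small shell helper that flags files in an rsyslog.d directory which rsyslog never loads because they do not match the usual `$IncludeConfig /etc/rsyslog.d/*.conf` glob (the comma in `15-mail,conf` above), writes the amavis filter in the RainerScript form Marc showed, and runs rsyslogd's own config check. The template name, file paths and regex come from the thread; `find_ignored_rsyslog_files`, `write_amavis_filter` and `check_rsyslog_config` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread). The thread turns on two things:
#  1. rsyslog.conf includes /etc/rsyslog.d/*.conf, so a file named
#     "15-mail,conf" (comma instead of dot) is silently never loaded.
#  2. The RainerScript form of the filter, as in Marc's named example.

# List regular files in DIR that rsyslog ignores because they do not match
# the *.conf include glob. Returns 1 if any exist, 0 otherwise.
find_ignored_rsyslog_files() {
    dir="${1:-/etc/rsyslog.d}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.conf) ;;
            *) echo "not loaded by rsyslog (not *.conf): $f"; rc=1 ;;
        esac
    done
    return $rc
}

# Write the amavis filter in RainerScript form to DIR/15-mail.conf.
# Assumes the ISO8601_withtag template from 00-isodate.conf is defined.
write_amavis_filter() {
    dir="${1:-/etc/rsyslog.d}"
    cat > "$dir/15-mail.conf" <<'EOF'
# Legacy rule kept from the original config: scanner failures to mail.err
:msg,ereregex,"ClamAV.*FAILED|amavis.*!" /var/log/mail.err

# Copy everything amavis logs to its own file. No "stop" here, so the
# messages still reach /var/log/syslog through the default rules.
if ($programname == "amavis") then {
    action(type="omfile" file="/var/log/amavis.log" template="ISO8601_withtag")
}
EOF
}

# Validate the resulting configuration without starting the daemon
# (rsyslogd -N1), if rsyslogd is installed on this host.
check_rsyslog_config() {
    conf="${1:-/etc/rsyslog.conf}"
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$conf"
    else
        echo "rsyslogd not installed; skipping syntax check" >&2
    fi
}
```

Run `find_ignored_rsyslog_files` after every edit in /etc/rsyslog.d and `check_rsyslog_config` before `systemctl restart rsyslog`; a filter that is never loaded produces no error message at all, only a missing log file.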