Postfix log filtering and configuring the Linux rsyslog logging module
Some Linux systems may still be running syslog; rsyslog is an extension built on top of it, which means it is compatible with syslog's configuration.
The output of its man rsyslog.conf is far too thin to work out what is going on; I only understood it after reading the official website.
My requirement was to have the log produced by postfix record only the content I care about in a separate file: just the two pieces of information, whether a relayed SMTP delivery succeeded or failed.
Postfix writes its log by calling rsyslog, so the work to be done is configuring rsyslog.
My understanding is that rsyslog has several kinds of sources (facilities) that ask it to record messages: "The facility is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7."
Then there is the log level (priority): "The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg)."
They are combined in the form
facility.priority
to specify which facility and which priority a rule line applies to. For example mail.* means all priorities of mail, and mail.debug means the debug level; there are also forms like mail.=notice (together with mail.debug) that record only notice and debug into one file. That is how the message selector is specified.
Next comes the format in which messages are written; one message per line is generally best. This is done with $template name(referenced later),"format rule", for example: $template mailOkFail,"%timegenerated% %msg%\n". The directive must be on a line of its own. It defines a template named mailOkFail whose content is: default timestamp, log message, newline. It is then referenced with ;templatename after the destination.
The file the log is written to is -/var/log/mail.debug
so each rule is written as one line of the form: selector, then destination,
for example
daemon.* -/var/log/daemon.log
which means put all logs of that facility into the file at the path that follows. As for the -, I still don't understand what it does; I haven't read all the documentation.
After filtering by facility.priority you may, like me, still need to filter some messages out; rsyslog also provides content-level filtering of the messages at a given level, for example
if ($syslogtag startswith 'postfix/smtp[') and not ($msg contains 'to=<service@myhrd.cn>' or $msg startswith 'connect to ') then /var/log
Its meaning is the same as if in other languages: if the condition holds, the log message is written to the file that follows. The comparison operators mean what their English words say. This is documented at http://www.rsyslog.com/doc/rsyslog_conf_filter.html. I think if is the most useful; the other filter forms do not seem to allow multiple conditions.
Once it is configured (the configuration file is shown by root@chrd-edm:/etc/rsyslog.d# cat 50-default.conf),
if you want to see how the mail log configuration behaves, first delete all the mail logs by running rm mail*.
Then restart rsyslog so it regenerates the log files. It seems the user and group used to write these files are configured, and if you delete them without restarting you will not see the files regenerated; it seems to create them only at restart, not by detecting a missing file when a log request arrives.
root@chrd-edm:/etc/rsyslog.d# cat 50-default.conf
# Default rules for rsyslog.
#
# For more information see rsyslog.conf(5) and /etc/rsyslog.conf
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
#only log smtp ok or fail. The key part is this section up to the blank line below: it lets the noisy debug log below record only smtp ok and failure into mail.smtp
$template mailOkFail,"%timegenerated% %msg%\n"
if ($syslogtag startswith 'postfix/smtp[') and not ($msg contains 'to=<service@myhrd.cn>' or $msg startswith 'connect to ') then /var/log/mail.smtp;mailOkFail
#end smtp
mail.debug -/var/log/mail.debug
mail.info -/var/log/mail.info
#mail.notice -/var/log/mail.notice
mail.warning -/var/log/mail.warning
#mail.warn -/var/log/mail.warn
#mail.error -/var/log/mail.error
#mail.err /var/log/mail.err
#mail.crit -/var/log/mail.crit
#mail.alert -/var/log/mail.alert
#mail.emerg -/var/log/mail.emerg
#mail.panic -/var/log/mail.panic
#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
-------------
mail.debug /var/log/mail.debug
This configuration produces the following log:
Nov 15 15:31:58 chrd-edm postfix/smtp[23044]: 3FBFA101459: to=<366334509@qq.com>, relay=mx3.qq.com[112.90.142.53]:25, delay=18626, delays=0.06/18618/4.1/2.9, dsn=2.0.0, status=sent (250 Ok: queued as )
Nov 15 15:31:58 chrd-edm postfix/qmgr[20433]: 3FBFA101459: removed
Nov 15 15:32:01 chrd-edm postfix/smtpd[23253]: connect from localhost[127.0.0.1]
Nov 15 15:32:01 chrd-edm postfix/smtpd[23253]: 524E2101459: client=localhost[127.0.0.1]
Nov 15 15:32:01 chrd-edm postfix/cleanup[23243]: 524E2101459: message-id=<4ec2157150df4@myhrd.cn>
Nov 15 15:32:01 chrd-edm postfix/qmgr[20433]: 524E2101459: from=<service@myhrd.cn>, size=1666, nrcpt=1 (queue active)
Nov 15 15:32:01 chrd-edm postfix/smtpd[23253]: disconnect from localhost[127.0.0.1]
After the change:
#only log smtp ok or fail. The key part is this section up to the blank line below: it lets the noisy debug log below record only smtp ok and failure into mail.smtp
$template mailOkFail,"%timegenerated% %msg%\n"
if ($syslogtag startswith 'postfix/smtp[') and not ($msg contains 'to=<service@myhrd.cn>' or $msg startswith 'connect to ') then /var/log/mail.smtp;mailOkFail
#end smtp
This configuration produces the following log:
Nov 15 15:31:58 3FBFA101459: to=<366334509@qq.com>, relay=mx3.qq.com[112.90.142.53]:25, delay=18626, delays=0.06/18618/4.1/2.9, dsn=2.0.0, status=sent (250 Ok: queued as )
Nov 15 15:32:05 73564104C90: to=<4034655433@163.com>, relay=163mx02.mxmail.netease.com[220.181.12.78]:25, delay=1.3, delays=0.08/1.1/0.04/0.09, dsn=2.0.0, status=sent (250 Mail OK queued as mx28,TsCowECpdUdVFcJO3CfmBQ--.1495S2 1321342293)
Nov 15 15:32:34 5D9E8100940: to=<36785011@qq.com>, relay=mx3.qq.com[112.95.240.190]:25, delay=18661, delays=0.07/18655/1.2/4.7, dsn=2.0.0, status=sent (250 Ok: queued as )
Nov 15 15:32:44 ABB30104CA1: to=<404001724@163.com>, relay=163mx01.mxmail.netease.com[220.181.12.65]:25, delay=11, delays=0.08/3/7.7/0.7, dsn=2.0.0, status=sent (250 Mail OK queued as mx15,QcCowEBZclZ0FcJOL4G2AQ--.1330S2 1321342331)
Nov 15 15:33:05 6F3E010145B: to=<36794443@qq.com>, relay=mx3.qq.com[112.90.142.116]:25, delay=18692, delays=0.09/18691/0.32/0.68, dsn=2.0.0, status=sent (250 Ok: queued as )
Since my real intent is to count the number of successful SMTP deliveries, this log needs to be clean so that it is easy to count.
rsyslog also allows redirecting the log to a website or to a program.
For example, directing it to a program is written as
mail.debug ^ /sbin/php /var/www/email/logrec.php
Written this way, the content of each log message is passed to PHP as an argument, i.e. the program's arg[1].
-------
More fine-grained sorting
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
#only log smtpd domain error
$template mailOkFail,"%timegenerated% %msg%\n"
if ($syslogtag startswith 'postfix/smtpd[') and ($msg contains 'Domain not found') then /var/log/mail.smtpd.domain.err;mailOkFail
#send ok
if ($syslogtag startswith 'postfix/smtp[') and ($msg contains 'status=sent') then /var/log/mail.smtp.sent;mailOkFail
#bound status=bounced
if ($syslogtag startswith 'postfix/smtp[') and ($msg contains 'status=bounced') then /var/log/mail.smtp.bounced;mailOkFail
#deferred
if ($syslogtag startswith 'postfix/smtp[') and ($msg contains 'status=deferred') then /var/log/mail.smtp.deferred;mailOkFail
But on inspection, the log contains neither the message subject (which would work to some extent, e.g. if no two messages share a subject) nor the sender (the sender is tied to the message and unique, because for outbound mail the recipient does not matter). Postfix would have to be changed so that every log line carries mail from and rcpt to; then messages could be told apart by mail from in the log and statistics kept per message.
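As an added example that is not part of the original post, here is a Python script that does the counting described above over lines in the shape the mailOkFail template produces (timestamp followed by the postfix message), tallying status=sent / bounced / deferred the way the fine-grained rules above split them into separate files. It also shows that in the raw mail.debug log the queue ID shared by a message's qmgr and smtp lines can be used to attach the from= sender to each delivery result. All sample lines, queue IDs, addresses, relays and timings are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape produced by the mailOkFail template
# ("%timegenerated% %msg%\n"): timestamp, then the postfix message with no
# host or syslogtag. Queue IDs, addresses, relays and timings are made up.
FILTERED_LINES = """\
Nov 15 15:31:58 3FBFA101459: to=<user1@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=18626, delays=0.06/18618/4.1/2.9, dsn=2.0.0, status=sent (250 Ok: queued as 12345)
Nov 15 15:32:05 73564104C90: to=<user2@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=1.3, delays=0.08/1.1/0.04/0.09, dsn=2.0.0, status=sent (250 Mail OK)
Nov 15 15:32:34 5D9E8100940: to=<user3@example.org>, relay=none, delay=0.2, delays=0.1/0/0/0.1, dsn=5.4.4, status=bounced (Host or domain name not found)
Nov 15 15:32:44 ABB30104CA1: to=<user4@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=30, delays=0.05/0/30/0, dsn=4.4.2, status=deferred (lost connection while receiving the initial server greeting)
"""

# Constructed raw lines as written to mail.debug (full syslog format) for one
# message; the queue ID 524E2101459 is what ties the qmgr and smtp lines together.
RAW_LINES = """\
Nov 15 15:32:01 mailhost postfix/qmgr[20433]: 524E2101459: from=<sender@example.com>, size=1666, nrcpt=1 (queue active)
Nov 15 15:32:02 mailhost postfix/smtp[23044]: 524E2101459: to=<user5@example.org>, relay=mx.example.org[192.0.2.30]:25, delay=1.0, delays=0.1/0.2/0.3/0.4, dsn=2.0.0, status=sent (250 Ok)
Nov 15 15:32:02 mailhost postfix/qmgr[20433]: 524E2101459: removed
"""

# One filtered line: "<timestamp> <queue id>: to=<addr>, relay=..., ..., dsn=..., status=<word> (...)"
FILTERED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)

# One raw syslog line from postfix: "<timestamp> <host> postfix/<proc>[<pid>]: <queue id>: <rest>"
RAW_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<proc>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)


def parse_filtered(text):
    """Parse mailOkFail-formatted lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = FILTERED_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def count_by_status(text):
    """Count deliveries per postfix status (sent / bounced / deferred)."""
    return Counter(r["status"] for r in parse_filtered(text))


def correlate_by_queue_id(text):
    """Join each smtp delivery line to the sender from the qmgr from= line that
    carries the same queue ID, so the result has the sender the filtered log lacks."""
    messages = defaultdict(lambda: {"from": None, "deliveries": []})
    for line in text.splitlines():
        m = RAW_RE.match(line)
        if not m:
            continue
        qid, proc, rest = m.group("qid"), m.group("proc"), m.group("rest")
        if proc == "qmgr" and rest.startswith("from=<"):
            messages[qid]["from"] = rest[len("from=<"):rest.index(">")]
        elif proc == "smtp" and rest.startswith("to=<"):
            d = re.match(r"to=<([^>]*)>.*\bstatus=(\w+)", rest)
            if d:
                messages[qid]["deliveries"].append((d.group(1), d.group(2)))
    return dict(messages)


if __name__ == "__main__":
    for status, n in sorted(count_by_status(FILTERED_LINES).items()):
        print(f"{status}: {n}")
    for qid, info in correlate_by_queue_id(RAW_LINES).items():
        print(qid, info["from"], info["deliveries"])
```

Point parse_filtered at the contents of /var/log/mail.smtp (or the per-status files from the fine-grained rules) to get the counts; correlate_by_queue_id reads the unfiltered mail.debug file instead, because the qmgr from= line is dropped by the syslogtag filter.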