Monday, 28 December 2009
Packages needed for building from source:
lm_sensors sysstat diffutils bzip2 gcc cpp gcc-c++ make autoconf libtool doxygen pkgconfig rpm-build
Tuesday, 22 December 2009
Setting up Splunk with Syslog-ng and a FIFO
Assumptions ¶
* You have a supported Splunk platform and root access to the server.
* You are installing Splunk 3.3.x or higher.
The facts at abc company ¶
What is a FIFO? ¶
FIFO is an old programming term that stands for First In, First Out. A more accurate name for what you are setting up is a named pipe: a special file on your UNIX system that receives input from one program and hands it to another. Think of it as a queue, not a stack: one program puts lines in at one end and another takes them out at the other, starting with the first line that went in.
Why Syslog-ng? ¶
Well, basically because the stock syslog daemon that ships with a typical UNIX is very limited. Syslog-ng is much more flexible and supports many things the standard daemon does not, including, but not limited to: multiple sources and destinations, extensive filtering with regex support, the ability to read from and write to pipes, and much more. It is also very light on system resources.
Syslog-ng installation ¶
Depending on your platform, the procedure for installing syslog-ng may vary widely. On Linux platforms, you will most likely be using RPM or Debs. On Solaris, it's quite likely that Sun Freeware will have a package that will work for you.
Examples for common platforms ¶
redhat variant# yum install syslog-ng
debian variant# apt-get install syslog-ng
gentoo# emerge syslog-ng
Run this command to install syslog-ng on abc company's servers:
server# yum install syslog-ng
To get the latest version, see Appendix E - Upgrading Syslog-ng.
Deactivating syslog ¶
Since syslog and syslog-ng serve the same purpose, deactivate syslog before starting syslog-ng:
/etc/rc.d/init.d/syslog stop
chmod 644 /etc/rc.d/init.d/syslog
chkconfig syslog off
rm -f /etc/logrotate.d/syslog
Creating the FIFO ¶
Select a place on your filesystem for the FIFO to live. It doesn't matter much where as the FIFO will only buffer a limited amount of lines that will consume an insignificant amount of resources. I would suggest /var as that is where most sockets and pipes on the system are located by default. I gave mine a subdirectory called syslog-ng for the sake of tidiness.
Example command to create the FIFO: ¶
server# mkfifo /opt/syslog_fifo
Remember this location, as you will need to put it in both the syslog-ng and the Splunk config files, and make sure the user Splunk runs as can read the FIFO (Splunk only needs read access; syslog-ng, running as root, is the writer).
Configuring syslog-ng ¶
In most installs of syslog-ng, your main configuration file will be located in /usr/local/etc/syslog-ng.conf (or /etc/syslog-ng.conf; distribution packages usually use /etc/syslog-ng/syslog-ng.conf). At a minimum, you will need to set up a source that accepts remote connections (assuming that you wish to send logs from multiple systems to be included in your Splunk index) and a destination for your FIFO. It would also be wise to log to a location on the filesystem. Here's the first bit:
source remote {
udp();
};
destination splunk {
pipe("/opt/syslog_fifo");
};
log {
source(remote);
destination(splunk);
};
That is sufficient to send the logs only to your named pipe. Note that udp() with no options listens on port 514 on every interface and accepts unauthenticated datagrams from anyone who can reach it, so bind it to the collector's address with ip() and restrict the port with a firewall rule. I would also recommend that you set up syslog-ng to log to a location on the local filesystem like so:
destination hosts {
file("/opt/hosts/$HOST/messages"
owner(root) group(logs) perm(0640) dir_perm(0750) create_dirs(yes));
};
log {
source(remote);
destination(hosts);
};
Note that $HOST is a macro that syslog-ng replaces with the hostname of the system that sent the message (a host that lies about its name inside the packet therefore picks its own directory; see the keep_hostname option if you would rather use the sender's address). It's quite handy. create_dirs(yes) automatically creates the subdirectories if they do not exist.
See Appendix A for the initial configuration of syslog-ng at abc company.
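The pieces above combined into one working fragment, added here as an example rather than the page's own configuration. It keeps the paths and permissions used above and the page's 192.168.XX.YY placeholder for the collector's own address; both destinations hang off a single log statement, the listener is bound to one address instead of every interface, and $HOST is taken from the sending address (so directories are named by IP) rather than from the spoofable hostname inside the message. Check it with syslog-ng -s -f <file> before restarting.

```conf
# Added example, not the page's own config. 192.168.XX.YY is the page's
# placeholder for the collector's address; replace it before use.
options {
    use_dns(no);          # no reverse lookups in the receive path
    keep_hostname(no);    # $HOST = sending address, not the name claimed in the packet
    chain_hostnames(no);
    create_dirs(yes);
};

# Bind the listener to the collector address only; with no ip() it listens on
# every interface. UDP syslog is unauthenticated, so also firewall port 514
# to the networks that are supposed to send logs.
source remote {
    udp(ip(192.168.XX.YY) port(514));
};

destination splunk {
    pipe("/opt/syslog_fifo");
};

destination hosts {
    file("/opt/hosts/$HOST/messages"
         owner(root) group(logs) perm(0640) dir_perm(0750) create_dirs(yes));
};

# One log path feeding both destinations.
log {
    source(remote);
    destination(hosts);
    destination(splunk);
};
```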
Configuring Splunk ¶
For this portion, I will assume that Splunk was installed in its default location of /opt. If you have installed it in a different location, adjust the paths accordingly.
inputs.conf (3.x.x) ¶
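The page leaves this section empty. As an added example, not the page's own configuration, the stanza below is the form Splunk's inputs.conf uses for a named-pipe input, placed in $SPLUNK_HOME/etc/system/local/inputs.conf; the path is the FIFO created above and the sourcetype is an assumption. Check the stanza against the inputs.conf.spec shipped with your Splunk version before relying on it.

```ini
# Added example, not from the original page; verify against your version's inputs.conf.spec
[fifo:///opt/syslog_fifo]
sourcetype = syslog
disabled = false
```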
Splunk Init script ¶
As root, you run:
splunk enable boot-start
This will create an init script (or other configuration change) appropriate for your operating system.
Reference:
http://www.splunk.com/doc/latest/installation/ConfigSystemStartup
http://www.splunk.com/doc/latest/installation/RunningNonRoot
Making a secondary syslog-ng server ¶
Running a second syslog-ng instance reduces the risk of losing log data.
Installing the secondary server is no different from installing the primary, apart from the configuration file. The differences, primary versus secondary:
* Destination directive d_local:
Primary: file("/opt/syslog-ng/192.168.XX.YY/$YEAR/$MONTH/$DAY/$FACILITY.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
Secondary: file("/opt/syslog-ng/$YEAR/$MONTH/$DAY/192.168.XX.YY/$FACILITY.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
* Destination directive d_separatedbyhosts:
Primary: file("/opt/syslog-ng/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
Secondary: file("/opt/syslog-ng/$YEAR/$MONTH/$DAY/$HOST/$FACILITY.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
* Forward to Splunk: primary yes; secondary currently no.
* Forward the local log files: primary N/A; secondary forwards them to the primary server.
Debugging FIFOs ¶
If you are having problems with your FIFO, the first thing that you should do is to verify that it is getting data put into it by syslog-ng. I have written a small tool called Piper that can help you do this. Download Piper and run the following command:
./piper.pl -d debug.log /opt/syslog_fifo
Then check your debug.log to make sure that it contains data. If it does contain data, then syslog-ng and the FIFO that you created are working properly and you should re-examine your Splunk config. If it looks correct, contact Splunk support for assistance. If your debug.log does not contain any data, then something is most likely wrong with your syslog-ng config. First try restarting syslog-ng to make sure that your changes have applied. If that doesn't do the trick, examine your syslog-ng configuration closely and make sure that you didn't miss any semicolons or other necessary syntax.
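Creating the FIFO and the Piper check above, as one added shell example that is not part of the original page and needs neither syslog-ng, Splunk nor piper.pl. It creates the pipe with permissions that keep the log stream from other local users, then drains it into a debug file while a writer pushes a few constructed syslog-style lines through it, which is what piper.pl -d does against a real syslog-ng. The path, the group name and the test lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Creates a named pipe the way the
# page does and proves data flows through it without syslog-ng or Splunk.

# Create (or recreate) the FIFO. mkfifo honours the umask, so root with the
# usual 022 gets a 0644 pipe that any local user could open for reading and
# steal or starve the log stream. Restrict it to the owner (syslog-ng, root)
# and the group Splunk's user belongs to. The group name is an assumption and
# is only applied when that group exists.
fifo_create() {
    path=$1; group=${2:-}
    rm -f "$path"
    mkfifo "$path"
    chmod 0640 "$path"
    if [ -n "$group" ]; then chgrp "$group" "$path" 2>/dev/null || true; fi
}

# Permission string of the FIFO: "prw-r-----" when created as above.
fifo_mode() {
    ls -ld "$1" | cut -c1-10
}

# Drain the FIFO into $2 (what "piper.pl -d debug.log" does) while a writer
# feeds it $3 constructed syslog lines, and report how many lines arrived.
# The reader is started first, and the writer holds one open handle for all
# lines: every close of the write end is an EOF for the reader, which is why
# "echo line > fifo" in a loop stalls after the first line.
fifo_probe() {
    path=$1; out=$2; count=$3
    cat "$path" > "$out" &
    reader=$!
    i=1
    {
        while [ "$i" -le "$count" ]; do
            printf '<13>Dec 22 10:00:%02d host test[%d]: constructed test line\n' "$i" "$i"
            i=$((i + 1))
        done
    } > "$path"
    wait "$reader"
    wc -l < "$out" | tr -d ' '
}

# Stand-alone run: create the pipe in a temporary directory and push 5 lines.
if [ "${FIFO_DEMO:-}" = 1 ]; then
    dir=$(mktemp -d)
    fifo_create "$dir/syslog_fifo"
    echo "mode: $(fifo_mode "$dir/syslog_fifo")"
    echo "lines through the pipe: $(fifo_probe "$dir/syslog_fifo" "$dir/debug.log" 5)"
    rm -rf "$dir"
fi
```

Run it with FIFO_DEMO=1 to see the mode and the line count. Two readers on one FIFO split the stream between them, so stop any Piper-style probe before Splunk is pointed at the pipe, otherwise Splunk silently loses the lines the probe consumed.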
Appendix A – The configuration of syslog-ng for the primary syslog-ng server at abc company ¶
Appendix B – daily cron script to compress log files ¶
[root@syslog ~]# cat /etc/cron.daily/syslog-ng
#!/bin/sh
# Compress every file under /opt/syslog-ng that is not already .bz2 and is not in today's YYYY/MM/DD directory (still being written to).
/usr/bin/find /opt/syslog-ng ! -name "*bz2" -type f ! -path "*`/bin/date +%Y/%m/%d`*" -exec /usr/bin/bzip2 {} \;
Caution: make sure this script is executable (chmod 0755 /etc/cron.daily/syslog-ng).
Appendix B.1 – logrotate script for local syslog files ¶
[root@syslog ~]# cat /etc/logrotate.d/syslog-ng
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/kern /opt/syslog-ng-internal/syslog-ng.log {
monthly
rotate 12
compress
postrotate
/etc/rc.d/init.d/syslog-ng reload 2>/dev/null
endscript
}
Caution: always disable the logrotate script /etc/logrotate.d/syslog that belongs to the old syslog package, by commenting out all its directives or removing the file.
Appendix B.2 – logrotate script for Splunk log files ¶
By default, Splunk does not rotate some of its own log files, so the logrotate config below rotates them monthly.
[root@syslog ~]# touch /etc/logrotate.d/splunk
[root@syslog ~]# vim /etc/logrotate.d/splunk
[root@syslog ~]# cat /etc/logrotate.d/splunk
/opt/splunk/var/log/splunk/splunkd.log /opt/splunk/var/log/splunk/audit.log /opt/splunk/var/log/splunk/splunklogger.log /opt/splunk/var/log/splunk/python.log /opt/splunk/var/log/splunk/license_audit.log /opt/splunk/var/log/splunk/web_service.log {
missingok
monthly
rotate 12
create 0600 splunk splunk
}
Appendix C – the configuration of syslogd on Linux servers ¶
System messages on the Linux servers are sent to the syslog-ng server by the syslogd daemon; its main configuration file is /etc/syslog.conf.
Here is a sample syslog.conf from the Linux servers at abc company:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
# log messages to syslog-ng servers
*.* @192.168.XX.YY
*.* @192.168.XX.YY
Important:
- Do not run syslogd on the syslog-ng server: the two would compete for /dev/log and UDP port 514, and syslog-ng would not receive the log messages.
- Verify that sshd is configured with SyslogFacility AUTHPRIV and LogLevel VERBOSE in /etc/ssh/sshd_config, so that logins (including the key fingerprint used) are recorded.
Appendix D – logging Windows applications using Datagram SyslogAgent ¶
Windows does not speak syslog natively; it only has the Event Log, which stores the messages the system generates and also accepts messages from applications written to use it. To let the syslog server collect messages from Windows clients, we (DongA) use SyslogAgent from Datagram, which is licensed under the GNU GPL.
Download it from http://download.eab.com.vn/pub/windows/server-installation/syslogagent_setup.zip and follow setup-guide.txt inside the zip to install it.
Merge the registry export below to configure it. The "... Priority" values are syslog PRI numbers (facility * 8 + severity): 0xbe = 190 = local7.info, 0x26 = 38 = auth.info, 0x1e = 30 = daemon.info, and SendToPort 0x202 = 514. TCPDelivery is 0, so events travel as plain UDP, unencrypted and unauthenticated:
Windows Registry Editor Version 5.00
# Configure Syslog Agent parameters
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram]
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent]
"UsePingBeforeSend"=hex:00
"Syslog"="192.168.XX.YY"
"SendToPort"=dword:00000202
"ForwardToMirror"=hex:01
"Syslog1"="192.168.XX.YY"
"SendToBackupPort"=dword:00000202
"ForwardEventLogs"=hex:01
"ForwardApplicationLogs"=hex:01
"EventLogPollInterval"=dword:00000002
"LastRun"=dword:00000001
"EventIDFilterList"="1,1000,1001,17,4321,6013,7001,7035,7036,7040,4786,515,528,610,560"
"TCPDelivery"=hex:00
"CarrigeReturnReplacementCharInASCII"=dword:00000020
"LineFeedReplacementCharInASCII"=dword:00000020
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\Application]
"Information"=dword:00000001
"Information Priority"=dword:000000be
"Warning"=dword:00000001
"Warning Priority"=dword:000000bc
"Error"=dword:00000001
"Error Priority"=dword:000000bb
"Audit Success"=dword:00000001
"Audit Success Priority"=dword:000000be
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:000000bd
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\Security]
"Information"=dword:00000001
"Information Priority"=dword:00000026
"Warning"=dword:00000001
"Warning Priority"=dword:00000024
"Error"=dword:00000001
"Error Priority"=dword:00000023
"Audit Success"=dword:00000001
"Audit Success Priority"=dword:00000026
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000025
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\System]
"Information"=dword:00000001
"Information Priority"=dword:0000001e
"Warning"=dword:00000001
"Warning Priority"=dword:0000001c
"Error"=dword:00000001
"Error Priority"=dword:0000001b
"Audit Success"=dword:00000001
"Audit Success Priority"=dword:0000001e
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:0000001d
# make the Syslog Agent service start automatically
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Syslog Agent]
"DisplayName"="Syslog Agent"
"Description"="Forwards Event logs to Syslog Server"
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"DependOnService"=hex(7):45,00,76,00,65,00,6e,00,74,00,4c,00,6f,00,67,00,00,00,\
00,00
"DependOnGroup"=hex(7):00,00
To filter out some messages, fill the EventIDFilterList value with the event IDs to drop, e.g.:
"EventIDFilterList"="1,1000,1001,17,4321,6013,7001,7035,7036,7040,4786,515,528,610,560"
Note that this list also drops 528 (successful logon) and 560 (object open), which a security review usually wants to keep.
To enable mirror delivery, make sure the clients have these registry values:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent]
"UsePingBeforeSend"=hex:00
"ForwardToMirror"=hex:01
"Syslog1"="192.168.2.23"
"SendToBackupPort"=dword:00000202
Appendix E – Upgrading Syslog-ng ¶
Stop the 'monit' service
/etc/init.d/monit stop
Stop syslog-ng
/etc/init.d/syslog-ng stop
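Back to the SyslogAgent registry export in Appendix D: the "... Priority" values are syslog PRI numbers, and this added shell example (not part of the original page) decodes them from a .reg export into facility.severity (PRI = facility * 8 + severity, RFC 3164), so you can see which facility and severity each Windows log lands on when it reaches syslog-ng; that is what the syslog-ng filters and Splunk sourcetypes key on. The .reg text inside is a constructed excerpt of the export shown in Appendix D.

```shell
#!/bin/sh
# Added example, not from the original page: decode SyslogAgent's
# "<type> Priority" registry values into syslog facility.severity.
# PRI = facility * 8 + severity (RFC 3164); e.g. 0xbe = 190 = local7.info.

# Decode one numeric PRI (0..191) into "facility.severity".
pri_decode() {
    if [ "$1" -lt 0 ] || [ "$1" -gt 191 ]; then
        echo "invalid PRI: $1" >&2
        return 1
    fi
    fac=$(($1 / 8)); sev=$(($1 % 8))
    # Facility names in numeric order (RFC 3164 table).
    set -- kern user mail daemon auth syslog lpr news uucp cron authpriv ftp \
        ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7
    shift "$fac"; facname=$1
    # Severity names in numeric order.
    set -- emerg alert crit err warning notice info debug
    shift "$sev"; sevname=$1
    printf '%s.%s\n' "$facname" "$sevname"
}

# Read a .reg export on stdin and print "<key> <event type> <facility.severity>"
# for every "<type> Priority"=dword:... value, tagged with the last component
# of the registry key it sits under (Application, Security, System).
reg_priorities() {
    section=""
    tr -d '\r' | while IFS= read -r line; do
        case $line in
            \[*\])
                section=${line%\]}
                section=${section##*\\}
                ;;
            *' Priority"=dword:'*)
                name=${line#\"}
                name=${name%% Priority*}
                hex=${line##*dword:}
                printf '%s %s %s\n' "$section" "$name" "$(pri_decode $((0x$hex)))"
                ;;
        esac
    done
}

# Constructed excerpt of the export in Appendix D (not a real machine's registry).
sample_reg() {
    cat <<'EOF'
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent]
"SendToPort"=dword:00000202
"TCPDelivery"=hex:00
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\Application]
"Information Priority"=dword:000000be
"Error Priority"=dword:000000bb
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\Security]
"Information Priority"=dword:00000026
"Audit Failure Priority"=dword:00000025
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\System]
"Error Priority"=dword:0000001b
EOF
}

# Stand-alone run: decode the sample (REG_DEMO=1 ./script.sh), or feed a real
# export with: reg_priorities < export.reg
if [ "${REG_DEMO:-}" = 1 ]; then
    sample_reg | reg_priorities
fi
```

With the values from Appendix D, Security events arrive on the auth facility, System events on daemon and Application events on local7, so a syslog-ng filter(facility(auth)) on the collector would pick up Windows security auditing alongside the Linux authpriv traffic.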
Configuring clients to send syslog centrally to the syslog servers
*Nix
Linux uses the two daemons syslogd and klogd; the config file is /etc/syslog.conf.
Append the following lines to the end of /etc/syslog.conf:
#
# log messages to syslog-ng servers
*.* @192.168.XX.YY
*.* @192.168.XX.YY
Restart syslog for the configuration to take effect:
# /etc/init.d/syslog restart
Windows
Install Datagram SyslogAgent to ship the Windows Event Log to the syslog servers.
See Setting up Splunk with Syslog-ng and a FIFO, Appendix D – logging Windows applications using Datagram SyslogAgent.
Linux applications that do not support syslog
OpenLDAP
Set the loglevel value in the OpenLDAP config file (full path /etc/openldap/slapd.conf):
#loglevel 0
loglevel 256
Restart the syslog daemon and OpenLDAP:
# /etc/init.d/syslog restart
# /etc/init.d/ldap restart
(The syslog daemon must be restarted as well, because slapd logs through syslog; without the restart OpenLDAP's messages neither reach its log file nor get forwarded to the syslog servers.)
OpenLDAP's local log file: /var/log/ldap.log
Radius
Default config file path: /etc/raddb/radiusd.conf
...
logdir = ${localstatedir}/log/radius
...
# For FreeRADIUS Version 1.1.1+
#log_destination = syslog    # if you switch to syslog, edit /etc/sysconfig/minion and remove the radius log file from the tailed files
# FreeRADIUS Version 1.0.1
log_file = ${logdir}/radius.log
...
# These directives control how access to and requests of the FreeRADIUS server are logged.
# The log_stripped_names control instructs FreeRADIUS whether to include the full User-Name attribute as it appeared in the packet.
# The log_auth directive specifies whether to log authentication requests or simply carry them out without logging.
# The log_auth_badpass control, when set to yes, causes radiusd to log the bad password that was attempted, while the log_auth_goodpass logs the password if it's correct.
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
...
So the RADIUS log file is normally /var/log/radius/radius.log (with FreeRADIUS 1.0.1). Keep log_auth_badpass and log_auth_goodpass at no: otherwise cleartext passwords end up in that file and are shipped unencrypted over UDP to the syslog servers.
Restart the RADIUS daemon:
# /etc/init.d/radiusd restart
Because FreeRADIUS 1.0.1 does not support syslog, centralizing its log requires the log_minion tailer mentioned in the comment above.
Zimbra
As with FreeRADIUS 1.0.1, some Zimbra logs do not go through syslog (the Tomcat log, Zimbra's audit.log, mailbox.log, ...), so log_minion has to be installed to centralize them as well.
The minion config file for Zimbra:
SYSLOG_HOST="192.168.XX.YY"
APPLICATION_NAME="minion"
TAIL_FILES="/opt/zimbra/log/audit.log,/opt/zimbra/log/mailbox.log,/opt/zimbra/log/clamd.log,/opt/zimbra/log/sync.log,/tmp/logprocess.out,/var/log/null.log"
SYSLOG_FACILITY="local2"
FORWARD_TO_MIRROR=1
SYSLOG_HOST2="192.168.XX.YY"
Windows applications that do not write to the Windows Event Log
As in the Windows section above, use Datagram SyslogAgent.
Cisco Routers / Switches
(config)# logging enable
(config)# logging trap informational
(config)# logging 192.168.XX.YY
(config)# login on-failure log
(config)# login on-success log
(config)# write memory
Notes:
• Avoid logging trap debugging; use the debug level only while troubleshooting an incident.
References:
• Logging authentication events from IOS http://www.ossec.net/dcid/?p=18
• Cisco IOS Login Enhancements http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_login.html
• Cisco IOS Software System Messages http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124sup/124sms/index.htm
• Cisco IOS Release 12.4 System Messages, Volume 1 of 2, LOGIN Messages http://www.cisco.com/en/US/docs/ios/12_4/system/messages/Vol1/sm_14h.html#wp392924
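What the login on-failure log / login on-success log commands buy you once the messages reach the collector, as an added shell example that is not part of the original page: detection logic over the %SEC_LOGIN-4-LOGIN_FAILED and %SEC_LOGIN-5-LOGIN_SUCCESS messages documented in the Cisco references above, run against a constructed router log in the form syslog-ng writes to its per-host files. The file name, threshold and sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: detection logic over the
# %SEC_LOGIN messages that "login on-failure log" / "login on-success log"
# produce, run against a constructed router log as syslog-ng would store it.

# Print "<failures> <source-ip>" for each source with at least $2 (default 3)
# LOGIN_FAILED messages in log file $1, most failures first.
login_failures() {
    threshold=${2:-3}
    grep 'SEC_LOGIN-4-LOGIN_FAILED' "$1" \
    | sed -n 's/.*\[Source: \([0-9.]*\)\].*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Print "<successes> <source-ip> <user>" for LOGIN_SUCCESS messages, so that
# a success from a source that was just failing repeatedly stands out.
login_successes() {
    grep 'SEC_LOGIN-5-LOGIN_SUCCESS' "$1" \
    | sed -n 's/.*\[user: \([^]]*\)\].*\[Source: \([0-9.]*\)\].*/\2 \1/p' \
    | sort | uniq -c \
    | awk '{ print $1, $2, $3 }'
}

# Sources that exceeded the failure threshold and then logged in: "<ip> <user>".
suspicious_logins() {
    login_failures "$1" "${2:-3}" | while read -r n ip; do
        login_successes "$1" | awk -v ip="$ip" '$2 == ip { print ip, $3 }'
    done
}

# Constructed sample (not real traffic), in the form syslog-ng writes to
# /opt/syslog-ng/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.log.
sample_router_log() {
    cat <<'EOF'
Dec 22 10:00:01 router1 21: *Dec 22 10:00:01.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 10:00:01 UTC Tue Dec 22 2009
Dec 22 10:00:04 router1 22: *Dec 22 10:00:04.212: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 10:00:04 UTC Tue Dec 22 2009
Dec 22 10:00:07 router1 23: *Dec 22 10:00:07.330: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 10:00:07 UTC Tue Dec 22 2009
Dec 22 10:00:09 router1 24: *Dec 22 10:00:09.415: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 10:00:09 UTC Tue Dec 22 2009
Dec 22 10:00:15 router1 25: *Dec 22 10:00:15.002: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.77] [localport: 22] at 10:00:15 UTC Tue Dec 22 2009
Dec 22 10:05:30 router1 26: *Dec 22 10:05:30.540: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 10:05:30 UTC Tue Dec 22 2009
Dec 22 10:05:41 router1 27: *Dec 22 10:05:41.777: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 192.0.2.10] [localport: 22] at 10:05:41 UTC Tue Dec 22 2009
EOF
}

# Stand-alone run on the sample (LOGIN_DEMO=1 ./script.sh); point the
# functions at a real $FACILITY.log from the collector to use them.
if [ "${LOGIN_DEMO:-}" = 1 ]; then
    f=$(mktemp); sample_router_log > "$f"
    echo "sources over threshold:"; login_failures "$f"
    echo "suspicious logins:"; suspicious_logins "$f"
    rm -f "$f"
fi
```

The single failure from 192.0.2.10 followed by a success is a typo; four failures from 192.0.2.77 across two usernames followed by a success is a guessing attack that worked, and the second query singles out exactly that case.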
Postfix DSN Status Script
CentOS Postfix DSN translation script: it tells you what is happening to your mail. If you are unsure what this is about, look at your maillog/mail.log:
Oct 1 00:35:01 ghosting postfix/smtp[1437]: ABA987666094: to=, relay=gmail-smtp-in.l.google.com[209.85.222.73]:25, delay=9881, delays=9880/0.01/0.22/0.71, dsn=2.0.0, status=sent (250 2.0.0 OK 1254342900 5si70217753pzk.88)
The status=... field and the dsn= code tell you what was done with the mail, which is useful when the remote server's own explanation of a failure is vague.
file: centos_postfix_dsn_translator.sh
#!/bin/bash
##########################################
# Postfix DSN Script Based off of rfc3463
# http://www.faqs.org/rfcs/rfc3463.html
# Written by L.C.
# DSN rfc's refer to rfc3461-rfc3464
##########################################
# Log file to scan. Override with the first argument, e.g. /var/log/mail.log on Debian.
LOG="${1:-/var/log/maillog}"
[ -r "$LOG" ] || { echo "cannot read $LOG" >&2; exit 1; }

# report CLASS CODE DESCRIPTION: print one line with the number of log entries
# carrying dsn=CODE. grep -F matches the code literally, so the dots in a code
# such as 4.1.1 are not treated as regex wildcards.
report() {
    echo "$1 :: $2 :: $3 :$(grep -Fc "dsn=$2" "$LOG")"
}

# Subject/detail codes from RFC 3463. The same list applies to the 4.x.x
# (deferred) and 5.x.x (bounced) classes, so it is kept once and the leading
# "x" is replaced by the class digit. Blank lines separate the groups.
CODES="# Other or Undefined Status
x.0.0|Other Undefined Status

# Address Status
x.1.0|Other address status
x.1.1|Bad destination mailbox address
x.1.2|Bad destination system address
x.1.3|Bad destination mailbox address syntax
x.1.4|Destination mailbox address ambiguous
x.1.5|Destination mailbox address valid
x.1.6|Mailbox has moved
x.1.7|Bad sender's mailbox address syntax
x.1.8|Bad sender's system address

# Mailbox Status
x.2.0|Other or undefined mailbox status
x.2.1|Mailbox disabled, not accepting messages
x.2.2|Mailbox full
x.2.3|Message length exceeds administrative limit
x.2.4|Mailing list expansion problem

# Mail system status
x.3.0|Other or undefined mail system status
x.3.1|Mail system full
x.3.2|System not accepting network messages
x.3.3|System not capable of selected features
x.3.4|Message too big for system

# Network and Routing Status
x.4.0|Other or undefined network or routing status
x.4.1|No answer from host
x.4.2|Bad connection
x.4.3|Routing server failure
x.4.4|Unable to route
x.4.5|Network congestion
x.4.6|Routing loop detected
x.4.7|Delivery time expired

# Mail Delivery Protocol Status
x.5.0|Other or undefined protocol status
x.5.1|Invalid command
x.5.2|Syntax error
x.5.3|Too many recipients
x.5.4|Invalid command arguments
x.5.5|Wrong protocol version

# Message Content or Message Media Status
x.6.0|Other or undefined media error
x.6.1|Media not supported
x.6.2|Conversion required and prohibited
x.6.3|Conversion required but not supported
x.6.4|Conversion with loss performed
x.6.5|Conversion failed

# Security or Policy Status
x.7.0|Other or undefined security status
x.7.1|Delivery not authorized, message refused
x.7.2|Mailing list expansion prohibited
x.7.3|Security conversion required but not possible
x.7.4|Security features not supported
x.7.5|Cryptographic failure
x.7.6|Cryptographic algorithm not supported
x.7.7|Message integrity failure"

# report_class LABEL CLASSDIGIT: print every code of one class, e.g. report_class Deferred 4
report_class() {
    local label=$1 class=$2 code desc
    printf '%s\n' "$CODES" | while IFS='|' read -r code desc; do
        case "$code" in
            '')   echo " " ;;                                   # blank line between groups
            '#'*) ;;                                            # group heading, not printed
            *)    report "$label" "$class${code#x}" "$desc" ;;
        esac
    done
    echo " "
}

######################################################
# Persistent Transient Failure Aka Deferred 4.xxx.xxx
######################################################
report_class Deferred 4
############################################
# Permanent Failures Aka Bounces 5.xxx.xxx
############################################
report_class Bounced 5
############################################
# Custom Errors x.8.xxx & Success 2.xxx.xxx
############################################
report "Sent Mail" 2.0.0 "Message Sent"
echo " "
echo "Custom successes :: 2.8.x :: Custom sent Message :$(grep -F "dsn=2." "$LOG" | grep -Fvc "dsn=2.0.0")"
echo "Custom deferrals :: 4.8.x :: Custom deferred Message :$(grep -Fc "dsn=4.8." "$LOG")"
echo "Custom failures :: 5.8.x :: Custom Failure Message :$(grep -Fc "dsn=5.8." "$LOG")"
############################################
# Filter for all bounced mail
############################################
# Keep delivery lines that are neither deferred (4.x) nor sent (2.x), print the
# to=<...> field, and drop the local accounts (esozm, root) the author did not want listed.
grep -F ": to=<" "$LOG" | grep -Fv "dsn=4." | grep -Fv "dsn=2." | awk '{print $7}' \
    | grep -Fv "to=<esozm" | grep -Fv "to=<root" > bounced.log
Source http://melinko2003.blogspot.com/2009/10/centos-postfix-dns-status-script.html
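The script above counts each DSN code with a separate grep. An added example, not part of the original post, that does the same classification per record, so the output can be grouped by recipient or by the RFC 3463 subject instead of by one exact code. The maillog lines are constructed in Postfix's format with placeholder addresses and queue IDs; parse_maillog, summarize, bounced_recipients and policy_rejections are the example's own names, and the bounced-recipient filter mirrors the script's bounced.log step.

```python
"""Added example (not from the post): parse Postfix delivery lines, classify the dsn=
code by RFC 3463 class and subject, and pull out bounces and policy refusals."""
import re
from collections import Counter

# Constructed sample maillog; addresses, hosts and queue IDs are placeholders.
MAILLOG = """\
Oct  1 00:35:01 ghosting postfix/smtp[1437]: ABA987666094: to=<alice@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=9881, delays=9880/0.01/0.22/0.71, dsn=2.0.0, status=sent (250 2.0.0 OK)
Oct  1 00:36:12 ghosting postfix/smtp[1438]: 1B2C3D4E5F60: to=<nobody@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, dsn=5.1.1, status=bounced (host mx.example.org said: 550 5.1.1 User unknown)
Oct  1 00:37:30 ghosting postfix/smtp[1439]: 7A8B9C0D1E2F: to=<bob@example.net>, relay=none, delay=300, delays=300/0/0/0, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.30]:25: Connection timed out)
Oct  1 00:38:00 ghosting postfix/smtp[1440]: 0F1E2D3C4B5A: to=<carol@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=2.0, delays=0.1/0.01/0.3/1.5, dsn=5.7.1, status=bounced (host mx.example.com said: 554 5.7.1 Relay access denied)
Oct  1 00:38:30 ghosting postfix/local[1441]: 9E8D7C6B5A40: to=<root@ghosting>, relay=local, delay=0.1, delays=0.05/0.01/0/0.04, dsn=5.2.2, status=bounced (cannot append message to mailbox: Disk quota exceeded)
Oct  1 00:39:00 ghosting postfix/qmgr[1200]: ABA987666094: removed
"""

# Queue ID, recipient, dsn code and status of one delivery attempt.
RECORD_RE = re.compile(
    r"(?P<qid>[0-9A-Za-z]+): to=<(?P<to>[^>]*)>.*?"
    r"dsn=(?P<dsn>\d\.\d{1,3}\.\d{1,3}), status=(?P<status>\w+)"
)
CLASS = {"2": "Sent", "4": "Deferred", "5": "Bounced"}
SUBJECT = {"0": "Other or undefined status", "1": "Address status", "2": "Mailbox status",
           "3": "Mail system status", "4": "Network and routing status",
           "5": "Mail delivery protocol status", "6": "Message content or media status",
           "7": "Security or policy status", "8": "Custom (non-RFC) status"}


def parse_maillog(text):
    """One record per delivery-attempt line; lines without dsn= (qmgr 'removed' etc.) are skipped."""
    return [m.groupdict() for m in (RECORD_RE.search(l) for l in text.splitlines()) if m]


def describe(dsn):
    """'Bounced / Address status' for 5.1.1: class from the first digit, subject from the second."""
    cls, subj, _detail = dsn.split(".")
    return "%s / %s" % (CLASS.get(cls, "Unknown"), SUBJECT.get(subj, "Unknown subject"))


def summarize(records):
    """Counts per (class label, dsn code): the same numbers the script prints with grep -c."""
    return Counter((CLASS.get(r["dsn"][0], "Unknown"), r["dsn"]) for r in records)


def bounced_recipients(records, exclude_local=("root",)):
    """Recipients of permanent failures, minus local accounts (the script's bounced.log filter)."""
    return [r["to"] for r in records
            if r["dsn"].startswith("5.") and r["to"].split("@")[0] not in exclude_local]


def policy_rejections(records):
    """x.7.x results (relay denied, authentication and policy refusals). These deserve a
    separate look from ordinary bad-address bounces: on an outbound relay they usually
    point at a DNS, reputation or authentication problem with your own server."""
    return [(r["qid"], r["to"], r["dsn"]) for r in records if r["dsn"].split(".")[1] == "7"]


if __name__ == "__main__":
    recs = parse_maillog(MAILLOG)
    for (label, dsn), n in sorted(summarize(recs).items()):
        print("%s :: %s :: %s :%d" % (label, dsn, describe(dsn), n))
    print("bounced:", bounced_recipients(recs))
    print("policy:", policy_rejections(recs))
```

Unlike the grep version, the regex requires the dsn code to sit between "to=<...>" and "status=" on the same line, so a stray "dsn=" inside a free-text reason never inflates a count.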