

Analysing unmatched entries with logwatch

Overview

Logwatch is a fairly powerful log analyser. It lets you review the activity of your services at a glance.
Unfortunately, under squeeze I found several gaps, notably in the parsing of dovecot/sieve and bind9.
I therefore decided to maintain my own version, based of course on the official one.

Prerequisites

The symptoms are always the same: some log lines are not handled by the Perl analysis script.
That is, no regular expression matches the case, so you end up with lines like these:
 **Unmatched Entries**
    dovecot: MANAGESIEVE(user@domaine.tld): Connection closed bytes=12/319: 3 Time(s)
 **Unmatched Entries**
    success resolving 'ip' (in 'domain.tld'?) after reducing the advertised EDNS UDP packet size to 512 octets: 1 Time(s)
To work around these cases, here is a set of patches. The updated package is, of course, available on the repository.

Patches included in version 7.3.6.cvs20090906-1squeeze4

For dovecot:
--- logwatch-7.3.6.cvs20090906/scripts/services/dovecot	2009-09-06 13:46:30.000000000 +0200
+++ logwatch-7.3.6.cvs20090906/scripts/services/dovecot	2012-10-21 16:30:50.000000000 +0200
@@ -138,6 +138,14 @@
          $ConnectionIMAP{$Host}++;
          $Connection{$Host}++;
        }
+   # added for deb-indus version
+   } elsif ($ThisLine =~ /^dovecot: deliver\(.*\): sieve:/) {
+         $Deliver++;	
+   } elsif ($ThisLine =~ /^dovecot: MANAGESIEVE\(.*\): Connection closed/) {
+         $ManageSieveClosed++;
+   } elsif ($ThisLine =~ /^dovecot: MANAGESIEVE\(.*\): Disconnected/) {
+         $ManageSieveClosed++;	
+   # end of deb-indus version
 
    } elsif ($ThisLine =~ /Disconnected \[/) {
       $Disconnected{"no reason"}++;
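Review bot: the `deliver\(.*\): sieve:` branch counts any line that carries the `sieve:` prefix, without checking what follows it, yet the report later labels the total as messages delivered by user rules; the only sample shown is a `stored mail into mailbox` line, so either match that outcome explicitly (`sieve: .*: stored mail into mailbox`) or name the counter after what it really counts. `$Deliver` and `$ManageSieveClosed` are also never initialised; declaring them alongside the script's other counters keeps the later `> 0` tests clean if the script is ever run with warnings enabled. Drop the trailing tabs after `$Deliver++;` and `$ManageSieveClosed++;`.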
@@ -303,6 +311,15 @@
    print "\n\nTLS Initialization failed $TLSInitFail Time(s)";
 }
 
+# added for deb-indus version
+if ($Deliver > 0) {
+   print "\n* deb-indus version *\nDelivered by sieve service from user rules :\n  $Deliver messages";
+}
+if ($ManageSieveClosed > 0) {
+   print "\n* deb-indus version *\nManagesieve connections closed : $ManageSieveClosed\n";
+}
+# end of deb-indus version
+
 if (keys %OtherList) {
    print "\n\n**Unmatched Entries**\n";
    foreach $line (sort {$a cmp $b} keys %OtherList) {
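Review bot: the `$Deliver` message has no trailing `\n` while the `$ManageSieveClosed` message does, so the two sections are spaced differently in the report; end both the same way. The `* deb-indus version *` banner repeated above every new section adds noise to a report meant to be read at a glance; one marker, or a comment in the script instead, would do.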
This patch handles the following lines:
---> delivery via a user rule with sieve
dovecot: deliver(user@domaine.tld): sieve: msgid=<5475798465@mx.domaine.tld>: stored mail into mailbox 'INBOX': 1 Time(s)
---> managesieve disconnections
dovecot: MANAGESIEVE(user@domaine.tld): Disconnected: Logged out bytes=54/3771: 1 Time(s)
For bind9:
--- logwatch-7.3.6.cvs20090906/scripts/services/named	2009-09-06 13:46:31.000000000 +0200
+++ logwatch-7.3.6.cvs20090906/scripts/services/named	2012-10-21 16:22:12.000000000 +0200
@@ -327,6 +327,16 @@
       $NUR{$Name}{$Address}++;
    } elsif (($Name,$Address) = ($ThisLine =~ /host unreachable resolving '(.*)': (.*)/)) {
       $HUR{$Name}{$Address}++;
+   # added for deb-indus version
+   } elsif ($ThisLine =~ /^success resolving .* after reducing the advertised EDNS UDP/) {
+      $SuccessResolvEDNS++;
+   } elsif ($ThisLine =~ /^success resolving .* after disabling EDNS/) {
+      $SuccessResolvEDNS++;
+   } elsif ($ThisLine =~ /^error \(unexpected RCODE SERVFAIL\) resolving .*/) {
+      $RcodeServfail++;
+   } elsif ($ThisLine =~ /^error \(unexpected RCODE REFUSED\) resolving .*/) {
+      $RcodeRefused++;
+   # end of deb-indus version
    } else {
       # Report any unmatched entries...
       # remove PID from named messages
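Review bot: the new branches throw away the name and server that the neighbouring `$NUR`/`$HUR` branches capture with `resolving '(.*)': (.*)`, so SERVFAIL and REFUSED only ever appear as totals; capturing them the same way would show which zones and which upstream server are failing, which is what you need when one resolver misbehaves. The trailing `.*` in both `error \(unexpected RCODE ...\) resolving .*` patterns is redundant, and the `^` anchor differs from the unanchored patterns around it; keep the anchor only if these lines are guaranteed to arrive without a prefix, otherwise drop it for consistency.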
@@ -597,6 +607,21 @@
    }               
 }
 
+# added for deb-indus version
+if ($SuccessResolvEDNS > 0)
+{
+    print "\n* deb-indus version *\nResolved after reducing/disabling EDNS packet : $SuccessResolvEDNS requests\n"
+}
+if ($RcodeServfail > 0)
+{
+    print "\n* deb-indus version *\nError RCODE SERVFAIL : $RcodeServfail requests\n"
+}
+if ($RcodeRefused > 0)
+{
+    print "\n* deb-indus version *\nError RCODE REFUSED : $RcodeRefused requests\n"
+}
+# end of deb-indus version
+
 if (keys %OtherList) {
    print "\n**Unmatched Entries**\n";
    foreach $line (sort {$a cmp $b} keys %OtherList) {
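Review bot: none of the three new `print` statements ends with a semicolon; Perl tolerates that for the last statement of a block, but every other `print` in this script has one, so add them. The three `if` blocks are identical apart from the counter and label; a loop over (counter, label) pairs would keep this report section shorter and make adding the next counter a one-line change.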
This patch handles the following lines:
success resolving 'ip/A' (in 'domaine'?) after reducing the advertised EDNS UDP packet size to 512 octets: 1 Time(s)
success resolving 'machine.domaine.tld/A' (in 'domaine.tld'?) after disabling EDNS: 1 Time(s)
error (unexpected RCODE SERVFAIL) resolving 'host.domaine.tld/A/IN': ip#53: 1 Time(s)
error (unexpected RCODE REFUSED) resolving 'host.domaine.tld/A/IN': ip#53: 1 Time(s)
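Before packaging a pattern, it is worth checking it against captured lines outside logwatch. The following stand-alone harness is an added example, not part of the logwatch package or of the patches above: it applies the new dovecot and named patterns (the patch's separate branches combined with alternation) to constructed sample lines in the shapes quoted on this page, assuming, as logwatch does for its service scripts, that the syslog prefix has already been stripped; since only the new patterns are included, every other line lands in Unmatched Entries.

```perl
#!/usr/bin/perl
# Added example: test new logwatch service patterns against sample lines.
use strict;
use warnings;

# Constructed sample input (not real logs): the shapes quoted on this page,
# plus one imap-login line that none of the new patterns covers.
my @Lines = (
  "dovecot: deliver(user\@domaine.tld): sieve: msgid=<1\@mx.domaine.tld>: stored mail into mailbox 'INBOX'",
  "dovecot: MANAGESIEVE(user\@domaine.tld): Connection closed bytes=12/319",
  "dovecot: MANAGESIEVE(user\@domaine.tld): Disconnected: Logged out bytes=54/3771",
  "dovecot: imap-login: Login: user=<user\@domaine.tld>, method=PLAIN, rip=192.0.2.10",
  "success resolving 'ip/A' (in 'domaine'?) after reducing the advertised EDNS UDP packet size to 512 octets",
  "success resolving 'machine.domaine.tld/A' (in 'domaine.tld'?) after disabling EDNS",
  "error (unexpected RCODE SERVFAIL) resolving 'host.domaine.tld/A/IN': 192.0.2.53#53",
  "error (unexpected RCODE REFUSED) resolving 'host.domaine.tld/A/IN': 192.0.2.53#53",
);

# Pattern => counter name, tested in the same order as the patched scripts.
my @Rules = (
  [ qr/^dovecot: deliver\(.*\): sieve:/,                                   'Deliver'           ],
  [ qr/^dovecot: MANAGESIEVE\(.*\): (?:Connection closed|Disconnected)/,   'ManageSieveClosed' ],
  [ qr/^success resolving .* after (?:reducing the advertised EDNS UDP|disabling EDNS)/, 'SuccessResolvEDNS' ],
  [ qr/^error \(unexpected RCODE SERVFAIL\) resolving /,                   'RcodeServfail'     ],
  [ qr/^error \(unexpected RCODE REFUSED\) resolving /,                    'RcodeRefused'      ],
);

my (%Count, %OtherList);
LINE: for my $ThisLine (@Lines) {
    for my $Rule (@Rules) {
        my ($Regex, $Name) = @$Rule;
        if ($ThisLine =~ $Regex) { $Count{$Name}++; next LINE; }
    }
    $OtherList{$ThisLine}++;   # same structure as logwatch's unmatched list
}

# Counters first, then whatever no pattern caught, as logwatch reports it.
printf "%-18s %d\n", $_, $Count{$_} for sort keys %Count;
if (keys %OtherList) {
    print "\n**Unmatched Entries**\n";
    print "   $_: $OtherList{$_} Time(s)\n" for sort { $a cmp $b } keys %OtherList;
}
```

Replace the constructed list with lines read from a real mail or named log to see which entries a candidate pattern would still leave unmatched.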