rsyslogd and postfix


rsyslogd and postfix

@lbutlr
This might be of use to others out there. I decided that monitoring mail.log was too much of a pain with all the postscreen and dnsblog 'noise' obscuring the information that I wanted to see, so I split those log events into their own log file using rsyslogd with the following lines in rsyslogd.conf (before the lines that log mail.log):

if $syslogtag contains 'postscreen' then /var/log/postscreen.log
if $syslogtag contains 'postscreen' then ~
if $syslogtag contains 'dnsblog' then /var/log/postscreen.log
if $syslogtag contains 'dnsblog' then ~

This lets me keep mail.log for quite a while and rotate off postscreen.log very quickly since it is not something I need to check very often at all.

I've been doing this for a week or two now and found it useful enough I thought it worth passing along.



Re: rsyslogd and postfix

Mike.
On 4/25/2018 2:08 PM, @lbutlr wrote:

> This might be of use to others out there. I decided that monitoring mail.log was too much of a pain with all the postscreen and dnsblog 'noise' obscuring the information that I wanted to see, so I split those log events into their own log file using rsyslogd with the following lines in rsyslogd.conf (before the lines that log mail.log):
>
> if $syslogtag contains 'postscreen' then /var/log/postscreen.log
> if $syslogtag contains 'postscreen' then ~
> if $syslogtag contains 'dnsblog' then /var/log/postscreen.log
> if $syslogtag contains 'dnsblog' then ~
>
> This lets me keep mail.log for quite a while and rotate off postscreen.log very quickly since it is not something I need to check very often at all.
>
> I've been doing this for a week or two now and found it useful enough I thought it worth passing along.

I have a similar log strategy but I let postfix do it for me.

For example, my postscreen entry in master.cf is:


smtp      inet  n       -       n       -       1       postscreen
        -o syslog_facility=local2



That sends the postscreen logging to the local2 log facility.

Re: rsyslogd and postfix

@lbutlr
On 2018-04-26 (06:46 MDT), Mike <[hidden email]> wrote:

>
> I have a similar log strategy but I let postfix do it for me.
>
> For example, my postscreen entry in master.cf is:
>
>
> smtp      inet  n       -       n       -       1       postscreen
>         -o syslog_facility=local2
>
>
>
> That sends the postscreen logging to the local2 log facility.

Sure that's a perfectly workable solution, but I am able to log the specific information that I nearly never need into a specific log file without having to keep track of which of the nearly identically named local1, local2, etc. facilities is set up for what. It's also easy for me to add other data that I don't need in the logs (like I have one automated user who logs in every 3 minutes. The only thing I ever need to know is if that login fails for some reason, or all the warnings about hosts not resolving (but not any other warnings)). There's a lot more flexibility in configuring rsyslog than there is in simply using local1-local6.

But, whatever works for you is fine. I was just sharing what worked for *me* in case it was of use to someone else.

--
'Are you Death?' IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE
SCYTHE.


Re: rsyslogd and postfix

Bill Shirley
Here's what I use for Shorewall messages:
/etc/rsyslog.d/00-shorewall.conf:
if $msg contains 'Shorewall' then {
  action(type="omfile" file="/var/log/shorewall.log")
# if ($syslogfacility == 0 and $syslogseverity >= 4) then stop  # warning
# if ($syslogfacility == 0 and $syslogseverity >= 5) then stop  # notice
  if ($syslogfacility == 0 and $syslogseverity >= 6) then stop  # info
}
Files in /etc/rsyslog.d/ are included before the /var/log/messages log line.  This
logs Shorewall messages to /var/log/shorewall.log.  If a log line has a severity
greater than 'info', it is also logged in /var/log/messages.

Bill

On 4/26/2018 3:08 PM, @lbutlr wrote:
> On 2018-04-26 (06:46 MDT), Mike [hidden email] wrote:
>> I have a similar log strategy but I let postfix do it for me.
>>
>> For example, my postscreen entry in master.cf is:
>>
>> smtp      inet  n       -       n       -       1       postscreen
>>         -o syslog_facility=local2
>>
>> That sends the postscreen logging to the local2 log facility.
>
> Sure that's a perfectly workable solution, but I am able to log the specific information that I nearly never need into a specific log file without having to keep track of which of the nearly identically named local1, local2, etc. facilities is set up for what. It's also easy for me to add other data that I don't need in the logs (like I have one automated user who logs in every 3 minutes. The only thing I ever need to know is if that login fails for some reason, or all the warnings about hosts not resolving (but not any other warnings)). There's a lot more flexibility in configuring rsyslog than there is in simply using local1-local6.
>
> But, whatever works for you is fine. I was just sharing what worked for *me* in case it was of use to someone else.



Re: rsyslogd and postfix

Dominic Raferd

While on the topic of rsyslogd, I have v8.16.0 and use these two lines
in rsyslogd.conf to get datetime YYYY-MM-DD HH:MM:SS formatting:

$template CustomFormat,"%timegenerated:::date-year%-%timegenerated:::date-month%-%timegenerated:::date-day% %timegenerated:::date-hour%:%timegenerated:::date-minute%:%timegenerated:::date-second% %HOSTNAME% %syslogtag%%msg%\n"
$ActionFileDefaultTemplate CustomFormat
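The same split as an added example in rsyslog's RainerScript syntax (rsyslog 7 and later), not configuration from any message in this thread: it carries the timestamp template above and the postscreen/dnsblog routing from the first post, goes before the existing mail.log rules, and assumes Postfix's default syslog_name of 'postfix' plus the file paths used in the thread.

```rsyslog
# Added example, not configuration from any poster in this thread.
# The legacy "~" discard action is deprecated in rsyslog 7+; "stop"
# replaces it. File paths are assumptions matching the thread.

# Same layout as the $template line above, declared RainerScript-style.
template(name="CustomFormat" type="string"
         string="%timegenerated:::date-year%-%timegenerated:::date-month%-%timegenerated:::date-day% %timegenerated:::date-hour%:%timegenerated:::date-minute%:%timegenerated:::date-second% %HOSTNAME% %syslogtag%%msg%\n")

# Postfix tags its processes "postfix/postscreen[PID]:" and
# "postfix/dnsblog[PID]:" (assumes the default syslog_name "postfix"),
# so startswith is narrower than the "contains" used in the first post.
if $syslogtag startswith "postfix/postscreen" or
   $syslogtag startswith "postfix/dnsblog" then {
    action(type="omfile" file="/var/log/postscreen.log"
           template="CustomFormat")
    # Severity 6 (info) and 7 (debug) stop here and never reach the
    # mail.log rule below. Notice and worse (severity <= 5) fall through
    # and are written to both files, so a postscreen problem is not
    # hidden in the fast-rotating log. Drop the condition to get the
    # original "then ~" behaviour: every such line stays out of mail.log.
    if $syslogseverity >= 6 then stop
}

# Everything else on the mail facility goes to mail.log as before.
if $syslogfacility-text == "mail" then {
    action(type="omfile" file="/var/log/mail.log" template="CustomFormat")
}
```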

Re: rsyslogd and postfix

Mike.
In reply to this post by @lbutlr
On 4/26/2018 3:08 PM, @lbutlr wrote:

> On 2018-04-26 (06:46 MDT), Mike <[hidden email]> wrote:
>>
>> I have a similar log strategy but I let postfix do it for me.
>>
>> For example, my postscreen entry in master.cf is:
>>
>>
>> smtp      inet  n       -       n       -       1       postscreen
>>         -o syslog_facility=local2
>>
>>
>>
>> That sends the postscreen logging to the local2 log facility.
>
> Sure that's a perfectly workable solution, but I am able to log the specific information that I nearly never need into a specific log file without having to keep track of which of the nearly identically named local1, local2, etc. facilities is set up for what. It's also easy for me to add other data that I don't need in the logs (like I have one automated user who logs in every 3 minutes. The only thing I ever need to know is if that login fails for some reason, or all the warnings about hosts not resolving (but not any other warnings)). There's a lot more flexibility in configuring rsyslog than there is in simply using local1-local6.
>
> But, whatever works for you is fine. I was just sharing what worked for *me* in case it was of use to someone else.
>


I wanted the solution to be a part of this thread.

I fully realize that different operators have differing requirements.

For my needs, the solution I posted satisfies my requirement quite
nicely.  You have more extensive requirements that require more
extensive solutions.  :)



Re: rsyslogd and postfix

Alex Regan
In reply to this post by Mike.
Hi,

On Thu, Apr 26, 2018 at 8:46 AM, Mike <[hidden email]> wrote:

> On 4/25/2018 2:08 PM, @lbutlr wrote:
>> This might be of use to others out there. I decided that monitoring mail.log was too much of a pain with all the postscreen and dnsblog 'noise' obscuring the information that I wanted to see, so I split those log events into their own log file using rsyslogd with the following lines in rsyslogd.conf (before the lines that log mail.log):
>>
>> if $syslogtag contains 'postscreen' then /var/log/postscreen.log
>> if $syslogtag contains 'postscreen' then ~
>> if $syslogtag contains 'dnsblog' then /var/log/postscreen.log
>> if $syslogtag contains 'dnsblog' then ~
>>
>> This lets me keep mail.log for quite a while and rotate off postscreen.log very quickly since it is not something I need to check very often at all.
>>
>> I've been doing this for a week or two now and found it useful enough I thought it worth passing along.
>
> I have a similar log strategy but I let postfix do it for me.
>
> For example, my postscreen entry in master.cf is:
>
> smtp      inet  n       -       n       -       1       postscreen
>         -o syslog_facility=local2

I'm also using rsyslog on Fedora but have been considering storing my logs
in mariadb, along with those from amavisd-new and spamassassin. I've
configured amavisd-new to use JSON logging.

Is it possible to log directly to mariadb from postfix and skip
rsyslog entirely? It appears there are several third-party tools, but
there doesn't seem to be a native way...

Is it possible to configure postfix to log using JSON?

Is there an updated version of collate.pl? There's no version number
within the file, but the version I have produces "Use of uninitialized
value in concatenation" on line 112 on my system.

   111                          $transaction{$newid} =
   112                                  $_ . $transaction{$newid};
   113                          $seqno{$newid} = ++$i if (! exists $seqno{$newid});
   114                  }