forked from cwarden/exidblog
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
70 lines (53 loc) · 2.93 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
exidblog is a PHP program which parses an Exim 4 log file (mainlog) and stores
the data in each line in a MySQL database. It is useful in centralizing
logging from a number of MTA's.
exidblog is composed of a PHP class, EximDatabaseLogger which does all of the
work, and two simple scripts, mainlog2db.php and stdin2db.php, which just
initialize an instance of the parser and pass log file data to it. Much of the
parsing code is based on eximstats.
stdin2db.php reads from stdin until end of file and is useful for loading in
old log files.
mainlog2db.php reads continuously from a log file using a `tail --follow`
process and is meant to be started at boot and run constantly.
Database credentials and the path to the mainlog file, used by both
stdin2db.php and mainlog2db.php, are stored in /etc/exidblog.conf. The path to
config file can be overridden by setting the environment variable
EXIDBLOG_CONF.
This package includes a Debian init script to start mainlog2db.php.
Before using exidblog, two database tables must be created using the included
exidblog.sql file, and a MySQL user must be given access to the log table.
Additionally, a record containing the fully-qualified hostname for each host
that will be logging to the database must be inserted into the mta table.
A number of changes must be made to the Exim config file in order for exidblog
to properly capture all relevant data.
log_selector must contain at least the following selectors:
+subject
+received_recipients
+received_sender
+sender_on_delivery
+smtp_confirmation
In order to log rejected spam and malware, exiscan-acl must be used.
The intended recipients for messages rejected by exiscan-acl must be stored in
an acl message variable ($acl_m9 in this documentation). The log_message must
reference this variable. (A future version of exidblog will use $recipients).
To set the $acl_m9 variable, add the following line below any accept statements in your RCPT acl:
set acl_m9 = ${if def:acl_m9{$acl_m9:$local_part@$domain}{$local_part@$domain}}
For example:
accept domains = +local_domains
endpass
message = unknown user
verify = recipient
set acl_m9 = ${if def:acl_m9{$acl_m9:$local_part@$domain}{$local_part@$domain}}
Here are the log_message settings for messages rejected during the DATA acl by exiscan-acl.
Spam:
log_message = SPAM ($spam_score) RCPT=$acl_m9 SUB=${quote:$h_subject:} MSGID=$h_message-id:
Malware:
log_message = MALWARE ($malware_name) RCPT=$acl_m9 SUB=${quote:$h_subject:} MSGID=$h_message-id:
MIME Error (rejected based on exiscan-acl's demime_errorlevel):
log_message = MIME_ERROR ($demime_reason) RCPT=$acl_m9 SUB=${quote:$h_subject:} MSGID=$h_message-id:
Disallowed attachments:
log_message = BAD_ATTACHMENT (.$found_extension) RCPT=$acl_m9 SUB=${quote:$h_subject:} MSGID=$h_message-id:
-------------------------------------------------------------------------------
Email me with any questions/comments.
Christian G. Warden