Tuesday, January 01, 2019

Re: CVS: cvs.openbsd.org: src (maillog simplified)

On Fri, Dec 21, 2018 at 06:59:58PM +0100, Gilles Chehade wrote:
> On Fri, Dec 21, 2018 at 06:56:57PM +0100, Walter Alejandro Iglesias wrote:
> > Hello Gilles,
> >
> > In article <20181221145201.GA90310@ams-1.poolp.org> Gilles Chehade <gilles@poolp.org> wrote:
> > > On Fri, Dec 21, 2018 at 07:41:41AM -0700, Gilles Chehade wrote:
> > > > CVSROOT: /cvs
> > > > Module name: src
> > > > Changes by: gilles@cvs.openbsd.org 2018/12/21 07:41:41
> > > >
> > > > Modified files:
> > > > usr.sbin/smtpd : smtp_session.c
> > > >
> > > > Log message:
> > > > start simplifying log lines, they're no longer intended to be parseable, we
> > > > have a reporting API for tools that want to analyze events, maillog is just
> > > > for us, hoomans.
> > > >
> > >
> > > that was not the best way to phrase my commit log ... sorry
> > >
> > > i meant they're no longer intended to be friendlier to scripts than to
> > > humans: they will still be in a format that's easy to quickly script,
> > > but they will hold information easily readable by humans, not a lot of
> > > unrelated context info so tools can generate dashboards out of single
> > > lines.
> > >
> > > logs for humans, event reports for tools.
> > >
> >
> > For a long time I've been grepping IPs of spammers and attackers from
> > /var/log/maillog, /var/log/authlog and /var/log/daemon using a shell
> > script I wrote that automatically includes them in a file read by a pf
> > table. In the case of maillog, it relies on the address="" and host=""
> > info currently included.
> >
> > Will the sender's IP and hostname appear in /var/log/maillog after this
> > change?
> >
>
> yes, you'll still be able to grep that information from maillog

You selected carefully the words in your answer. :-)

Indeed, I can still grep "IP" and "host" in maillog, but they are alone
on a first line, and the only way to associate them with the following
lines containing from=, to= and result= (to know what "happened" with
that connection) is by using the connection id, which will *painfully*
overcomplicate my scripts.

I don't know what the rest think about this change. I'd highly
appreciate it if you would include the IP again on each line of info as
before. :-)

>
> --
> Gilles Chehade @poolpOrg
>
> https://www.poolp.org tip me: https://paypal.me/poolpOrg


Walter
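One way to do the correlation Walter describes, as an added example that is not part of the thread or of OpenSMTPD: it joins the connect line carrying address=/host= to the later from=/to=/result= lines by session id, over constructed sample lines (the exact smtpd log layout used here is an assumption, not taken from the page).

```python
import re
from collections import defaultdict

# Constructed sample lines (not real smtpd output; the layout is an assumption
# modelled on the thread): the connect line carries address= and host=, later
# lines carry from=/to=/result=, and only the leading session id ties them.
SAMPLE_LOG = """\
Dec 21 18:00:01 mx smtpd[1234]: 7f3a2b1c smtp connected address=192.0.2.10 host=mail.example.net
Dec 21 18:00:02 mx smtpd[1234]: 9e4d5c6f smtp connected address=198.51.100.7 host=<unknown>
Dec 21 18:00:03 mx smtpd[1234]: 7f3a2b1c smtp message from=<alice@example.net> to=<bob@example.org> result=Ok
Dec 21 18:00:04 mx smtpd[1234]: 9e4d5c6f smtp failed-command command="RCPT TO:<x@example.org>" result="550 Invalid recipient"
Dec 21 18:00:05 mx smtpd[1234]: 9e4d5c6f smtp disconnected reason=quit
"""

LINE_RE = re.compile(r"smtpd\[\d+\]: (\S+) smtp (\S+)(.*)$")  # id, event, rest
KV_RE = re.compile(r'(\w+)=("[^"]*"|<[^>]*>|\S+)')  # quoted, <...> or bare values

def parse_kv(text):
    """Return key=value pairs as a dict, with surrounding quotes removed."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def correlate(log_text):
    """Group lines by session id so the address/host from the connect line
    can be attached to the from=/to=/result= lines that follow it."""
    sessions = defaultdict(lambda: {"address": None, "host": None, "events": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sid, event, rest = m.groups()
        fields = parse_kv(rest)
        if event == "connected":
            sessions[sid]["address"] = fields.get("address")
            sessions[sid]["host"] = fields.get("host")
        sessions[sid]["events"].append((event, fields))
    return dict(sessions)

def rejected_addresses(log_text):
    """Addresses of sessions that received a 5xx result: the candidates a
    pf-table feeder would want, sorted so the output file is stable."""
    hits = set()
    for s in correlate(log_text).values():
        if s["address"] and any(f.get("result", "").startswith("5") for _, f in s["events"]):
            hits.add(s["address"])
    return sorted(hits)

if __name__ == "__main__":
    print("\n".join(rejected_addresses(SAMPLE_LOG)))
```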
