multiple queue's in one sendmail log (was: Re: informations about sendmail logfiles)
Dominique Bogaerts
dominique.bogaerts at dieteren.be
Mon Jan 27 11:18:29 CET 2003
Hi,
1) We have already split our sendmail: 2 sendmails for incoming mail (one
from the Internet, one from inside) with 2 different queues, bound to
different IP addresses, and one to send e-mail.
e.g.:
sendmail-public: bound to the public IP address => sent to the antivirus
(bound to localhost and a different port than 25) => sent to another
sendmail, which sends the e-mail after scanning (bound to localhost and a
different port than 25 and the antivirus)
To summarize: sendmail-public:25 => antivirus-localhost:XXX =>
sendmail-out-localhost:YYY
So we already have your first piece of advice in place.
Note that the antivirus log does not go via syslog.
We also set a different name for the MTA (DaemonPortOptions).
2) We installed just one version of sendmail (1 compilation) and run 3
daemons from this sendmail. OK, I know, it's a little bit complicated and
maybe not a good way, but it's historical :-)).
So recompiling now is not possible.
And for 2003, we are now busy reorganizing the SMTP gateway and maybe
changing from sendmail to postfix, so we are going to keep the log
"problem" in mind :-).
So, thank you everybody for your cooperation, your help and your free
consulting.
Just for information, and maybe a little improvement for Lire: we can
analyze logs, OK. We can merge reports, OK. But is it possible to add a
summary page for all logs?
We have +- 15Mg/day of logfile. After 1 month, we must merge more than
300 Mg. You can imagine having a summary for 1 year if we merge all of
this.
Is it possible to have (e.g. in HTML) a front-end page with some
summarized information (total mails per month, total bytes per month)
and hyperlinks in it to day-to-day or per-month statistics (maybe
better)? Also, if we analyze in PDF or RTF, a summary would be good.
Of course, it's just a suggestion.
Have a nice day
Dominique
P.S: I live in Brussels and work there (d'Ieteren, car importer). I was
asking myself exactly that question when reading the first name: Arnaud
doesn't really sound English :-), nor does Joost for that matter, but
it's rather amusing. I even hesitated to reply in French, which would be
easier for making myself understood, given my English :-). Is it only
your grandparents who are Belgian?
Arnaud Taddei wrote:
>
> Ok Dominique, the problem comes before lire comes in place. If you
> have your logs consolidating in this way this means many other things
> for me. What you really want to do is to get this split of course and
> then you will feel better. How to resolve this:
>
> Just now while in the train (it is 23:30!) I think that you should:
>
> 1)
> - setup an alias name for your machine like: anti-virus.domain
> - even reorganise your network interfaces. plumb an IP address for
> the sendmail which is your relay and one IP address for the
> anti-virus. Force sendmail to bind onto a specific address or if you
> cannot at least on a different port and reconfigure. All of this
> should take you one day of tests not more.
>
> Once your flows are separated you will at least get lines with
> different hostnames and thus a good criterion for splitting the log
>
> 2)
> - look at the way sendmail is configured and allocate a different log
> facility than the default one. Then reconfigure or even recompile one
> of the sendmails and then configure /etc/syslog.conf to take into
> account this new facility and write it to a new file
>
> If you do 1) you will touch your architecture and it seems necessary.
> What you are describing means that you are going to fail on at least
> the Flexibility but potentially as well the Scalability and the
> Security criteria.
>
> Then if you do 1) + 2) you would improve several things.
>
> This was 5 minutes of free consulting :-)
>
> A++
>
> PS: (My grandparents are Belgian, where do you live?)
>
> Dominique Bogaerts wrote:
>
>> Hi Joost,
>>
>> sorry, but I think that my explanation was not correct,
>>
>> I am resending you an e-mail that I sent to Arnaud Taddei
>>
>> thanks again for your help
>>
>> Dominique Bogaerts
>>
>>
>> Hi arnaud,
>>
>> As you know, all logfiles are sent to syslog.
>>
>> We run multiple sendmails on one server:
>>
>> it means that you have this kind of logfile:
>>
>> Oct 31 01:02:31 hostname sendmail[12737]: g9V02Tm12737:
>> from=<yyyyyyyyyy at yyyyyyyyyyyyyyyy>, size=1942, class=0, nrcpts=1,
>> msgid=<008401c28070$51f30a10$1a01a8c0 at neovi.com>, proto=ESMTP,
>> daemon=PUBLIC, relay=mail5.etransmail5.com [207.67.131.70]
>> Oct 31 01:02:31 hostname sendmail[12745]: g9V02VW12745:
>> from=<yyyyyyyyy at yyyyyyyyyyyyyyyyyyyyyy>, size=1979, class=0,
>> nrcpts=1, msgid=<008401c28070$51f30a10$1a01a8c0 at neovi.com>,
>> proto=ESMTP, daemon=OUT, relay=localhost [127.0.0.1]
>> Oct 31 01:02:31 hostname sendmail[12741]: g9V02Tm12737:
>> to=<xxxxxxxxxxxx at xxxxxxxxxxxx>, delay=00:00:01, xdelay=00:00:00,
>> mailer=esmtp, pri=31942, relay=localhost [127.0.0.1], dsn=2.0.0,
>> stat=Sent (g9V02VW12745 Message accepted for delivery)
>> Oct 31 01:02:31 hostname sendmail[12747]: g9V02VW12745:
>> to=<xxxxxxxxxxxxxxx at xxxxxxxxx>, delay=00:00:00, xdelay=00:00:00,
>> mailer=esmtp, pri=31979, relay=xxxxxxxxxxxxxxxx. [999.999.999.999],
>> dsn=2.0.0, stat=Sent (Mail accepted)
>>
>> One sendmail (daemon=PUBLIC) receives all incoming Internet e-mail
>> and sends it to an antivirus.
>> This antivirus forwards the e-mail to a second sendmail (daemon OUT),
>> which sends the e-mail to its destination.
>>
>> So, in the logfile, we have 2 transactions for 1 e-mail: the first
>> sendmail, which receives (anti-relay protection), and the second, which
>> sends (with all redirection).
>>
>> So all statistics that we produce with Lire (and also with all
>> statistics software) aren't correct, because 1 e-mail counts as 2 e-mails.
>>
>> I know that it's a special configuration, maybe I'm not really clear
>> in my explanation, and I also know that it's not a "bug" in Lire, but
>> it's to see whether this kind of feature can be done.
>>
>> We are now busy splitting our logfile to have "good" statistics, but
>> if one piece of software can do this, it's, of course, better for us.
>>
>> thank you for your cooperation
>>
>> Dominique Bogaerts
>>
>>
>>
>>
>> Joost van Baal wrote:
>>
>>> Hi,
>>>
>>> On Thu, Jan 23, 2003 at 12:04:54PM +0100, Arnaud Taddei wrote:
>>>
>>>
>>>> Dominique Bogaerts wrote:
>>>>
>>>>
>>>>> We use sendmail with multiple queue to one server.
>>>>>
>>>>> The resulting logfile is a little "strange" but not surprising.
>>>>>
>>>>> Sendmail sends all of its information via Syslog. Syslog does not
>>>>> allow one logfile per queue.
>>>>>
>>>>> So, you can imagine the result with Lire... all are twice.
>>>>>
>>>>> We don't know whether many people use sendmail with multiple
>>>>> queues, but many people use sendmail and cannot find a suitable
>>>>> application to analyze sendmail's logfiles. Lire does that very
>>>>> well, with a lot of useful information, and fast.
>>>>>
>>>>> Is it possible to imagine this feature in Lire??
>>>>>
>>>>
>>>>
>>>> Dominique, I used to run sendmail with multiple queues too but I
>>>> don't understand what you mean by: 'all are twice'. Or what do you
>>>> mean by 'multiple queue'. Are these queues like: 1 queue for
>>>> messages not delivered in the last 30 minutes, one for the ones not
>>>> delivered in the last 2 hours, etc. or ??
>>>>
>>>
>>>
>>>
>>> I assume that's what Dominique means: a setup as given by Paul Pomes's
>>> re-mqueue, distributed with sendmail in the contrib/ area.
>>>
>>> When flushing one of your queues, passing the `-L' flag to sendmail
>>> gives you a means to track different queues in your log. E.g.:
>>>
>>> /usr/lib/sendmail -L sm-queue-2 -oQ/var/spool/mqueue2 -q
>>>
>>> Once this is done, you can split your log in separate sendmail logs,
>>> and feed these individually to the Lire engine.
>>>
>>> Dominique: does that solve your problem?
>>>
>>> Bye,
>>>
>>> Joost
>>>
>>>
>>>
>>
>
>
>
--
- - - - - - - - - - - - - - -
Dominique Bogaerts
d'Ieteren s.a. - InfoDriver
Network Administrator
dominique.bogaerts at dieteren.be
- - - - - - - - - - - - - - -
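
The log split discussed in this thread, as an added example that is not part of the original messages and is not Lire or sendmail code: in the quoted excerpt only the `from=` lines carry `daemon=PUBLIC` / `daemon=OUT`, so the `to=` delivery lines have to be tied back to their daemon through the queue ID before each stream can be fed to an analyzer separately. The sample lines are constructed, modelled on that excerpt with placeholder addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt in the thread (placeholder addresses).
SAMPLE_LOG = """\
Oct 31 01:02:31 hostname sendmail[12737]: g9V02Tm12737: from=<a@example.org>, size=1942, class=0, nrcpts=1, msgid=<m1@example.org>, proto=ESMTP, daemon=PUBLIC, relay=mx.example.org [192.0.2.70]
Oct 31 01:02:31 hostname sendmail[12745]: g9V02VW12745: from=<a@example.org>, size=1979, class=0, nrcpts=1, msgid=<m1@example.org>, proto=ESMTP, daemon=OUT, relay=localhost [127.0.0.1]
Oct 31 01:02:31 hostname sendmail[12741]: g9V02Tm12737: to=<b@example.net>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=31942, relay=localhost [127.0.0.1], dsn=2.0.0, stat=Sent (g9V02VW12745 Message accepted for delivery)
Oct 31 01:02:31 hostname sendmail[12747]: g9V02VW12745: to=<b@example.net>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=31979, relay=mail.example.net. [198.51.100.9], dsn=2.0.0, stat=Sent (Mail accepted)
"""

# Queue ID is the token right after "sendmail[pid]: "; the rest is key=value text.
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
DAEMON_RE = re.compile(r"\bdaemon=([^,\s]+)")


def split_by_daemon(lines):
    """Group log lines by daemon name, resolving to= lines via their queue ID."""
    qid_daemon = {}              # queue ID -> daemon name seen on its from= line
    pending = defaultdict(list)  # lines whose from= line has not appeared yet
    out = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            out["UNKNOWN"].append(line)  # not a per-message sendmail line
            continue
        qid = m["qid"]
        d = DAEMON_RE.search(m["rest"])
        if d:
            qid_daemon[qid] = d[1]
            out[d[1]].extend(pending.pop(qid, []))  # flush earlier lines in order
        if qid in qid_daemon:
            out[qid_daemon[qid]].append(line)
        else:
            pending[qid].append(line)
    for leftover in pending.values():    # e.g. message received before log rotation
        out["UNKNOWN"].extend(leftover)
    return dict(out)


def messages_received(lines):
    """Count accepted messages the way a naive report would: one per from= line."""
    return sum(1 for line in lines if ": from=" in line)


if __name__ == "__main__":
    merged = SAMPLE_LOG.splitlines()
    print("merged:", messages_received(merged))
    for name, group in split_by_daemon(merged).items():
        print(name, messages_received(group), "message(s),", len(group), "line(s)")
```

Lines left under `UNKNOWN` belong to queue IDs whose `from=` line is outside the file being split, which happens at log rotation boundaries.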