Postfix log analysis : Date calculation problem

Joost van Baal joostvb at logreport.org
Wed Apr 19 09:56:20 CEST 2006 

Hi,

Op di 18 apr 2006 om 08:29:55 +0200 schreef Stephan Ruggiero:
> Am 18.04.2006 um 08:41 schrieb Joost van Baal:
> >Op di 18 apr 2006 om 08:29:16 +0200 schreef Stephan Ruggiero:
> >>
> >>I am analysing a postfix log file with several entries from Jan to
> >>Dec 2005.
> >>Basically, the report is well generated, but I encounter an issue
> >>I've not been able to solve:
> >>The "deliveries-by-period" and "volume-by-period" reports always are
> >>presented with dates relative to the day of the report generation
> >>(e.g. 2005-04-18 - 2006-04-17) instead of reflecting the dates in the
> >
> >>logs (2005-01-01 - 2005-12-31). I did not find any setting to have
> >>lire display the absolute dates.
> >
> >Do the timestamps in the raw logfile contain the year?

> No. Here's an extract of the logs:
> 
> Jun 23 19:38:24 slox41 postfix/smtpd[22549]: connect from xxx.xxx.xx 
> [193.174.61.x]
> Jun 23 19:38:24 slox41 postfix/smtpd[22549]: TLS connection  
> established from XXXX[193.174.61.x]: TLSv1 with cipher EDH-XX-DES- 
> CBC3-SHA (168/168 bits)
> Jun 23 19:38:24 slox41 postfix/smtpd[22549]: 9AFC66C0019:  
> client=xxx.xx[193.174.61.x]
> Jun 23 19:38:24 slox41 postfix/lmtp[22541]: D9B186C001A:  
> to=<xx at xx.xx>, relay=public/lmtp[public/lmtp], delay=5, status=sent  
> (250 2.1.5 Ok)
> Jun 23 19:38:24 slox41 postfix/cleanup[22550]: 9AFC66C0019: message- 
> id=0xaec16b3d.27435.1088005194.1
> Jun 23 19:38:24 slox41 postfix/smtpd[22537]: disconnect from  
> xxx.xxx.xx[193.174.61.x]

It's not exactly clear to me what's going on.  I generated a postfix
report using the lire 2.0.1-4 Debian package, which was just fine:

 Report generated: 2006-04-16 06:48:16 CEST
 Reporting on period:
 2006-04-09 06:48:24 CEST - 2006-04-14 06:25:09 CEST

 [...]

 Deliveries Attempts By 1d Period

 2006-04-09
 [...]
 2006-04-14

What does the "Report generated:" and "Reporting on period:" fields say
in your report?  Could you craft a small (posibly anonymized) logfile
which triggers this unwanted behaviour?

> If this is a problem: Is there a way to get around it?

Well, since syslog doesn't add the year to its timestamps, Lire uses
some heuristics to guess the year.  There might very well be a bug in
these heuristics.

Very likely someone has to take a close look at the code:

 postfix2dlf_pre(1)
uses
 Lire::Syslog::parse_bsd_syslog()
uses
 Lire::Time::syslog2cal()

The last one has the heuristics I mentioned.

Once the log is converted to DLF format, the modules

 Lire::Timeslot(3pm)
 Lire::Timegroup(3pm)

are used to generate reports.

Bye,

Joost

-- 
.    .                                        http://logreport.com/
| '.|                        /^LogReport$/
| Lire                                        http://logreport.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 829 bytes
Desc: Digital signature
Url : http://lists.logreport.org/pipermail/questions/attachments/20060419/c43cafd4/attachment.bin

More information about the Questions mailing list