-
Notifications
You must be signed in to change notification settings - Fork 2
Generate spamassassin and rspamd daily reports for used rules
License
croessner/rulestats
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Intro:
------
These scripts are little helpers for logrotate to produce reports. Each report
prints out all spam rules that have been in use by spamassassin and rspamd. The
reports are devided into ham and spam sections, each sorted by score (you can
change this in the scripts header).
There are some requirements that must be done before these scripts work. First
of all, amavisd-new must use a special log template and second rspamd must log
to syslog (I did not test a regular file. Maybe it does not have this
requirement).
For both, a working regular expression pattern has been defined in the scripts
headers. If the scripts do not generate the reports, then you might need to
tweak the matching rules.
logrotate:
----------
My logrotate script looks something like this:
/var/log/mail.log
{
rotate 14
daily
missingok
notifempty
compress
compresscmd /usr/bin/pbzip2
compressoptions -9
compressext .bz2
dateext
delaycompress
sharedscripts
postrotate
DATE=$(date +"%Y%m%d")
/usr/local/sbin/create-spamassassin-report.py \
< /var/log/mail.log-${DATE} | \
mail -s "Report: spamassassin" root
/usr/bin/rspamadm configdump -j | \
/usr/local/sbin/create-rspamd-report.py \
/var/log/mail.log-${DATE} | \
mail -s "Report: rspamd" root
kill -HUP $(cat /run/rsyslogd.pid) &>/dev/null || true
endscript
}
This example combines statistics for spamassassin and rspamd, if both are logged
to syslog.
This usage guarentees that you will get a full 24 hour report. I have placed the
two scripts under /usr/local/sbin. If you prefer another place, you must adpot
the paths in the logrotate snippet. Note: If you use a separate log file for
rspamd, it might look like this:
/var/log/rspamd/rspamd.log{
daily
rotate 4
delaycompress
compress
notifempty
missingok
postrotate
DATE=$(date +"%Y%m%d")
/usr/bin/rspamadm configdump -j | \
/usr/local/sbin/create-rspamd-report.py \
/var/log/rspamd/rspamd.log-${DATE} | \
mail -s "Report: rspamd" root
test -r /run/rspamd/rspamd.pid && kill -USR1 $(cat /run/rspamd/rspamd.pid) &>/dev/null
endscript
}
As of writing this document, HUP is broken in rspamd. You must call USR1 for log
rotation!
General requirements:
---------------------
A python 2.x interpreter. Maybe python 3 does also work, but I did not try it
yet.
Requirements for amavisd-new:
-----------------------------
I have copied template code directly out of amavisd and have slithly modified
it:
# template derived from /usr/sbin/amavisd ~ line 33886
$log_recip_templ = '
[?%#D|#|Passed #
[? [:ccat|major] |#
OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER-[:ccat|minor]|SPAMMY|SPAM|\
UNCHECKED[?[:ccat|minor]||-ENCRYPTED|]|BANNED (%F)|INFECTED (%V)]#
{[:actions_performed]}#
,[?%p|| %p][?%a||[?%l|| LOCAL] [:client_addr_port]][?%e|| \[%e\]] [:mail_addr_decode_octets|%s] -> [%D|[:mail_addr_decode_octets|%D]|,]#
[? %q ||, quarantine: %q]#
[? %Q ||, Queue-ID: %Q]#
[? %m ||, Message-ID: [:mail_addr_decode_octets|%m]]#
[? %r ||, Resent-Message-ID: [:mail_addr_decode_octets|%r]]#
[? %i ||, mail_id: %i]#
, Hits: [:SCORE]#
, size: %z#
[? [:partition_tag] ||, pt: [:partition_tag]]#
[~[:remote_mta_smtp_response]|["^$"]||[", queued_as: "]]\
[remote_mta_smtp_response|[~%x|["queued as ([0-9A-Za-z]+)$"]|["%1"]|["%0"]]|/]#
#, Subject: [:dquote|[:mime2utf8|[:header_field_octets|Subject]|100|1]]#
#, From: [:uquote|[:mail_addr_decode_octets|[:rfc2822_from]]]#
[? %#T ||, Tests: \[[%T|,]\]]#
[? [:dkim|sig_sd] ||, dkim_sd=[:dkim|sig_sd]]#
[? [:dkim|newsig_sd] ||, dkim_new=[:dkim|newsig_sd]]#
, %y ms#
]
[?%#O|#|Blocked #
[? [:ccat|major|blocking] |#
OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER-[:ccat|minor]|SPAMMY|SPAM|\
UNCHECKED[?[:ccat|minor]||-ENCRYPTED|]|BANNED (%F)|INFECTED (%V)]#
{[:actions_performed]}#
,[?%p|| %p][?%a||[?%l|| LOCAL] [:client_addr_port]][?%e|| \[%e\]] [:mail_addr_decode_octets|%s] -> [%O|[:mail_addr_decode_octets|%O]|,]#
[? %q ||, quarantine: %q]#
[? %Q ||, Queue-ID: %Q]#
[? %m ||, Message-ID: [:mail_addr_decode_octets|%m]]#
[? %r ||, Resent-Message-ID: [:mail_addr_decode_octets|%r]]#
[? %i ||, mail_id: %i]#
, Hits: [:SCORE]#
, size: %z#
[? [:partition_tag] ||, pt: [:partition_tag]]#
#, Subject: [:dquote|[:mime2utf8|[:header_field_octets|Subject]|100|1]]#
#, From: [:uquote|[:mail_addr_decode_octets|[:rfc2822_from]]]#
[? %#T ||, Tests: \[[%T|,]\]]#
[? [:dkim|sig_sd] ||, dkim_sd=[:dkim|sig_sd]]#
[? [:dkim|newsig_sd] ||, dkim_new=[:dkim|newsig_sd]]#
, %y ms#
]';
This will produce log lines similar to that (wrapped for better reading):
Jul 20 08:46:29 mx amavis[28805]: (28805-02) Passed CLEAN {AcceptedInternal},
AM.PDP-SOCK LOCAL [...] [...]
<...> -> <...>, Queue-ID: 3rvS9v2QF9zGpTb,
Message-ID: <...>, mail_id:
p_hA7G_XqiqP, Hits: 1.439, size:
1631, Tests:
[BAYES_50=0.8,DCC_CHECK=1.1,DIGEST_MULTIPLE=0.293,PYZOR_CHECK=1.392,RCVD_IN_SBL=0.141,RP_MATCHES_RCVD=-1.287,DSPAM.Innocent=-1.000],
2452 ms
Requirements for rspamd:
------------------------
Only if you want to have rspamd log to syslog, follow these extra steps!
I personally like to have mail related logging at one place and not devided into
several different files. For that I have told rspamd to log into syslog by
override statement:
rspamd.conf.override:
logging {
type = "syslog";
facility = "mail";
level = "info";
.include "$CONFDIR/logging.inc"
}
This will produce log lines similar like this (wrapped for better reading)::
Jul 20 08:50:43 mx rspamd[12384]: <5c3ffd>; task; rspamd_task_write_log: id:
<...>, qid: <3rvSGm6s5gzGpVW>, ip:
..., from: <...>,
(default: T (reject): [22.79/15.00]
[DBL_SPAM,MIME_GOOD,URIBL_BLACK,RBL_SPAMHAUS_SBL,FORGED_SENDER,RBL_SPAMHAUS_CSS,FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN,BAYES_SPAM]),
len: 2045, time: 15.999ms real, 7.253ms virtual, dns req: 30
If you prefer not to let rspamd log to syslog and you want to stay with the
default rspamd.log file, you need to call the stats script in another logrotate
script similar to this:
Notes:
------
For examples how the reports look like, please see the provided examples.
Have fun...
About
Generate spamassassin and rspamd daily reports for used rules
Resources
License
Stars
Watchers
Forks
Packages 0
No packages published