logcheck — amavisd-new filter

Tested using Debian 7 Wheezy. To be added to /etc/logcheck/ignore.d.server/

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|SPAM|SPAMMY),( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Blocked SPAM,( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, [[:digit:]]+ ms$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (BAD-HEADER),.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Blocked BANNED \([.,_ [:alnum:]-]+\),( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( quarantine: [/[:alnum:]-]+,)?( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, [[:digit:]]+ ms$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: $[-[:digit:]]+$ Passed (CLEAN|SPAM|SPAMMY),( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Message-ID: <[^>]+>( $(added by[^)]+|sfid-[_[:xdigit:]]+)$)?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: $[-[:digit:]]+$ Blocked SPAM,( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Message-ID: <[^>]+>( $(added by[^)]+|sfid-[_[:xdigit:]]+)$)?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, [[:digit:]]+ ms$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: $[-[:digit:]]+$ Passed (BAD-HEADER),.*$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: $[-[:digit:]]+$ Blocked BANNED $[.,_ [:alnum:]-]+$,( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( quarantine: [/[:alnum:]-]+,)?( Message-ID: <[^>]+>( $(added by[^)]+|sfid-[_[:xdigit:]]+)$)?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, [[:digit:]]+ ms$

With javascript enabled, the above regex block has a toolbar with a copy-to-clipboard button.

I have quite a few of these custom filters, I’ll post some more at another time.

One thought on “logcheck — amavisd-new filter”

Guillaume November 12, 2013 at 9:43 pm

I now have this for the first line:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: $[-[:digit:]]+$ Passed (CLEAN|SPAM(MY)?) {Relayed(Inbound|Internal|OpenRelay)},( LOCAL)?( \[[[:xdigit:].:]{3,39}\](:[[:digit:]]{4,5})?){0,2} ]*> -> ]*>(,]*>)*,( Queue-ID: [[:xdigit:]]{11},)?( Message-ID: ]+>( $(added by[^)]+|sfid-[_[:xdigit:]]+)$)?,)?( Resent-Message-ID: ]+>,)? mail_id: [-+_[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$

Reply ↓

#!/usr/bin/nooblet.org

/* not just your average nub */

logcheck — amavisd-new filter

One thought on “logcheck — amavisd-new filter”

Leave a Reply Cancel reply