NAME

Log::Saftpresse::Plugin::Amavis - plugin to parse amavisd-new logs

VERSION

version 1.6

Description

This plugin parses Amavis log lines. Currently only JSON format log lines are parsed.

Synopsis

  <Plugin amavis>
    module = "Amavis"
    test_stats = 1
  </Plugin>

Options

test_stats (default: 1)

Enable/disable generation of a counter per spam/ham test.

Configure Amavis/Rsyslog for JSON output

First increase the maximum message size in rsyslog:

  $MaxMessageSize 32k

Then configure your $log_templ in amavisd.conf for JSON output:

  $logline_maxlen = ( 32*1024 ) - 50; # 32k max message size, keep 50 bytes for syslog
  $log_templ = <<'EOD';
  [:report_json]
  EOD

Input

This plugin expects a log line with

  'program' => 'amavis'

and an amavis report_json message like

  'message' => '(04529-01) {"@timestamp":"2015-06-12T04:51:48.725Z","action":["PASS"],...}'

Output

The plugin will output the field log_id and will copy all fields in the JSON data structure to the event.

Counters

The plugin will create the following counters:

  <host>.total
  <host>.content_type.<content_type>
  <host>.action.<action>
  <host>.size
  <host>.score

If option test_stats is enabled:

  <host>.tests.<test>
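
The input, output and counter behaviour described above, as an added sketch that is not the plugin's own source. The events are constructed; the JSON field names content_type, size, score and tests, the way each counter is incremented, the parse_error counter and the safe_key sanitising are assumptions.

```perl
use strict;
use warnings;
use JSON::PP;    # core module

my $test_stats = 1;    # mirrors the plugin option of the same name
my %counters;

# Constructed events. Only "@timestamp" and "action" appear on this page;
# the other JSON field names and their shapes are assumptions.
my @events = (
  { host => 'mx1', program => 'amavis', message =>
      '(04529-01) {"@timestamp":"2015-06-12T04:51:48.725Z","action":["PASS"],'
    . '"content_type":"Clean","size":2048,"score":-1.9,'
    . '"tests":["BAYES_00","SPF_PASS"]}' },
  # Cut off at the size limit, so the JSON is no longer valid.
  { host => 'mx1', program => 'amavis', message =>
      '(04530-02) {"@timestamp":"2015-06-12T04:52:01.100Z","action":["PA' },
  { host => 'mx1', program => 'postfix/smtpd', message => 'connect from unknown' },
);

sub as_list { my ($v) = @_; return ref $v eq 'ARRAY' ? @$v : defined $v ? ($v) : () }

# Values come from the log, so keep them from adding levels to a counter name.
sub safe_key { my ($s) = @_; $s =~ s/[^\w-]/_/g; return $s }

sub process_event {
  my ($ev) = @_;
  return unless defined $ev->{program} && $ev->{program} eq 'amavis';
  my ( $log_id, $json ) = $ev->{message} =~ /^\(([^)]+)\)\s+(\{.*)$/s
    or return;
  $ev->{log_id} = $log_id;
  my $h    = $ev->{host};
  my $data = eval { JSON::PP->new->utf8->decode($json) };
  if ( ref $data ne 'HASH' ) {
    $counters{"$h.parse_error"}++;    # hypothetical counter, not on this page
    return;
  }
  $ev->{$_} = $data->{$_} for keys %$data;    # copy all JSON fields to the event
  $counters{"$h.total"}++;
  $counters{"$h.size"}  += $data->{size}  // 0;
  $counters{"$h.score"} += $data->{score} // 0;
  $counters{ "$h.content_type." . safe_key($_) }++ for as_list( $data->{content_type} );
  $counters{ "$h.action." . safe_key($_) }++       for as_list( $data->{action} );
  if ($test_stats) {
    $counters{ "$h.tests." . safe_key($_) }++ for as_list( $data->{tests} );
  }
  return $ev;
}

process_event($_) for @events;
printf "%s = %s\n", $_, $counters{$_} for sort keys %counters;
```

The second event shows why the rsyslog and $logline_maxlen limits matter: a report cut off at the size limit no longer decodes, so it is counted as a parse error and adds nothing to the per-message counters.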

AUTHOR

Markus Benning <ich@markusbenning.de>

COPYRIGHT AND LICENSE

This software is Copyright (c) 1998 by James S. Seymour, 2015 by Markus Benning.

This is free software, licensed under:

  The GNU General Public License, Version 2, June 1991