
Re: Spamd log analyzer



A while back, someone somewhere posted this
#####################################################
#!/usr/bin/perl
#
# spamd statistics script.
#
# Changelog:
#	0.1 - basic reporting
#	0.2 - added CL switches, average calc and time in hh:mm:ss
#	0.3 - fixed integers in printf(), $counter wasn't counting per IP,
#		  changed "total" line (cosmetics)
#	0.3.1 - fixed column breaking with different IP lenghts, added total
#			average (secs/conn), added time when last connected
#
# Author:
#	Damir Horvat, [email protected]

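use Getopt::Std;

# Parse the command-line switches into the $opt_* package globals that the
# rest of the script reads; usage() documents each switch.
getopts("thHvLr:f:");

# Plain sub call rather than "&usage;", which would also hand our @_ through.
usage() if $opt_h;
if ($opt_v) { print "$0 v0.3.1\n"; exit 1; }

# -f overrides the default log location.
$logfile = $opt_f ? $opt_f : "/var/log/spamd";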
	
sub usage {
	# Print the command-line help text and leave with exit status 1.
	my @help = (
		"",
		"Usage: $0 [-htHvL] [-r 'regexp'] [-f logfile]",
		"\t-h\tprint this text",
		"\t-t\tprint totals",
		"\t-H\tprint human readable format",
		"\t-v\tprint version #",
		"\t-L\tdatetime when last connected (breaks 80char width)",
		"\t-r\t'regexp' to search for",
		"\t-f\tlogfile to parse",
		"",
		"\tMost common use: $0 -HLt",
	);
	print join("\n", @help), "\n";
	exit 1;
}

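sub sec2hms {
	# Split a duration in seconds into whole hours, minutes and seconds.
	# Returns the list (H, M, S). The parts are truncated to integers
	# here so callers get exact values instead of relying on %d to
	# drop the fraction (the original returned e.g. 1.016 hours).
	my $sec = shift;

	my $h = int($sec / 3600);
	my $m = int(($sec % 3600) / 60);
	my $s = $sec % 60;

	return ($h, $m, $s);
}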

# Accumulators filled while the log is read and summarised at the end.
my %hosts;                      # host => [ seconds, connections, last datetime ]
my ($total_t, $total_c, $total_h, $total_a) = (0, 0, 0, 0);
# $total_t  seconds spent on all connections
# $total_c  connections seen (summed while printing the per-host rows)
# $total_h  distinct hosts
# $total_a  running sum of the per-host averages; divided by $total_h for -t

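# Read the log once, accumulating per-host totals. Three-argument open with
# a lexical handle keeps the -f argument a plain filename: no mode
# characters, surrounding whitespace or "-" get special treatment.
open(my $log, '<', $logfile) or die "Can't open $logfile: $!\n";
while (my $line = <$log>) {
	# Only lines mentioning "seconds" are summaries; -r narrows them further.
	next unless $line =~ /seconds/;
	next if $opt_r and $line !~ /$opt_r/;

	# Whitespace-separated fields of a summary line:
	#   [0..2] timestamp, [5] host, [8] seconds for that connection.
	my @data = split(/\s+/, $line);
	next unless @data > 8;		# too short to be a summary line; skip it
	my $host     = $data[5];
	my $time     = $data[8];
	my $datetime = "$data[0] $data[1] $data[2]";

	$total_t += $time;

	if ($hosts{$host}) {
		$hosts{$host}[0] += $time;
		$hosts{$host}[1]++;
		$hosts{$host}[2] = $datetime;	# most recent connection wins
	} else {
		$hosts{$host} = [$time, 1, $datetime];
		$total_h++;
	}
}
close($log);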

# Report banner: which log was read and, with -r, which filter applied.
my $banner = "Spamd statistics: (";
$banner .= "regexp: \"$opt_r\", " if $opt_r;
$banner .= "logfile: $logfile)\n";
print $banner;

# Column header. "Average" sits on its own line above the (secs/conn)
# column; -H adds the Hh:Mm:Ss column and -L the last-connection column.
my @columns = ("Host\t\t", "Seconds", "Connections", "(secs/conn)");
push @columns, "Hh:Mm:Ss"    if $opt_H;
push @columns, "Last conn @" if $opt_L;
print "\t\t\t\t\t\tAverage\n";
print join("\t", @columns), "\n";


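# One row per host. Hosts are sorted so successive reports are comparable
# (each %hosts gave hash order). The host and timestamp are passed as %s
# arguments instead of being interpolated into the printf format, so text
# read from the log can never be parsed as a conversion.
for my $host (sort keys %hosts) {
	my ($secs, $conns, $last_seen) = @{ $hosts{$host} };

	# Count each connection and fold this host's average into the total.
	$total_c += $conns;
	my $avg = $secs / $conns;
	$total_a += $avg;

	# FIXIT
	# Different IP lengths cause columns to break. Printing six spaces
	# after the host seems to fix it.
	my $space = "      ";

	my $fmt  = "%s%s\t%7d\t%11d%12.2f";
	my @args = ($host, $space, $secs, $conns, $avg);
	if ($opt_H) {
		$fmt .= "\t%10d:%2d:%2d";
		push @args, sec2hms($secs);
	}
	if ($opt_L) {
		# Without -H the Hh:Mm:Ss column is absent, so an extra tab
		# keeps "Last conn" in the same position.
		$fmt .= $opt_H ? "\t%s" : "\t\t%s";
		push @args, $last_seen;
	}
	printf("$fmt\n", @args);
}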
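if ($opt_t) {
	# Totals line. With no matching log lines $total_h is 0, so guard
	# the division instead of dying after the header has been printed.
	my $average = $total_h ? $total_a / $total_h : 0;
	my $rule = "----------------+--------------+-----------+-----------+";
	if ($opt_H) {
		print "$rule----------------+\n";
		my ($h, $m, $s) = sec2hms($total_t);	# lexicals, not globals
		printf ("%10d hosts\t%7d\t%11d\t%7.2f%11d:%2d:%2d\n",
			$total_h, $total_t, $total_c, $average, $h, $m, $s);
	} else {
		print "$rule\n";
		printf ("%10d hosts\t%7d\t%11d%12.2f\n",
			$total_h, $total_t, $total_c, $average);
	}
}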


################################################################ Which outputs something like this: Spamd statistics: (logfile: /var/log/spamd) Average Host Seconds Connections (secs/conn) 61.84.32.178: 14 2 7.00 220.121.48.190: 7 1 7.00 220.121.48.151: 7 1 7.00 211.158.83.141: 4 2 2.00 221.155.196.101: 17 1 17.00 211.204.195.254: 439 1 439.00 218.17.72.58: 403 1 403.00 219.153.156.45: 12 1 12.00 61.249.62.16: 4082 1 4082.00 218.17.230.108: 733 1 733.00 220.79.101.65: 18 1 18.00 221.147.96.204: 776 1 776.00 61.140.60.63: 1643 4 410.75 221.155.192.12: 13 1 13.00 220.121.48.157: 7 1 7.00 221.147.96.213: 439 1 439.00 211.158.126.168: 2 1 2.00 211.216.136.208: 7 1 7.00 221.147.96.239: 1955 1 1955.00 218.17.74.127: 774 1 774.00 218.17.76.63: 769 1 769.00 61.84.57.50: 12 1 12.00 220.126.214.144: 6 1 6.00 210.102.36.251: 246 1 246.00 211.196.205.135: 403 1 403.00 221.146.87.210: 438 1 438.00 211.158.74.73: 20 1 20.00 211.221.72.149: 4 1 4.00 210.102.36.191: 428 2 214.00 221.147.96.130: 3238 1 3238.00 61.102.85.120: 7 1 7.00 192.168.2.139: 382 4 95.50 220.116.165.66: 3494 1 3494.00 61.73.45.151: 16 1 16.00 218.54.75.178: 111 1 111.00 211.158.44.254: 2 1 2.00 219.248.240.10: 65 5 13.00 219.153.152.233: 160 1 160.00 218.17.71.177: 27030 1 27030.00 220.71.86.138: 1231 1 1231.00 61.73.20.88: 433 1 433.00 221.155.199.103: 15 1 15.00 219.91.102.126: 6 1 6.00 211.218.7.189: 435 1 435.00 218.17.230.178: 1741 1 1741.00 221.154.7.173: 7 1 7.00 218.17.75.160: 595 1 595.00 220.116.209.18: 2238 1 2238.00 218.17.71.112: 620 1 620.00 220.166.98.222: 405 1 405.00 220.71.86.160: 1368 1 1368.00 219.153.155.41: 19 1 19.00 222.101.164.110: 20 1 20.00



Mark Gangl wrote:

I am running OpenBSD 3.5 on a mail server, using postfix with pf and spamd redirection. I have syslog setup to redirect log info from spamd to a separate log file. I was hoping someone knows of a spamd log analyzing tool that I could run via cron and receive an email spamd report.

Basically I would like to get stats on the IP addresses that I am blocking (including number of times and length), along with what email address they are claiming to come from and where they are going. I try to manually read my logs when I can to see if I am being too restrictive in what I block, but the process is getting rather tedious.

Searching the openbsd list archives turns up a possible lead, but the link in the email is dead (http://archives.neohapsis.com/archives/openbsd/2003-09/0995.html).

Thanks,
Mark