
Logwatch for Plesk 10.4, Centos 5 - patches/how-to!

bluik

Basic Pleskian
Hi,

I just installed a new server with Plesk 10.4 and Centos 5. I see that stock logwatch is largely incompatible with the Plesk 10.4/Postfix installation, with a lot of log lines "unmatched".

So I will create my customized logwatch with proper regex for Plesk 10.4/Postfix installation. I would send the diffs here so that other people can benefit and improve them.

Before I start on this, has anyone else done it before so I do not waste my time?
 
You can post it here and I will show your patch to our developers. I think it would be interesting for them.
 
This is not a busy server, and the first mail just 30 minutes ago was 9 MB in size. Most of it in "unmatched" lines from scripts:
pop3
imapd
proftpd-messages

I might use logwatch scripts from CentOS/RHEL 6 as base if there were enough goodness in them. If I remember correctly the logwatch scripts from it can be just copied over the ones from CentOS 5 and there were some significant improvements in the new version.
 
First revision diffs

First of all, the latest logwatch scripts in the logwatch SVN tree would provide significant benefits over the old version '7.3-9.el5_6' shipped with the latest CentOS 5 (apparently, it is not from the Plesk repo, right?). For example, the proftpd service can properly parse the logins from /var/log/secure while the old version tries to use /var/log/messages (and the logins do not go to this file). I will try later to just use them. But for now, here is the first version of the diffs with the most important fixes.

Anyone understanding the diffs will see right away that they are very simple. I acknowledge that I am not doing any ground-breaking rocket surgery here.
With this set of diffs, my daily logwatch message went down from 9 MB to "just" 1 MB, so there is a lot of work left with 'unmatched entries' flooding the daily report.

IMPORTANT: I take no responsibility whatsoever. If you decide to patch your logwatch, you cannot hold me liable for anything and are on your own. I will however try to help if anyone has a problem because of these, since it may help to improve the scripts. I welcome any comments and encourage you to join the effort in fixing the very bad logwatch in the CentOS 5 + Plesk 10.4 with Postfix combo.

IMAP:
- Logout stats: Now mostly correct with list of users; how many logouts and how much downloaded. Mbox size shows 0, I will look into that later.
- CAVEAT: Still have few unmatched entries, will be checked in second revision.
--- imapd.orig 2012-03-28 07:11:49.000000000 +0200
+++ imapd 2012-03-27 06:05:22.000000000 +0200
@@ -43,13 +43,13 @@
# Don't care about these...
} elsif ( ($User, $Host) = ( $ThisLine =~ /^Login user=(.*?) host=(.*\[.*\])$/ ) ) {
$Login{$User}{$Host}++;
- } elsif ( ($User, $Host) = ( $ThisLine =~ /^LOGIN, user=(.*?), ip=\[(.*)\], protocol=IMAP$/o ) ) {
+ } elsif ( ($User, $Host) = ( $ThisLine =~ /LOGIN, user=(.*?), ip=\[(.*)\], protocol=IMAP$/o ) ) {
$Login{$User}{$Host}++;
} elsif ( ($User,$Host) = ( $ThisLine =~ /^Authenticated user=(.*) host=(.*\[.*\])$/ ) ) {
$Login{$User}{$Host}++;
} elsif ( ($User,$Host) = ( $ThisLine =~ /^Preauthenticated user=(.*) host=(.*)$/ ) ) {
$Login{$User}{$Host}++;
- } elsif ( ($Host) = ( $ThisLine =~ /^imap service init from (.*)$/ ) ) {
+ } elsif ( ($Host) = ( $ThisLine =~ /^IMAP connect from @ \[(.*)\]/ ) ) {
$ConnectionNonSSL{$Host}++;
$Connection{$Host}++;
} elsif ( ($Host) = ( $ThisLine =~ /^imaps SSL service init from (.*)$/ ) ) {
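Review bot: the `ip=\[(.*)\]` capture in the new `LOGIN, user=` line is greedy, so if any later field on the same line contains a `]` the host key swallows everything up to that last bracket; `ip=\[([^\]]*)\]` stops at the first closing bracket and is the safer form for every bracketed-ip pattern in these diffs. Dropping the `^` anchor is the right fix for a prefixed line, but the replacement `^IMAP connect from @ \[(.*)\]` keeps its anchor; if the same prefix precedes the connect lines they will stay unmatched.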
@@ -67,7 +67,7 @@
} elsif ( ($User, $Host) = ( $ThisLine =~ /^Logout user=(.*?) host=(.*\[.*\])$/) ) {
$Logout{$User}{$Host}++;
$Logout2{$User}++;
- } elsif ( ($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /^(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[(.*)\], headers=(\d+), body=(\d+)/o ) ) {
+ } elsif ( ($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[(.*)\], headers=(\d+), body=(\d+)/o ) ) {
$Logout{$User}{$Host}++;
$Logout2{$User}++;
$DownloadedMessagesSize{$User} += $DownloadSize1 + $DownloadSize2;
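Review bot: `$dummy` captures the LOGOUT/TIMEOUT/DISCONNECTED keyword but is never used; a non-capturing group `(?:LOGOUT|TIMEOUT|DISCONNECTED)` removes the dead variable. The pattern also still requires `user=`, so disconnect lines without a user field remain unmatched in this revision (the third-revision diff further down makes that field optional).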

POP3:
- Logout stats: Same as IMAP above.
- CAVEAT: A ton of unmatched entries.
- TODO: Fix unmatched: "FAILED: spam - short names not allowed from " - count or ignore. Should probably count, opinions?
--- pop3~ 2012-03-28 07:10:14.000000000 +0200
+++ pop3 2012-03-27 06:05:58.000000000 +0200
@@ -103,7 +103,7 @@
$Logout{$User}{$Host}++;
$Logout2{$User}++;
$Connection{$Host}++;
- } elsif (($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /^(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[(.*)\], top=(\d+), retr=(\d+)/o)) {
+ } elsif (($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[(.*)\], top=(\d+), retr=(\d+)/o)) {
$DownloadedMessagesSize{$User} += $DownloadSize1 + $DownloadSize2;
$Logout{$User}{$Host}++;
$Logout2{$User}++;
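Review bot: this hunk only unanchors the LOGOUT pattern, so the `FAILED: spam - short names not allowed from` line from the TODO above is still unmatched. Since that line is an authentication rejection it belongs with the `$LoginFailed` counters rather than the ignore list; counting it means repeated rejections from one host show up in the failed-login section instead of vanishing.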

PROFTP-MESSAGES:
- Just fix ignored messages.
- CAVEAT: There will be no output from proftpd-messages module of logwatch under normal circumstances after the patch. The old logwatch in CentOS 5 requires a large change to read the logins from secure logfile instead of messages.

--- proftpd-messages~ 2012-03-28 07:10:15.000000000 +0200
+++ proftpd-messages 2012-03-27 07:02:57.000000000 +0200
@@ -44,12 +44,14 @@
( $ThisLine =~ /^(ANONYMOUS )?FTP login as \'.*\' from [^ ]+ \[.*\] to .*/ ) or
( $ThisLine =~ /PAM\(.*\): Authentication failure/ ) or
( $ThisLine =~ /^data_sendfile/ ) or
+ ( $ThisLine =~ /Preparing to chroot to directory \'\/var\/www\/vhosts\/./ ) or
( $ThisLine =~ / - FTP session opened/ ) or
( $ThisLine =~ / - FTP session closed/ ) or
( $ThisLine =~ / - No certificate files found/ ) or
- ( $ThisLine =~ /FTP (no transfer|session idle) timeout, disconnected/ ) or
+ ( $ThisLine =~ /(FTP no transfer|Client session idle) timeout, disconnected/ ) or
( $ThisLine =~ / masquerading as / ) or
- ( $ThisLine =~ /FTP login timed out, disconnected/ )
+ ( $ThisLine =~ /(FTP login|Session) timed out, disconnected/ ) or
+ ( $ThisLine =~ /Login timeout exceeded, disconnected/ )
) {
#We don't care about these
} elsif ( ($Host,$IP,$Email,) = ( $ThisLine =~ /^FTP session opened: ftp\/ftp (.*)\[(.*)\] (.*)$/ ) ) {
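Review bot: in the added `Preparing to chroot to directory \'\/var\/www\/vhosts\/./` line the `\'` escapes are unnecessary in a Perl regex and the trailing `.` is a one-character wildcard rather than a literal; `Preparing to chroot to directory '\/var\/www\/vhosts\//` says what is meant. More importantly, as the caveat above notes, after this hunk the module reports nothing at all, so successful FTP logins silently drop out of the daily report; the patch notes should point readers at the newer proftpd script that reads logins from /var/log/secure, otherwise the filter hides exactly the events an administrator reads logwatch for.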

Patching instructions:
Patch with something like `patch /usr/share/logwatch/scripts/services/[filename] <[file you saved the diff to]`
So for example for imapd, I saved the diff to "imapd.diff", so I patch with `patch /usr/share/logwatch/scripts/services/imapd <imapd.diff` (need root of course).
 
Third revision diffs

imapd:
--- imapd~ 2012-03-27 05:42:52.000000000 +0300
+++ imapd 2012-03-31 10:46:17.000000000 +0300
@@ -38,18 +38,19 @@
if (
($ThisLine =~ /^Initializing */) or
($ThisLine =~ /^spgetpwnam: can't find user: */) or
- ($ThisLine =~ /^couriertls: read: Connection reset by peer/ )
+ ($ThisLine =~ /^couriertls: read: Connection reset by peer/) or
+ ($ThisLine =~ /digascii: [a-f0-9]*, response: /)
) {
# Don't care about these...
} elsif ( ($User, $Host) = ( $ThisLine =~ /^Login user=(.*?) host=(.*\[.*\])$/ ) ) {
$Login{$User}{$Host}++;
- } elsif ( ($User, $Host) = ( $ThisLine =~ /^LOGIN, user=(.*?), ip=\[(.*)\], protocol=IMAP$/o ) ) {
+ } elsif ( ($User, $Host) = ( $ThisLine =~ /LOGIN, user=(.*?), ip=\[(.*)\], protocol=IMAP$/o ) ) {
$Login{$User}{$Host}++;
} elsif ( ($User,$Host) = ( $ThisLine =~ /^Authenticated user=(.*) host=(.*\[.*\])$/ ) ) {
$Login{$User}{$Host}++;
} elsif ( ($User,$Host) = ( $ThisLine =~ /^Preauthenticated user=(.*) host=(.*)$/ ) ) {
$Login{$User}{$Host}++;
- } elsif ( ($Host) = ( $ThisLine =~ /^imap service init from (.*)$/ ) ) {
+ } elsif ( ($Host) = ( $ThisLine =~ /^IMAP connect from @ \[(.*)\]/ ) ) {
$ConnectionNonSSL{$Host}++;
$Connection{$Host}++;
} elsif ( ($Host) = ( $ThisLine =~ /^imaps SSL service init from (.*)$/ ) ) {
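Review bot: `LOGIN, user=` is now unanchored but `^IMAP connect from @ \[(.*)\]` and the other init/connect patterns keep their `^`; whatever prefix stopped `^LOGIN` from matching would stop these too, so either drop the anchor consistently or say why it is safe here. The new `digascii: [a-f0-9]*, response: ` ignore keeps the report readable, but the pattern suggests authentication challenge/response debug output; if so it is better silenced at the daemon's debug setting than filtered out downstream, since that material should not be reaching syslog at all.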
@@ -67,7 +68,12 @@
} elsif ( ($User, $Host) = ( $ThisLine =~ /^Logout user=(.*?) host=(.*\[.*\])$/) ) {
$Logout{$User}{$Host}++;
$Logout2{$User}++;
- } elsif ( ($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /^(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[(.*)\], headers=(\d+), body=(\d+)/o ) ) {
+ } elsif ( ($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /(LOGOUT|TIMEOUT|DISCONNECTED), (user=.*, )?ip=\[(.*)\], headers=(\d+), body=(\d+)/o ) ) {
+ if ( ($dummy) = ( $User =~ /user=(.*)/ ) ) {
+ $User = $dummy;
+ } else {
+ $User = "unknown";
+ }
$Logout{$User}{$Host}++;
$Logout2{$User}++;
$DownloadedMessagesSize{$User} += $DownloadSize1 + $DownloadSize2;
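Review bot: the optional group `(user=.*, )?` captures the trailing `, ` as part of `$User`, and the follow-up `$User =~ /user=(.*)/` is greedy to end of string, so `$User` ends up as `alice@example.com, ` and every logout and size key carries a stray comma and space (and no longer aggregates with the `LOGIN` keys, which have none). Capture the name directly, e.g. `(?:user=(.*?), )?ip=\[(.*)\]`, which keeps the same five captures, and fall back to `"unknown"` only when that group is undefined; `$dummy` then goes back to being just the keyword capture.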

pop3:
--- pop3~ 2012-03-27 06:04:56.000000000 +0300
+++ pop3 2012-04-01 04:28:48.000000000 +0300
@@ -60,7 +60,7 @@
($ThisLine =~ /^maildrop: can't read message$/) or
($ThisLine =~ /^mailbox: mailbox content has been changed$/) or
($ThisLine =~ /^(sktbuff|maildrop): write: Connection reset by peer$/) or
- ($ThisLine =~ /^(sktbuff|maildrop): write: Connection timed out$/) or ($ThisLine =~ /^mailspool_build_index.*: skipping c-client metadata$/) or
+ ($ThisLine =~ /^(sktbuff|maildrop|couriertls): (write|read): Connection timed out$/) or ($ThisLine =~ /^mailspool_build_index.*: skipping c-client metadata$/) or
($ThisLine =~ /^open: Permission denied$/) or
($ThisLine =~ /^read: Broken pipe$/) or
($ThisLine =~ /^read: Connection reset by peer$/) or
@@ -71,14 +71,15 @@
($ThisLine =~ /tpop3d startup succeeded$/) or
($ThisLine =~ /^disconnected, user=/i) or
($ThisLine =~ /^timeout, user=/i) or
- ($ThisLine =~ /^connection, ip=/i)
- or ($ThisLine =~ /^Connection, ip=/o)
+ ($ThisLine =~ /^connection, ip=/i) or
+ ($ThisLine =~ /Connection, ip=/) or
+ ($ThisLine =~ /digascii: [a-f0-9]*, response: /)
) {
# Don't care about these...
} elsif (
(($User, $Host) = ( $ThisLine =~ /^user (.*?) authenticated - (.*)$/ )) or
(($User, $Host) = ( $ThisLine =~ /^fork_child: \[\d\].*\((.*)\): began session for `(.*)' with .*; child PID is \d+$/ ))
- or (($User, $Host) = ( $ThisLine =~ /^LOGIN, user=(.*?), ip=\[(.*)\]$/ ))
+ or (($User, $Host) = ( $ThisLine =~ /LOGIN, user=(.*?), ip=\[(.*)\]$/ ))
) {
$Login{$User}{$Host}++;
} elsif ( ($User,$Downloaded,$DownloadSize,$Left,$LeftSize) = ( $ThisLine =~ /^Stats: (.*?) (.*?) (.*?) (.*?) (.*?)$/) ) {
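Review bot: `($ThisLine =~ /^connection, ip=/i)` and the new `($ThisLine =~ /Connection, ip=/)` overlap: the unanchored, case-sensitive pattern already covers every line the anchored one matches except a lowercase `connection` at the start of the line. A single `($ThisLine =~ /connection, ip=/i)` expresses both and avoids two nearly identical entries drifting apart later.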
@@ -103,7 +104,7 @@
$Logout{$User}{$Host}++;
$Logout2{$User}++;
$Connection{$Host}++;
- } elsif (($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /^(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[(.*)\], top=(\d+), retr=(\d+)/o)) {
+ } elsif (($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[(.*)\], top=(\d+), retr=(\d+)/o)) {
$DownloadedMessagesSize{$User} += $DownloadSize1 + $DownloadSize2;
$Logout{$User}{$Host}++;
$Logout2{$User}++;
@@ -120,6 +121,8 @@
$LoginFailed{"$Host ($User)"}++;
} elsif ( ($User,$Host) = ( $ThisLine =~ /^authentication failed: no such user: (.*?) - (.*)/ ) ) {
$LoginFailed{"$Host (UNKNOWN: $User)"}++;
+ } elsif ( ($Host) = ( $ThisLine =~ /LOGIN FAILED, ip=\[(.*)\]/ ) ) {
+ $LoginFailed{"$Host"}++;
} elsif ( ($User) = ( $ThisLine =~ /^auth_pam_new_user_pass: pam_authenticate\((.*)\): Authentication failure/) ){
$LoginFailed{$User}++;
} elsif ( ($User) = ( $ThisLine =~ /^authcontext_new_user_pass: rejecting login attempt by `(.*)' with empty password$/) ) {
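Review bot: the new `$LoginFailed{"$Host"}++` keys only on the host, while the neighbouring branches key on `"$Host ($User)"` or `"$Host (UNKNOWN: $User)"`, so failures caught here appear in a different shape from the rest of the failed-login table. Because the match is unanchored, a `user=` field preceding `ip=` on the line would be silently skipped; capturing it with `(?:user=(.*?), )?ip=\[(.*)\]` and keying as `"$Host ($User)"` keeps the report consistent and makes repeated failures against one account visible at a glance.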

There are no longer any important unmatched entries. Failed logins are now accounted for properly.
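As an added illustration (not code from this thread or from logwatch), here is the matching logic the patched imapd and pop3 scripts implement, in Python, run over constructed sample lines: LOGIN, LOGOUT/TIMEOUT/DISCONNECTED with an optional user= field and the "unknown" fallback, LOGIN FAILED, and the ignore list. The "imapd: "/"pop3d: " prefixes and all sample values are assumptions; the regexes are tightened so the ip capture stops at the first `]`.

```python
import re
from collections import Counter

# Patterns mirror the line shapes matched by the patched imapd/pop3 logwatch
# scripts in this thread, with two tightenings: the ip capture stops at the
# first ']' and user= is optional on LOGOUT/TIMEOUT/DISCONNECTED lines.
IGNORE = re.compile(r"connection, ip=|digascii: [a-f0-9]*, response: ", re.I)
LOGIN = re.compile(r"LOGIN, user=(?P<user>.*?), ip=\[(?P<ip>[^\]]*)\]")
FAILED = re.compile(r"LOGIN FAILED, (?:user=(?P<user>.*?), )?ip=\[(?P<ip>[^\]]*)\]")
LOGOUT = re.compile(
    r"(?:LOGOUT|TIMEOUT|DISCONNECTED), (?:user=(?P<user>.*?), )?ip=\[(?P<ip>[^\]]*)\], "
    r"(?:headers|top)=(?P<n1>\d+), (?:body|retr)=(?P<n2>\d+)"
)

# Constructed sample lines; the "imapd: " / "pop3d: " prefixes are an assumption
# about how the daemon name reaches the script, not copied from a real log.
SAMPLE_LINES = [
    "imapd: Connection, ip=[::ffff:192.0.2.10]",
    "imapd: LOGIN, user=alice@example.com, ip=[::ffff:192.0.2.10], protocol=IMAP",
    "imapd: LOGOUT, user=alice@example.com, ip=[::ffff:192.0.2.10], headers=1200, body=34000, rcvd=500, sent=9000",
    "imapd: DISCONNECTED, ip=[::ffff:198.51.100.7], headers=0, body=0, rcvd=10, sent=40",
    "pop3d: LOGIN, user=bob@example.com, ip=[::ffff:192.0.2.11]",
    "pop3d: LOGOUT, user=bob@example.com, ip=[::ffff:192.0.2.11], top=0, retr=5120, rcvd=30, sent=5200",
    "pop3d: LOGIN FAILED, user=bob@example.com, ip=[::ffff:203.0.113.5]",
    "imapd: something unexpected happened",
]

def summarize(lines):
    """Tally logins, logouts, bytes delivered and failed logins per user/host."""
    s = {"login": Counter(), "logout": Counter(), "failed": Counter(),
         "downloaded": Counter(), "unmatched": []}
    for line in lines:
        if IGNORE.search(line):
            continue                      # noise the scripts deliberately drop
        if m := FAILED.search(line):      # test before LOGIN: both start with "LOGIN"
            user = m.group("user") or "UNKNOWN"
            s["failed"][f"{m.group('ip')} ({user})"] += 1
        elif m := LOGIN.search(line):
            s["login"][(m.group("user"), m.group("ip"))] += 1
        elif m := LOGOUT.search(line):
            user = m.group("user") or "unknown"   # third-revision fallback
            s["logout"][(user, m.group("ip"))] += 1
            s["downloaded"][user] += int(m.group("n1")) + int(m.group("n2"))
        else:
            s["unmatched"].append(line)   # what logwatch would print as unmatched
    return s

if __name__ == "__main__":
    for section, counts in summarize(SAMPLE_LINES).items():
        print(section, dict(counts) if isinstance(counts, Counter) else counts)
```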
 