{"id":1638,"date":"2018-11-16T16:42:51","date_gmt":"2018-11-16T21:42:51","guid":{"rendered":"http:\/\/www.xavignu.com\/?p=1638"},"modified":"2018-11-16T16:42:51","modified_gmt":"2018-11-16T21:42:51","slug":"spamassassin-logs-to-a-different-file","status":"publish","type":"post","link":"https:\/\/www.xavignu.com\/?p=1638","title":{"rendered":"Spamassassin logs to a different file"},"content":{"rendered":"<p>Lately I&#8217;ve been looking at my mail logs and noticed that spam, postfix and dovecot messages, among others, all get written to them, which is a little uncomfortable. We can use grep to filter, but perhaps a better approach is to send spamassassin logs to a different file.<\/p>\n<pre id=\"terminal\">tail \/var\/log\/mail.log\r\nOct 16 17:13:11 myserver postfix\/smtpd[29869]: connect from unknown[185.234.219.254]\r\nOct 16 17:13:11 myserver postfix\/smtpd[29869]: warning: unknown[185.234.219.254]: SASL LOGIN authentication failed: Invalid authentication mechanism\r\nOct 16 17:13:11 myserver postfix\/smtpd[29869]: lost connection after AUTH from unknown[185.234.219.254]\r\nOct 16 17:13:11 myserver postfix\/smtpd[29869]: disconnect from unknown[185.234.219.254]\r\nOct 16 17:15:53 myserver postfix\/smtpd[29896]: warning: hostname 204.152.209.101.static.quadranet.com does not resolve to address 204.152.209.101\r\nOct 16 17:15:53 myserver postfix\/smtpd[29896]: connect from unknown[204.152.209.101]\r\nOct 16 17:15:53 myserver postfix\/smtpd[29896]: warning: unknown[204.152.209.101]: SASL LOGIN authentication failed: Invalid authentication mechanism\r\nOct 16 17:15:54 myserver postfix\/smtpd[29896]: disconnect from unknown[204.152.209.101]\r\nOct 16 17:16:41 myserver postfix\/smtpd[29896]: warning: hostname unassigned.quadranet.com does not resolve to address 192.161.170.229\r\nOct 16 17:16:41 myserver postfix\/smtpd[29896]: connect from unknown[192.161.170.229]\r\nOct 16 17:16:42 myserver postfix\/smtpd[29896]: Anonymous TLS connection established from 
unknown[192.161.170.229]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256\/256 bits)\r\nOct 16 17:17:03 myserver postfix\/smtpd[29896]: warning: eotzqh.kylieslowcase.fun.blackhole.securitysage.com: RBL lookup error: Host or domain name not found. Name service error for name=eotzqh.kylieslowcase.fun.blackhole.securitysage.com type=A: Host not found, try again\r\nOct 16 17:17:05 myserver postfix\/smtpd[29896]: DA88C2607C5: client=unknown[192.161.170.229]\r\nOct 16 17:17:06 myserver postfix\/cleanup[29903]: DA88C2607C5: message-id=<VlNpJU9ybXokT3JtenhlbC50ZmQlNzdv@eotzqh.kylieslowcase.fun>\r\nOct 16 17:17:06 myserver postfix\/qmgr[1238]: DA88C2607C5: from=<wpkyzpiz-Ormz-w5804z-Ormzxel.tfd@eotzqh.kylieslowcase.fun>, size=32258, nrcpt=1 (queue active)\r\nOct 16 17:17:06 myserver postfix\/smtpd[29896]: disconnect from unknown[192.161.170.229]\r\nOct 16 17:17:08 myserver postfix\/pickup[29368]: 3D6B4260878: uid=5001 from=<wpkyzpiz-Ormz-w5804z-Ormzxel.tfd@eotzqh.kylieslowcase.fun>\r\nOct 16 17:17:08 myserver postfix\/pipe[29904]: DA88C2607C5: to=<user@server.com>, relay=spamassassin, delay=26, delays=24\/0.01\/0\/1.9, dsn=2.0.0, status=sent (delivered via spamassassin service)\r\nOct 16 17:17:08 myserver postfix\/qmgr[1238]: DA88C2607C5: removed\r\nOct 16 17:17:08 myserver postfix\/cleanup[29903]: 3D6B4260878: message-id=<VlNpJU9ybXokT3JtenhlbC50ZmQlNzdv@eotzqh.kylieslowcase.fun>\r\nOct 16 17:17:08 myserver postfix\/qmgr[1238]: 3D6B4260878: from=<wpkyzpiz-Ormz-w5804z-Ormzxel.tfd@eotzqh.kylieslowcase.fun>, size=32672, nrcpt=1 (queue active)\r\nOct 16 17:17:08 myserver postfix\/pipe[29908]: 3D6B4260878: to=<user@server.com>, relay=dovecot, delay=0.22, delays=0.07\/0.01\/0\/0.14, dsn=2.0.0, status=sent (delivered via dovecot service)\r\nOct 16 17:17:08 myserver postfix\/qmgr[1238]: 3D6B4260878: removed\r\nOct 16 17:17:51 myserver postfix\/smtpd[29896]: connect from unknown[185.36.81.87]\r\nOct 16 17:17:51 myserver postfix\/smtpd[29896]: warning: unknown[185.36.81.87]: 
SASL LOGIN authentication failed: Invalid authentication mechanism\r\nOct 16 17:17:51 myserver postfix\/smtpd[29896]: lost connection after AUTH from unknown[185.36.81.87]\r\nOct 16 17:17:51 myserver postfix\/smtpd[29896]: disconnect from unknown[185.36.81.87]\r\nOct 16 17:18:49 myserver postfix\/smtpd[29896]: connect from unknown[187.55.179.130]\r\nOct 16 17:18:50 myserver postfix\/smtpd[29896]: warning: unknown[187.55.179.130]: SASL LOGIN authentication failed: Invalid authentication mechanism\r\nOct 16 17:18:50 myserver postfix\/smtpd[29896]: lost connection after AUTH from unknown[187.55.179.130]\r\nOct 16 17:18:50 myserver postfix\/smtpd[29896]: disconnect from unknown[187.55.179.130]\r\nOct 16 17:19:50 myserver postfix\/smtpd[29896]: warning: hostname 204.152.209.101.static.quadranet.com does not resolve to address 204.152.209.101\r\nOct 16 17:19:50 myserver postfix\/smtpd[29896]: connect from unknown[204.152.209.101]\r\nOct 16 17:19:51 myserver postfix\/smtpd[29896]: warning: unknown[204.152.209.101]: SASL LOGIN authentication failed: Invalid authentication mechanism\r\nOct 16 17:19:51 myserver postfix\/smtpd[29896]: disconnect from unknown[204.152.209.101]\r\nOct 16 17:21:21 myserver postfix\/anvil[29719]: statistics: max connection rate 1\/60s for (smtp:177.143.199.94) at Oct 16 17:12:24\r\n<\/pre>\n<p><!--more--><\/p>\n<p>In order to send spamassassin logs to a different file we will have to adjust the rsyslog configuration. 
Add an entry like the one below to rsyslog.conf:<\/p>\n<pre id=\"terminal\">tail -2  \/etc\/rsyslog.conf\r\n# Adding log file for spamassassin\r\nlocal5.*;         \/var\/log\/spamassassin.log\r\n<\/pre>\n<p>Now what&#8217;s left is to edit the systemd spamassassin unit file so that spamd logs to the local5 syslog facility.<\/p>\n<pre id=\"terminal\">grep ExecStart \/lib\/systemd\/system\/spamassassin.service\r\n#ExecStart=\/usr\/sbin\/spamd -d --pidfile=\/var\/run\/spamassassin.pid $OPTIONS\r\nExecStart=\/usr\/sbin\/spamd -s local5 -d --pidfile=\/var\/run\/spamassassin.pid $OPTIONS\r\n<\/pre>\n<p>Above, the original ExecStart entry is commented out. Now we reload the systemd configuration and restart rsyslog and spamassassin.<\/p>\n<pre id=\"terminal\">sudo systemctl daemon-reload; sudo systemctl restart  rsyslog; sudo systemctl restart spamassassin\r\n<\/pre>\n<p>And now we can see the spamassassin log file.<\/p>\n<pre id=\"terminal\">ls -ltr \/var\/log\/spamassassin.log\r\nrw-r----- 1 root adm 17271 Oct 16 21:34 \/var\/log\/spamassassin.log\r\n<\/pre>\n<p>Reference:<br \/>\n1) <a href=\"https:\/\/wiki.apache.org\/spamassassin\/SeparateLogFile\" target=\"_blank\">SpamAssassin<\/a> wiki<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lately I&#8217;ve been looking at my mail logs and noticed that spam, postfix and dovecot messages, among others, all get written to them, which is a little uncomfortable. We can use grep to filter, but perhaps a better approach is to send spamassassin logs to a different file. 
tail \/var\/log\/mail.log Oct 16 17:13:11 myserver postfix\/smtpd[29869]: [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[92],"tags":[20,6,101],"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_shortlink":"https:\/\/wp.me\/pTQgt-qq","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts\/1638"}],"collection":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1638"}],"version-history":[{"count":3,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts\/1638\/revisions"}],"predecessor-version":[{"id":1641,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts\/1638\/revisions\/1641"}],"wp:attachment":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1638"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1638"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1638"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}