Bug 467378

Summary: logwatch fails to parse some postfix logfile lines
Product: [Fedora] Fedora
Component: logwatch
Version: 8
Hardware: All
OS: Linux
Status: CLOSED NEXTRELEASE
Severity: low
Priority: medium
Keywords: Reopened
Reporter: Ivana Varekova <varekova>
Assignee: Ivana Varekova <varekova>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: coocheenin, dusan, ondrejj, richardfearn, turchi, varekova
Doc Type: Bug Fix
Last Closed: 2008-11-21 10:59:50 UTC

Description Ivana Varekova 2008-10-17 08:29:56 UTC
--- Additional comment from dusan on 2008-10-01 05:56:11 EDT ---

--------------------- Logwatch ------------------------ 

 Nested quantifiers in regex; marked by <-- HERE in m/[<(]?+ <-- HERE ._-dwsujbm[>)]?\W*/ at /usr/share/logwatch/scripts/services/postfix line 2166, <> line 78873.


Nested quantifiers in regex; marked by <-- HERE in m/[<(]?+ <-- HERE ._-user[>)]?\W*/ at /usr/share/logwatch/scripts/services/postfix line 2166, <> line 34488.

-------------maillog ----------------------------

Sep 29 08:48:25 mx1 postfix/smtp[12289]: 28383850F: to=<+._-user>, relay=mail.domain.cz[180.195.19.16]:25, delay=49137, delays=49110/27/0.02/0, dsn=4.7.0, status=....


It seems that the logwatch script can't parse the character "+" in an e-mail address.

Dusan

--- Additional comment from varekova on 2008-10-14 07:29:54 EDT ---

Dusan, which version of logwatch do you use?

--- Additional comment from dusan on 2008-10-14 08:02:33 EDT ---

I have logwatch-7.3.6-15.fc8

I also have another bad character... See logwatch mail:

--------------------- Postfix Begin ------------------------ 

 Nested quantifiers in regex; marked by <-- HERE in m/[<(]??? <-- HERE ??@dankong.net[>)]?\W*/ at /usr/share/logwatch/scripts/services/postfix line 2166, <> line 311694.


Thanks Dusan

Comment 1 Ivana Varekova 2008-10-17 09:32:33 UTC
Dusan, could you please paste your postfix logs here? I can't reproduce your problem. Perhaps it will be sufficient to have the status in the log you post.
Thanks.

Comment 2 Dušan Hokův 2008-10-17 09:42:28 UTC
Sep 29 08:48:25 mx1 postfix/smtp[12289]: 28383850F: to=<+._-user>,
relay=mail.domain.cz[180.195.19.16]:25, delay=49137, delays=49110/27/0.02/0,
dsn=4.7.0, status=....

and

Oct 11 08:26:27 mx1 postfix/qmgr[23382]: 0BF8FA188: from=<????@dankong.net>, size=2245, nrcpt=1 (queue active)
Oct 11 08:26:27 mx1 amavis[21689]: (21689-04) WARN: address modified (sender): <\325\305\276\262> -> <"\325\305\276\262"@dankong.net>
Oct 11 08:26:29 mx1 postfix/qmgr[23382]: 847DAA138: from=<????@dankong.net>, size=2728, nrcpt=1 (queue active)
Oct 11 08:26:29 mx1 amavis[21689]: (21689-04) Passed BAD-HEADER, [61.175.223.136] [61.175.223.136] <\325\305\276\262> -> <info>, Message-ID: <20081011062623.0BF8FA188.cz>, mail_id: 3mAn9N-YAOvW, Hits: 11.58, size: 2245, queued_as: 847DAA138, 2508 ms
Oct 11 08:26:35 mx1 postfix/smtp[21895]: A66B9A1BA: to=<????@dankong.net>, relay=61.175.223.136.dankong.net[61.175.223.136]:25, delay=5.5, delays=0.03/0/5/0.44, dsn=5.0.0, status=bounced (host 61.175.223.136.dankong.net[61.175.223.136] said: 501 input error. (in reply to MAIL FROM command))

I think that the characters "+" and "?" in the email address (probably spam) are a problem for the logwatch script...

Dusan
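
The failure reported above, reproduced as an added example (not logwatch's own code): an address taken from a log line is interpolated into a pattern of the shape shown in the error message, first as-is and then inside `\Q...\E`. The helper names and the surrounding script are assumptions; the two addresses are the ones from the log lines in this report.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Addresses as logged in the to=<...> and from=<...> fields quoted in this report.
my @addresses = ('+._-user', '????@dankong.net');

# Hypothetical helper: the address is interpolated as-is, so its "+" and "?"
# are read as quantifiers stacked on the preceding "[<(]?".
sub unquoted_pattern {
    my ($addr) = @_;
    return eval { qr/[<(]?${addr}[>)]?\W*/ };    # undef if compilation dies
}

# Hypothetical helper: \Q...\E (quotemeta) turns every character of the
# address into a literal before the pattern is compiled.
sub quoted_pattern {
    my ($addr) = @_;
    return qr/[<(]?\Q$addr\E[>)]?\W*/;
}

# Returns the text a pattern consumed, so a partial match is visible.
sub matched_text {
    my ($re, $text) = @_;
    return $text =~ /($re)/ ? "'$1'" : 'no match';
}

for my $addr (@addresses) {
    my $field = "to=<$addr>,";    # constructed fragment of a log line

    my $re = unquoted_pattern($addr);
    if (defined $re) {
        # Perls that accept "?+" as a possessive quantifier compile the
        # first address, but with a different meaning than intended.
        print "unquoted $addr: matched ", matched_text($re, $field), "\n";
    } else {
        (my $err = $@) =~ s/ at \S+ line \d+.*//s;
        print "unquoted $addr: $err\n";
    }

    print "quoted   $addr: matched ",
        matched_text(quoted_pattern($addr), $field), "\n";
}
```

Any field copied from a log line into a pattern is remote-controlled input for a mail server, so the quoting belongs at every interpolation point, not only the one that happened to raise an error.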

Comment 3 Fedora Update System 2008-10-17 11:27:27 UTC
logwatch-7.3.6-18.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/logwatch-7.3.6-18.fc8

Comment 4 Dušan Hokův 2008-10-22 08:15:18 UTC
I have another logwatch problem with unmatched entries. In the past days there were a lot of connections to our SMTP server which were lost after the DATA command (0 bytes). These connections are probably spam attempts, I think. The e-mail from Logwatch is about 19MB; there are a lot of unmatched entries. I think these lost connections should be matched as the "Connections lost" entry. Please fix this. See log:

--------------------- Postfix Begin ------------------------ 

       68   *Warning: Queue file size limit exceeded 
       23   *Warning: Error writing queue file 
     1044   *Warning: Pre-queue content-filter connection overload 
     1451   Miscellaneous warnings 
 
    7.409G  Bytes accepted                     7,955,097,115
   10.008G  Bytes delivered                   10,745,979,416
 ========   ================================================
 
   120074   Accepted                                  27.52%
   316225   Rejected                                  72.48%
 --------   ------------------------------------------------
   436299   Total                                    100.00%
 ========   ================================================
 
     2873   Reject relay denied                        0.91%
     4468   Reject recipient address                   1.41%
      414   Reject sender address                      0.13%
      162   Reject client host                         0.05%
   308308   Reject RBL                                97.50%
 --------   ------------------------------------------------
   316225   Total Rejects                            100.00%
 ========   ================================================
 
       23   4xx Reject unknown user                    7.26%
      294   4xx Reject sender address                 92.74%
 --------   ------------------------------------------------
      317   Total 4xx Rejects                        100.00%
 ========   ================================================
 
   376924   Connections made      
    29270   Connections lost      
   376890   Disconnections        
   120034   Removed from queue    
   130861   Sent via SMTP         
        2   Forwarded             
      633   Resent                
     6832   Deferred              
    41668   Deferrals             
      117   Bounce (local)        
    15459   Bounce (remote)       
       22   Expired and returned to sender 
     2247   Sender delay notification 
      119   DSNs delivered        
     4685   DSNs undeliverable    
 
     1730   Timeout (inbound)     
      259   Illegal address syntax in SMTP command 
       11   MX error              
      288   Numeric hostname      
        5   SMTP commands dialog error 
       27   Excessive errors in SMTP commands dialog 
    61432   Hostname verification errors 
       21   Hostname validation error 
     1405   Enabled PIX workaround 
 
 
 
 
 **Unmatched Entries**
        2   Oct 21 01:19:34 mx1 postfix/smtpd[17583]: lost connection after DATA (0 bytes) from sw.nobles.edu[66.228.80.2]
        2   Oct 21 13:06:29 mx1 postfix/smtp[12992]: connect to mail.bues.ru[82.146.62.193]:25: Connection refused
        2   Oct 21 13:07:02 mx1 postfix/smtpd[13427]: lost connection after DATA (0 bytes) from servincom-samba.gtss.ru[81.222.112.15]
        2   Oct 21 19:13:21 mx1 postfix/smtpd[17287]: lost connection after DATA (0 bytes) from 68-114-97-253.dhcp.slid.la.charter.com[68.114.97.253]
        2   Oct 21 12:50:40 mx1 postfix/smtpd[11532]: lost connection after DATA (0 bytes) from unknown[85.94.41.130]
        2   Oct 21 20:33:06 mx1 postfix/smtpd[24526]: lost connection after DATA (0 bytes) from 111-26.106-92.cust.bluewin.ch[92.106.26.111]
        2   Oct 21 19:17:41 mx1 postfix/smtpd[15919]: lost connection after DATA (0 bytes) from nj-76-1-246-15.dhcp.embarqhsd.net[76.1.246.15]
        2   Oct 21 23:53:46 mx1 postfix/smtpd[6400]: lost connection after DATA (0 bytes) from 85.pool85-50-71.dynamic.orange.es[85.50.71.85]
        2   Oct 21 10:26:00 mx1 postfix/smtpd[30815]: lost connection after DATA (0 bytes) from unknown[84.242.242.158]
        2   Oct 21 22:17:46 mx1 postfix/smtpd[709]: lost connection after DATA (0 bytes) from dslb-084-062-210-215.pools.arcor-ip.net[84.62.210.215]
        2   Oct 21 10:38:42 mx1 postfix/smtpd[32382]: lost connection after DATA (0 bytes) from unknown[87.245.186.170]
        2   Oct 21 13:14:22 mx1 postfix/smtp[12998]: connect to mail.bues.ru[82.146.62.193]:25: Connection refused
        2   Oct 21 19:17:37 mx1 postfix/smtpd[17714]: lost connection after DATA (0 bytes) from nj-76-1-246-15.dhcp.embarqhsd.net[76.1.246.15]
        2   Oct 21 01:44:07 mx1 postfix/smtpd[19133]: lost connection after DATA (0 bytes) from unknown[78.155.32.135]
        2   Oct 21 19:19:41 mx1 postfix/smtpd[17656]: lost connection after DATA (0 bytes) from 155.135.70-86.rev.gaoland.net[86.70.135.155]
        2   Oct 21 19:19:56 mx1 postfix/smtpd[17714]: lost connection after DATA (0 bytes) from 155.135.70-86.rev.gaoland.net[86.70.135.155]
        2   Oct 21 19:13:19 mx1 postfix/smtpd[16327]: lost connection after DATA (0 bytes) from 68-114-97-253.dhcp.slid.la.charter.com[68.114.97.253]
        2   Oct 21 01:24:52 mx1 postfix/smtpd[18089]: lost connection after DATA (0 bytes) from n9-c155.client.tomica.ru[78.140.9.155]
        2   Oct 21 03:57:11 mx1 postfix/smtp[24850]: connect to mail.brooktorkai.info[80.237.220.17]:25: Connection refused
        2   Oct 21 19:28:44 mx1 postfix/smtpd[17257]: lost connection after DATA (0 bytes) from pool-71-184-192-3.bstnma.fios.verizon.net[71.184.192.3]
        2   Oct 21 13:24:22 mx1 postfix/smtp[14917]: connect to mail.bues.ru[82.146.62.193]:25: Connection refused
        2   Oct 21 19:20:28 mx1 postfix/smtpd[17635]: lost connection after DATA (0 bytes) from.....................................

.....................


Thanks Dusan

Comment 5 Fedora Update System 2008-10-24 07:44:19 UTC
logwatch-7.3.6-19.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/logwatch-7.3.6-19.fc8

Comment 6 Ivana Varekova 2008-10-24 07:52:52 UTC
There is a forgotten print command :( - so I'm fixing it.

Comment 7 Fedora Update System 2008-10-24 07:58:11 UTC
logwatch-7.3.6-20.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/logwatch-7.3.6-20.fc8

Comment 8 Dušan Hokův 2008-10-24 08:15:12 UTC
A similar problem is in fc9; please fix it too. Thanks Dusan

Comment 9 Fedora Update System 2008-10-24 23:53:43 UTC
logwatch-7.3.6-20.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update logwatch'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-9186

Comment 10 Dušan Hokův 2008-10-26 06:47:12 UTC
On fc8 (logwatch-7.3.6-20.fc8) the problem is still here:

Unmatched entries:

        1   Oct 25 15:42:48 mx1 postfix/smtpd[7311]: timeout after DATA (0 bytes) from unknown[118.68.247.123]
        1   Oct 25 15:25:38 mx1 postfix/smtpd[4445]: timeout after DATA (0 bytes) from unknown[124.79.32.209]
        1   Oct 25 21:31:45 mx1 postfix/smtpd[5645]: timeout after DATA (419223 bytes) from mail2.penta.cz[212.20.119.21]
        1   Oct 25 04:27:24 mx1 postfix/smtpd[18884]: timeout after DATA (0 bytes) from unknown[60.166.215.208]
        1   Oct 25 12:26:00 mx1 postfix/smtpd[20397]: timeout after DATA (0 bytes) from unknown[124.119.119.206]
        1   Oct 25 09:09:23 mx1 postfix/smtp[5643]: 671568592: host mx10.hanmail.net[211.43.197.142] refused to talk to me: 554 5.7.1 CCRX 80.95.96.6: Connection refused. Your IP address is blocked(anti-spam).
        1   Oct 25 14:26:50 mx1 postfix/smtpd[30818]: timeout after DATA (0 bytes) from unknown[81.214.68.64]
        1   Oct 25 08:11:23 mx1 postfix/smtpd[30646]: timeout after DATA (0 bytes) from unknown[88.228.181.151]
        1   Oct 25 02:46:13 mx1 postfix/smtpd[8078]: timeout after DATA (0 bytes) from unknown[58.141.155.105]
        1   Oct 25 15:45:27 mx1 postfix/smtpd[8250]: timeout after DATA (0 bytes) from unknown[68.161.112.141]


On Fedora 9 (logwatch-7.3.6-25.fc9.noarch) this problem was solved, but another appeared :-( (outbound connections). The Logwatch mail is so long due to this. :-(

**Unmatched Entries**
        2   Oct 25 13:48:49 mx1-new postfix/smtp[2677]: connect to mail.vva.com[160.79.200.82]:25: Connection refused
        2   Oct 25 11:08:49 mx1-new postfix/smtp[21138]: connect to bjrnet.com[128.241.53.90]:25: Connection refused
        2   Oct 25 13:28:49 mx1-new postfix/smtp[32318]: connect to bjrnet.com[128.241.53.90]:25: Connection refused
        2   Oct 25 08:48:49 mx1-new postfix/smtp[11649]: connect to barryland.com[208.73.210.32]:25: Connection refused
        2   Oct 25 11:28:49 mx1-new postfix/smtp[23013]: connect to mail.vva.com[160.79.200.82]:25: Connection refused
        2   Oct 25 12:28:50 mx1-new postfix/smtp[27708]: connect to 365translation.com[69.64.155.178]:25: Connection refused
        2   Oct 25 05:18:49 mx1-new postfix/smtp[29903]: connect to barryland.com[208.73.210.32]:25: Connection refused
        2   Oct 25 06:28:49 mx1-new postfix/smtp[757]: connect to bjrnet.com[128.241.53.90]:25: Connection refused
        2   Oct 25 13:28:49 mx1-new postfix/smtp[742]: connect to mail.vva.com[160.79.200.82]:25: Connection refused
        2   Oct 25 01:33:49 mx1-new postfix/smtp[14150]: connect to mail.MEETMYGUESTS.COM[70.38.29.245]:25: Connection refused
        1   Oct 25 13:09:19 mx1-new postfix/smtp[31370]: connect to mail.devoll.net[209.144.27.98]:25: Connection timed out
        1   Oct 25 10:24:19 mx1-new postfix/smtp[18398]: connect to mx.atomis.com.atomis.com[62.23.107.186]:25: Connection timed


Thanks for help.

Comment 11 Fedora Update System 2008-10-29 11:14:26 UTC
logwatch-7.3.6-21.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/logwatch-7.3.6-21.fc8

Comment 12 Ivana Varekova 2008-10-29 13:04:48 UTC
The problem you report for F-9 is fixed in Fedora9 cvs for now.

Comment 13 Dušan Hokův 2008-10-30 04:40:32 UTC
(In reply to comment #11)
> logwatch-7.3.6-21.fc8 has been submitted as an update for Fedora 8.
> http://admin.fedoraproject.org/updates/logwatch-7.3.6-21.fc8

Now it works. Thank you.

Comment 14 Fedora Update System 2008-10-30 12:51:05 UTC
logwatch-7.3.6-21.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update logwatch'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-9225

Comment 15 Fedora Update System 2008-11-06 04:07:24 UTC
logwatch-7.3.6-21.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Jan ONDREJ 2008-11-08 07:15:21 UTC
One type of message is still present:

        1   Nov  7 12:27:51 ns postfix/smtpd[19593]: too many errors after DATA (0 bytes) from lete.bart.sk[184.245.82.38]
        1   Nov  7 02:27:48 ns postfix/smtpd[11419]: too many errors after DATA (0 bytes) from lete.bart.sk[184.245.82.38]
        1   Nov  7 08:07:49 ns postfix/smtpd[12746]: too many errors after DATA (0 bytes) from lete.bart.sk[184.245.82.38]
        1   Nov  7 20:37:50 ns postfix/smtpd[4885]: too many errors after DATA (0 bytes) from lete.bart.sk[184.245.82.38]

[root@ns ~]# rpm -q logwatch postfix
logwatch-7.3.6-21.fc8
postfix-2.5.5-1.fc8

This happens only on one of my servers, but it is very disturbing.

Ivana, can you also fix this?

Comment 17 Ivana Varekova 2008-11-11 11:44:19 UTC
Fixed in logwatch-7.3.6-22.fc8. But please, it would be great if you sent all unparsed logs together (or the whole /var/log/messages file).
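
The three unmatched smtpd variants reported in this thread (`lost connection`, `timeout` and `too many errors` after DATA) share one shape, so a single anchored pattern can count them instead of passing each line through to the report. This is an added example, not the change made in logwatch; the pattern, the `tally` helper and the no-data/partial-data split are assumptions, and the sample lines are copied from the comments above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Log lines copied from the unmatched entries posted in this report.
my @lines = (
    'Oct 21 01:19:34 mx1 postfix/smtpd[17583]: lost connection after DATA (0 bytes) from sw.nobles.edu[66.228.80.2]',
    'Oct 25 15:42:48 mx1 postfix/smtpd[7311]: timeout after DATA (0 bytes) from unknown[118.68.247.123]',
    'Oct 25 21:31:45 mx1 postfix/smtpd[5645]: timeout after DATA (419223 bytes) from mail2.penta.cz[212.20.119.21]',
    'Nov  7 12:27:51 ns postfix/smtpd[19593]: too many errors after DATA (0 bytes) from lete.bart.sk[184.245.82.38]',
    'Oct 21 13:06:29 mx1 postfix/smtp[12992]: connect to mail.bues.ru[82.146.62.193]:25: Connection refused',
);

# One anchored pattern for the three smtpd variants. The reason list and
# the capture layout are assumptions of this example.
my $dropped = qr{
    \bpostfix/smtpd\[\d+\]:\s
    (lost\ connection|timeout|too\ many\ errors)    # capture 1: reason
    \ after\ (\S+)                                  # capture 2: SMTP stage
    \ \((\d+)\ bytes\)                              # capture 3: bytes received
    \ from\ (\S+)\[([0-9.]+)\]\s*\z                 # captures 4, 5: host, IPv4
}x;

# Hypothetical helper: count per "reason after stage", split on whether any
# message data arrived, and keep the lines that did not match.
sub tally {
    my (%count, @unmatched);
    for my $line (@_) {
        if ($line =~ $dropped) {
            my $kind = $3 == 0 ? 'no data' : 'partial data';
            $count{"$1 after $2 ($kind)"}++;
        } else {
            push @unmatched, $line;
        }
    }
    return (\%count, \@unmatched);
}

my ($count, $unmatched) = tally(@lines);
printf "%6d   %s\n", $count->{$_}, ucfirst $_ for sort keys %$count;
print "Unmatched:\n", map("  $_\n", @$unmatched);
```

Keeping the byte count in the key separates the 0-byte drops that dominate the reports above from a transfer that timed out after 419223 bytes, which is a different operational signal.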

Comment 18 Jan ONDREJ 2008-11-11 12:48:20 UTC
Thank you.

These were the last ones.

Comment 19 Fedora Update System 2008-11-12 02:58:13 UTC
logwatch-7.3.6-22.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update logwatch'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-9585

Comment 20 Fedora Update System 2008-11-21 10:59:46 UTC
logwatch-7.3.6-22.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Konstantin Coocheenin 2009-03-29 02:47:20 UTC
(In reply to comment #20)
> logwatch-7.3.6-22.fc8 has been pushed to the Fedora 8 stable repository.  If
> problems still persist, please make note of it in this bug report.  

More unmatched entries in this RPM:
https://bugzilla.redhat.com/show_bug.cgi?id=492738