PerlMonks
As an administrator for multiple servers, I run AMaViS - A Mail Virus Scanner with F-Prot Antivirus for Linux Workstations - for home users, to filter viri from my users' mail.

Lately I've been getting 30 mails a day with (mainly W32/Netsky.B@mm) notices, so I decided I'd write a logparser and turn the email notifications off. It reads the amavis.log (be sure to turn syslog off) AND the saved email-part.

Below is the code, it works out of the box with f-prot, but should be fairly easy to change to other scanners. Output is currently like this:

At 8 Mar 11:51:45 f-prot detected a virus
found in /var/amavis/amavis-11543378/parts/msg-6011-2.pif
Name virus: W32/Netsky.B@mm
Message saved as: /var/virusmails/virus-20040308-115145-6011
to: myadres@mydomain.nl
from: somemoronthatusesoutlook@hisdomain.com
subject: hello
Virus Mailserver: node-c-6dbe.a2000.nl
ipadres server: 62.194.109.190
-----------------------

Small update:

Included clamav as a scanner (thanks juerd).

Further code cleanups might follow when I have the time ;). To add the scanner in Limbic~Region's code rewrite add:

    if ( $line =~ /FOUND/ ) {
        ( $loc, $vir ) = ( split( / /, $line ) )[ 0, 1 ];
    }
    #!/usr/bin/perl -W
    #
    # Descr: An amavis logfile/virusmail parser
    # when using f-prot for linux, home edition or clamav
    # should pretty easy to fix with others
    #
    # $Id: vircount v 0.02 2003/03/08 1:12:24 teabag Exp $

    use strict;

    # config
    my $logfile  = "/var/amavis/amavis.log";
    my $fprotdir = "/var/virusmails";
    my $virprog  = "f-prot";    # or clamav
    # end config

    my ( @logbuffer, @logbuffer2, $loc, $vir, $file, $time, $month, $day,
         $date, $sserv2, $senderserv, $from, $to, $subject );
    my $div = "-----------------------\n";

    open( LOGFILE, "<$logfile" ) || die "Error opening local log file: $!";
    @logbuffer = <LOGFILE>;
    close(LOGFILE) || die "Error closing local log file: $!";

    foreach my $line (@logbuffer) {
        if ( $line =~ /Infection:/ ) {    # f-prot: "<file>  Infection: <name>"
            $loc = ( split( / /, $line ) )[0];
            $vir = ( split( / /, $line ) )[3];
        }
        if ( $line =~ /FOUND/ ) {         # clamav: "<file>: <name> FOUND"
            $loc = ( split( / /, $line ) )[0];
            $vir = ( split( / /, $line ) )[1];
        }
        if ( $line =~ /quarantined/ ) {   # names the saved message in $fprotdir
            $file  = ( split( / /, $line ) )[12];
            $time  = ( split( / /, $line ) )[3];
            $month = ( split( / /, $line ) )[0];
            $day   = ( split( / /, $line ) )[2];
            chomp( $time, $file, $loc, $vir, $month, $day );
            $date = "$day $month $time";
            print "At $date $virprog detected a virus\nfound in $loc\n";
            print "Name virus: $vir\nMessage saved as: $fprotdir/$file\n";
            &checkwhosi();
        }
    }

    # $vir is only ever assigned when a detection line was seen; testing
    # definedness avoids an "uninitialized value" warning under -W
    unless ( defined $vir ) {
        print "no viri received\n";
        exit;
    }

    # read the quarantined message and report who sent it to whom
    sub checkwhosi {
        # reset per-message fields so a message that lacks a header does not
        # inherit the value from the previous one
        ( $senderserv, $sserv2, $from, $to, $subject ) = ();
        open( VIRFILE, "<$fprotdir/$file" ) || die "Error opening viral log file: $!";
        @logbuffer2 = <VIRFILE>;
        close(VIRFILE) || die "Error closing viral log file: $!";
        foreach my $line2 (@logbuffer2) {
            # keep only the topmost Received: header, the one our own MTA added;
            # lower ones were supplied by the sender
            if ( $line2 =~ /^Received:/ && !defined $senderserv ) {
                $senderserv = ( split( / /, $line2 ) )[2];
                $sserv2     = ( split( / /, $line2 ) )[3];
                $sserv2 =~ s/\[//;
                $sserv2 =~ s/\]//;
                $sserv2 =~ s/\(//;
                chomp( $senderserv, $sserv2 );
            }
            # anchored at line start so e.g. "In-Reply-To:" is not taken for "To:"
            if ( $line2 =~ m/^From:/ )    { $from    = ( split( / /, $line2 ) )[1]; }
            if ( $line2 =~ m/^To:/ )      { $to      = ( split( / /, $line2 ) )[1]; }
            if ( $line2 =~ m/^Subject:/ ) { $subject = ( split( / /, $line2 ) )[1]; }
        }
        chomp( $from, $to, $subject );
        print "to: $to\nfrom: $from\nsubject: $subject\n";
        print "Virus Mailserver: $senderserv\nipadres server: $sserv2\n";
        print $div;
    }

In reply to amavis logfile/viruspart parser by teabag
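Added example, not teabag's script or anything from AMaViS: a header-aware rewrite of the same job. It reads only the header block of the quarantined message (up to the first blank line), unfolds continuation lines, anchors field names at the start of the line, keeps the whole Subject rather than its first word, and takes the relay host and IP from the topmost Received: header only. The amavis.log layout in @LOG is an assumption made for the constructed sample, not real amavis output, and the mails in %QUARANTINE are constructed with documentation-only names and addresses.

```perl
#!/usr/bin/perl
# Added example, not teabag's script. The log layout in @LOG is assumed, not
# real amavis output; the mails in %QUARANTINE are constructed samples.
use strict;
use warnings;

my @LOG = (    # constructed amavis.log lines (assumed layout)
    '/var/amavis/amavis-11543378/parts/msg-6011-2.pif  Infection: W32/Netsky.B@mm',
    'Mar  8 11:51:45 amavis: message quarantined as virus-20040308-115145-6011',
    '/var/amavis/amavis-11543401/parts/msg-6012-1.zip: Worm.Example.A FOUND',
    'Mar 18 12:03:10 amavis: message quarantined as virus-20040318-120310-6012',
);
my %QUARANTINE = (    # constructed quarantined mails, keyed by saved file name
    'virus-20040308-115145-6011' => <<'MAIL',
Received: from node-c-6dbe.example.invalid ([192.0.2.10]) by mail.example.invalid
 with SMTP id 6011 for <myadres@example.invalid>; Mon, 8 Mar 2004 11:51:40 +0100
Received: from forged-relay.example.invalid ([198.51.100.7])
From: somebody@example.invalid
To: myadres@example.invalid
Subject: hello, this subject is folded
 across two lines
In-Reply-To: <decoy@example.invalid>

From: body-decoy@example.invalid (body text, must not be picked up)
MAIL
    'virus-20040318-120310-6012' => <<'MAIL',
Received: from pc.example.invalid ([203.0.113.9]) by mail.example.invalid
From: other@example.invalid
To: myadres@example.invalid
Subject: re: your document
MAIL
);

# A detection line (f-prot "Infection:" or clamav "FOUND") is paired with the
# next "quarantined" line, which names the saved message.
sub parse_log {
    my (@hits, %cur);
    for my $line (@_) {
        if    ($line =~ /^(\S+)\s+Infection:\s+(\S+)/)  { @cur{qw(loc vir)} = ($1, $2) }
        elsif ($line =~ /^(\S+?):\s+(\S+)\s+FOUND\b/)   { @cur{qw(loc vir)} = ($1, $2) }
        elsif ($line =~ /^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\b.*\bquarantined\b.*\s(\S+)\s*$/) {
            next unless defined $cur{vir};    # quarantine line with no detection: skip
            push @hits, { %cur, date => "$2 $1 $3", file => $4 };
            %cur = ();
        }
    }
    return \@hits;
}

# Header block only (up to the first blank line), continuation lines unfolded,
# every instance of a field kept in order; a "From:" in the body or an
# "In-Reply-To:" header can therefore never be mistaken for From: / To:.
sub parse_headers {
    my ($mail) = @_;
    my (@unfolded, %h);
    for my $line (split /\n/, $mail) {
        last if $line eq '';
        if ($line =~ /^[ \t]+(.*)/ && @unfolded) { $unfolded[-1] .= " $1" }
        else                                     { push @unfolded, $line }
    }
    for my $field (@unfolded) {
        my ($name, $value) = $field =~ /^([\w-]+):[ \t]*(.*)$/ or next;
        push @{ $h{ lc $name } }, $value;
    }
    return \%h;
}

# Per-message report plus a count per virus name. The topmost Received: was
# added by the local MTA, so its "from host ([ip])" is the peer that really
# connected; lower Received: lines and From: are sender-supplied and forgeable.
sub report {
    my ($hits, $quarantine) = @_;
    my (%count, @out);
    for my $h (@$hits) {
        $count{ $h->{vir} }++;
        my $hdr = parse_headers( $quarantine->{ $h->{file} } // '' );
        my $top = $hdr->{received}[0] // '';
        my ($host) = $top =~ /^from\s+(\S+)/;
        my ($ip)   = $top =~ /\[(\d{1,3}(?:\.\d{1,3}){3})\]/;
        push @out, join "\n",
            "At $h->{date} detected $h->{vir}",
            "found in $h->{loc}",
            "Message saved as: $h->{file}",
            "to: "      . ($hdr->{to}[0]      // '?'),
            "from: "    . ($hdr->{from}[0]    // '?'),
            "subject: " . ($hdr->{subject}[0] // '?'),
            "Virus Mailserver: " . ($host // '?'),
            "ipadres server: "   . ($ip   // '?'),
            '-----------------------';
    }
    my $summary = join "\n", map { "$_: $count{$_}" } sort keys %count;
    return (\@out, $summary);
}

my ($reports, $summary) = report( parse_log(@LOG), \%QUARANTINE );
print "$_\n" for @$reports;
print "Totals per virus name:\n$summary\n";
```

On the constructed sample this reports the first message with the unfolded subject "hello, this subject is folded across two lines", the To: field from the real To: header (not from In-Reply-To:), and 192.0.2.10 as the connecting peer rather than the sender-supplied 198.51.100.7, then prints one line per virus name with its count, which is the figure the post's "vircount" name points at. The split-by-position approach in the original breaks as soon as a field is folded or a day number has two digits; matching on anchored field names and on the blank line that ends the headers is what makes the parse robust against input the sender controls.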
