Monitoring

System log (syslog) and j-chkmail log files

The main rule of j-chkmail logging is: everything unusual that j-chkmail finds or does is recorded somewhere for further analysis.

Main logging is done using syslog. Every connection is logged there, and every action taken by the filter, other than transparent handling, generates a log line with a summary of the action. This is the first source of information to check when you are trying to understand what happened to some message: it includes not only the summary of what happened, but also two useful pieces of information if you need to investigate deeper: a unique message/connection ID (needed to check the other j-chkmail log files) and the sendmail msgid (useful if you want to correlate the filter handling with a sendmail message ID).

Besides the system log, j-chkmail maintains some log files inside the /var/jchkmail directory. Currently the following text files are used: j-files, j-virus, j-xreport, j-regex and j-stats. This is the default location, but j-chkmail may instead send the corresponding data to a remote UDP log server.

Command line tools

j-printstats

j-chkmail periodically (once every 2 minutes) dumps its internal counters into disk files. j-printstats is a command line tool which lets you get a lot of information about the j-chkmail state from these data. The information may be slightly old, but never more than 2 minutes old, and this is usually enough.

Since j-printstats reads these summarized data rather than the usual log files, its answer is almost immediate.

Some examples of things you can get with j-printstats:


# summary of j-chkmail activity since last time it was launched
j-printstats -a
# summary of j-chkmail activity in the last 18 hours
j-printstats -q -l 18h
# summary of activity of SMTP client 12.13.14.15 against this 
# mail server in the last 24 hours
j-printstats -q -l 1d 12.13.14.15
# which SMTP clients had connections rejected by connection rate
j-printstats -q -l 1d -m rt
# which SMTP clients are doing too many recipient errors
j-printstats -q -l 1d -m rb
# which SMTP clients had been rejected by greylisting
j-printstats -q -l 1d -m rg

You can get the list of all possible options with:
# j-printstats -h

j-ndc

While j-printstats gets its information from data recently saved by j-chkmail, j-ndc connects to the filter over an INET port/socket (like telnet), and can be used both to get real-time information and to send commands to the filter. You can use j-ndc to connect to instances of the filter running on different computers.

Roughly speaking, you should use j-ndc to get real-time information, or information about the very recent past. If you want a summary of the filter activity over a medium or longer period, j-printstats is the tool to use.

As an example, you can use j-ndc to list which remote SMTP clients have open connections being handled by the filter.


# j-ndc stats CONNOPEN
# [Connected to 127.0.0.1:2010]
200 OK - Waiting for commands !
200 OK for STATS CONNOPEN !
*** Open connections :
  138.102.122.218   :   1 : paris.inra.fr
  139.124.6.1       :   1 : iml.univ-mrs.fr
  206.190.49.39     :   1 : web53009.mail.re2.yahoo.com
  212.51.172.100    :   1 : srvmailgw.cci63.net
  216.239.58.190    :   1 : gv-out-0910.google.com
  62.193.216.46     :   1 : raq61.amenworld.com
  82.167.14.70      :   1 : unknown
  87.248.110.17     :   1 : omp101.mail.ukl.yahoo.com
    8 entries on database
200 STATS CONNOPEN done !
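The CONNOPEN reply above is easy to turn into a small monitoring check. The following script is an added example, not part of j-chkmail or its contrib scripts: it parses the reply shown on this page (embedded as sample input), refuses a reply whose "entries on database" trailer disagrees with the number of lines parsed, and lists clients holding many simultaneous connections or showing "unknown" as hostname (assumed here to mean the reverse lookup failed). The per-client threshold of 5 is an assumption.

```python
import re
from typing import List, NamedTuple

# Sample reply, copied from the "j-ndc stats CONNOPEN" session shown on this page.
SAMPLE_CONNOPEN = """\
200 OK - Waiting for commands !
200 OK for STATS CONNOPEN !
*** Open connections :
  138.102.122.218   :   1 : paris.inra.fr
  139.124.6.1       :   1 : iml.univ-mrs.fr
  206.190.49.39     :   1 : web53009.mail.re2.yahoo.com
  212.51.172.100    :   1 : srvmailgw.cci63.net
  216.239.58.190    :   1 : gv-out-0910.google.com
  62.193.216.46     :   1 : raq61.amenworld.com
  82.167.14.70      :   1 : unknown
  87.248.110.17     :   1 : omp101.mail.ukl.yahoo.com
    8 entries on database
200 STATS CONNOPEN done !
"""

class OpenConn(NamedTuple):
    ip: str
    count: int
    hostname: str

# One entry line: "<ip> : <open connections> : <hostname>"
_ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*:\s*(\d+)\s*:\s*(\S+)\s*$")
_TOTAL = re.compile(r"^\s*(\d+) entries on database\s*$")

def parse_connopen(text: str) -> List[OpenConn]:
    """Parse the entry lines of a CONNOPEN reply. If the trailer announces a
    different number of entries, raise instead of trusting a truncated reply."""
    entries, declared = [], None
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append(OpenConn(m.group(1), int(m.group(2)), m.group(3)))
            continue
        t = _TOTAL.match(line)
        if t:
            declared = int(t.group(1))
    if declared is not None and declared != len(entries):
        raise ValueError(f"trailer says {declared} entries, parsed {len(entries)}")
    return entries

def suspicious_clients(entries: List[OpenConn], per_client_max: int = 5) -> List[OpenConn]:
    """Clients worth a closer look: many open connections at once, or no
    reverse DNS name (assumed to be what 'unknown' means in the reply)."""
    return [e for e in entries if e.count > per_client_max or e.hostname == "unknown"]

if __name__ == "__main__":
    conns = parse_connopen(SAMPLE_CONNOPEN)
    print(f"{len(conns)} clients, {sum(e.count for e in conns)} open connections")
    for e in suspicious_clients(conns):
        print(f"check {e.ip} ({e.hostname}): {e.count} open")
```

In production you would feed it the live output of `j-ndc stats connopen` from cron or a monitoring agent instead of the embedded sample.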

Some examples of things you can do:


# getting the filter version
j-ndc version
# listing open SMTP connections
j-ndc stats connopen
# getting server rates
j-ndc stats throttle
# reload configuration files
j-ndc reconfig
# reopening constant databases (after updating them)
j-ndc reload databases

For more information, see the j-ndc reference.

Other "contrib" scripts

  1. j-xstat.pl - This script generates statistics about messages quarantined over the last 7 days. It uses /var/jchkmail/j-files or /var/jchkmail/j-virus to create statistics per file extension or per virus type for each day. It can also launch a CLI scanner (clamav, mcafee or sophos) over the quarantine directory to identify viruses in messages that were quarantined because of attached XFILES.
  2. j-regex-stat.pl
  3. j-urlbl-stat.pl
  4. j-unwanted

Creating web pages

You can use the scripts found in the contrib/rrd-jchkmail directory to create graphical web pages representing the activity of the filter in real time. See an example at: http://j-chkmail.ensmp.fr/webgraph/

You can also use command line tools, launched by cron, to create text web pages.

doc/monitoring/start.txt · Last modified: 2009/02/16 10:52 by martins