[rsyslog] mail log ip filter spamhaus rsyslog

Robert Schetterer robert at schetterer.org
Fri Nov 25 23:16:40 CET 2011


On 25.11.2011 22:10, Rainer Gerhards wrote:
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> bounces at lists.adiscon.com] On Behalf Of Robert Schetterer
>> Sent: Friday, November 25, 2011 9:01 PM
>> To: rsyslog-users
>> Subject: [rsyslog] mail log ip filter spamhaus rsyslog
>>
>> Hi @ll,
>> I am new to this list
>> and not very familiar with rsyslog, so sorry if my question was
>> asked/answered before.
>>
>> My goal is filtering spamhaus rbl ips from the postfix mail log.
>> I already did this
>> (on suse):
>>
>> mail.info -/var/log/mail.info;RSYSLOG_TraditionalFileFormat
>> if $msg contains 'blocked using zen.spamhaus.org' then /var/log/spamhaus.log;RSYSLOG_TraditionalFileFormat
>>
>> This works fine, but as I have a lot of spambots,
>> fail2ban is too slow with this already filtered log.
>>
>> So I want to have a second or combined rsyslog rule which results
>> only in the IP.
>>
>> A relevant log entry example looks like this:
>>
>> postfix/postscreen[32120]: NOQUEUE: reject: RCPT from
>> [190.24.212.146]:57855: 550 5.7.1 Service unavailable; client
>> [190.24.212.146] blocked using zen.spamhaus.org;
>> from=<someone at somewhere.de>, to=<someone at somwhere.de>, proto=ESMTP,
>> helo=<MCRISTALCRE>
>>
>> The plan would be to set the IP output to, e.g., a fifo pipe
>> and read the output via some daemon script/program to create an
>> iptables IP reject rule with timestamp via an ipset map, which expires
>> automatically after 24 h; this should be as fast as possible.
>>
>> So, anybody with an example for filtering this?
>>
>> By the way,
>> someone speculated rsyslog may be able to do the whole job,
>> filtering the IP and doing the ipset action in one step. Is this true?
>> I am not that far into the docs yet.
> 
> I have to admit that I do not fully understand your question. But it has been
> a long and busy day today ;) Could you try to describe in two or three
> sentences what you actually want to achieve?

OK,

this is an example from the mail log:

postfix/postscreen[32120]: NOQUEUE: reject: RCPT from
[190.24.212.146]:57855: 550 5.7.1 Service unavailable; client

(this is the relevant match part)
[190.24.212.146] blocked using zen.spamhaus.org;


from=<someone at somewhere.de>, to=<someone at somwhere.de>, proto=ESMTP,
helo=<MCRISTALCRE>

I want to have only 190.24.212.146 filtered out by rsyslog
and then do this:
echo +190.24.212.146 > /proc/net/xt_recent/SMTP

If possible, all done directly from rsyslog.

If not, it's enough to pipe only 190.24.212.146 to a fifo;
I will script some daemon reading the fifo then.

But as someone else answered, I think rsyslog could do it in one step.

Clear now?




> 
> rainer
>>
>> --
>> Best Regards
>>
>> Kind regards, Robert Schetterer
>>
>> Germany/Munich/Bavaria
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
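A reader for the fifo approach discussed in this thread, as an added example that is not part of the original posts: rsyslog delivers the lines matched by the `contains 'blocked using zen.spamhaus.org'` rule to a named pipe (a `|/path` action target in legacy rsyslog config), and this POSIX sh script extracts the client IP from each line and writes `+IP` to the xt_recent list, i.e. the `echo +190.24.212.146 > /proc/net/xt_recent/SMTP` step. The fifo path, the script name and the sample log line are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a small reader for a FIFO that rsyslog
# fills with the already-filtered "blocked using zen.spamhaus.org" lines
# (assumed path /var/run/spamhaus.fifo). Each line has its client IP extracted
# and added to the xt_recent list, i.e. the "echo +IP > /proc/net/xt_recent/SMTP"
# step from the thread. Both paths can be overridden via the environment.
FIFO="${SPAMHAUS_FIFO:-/var/run/spamhaus.fifo}"
XT_RECENT="${XT_RECENT_LIST:-/proc/net/xt_recent/SMTP}"

# Constructed sample line, modelled on the postscreen reject shown in the thread.
SAMPLE_LINE='Nov 25 22:00:00 mx postfix/postscreen[32120]: NOQUEUE: reject: RCPT from [190.24.212.146]:57855: 550 5.7.1 Service unavailable; client [190.24.212.146] blocked using zen.spamhaus.org; from=<someone@somewhere.de>, to=<someone@somwhere.de>, proto=ESMTP, helo=<MCRISTALCRE>'

# Print the IPv4 address of the rejected client, or nothing when the line is
# not a Spamhaus match. Anchoring on "client [...] blocked using zen.spamhaus.org"
# ignores the "RCPT from [ip]:port" part and any other address in the line.
extract_spamhaus_ip() {
    printf '%s\n' "$1" | sed -nE \
        's/.*client \[([0-9]{1,3}(\.[0-9]{1,3}){3})\] blocked using zen\.spamhaus\.org.*/\1/p'
}

# Add (or refresh) one address in the xt_recent list. The list file only exists
# once an iptables rule with "-m recent --name SMTP" has been loaded, and the
# 24 h expiry is enforced by that rule's --seconds option, not by this write.
block_ip() {
    [ -n "$1" ] || return 1
    printf '+%s\n' "$1" > "$XT_RECENT"
}

# Main loop: read the FIFO line by line; non-matching lines are skipped.
run_reader() {
    while IFS= read -r line; do
        ip=$(extract_spamhaus_ip "$line")
        [ -n "$ip" ] && block_ip "$ip"
    done < "$FIFO"
}

# Start the loop only when run as the daemon script (assumed name
# spamhaus-reader.sh); sourcing the file just defines the functions.
case "$0" in
    *spamhaus-reader.sh) run_reader ;;
esac
```

Running as root is required for the write to /proc/net/xt_recent/SMTP; the regex deliberately returns nothing for lines that merely mention an address, so only the Spamhaus-rejected client is listed.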