[Mimedefang] Graphdefang questions
John Kirkland
jpk at bl.org
Wed Dec 11 11:12:01 EST 2002
Please forgive the brevity of my reply. I am typing this message from
Armenia, and my internet connectivity is TERRIBLE. I will be back home in
Austin this coming weekend.
Regarding question #1, try setting a topN value. Most likely, the problem
is that there are way too many bars in the stacked bar. I don't think
that the output will be what you are looking for, though. A histogram
representation would be better, but I've not gotten around to adding that.
Regarding question #2, I have set up my cron entries such that the log
rotation happens after the graphdefang runs. While I could lose several
seconds of log lines, this hasn't been a big concern for me. I could add
the ability to check the end of a rolled over file under certain
conditions. I'm also looking into using File::ReadBackwards which will
very quickly read a file from the end to the beginning... this will make
it such that large syslog files can be parsed very quickly.
Regarding question #3, I have done this myself for a different log format:
http://hdnetwork.org/~jpk/gshield/
There are 2 issues for doing this:
a. The event is kernel. The parsing code in graphdefang assumes a PID
attached to the end of the event (i.e. mimedefang.pl[1234]). Since the
event, kernel, doesn't have a PID with brackets around it, graphdefang
won't parse the line as a valid syslog line. I've fixed this in my dev
code (not released), but I'm not yet happy with the new method.
b. You would need to add a new loop to graphdefanglib.pl for the event
'kernel'. You would add a regex that extracts the relevant data and
inserts it into the available variables. I chose recipient=dst_ip and
sender=src_ip.
Regards,
John
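The two parsing issues John describes for question #3 (a syslog event with no "[pid]" suffix, and a per-event regex that maps packet fields onto the sender/recipient variables), plus the read-from-the-end idea from question #2, are shown together below. This is an added illustration written for this archive page in Python, not code from graphdefang or graphdefanglib.pl (which are Perl). It assumes the classic BSD syslog envelope, the netfilter/iptables LOG target field names (SRC=, DST=), and the MDLOG field order emitted by MIMEDefang's md_log; the sample log lines are constructed for the example.

```python
import io
import re
from datetime import datetime

# BSD syslog envelope: "Dec 11 11:12:01 host program[pid]: message".
# The "[pid]" group is optional, which is what lets "kernel:" lines through
# instead of being rejected as non-syslog.
SYSLOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<event>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

def parse_stamp(stamp, year):
    # syslog omits the year, so the caller supplies it
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def parse_envelope(line, year=2002):
    """Split one syslog line into its envelope, or None if it is not syslog."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {"time": parse_stamp(m["stamp"], year), "host": m["host"],
            "event": m["event"], "pid": int(m["pid"]) if m["pid"] else None,
            "msg": m["msg"]}

# Assumed iptables LOG layout: "IN=eth0 OUT= MAC=... SRC=a.b.c.d DST=e.f.g.h ..."
KERNEL_RE = re.compile(r"\bSRC=(?P<src>\S+)\s.*?\bDST=(?P<dst>\S+)\b")

def extract_kernel(msg):
    """Map a firewall packet onto the mail-centric variables: sender=SRC, recipient=DST."""
    m = KERNEL_RE.search(msg)
    return {"sender": m["src"], "recipient": m["dst"], "type": "packet"} if m else None

def extract_mimedefang(msg):
    """Assumed MDLOG layout: MDLOG,queue_id,event,value1,value2,sender,recipients,subject."""
    if not msg.startswith("MDLOG,"):
        return None
    parts = msg.split(",", 7)          # subject may itself contain commas
    if len(parts) < 7:
        return None
    _, qid, event, value1, value2, sender, recipients = parts[:7]
    return {"queue_id": qid, "type": event, "value1": value1, "value2": value2,
            "sender": sender, "recipient": recipients}

# One extractor per syslog event name; unknown events are skipped, not errors.
EXTRACTORS = {"kernel": extract_kernel, "mimedefang.pl": extract_mimedefang}

def parse_line(line, year=2002):
    env = parse_envelope(line, year)
    if env is None or env["event"] not in EXTRACTORS:
        return None
    fields = EXTRACTORS[env["event"]](env["msg"])
    return {**env, **fields} if fields else None

def read_backwards(fobj, block_size=8192):
    """Yield the lines of a seekable binary file last-to-first (File::ReadBackwards style)."""
    fobj.seek(0, io.SEEK_END)
    pos, buf = fobj.tell(), b""
    while pos > 0:
        step = min(block_size, pos)
        pos -= step
        fobj.seek(pos)
        buf = fobj.read(step) + buf
        lines = buf.split(b"\n")
        buf = lines[0]                  # possibly a partial line; keep for next block
        for raw in reversed(lines[1:]):
            if raw:
                yield raw.decode("utf-8", "replace")
    if buf:
        yield buf.decode("utf-8", "replace")

def records_since(fobj, last_seen, year=2002):
    """Parsed records newer than last_seen, oldest first, reading only the tail of the file."""
    out = []
    for line in read_backwards(fobj):
        env = parse_envelope(line, year)
        if env and env["time"] <= last_seen:
            break                       # everything before this was handled on the last run
        rec = parse_line(line, year)
        if rec:
            out.append(rec)
    out.reverse()
    return out

def records_since_bytes(data, last_seen_stamp, year=2002):
    """Convenience wrapper: in-memory log, last_seen given as a syslog stamp string."""
    return records_since(io.BytesIO(data), parse_stamp(last_seen_stamp, year), year)

# Constructed sample log (not real traffic): a MIMEDefang line, an iptables line,
# an unrelated cron line, and a non-syslog line.
SAMPLE_LOG = b"""Dec 11 11:12:01 mail mimedefang.pl[1234]: MDLOG,gBBGC3QK012345,mail_in,,,<alice@example.com>,<bob@example.org>,Hello, world
Dec 11 11:12:03 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.0.2.9 LEN=60 PROTO=TCP SPT=4321 DPT=25 SYN
Dec 11 11:12:05 mail cron[999]: (root) CMD (run-parts /etc/cron.hourly)
garbage line that is not syslog at all
"""
SAMPLE_LINES = SAMPLE_LOG.decode().splitlines()

if __name__ == "__main__":
    for rec in records_since_bytes(SAMPLE_LOG, "Dec 11 11:00:00"):
        print(rec["time"], rec["event"], rec["type"], rec["sender"], "->", rec["recipient"])
```

The backward read stops at the first line whose timestamp is not newer than the last run's high-water mark, so a large syslog file costs only as many blocks as the new tail occupies; because syslog stamps carry no year, a log that rolls over New Year needs the caller to adjust the year argument.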