I was wondering if there was a way to make pflogsumm ignore some entries when creating a report. I have RAV antivirus with Postfix, and when someone sends an attachment it will pass the mail to RAV for scanning and then back to Postfix. That creates multiple entries in the log file, and when running pflogsumm it will give a number that's way off. Here's an example of what the log file looks like.
Jun 30 09:08:51 mailgate postfix/smtpd[16671]: connect from somewhere.com[xxx.xxx.xxx.xxx]
Jun 30 09:08:53 mailgate postfix/smtpd[16671]: 4A38C70: client=somewhere.com[xxx.xxx.xxx.xxx]
Jun 30 09:09:02 mailgate postfix/cleanup[16672]: 4A38C70: message-id=<[EMAIL PROTECTED]>
Jun 30 09:09:02 mailgate postfix/qmgr[171]: 4A38C70: from=<[EMAIL PROTECTED]>, size=1808, nrcpt=1 (queue active)
Jun 30 09:09:02 mailgate ravpostfix[16690]: data received... begin scanning...
Jun 30 09:09:02 mailgate ravmd[16691]: scanning with global configuration
Jun 30 09:09:02 mailgate ravmd[16691]: mail from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]>
Jun 30 09:09:02 mailgate ravmd[16691]: not found in the white/black list.
Jun 30 09:09:02 mailgate ravmd[16691]: file </var/rav/tmp/->(RAV16690)>
Jun 30 09:09:02 mailgate ravmd[16691]: file_ok
Jun 30 09:09:02 mailgate ravmd[16691]: mime part </var/rav/tmp/->(RAV16690)->(part0000:)>
Jun 30 09:09:02 mailgate ravmd[16691]: part_ok
Jun 30 09:09:02 mailgate ravmd[16691]: mime part </var/rav/tmp/->(RAV16690)->(part0001:)>
Jun 30 09:09:02 mailgate ravmd[16691]: part_ok
Jun 30 09:09:02 mailgate ravmd[16691]: end_ok
Jun 30 09:09:02 mailgate ravpostfix[16690]: scanning returns OK... sending file...
Jun 30 09:09:02 mailgate postfix/smtpd[16583]: connect from localhost[127.0.0.1]
Jun 30 09:09:02 mailgate postfix/smtpd[16583]: 3435083: client=localhost[127.0.0.1]
Jun 30 09:09:02 mailgate postfix/cleanup[16577]: 3435083: message-id=<[EMAIL PROTECTED]>
Jun 30 09:09:02 mailgate postfix/qmgr[171]: 3435083: from=<[EMAIL PROTECTED]>, size=1979, nrcpt=1 (queue active)
Jun 30 09:09:02 mailgate postfix/smtpd[16583]: disconnect from localhost[127.0.0.1]
Jun 30 09:09:02 mailgate postfix/smtp[16589]: 4A38C70: to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1], delay=9, status=sent (250 Ok)
Jun 30 09:09:02 mailgate postfix/smtpd[16671]: disconnect from somewhere.com[xxx.xxx.xxx.xxx]
Jun 30 09:09:02 mailgate postfix/smtp[16651]: 3435083: to=<[EMAIL PROTECTED]>, relay=10.25.1.6[10.25.1.6], delay=0, status=sent (250 Message queued)

From my understanding, pflogsumm looks for the "from" and "to" fields. Looking at this you can see that it will count the one e-mail a couple of times. Thanks.
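One way to get a per-message count out of pflogsumm with a content filter like this is to pre-filter the log before feeding it in. The script below is an added example, not part of the original post or of pflogsumm: it keeps the original submission (queue ID accepted from the outside client) and drops the re-injected copy that RAV hands back over localhost, i.e. every line for a queue ID whose smtpd line reads client=localhost[127.0.0.1], plus the localhost connect/disconnect chatter. The embedded log is a constructed sample modelled on the lines above, with placeholder addresses.

```python
import re
import sys

# Queue ID that follows the Postfix daemon name, e.g. "postfix/qmgr[171]: 4A38C70: ..."
QUEUE_ID_RE = re.compile(r" postfix/\w+\[\d+\]: ([0-9A-Za-z]+): ")
# smtpd line that opens a queue entry for a message re-injected by the filter
LOCAL_CLIENT_RE = re.compile(r" postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=localhost\[127\.0\.0\.1\]")
# connect/disconnect lines of the filter's re-injection session
LOCAL_SESSION_RE = re.compile(r" postfix/smtpd\[\d+\]: (?:connect|disconnect) from localhost\[127\.0\.0\.1\]")


def reinjected_queue_ids(lines):
    """Return the set of queue IDs that were submitted from localhost (the scanned copy)."""
    return {m.group(1) for line in lines for m in [LOCAL_CLIENT_RE.search(line)] if m}


def filter_reinjected(lines):
    """Drop every line belonging to a re-injected queue ID and the localhost session lines.

    Two passes are needed: the client= line that identifies a queue ID as re-injected
    may come after other lines for that ID, so the IDs are collected first.
    """
    lines = list(lines)
    skip = reinjected_queue_ids(lines)
    kept = []
    for line in lines:
        if LOCAL_SESSION_RE.search(line):
            continue
        m = QUEUE_ID_RE.search(line)
        if m and m.group(1) in skip:
            continue
        kept.append(line)
    return kept


# Constructed sample in the same shape as the log in the post (addresses are placeholders).
SAMPLE_LOG = """Jun 30 09:08:51 mailgate postfix/smtpd[16671]: connect from somewhere.com[192.0.2.10]
Jun 30 09:08:53 mailgate postfix/smtpd[16671]: 4A38C70: client=somewhere.com[192.0.2.10]
Jun 30 09:09:02 mailgate postfix/qmgr[171]: 4A38C70: from=<sender@example.com>, size=1808, nrcpt=1 (queue active)
Jun 30 09:09:02 mailgate ravpostfix[16690]: scanning returns OK... sending file...
Jun 30 09:09:02 mailgate postfix/smtpd[16583]: connect from localhost[127.0.0.1]
Jun 30 09:09:02 mailgate postfix/smtpd[16583]: 3435083: client=localhost[127.0.0.1]
Jun 30 09:09:02 mailgate postfix/qmgr[171]: 3435083: from=<sender@example.com>, size=1979, nrcpt=1 (queue active)
Jun 30 09:09:02 mailgate postfix/smtpd[16583]: disconnect from localhost[127.0.0.1]
Jun 30 09:09:02 mailgate postfix/smtp[16589]: 4A38C70: to=<user@example.net>, relay=127.0.0.1[127.0.0.1], delay=9, status=sent (250 Ok)
Jun 30 09:09:02 mailgate postfix/smtpd[16671]: disconnect from somewhere.com[192.0.2.10]
Jun 30 09:09:02 mailgate postfix/smtp[16651]: 3435083: to=<user@example.net>, relay=10.25.1.6[10.25.1.6], delay=0, status=sent (250 Message queued)"""

if __name__ == "__main__":
    # Usage: python filter_reinjected.py < /var/log/maillog | pflogsumm
    sys.stdout.writelines(filter_reinjected(sys.stdin))
```

On the sample this leaves one from= and one status=sent line, so pflogsumm sees one message received and one delivered; the delivery it reports goes to the filter host (127.0.0.1) rather than the final relay, because the original submission's delivery line is the one kept.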
