POSTFIX-LOGWATCH(1)                                        POSTFIX-LOGWATCH(1)



NAME
       postfix-logwatch - A Postfix log parser and analysis utility

SYNOPSIS
       postfix-logwatch [options] [logfile ...]

DESCRIPTION
       The  postfix-logwatch(1)  utility is a Postfix MTA log parser that pro-
       duces summaries, details, and statistics  regarding  the  operation  of
       Postfix.

       This utility can be used as a standalone program, or as a Logwatch fil-
       ter module to produce Postfix summary and detailed reports from  within
       Logwatch.

       Postfix-logwatch  is  able to produce a wide range of reports with data
       grouped and sorted as much as possible to reduce  noise  and  highlight
       patterns.   Brief  summary  reports provide a quick overview of general
       Postfix operations and message delivery, calling out warnings that  may
       require  attention.   Detailed reports provide easy to scan, hierarchi-
       cally-arranged and organized information, with as much or little detail
       as desired.

       Postfix-logwatch  outputs two principal sections: a Summary section and
       a Detailed section.  For readability and quick scanning, all  event  or
       hit  counts appear in the left column, followed by brief description of
       the event type, and finally additional statistics or count  representa-
       tions may appear in the rightmost column.

       The following segment from a sample Summary report illustrates:

           ****** Summary ********************************************

                 81   *Warning: Connection rate limit reached (anvil)
                146   Warned

             68.310M  Bytes accepted                        71,628,177
             97.645M  Bytes delivered                      102,388,245
           ========   ================================================

               3464   Accepted                                  41.44%
               4895   Rejected                                  58.56%
           --------   ------------------------------------------------
               8359   Total                                    100.00%
           ========   ================================================

       The report warns that anvil's connection rate was hit 81 times, a Post-
       fix access check WARN action was logged  146  times,  and  a  total  of
       68.310 megabytes (71,628,177 bytes) were accepted into the Postfix sys-
       tem, delivering 97.645 megabytes of data (due to multiple  recipients).
       The Accepted and Rejected lines show that Postfix accepted 3464 (41.44%
       of the total messages) and rejected 4895 (the remaining 58.56%) of  the
       8359 total messages (temporary rejects show up elsewhere).

       There are dozens of sub-sections available in the Detailed report, each
       of whose output can be controlled in various  ways.   Each  sub-section
       attempts to group and present the most meaningful data at superior lev-
       els, while pushing less useful or noisy data towards  inferior  levels.
       The  goal is to provide as much benefit as possible from smart grouping
       of data, to allow faster report scanning, pattern  identification,  and
       problem  solving.   Data is always sorted in descending order by count,
       and then numerically by IP address or alphabetically as appropriate.

       The following MX errors segment from a sample  Detailed  report  illus-
       trates the basic hierarchical level structure of postfix-logwatch:

           ****** Detailed *******************************************

                261   MX errors --------------------------------------
                261      Unable to look up MX host
                222         Host not found
                 73            foolishspammer.local
                 60            completely.bogus.domain.example
                 11            friend.example.com
                 39         No address associated with hostname
                 23            dummymx.sample.net
                 16            pushn.spam.sample.com


       The postfix-logwatch utility reads from STDIN or from the named Postfix
       logfile.  Multiple logfile arguments may be specified,  each  processed
       in  order.  The user running postfix-logwatch must have read permission
       on each named log file.

   Options
       The options listed below  affect  the  operation  of  postfix-logwatch.
       Options specified later on the command line override earlier ones.  Any
       option may be abbreviated to an unambiguous length.


       -f config_file
       --config_file config_file
              Use an alternate configuration file config_file instead  of  the
              default.  This option may be used more than once.  Multiple con-
              figuration files will be processed in the order presented on the
              command line.  See CONFIGURATION FILE below.

       --debug keywords
              Output  debug  information  during the operation of postfix-log-
              watch.  The parameter keywords is one or  more  comma  or  space
              separated  keywords.   To obtain the list of valid keywords, use
              --debug xxx where xxx is any invalid keyword.

       --[no]delays
              Enables (disables) output  of  the  message  delays  percentiles
              report.   The  delays  percentiles  report shows percentiles for
              each of the 4 delivery latency times reported by Postfix (avail-
              able in version 2.3 and later) in the form delays=a/b/c/d, where
              a is the amount of time before the active queue  (includes  time
              for  previous delivery attempts and time in the deferred queue),
              b is the amount of time in the active queue up to delivery agent
              handoff,  c  is  the  amount  of  time  spent making connections
              (including DNS, HELO and TLS) and d is the amount of time  spent
              delivering  the  message.   The total delay shown comes from the
              delay= field in a message delivery log line.

              Note: This report may consume a large amount of memory;  if  you
              have no use for it, disable the delays report.


       --delays_percentiles p1 [p2 ...]
              Specifies  the percentiles to be used in the message delays per-
              centiles report.  The percentiles p1, p2, ... range  from  0  to
              100,  inclusively.   The  order  of the list is not sorted - the
              report will output the percentiles  columns  in  the  order  you
              specify.

       --detail level
              Sets  the  maximum  detail  level for postfix-logwatch to level.
              This option is global,  overriding  any  other  output  limiters
              described below.

              The  postfix-logwatch  utility  produces  a  Summary  section, a
              Detailed section, and additional report  sections.   With  level
              less than 5, postfix-logwatch will produce only the Summary sec-
              tion.  At level 5 and above, the Detailed section, and any addi-
              tional  report  sections are candidates for output.  Each incre-
              mental increase in level generates one  additional  hierarchical
              sub-level  of  output in the Detailed section of the report.  At
              level 10, all levels are output.  Lines that exceed the  maximum
              report  width  (specified  with  max_report_width)  will be cut.
              Setting level to 11 will prevent lines in the report from  being
              cut (see also --line_style).

       --help Print  usage  information  and a brief description about command
              line options.

       --ignore_service pattern
              Ignore log lines that contain the  postfix  service  name  post-
              fix/service.  The parameter service is a regular expression.

              Note: if you use parenthesis in your regular expression, be sure
              they are cloistering and not capturing: use  (?:pattern) instead
              of (pattern).

       --ipaddr_width width
              Specifies  that IP addresses in address/hostname pairs should be
              printed with a field width of width characters.  Increasing  the
              default may be useful for systems using long IPv6 addresses.

       -l limiter=levelspec
       --limit limiter=levelspec
              Sets the level limiter limiter with the specification levelspec.

       --line_style style
              Specifies  how  to  handle  long report lines.  Three styles are
              available: full, truncate, and wrap.  Setting style to full will
              prevent  cutting  lines to max_report_width; this is what occurs
              when detail is 11  or  higher.   When  style  is  truncate  (the
              default),   long   lines   will   be   truncated   according  to
              max_report_width.  Setting style to wrap will wrap lines  longer
              than  max_report_width  such that left column hit counts are not
              obscured.  This option takes  precedence  over  the  line  style
              implied  by  the  detail level.  The options --full, --truncate,
              and --wrap are synonyms.

       --[no]long_queue_ids
              Enables (disables) interpretation of long queue IDs  in  Postfix
              (>= 2.9) logs.

       --nodetail
              Disables  the Detailed section of the report, and all supplemen-
              tal reports.  This option provides  a  convenient  mechanism  to
              quickly  disable  all  sections under the Detailed report, where
              subsequent command line options may re-enable one or  more  sec-
              tions to create specific reports.

       --[no]summary

       --show_summary
              Enables  (disables) displaying of the the Summary section of the
              report.  The variable Posfix_Show_Summary in used in a  configu-
              ration file.

       --recipient_delimiter delimiter
              Split  email  delivery  addresses  using the recipient delimiter
              character delimiter.  This should generally  match  the  recipi-
              ent_delimiter  specified  in the Postfix parameter file main.cf,
              or the default value indicated in postconf  -d  recipient_delim-
              iter.   This  is  very useful for obtaining per-alias statistics
              when a recipient delimeter is used for mail delivery.

       --reject_reply_patterns r1 [r2 ...]
              Specifies the list of  reject  reply  patterns  used  to  create
              reject  groups.   Each  entry  in  the  list r1 [r2 ...] must be
              either a three character regular expression reply  code  of  the
              form [45][0-9.][0-9.], or the word "Warn".  The "." in the regu-
              lar expression is a literal dot which matches any  reject  reply
              subcode;  this  wildcarding  allows  creation  of  broad rejects
              groups.  List order is preserved, in that reject reports will be
              output  in  the same order as the entries in the list.  Specific
              reject reply codes will take priority  over  wildcard  patterns,
              regardless of the list order.

              The  default  list is "5.. 4.. Warn", which creates three groups
              of rejects: permanent rejects, temporary  reject  failures,  and
              reject warnings (as in warn_if_reject).

              This  feature  allows, for example, distinguishing 421 transmis-
              sion channel closures from 45x errors (eg. 450 mailbox  unavail-
              able,  451  local  processing errors, 452 insufficient storage).
              Such a grouping would be configured with the list: "421 4..  5..
              Warn".  See RFC 2821 for more information about reply codes.

              See  also  CONFIGURATION  FILE regarding using reject_reply_pat-
              terns within a configuration file.

       --[no]sect_vars
       --show_sect_vars boolean
              Enables (disables) supplementing  each  Detailed  section  title
              with  the  name  of that section's level limiter.  The name dis-
              played is the command line option (or configuration  file  vari-
              able)  used to limit that section's output.  With the large num-
              ber of level limiters available in postfix-logwatch, this a con-
              venient  mechanism  for  determining exactly which level limiter
              affects a section.

       --syslog_name namepat
              Specifies the syslog service name that postfix-logwatch uses  to
              match  syslog  lines.  Only log lines whose service name matches
              the perl regular expression namepat will be used by postfix-log-
              watch;  all  non-matching  lines  are silently ignored.  This is
              useful when a pre-installed Postfix package uses  a  name  other
              than  the  default (postfix), or when multiple Postfix instances
              are in use and per-instance reporting is desired.

              The pattern namepat should match the  syslog_name  configuration
              parameter  specified  in the Postfix parameter file main.cf, the
              master control file master.cf, or the default value as indicated
              by the output of postconf -d syslog_name.

              Note: if you use parenthesis in your regular expression, be sure
              they are cloistering and not capturing: use  (?:pattern) instead
              of (pattern).

       --[no]unknown
       --show_unknown boolean
              Enables  (disables)  display  of  the  postfix-generated name of
              'unknown' in formated IP/hostname  pairs  in  Detailed  reports.
              Default: enabled.

       --version
              Print postfix-logwatch version information.

   Level Limiters
       The  output  of every section in the Detailed report is controlled by a
       level limiter.  The name of the level limiter variable will  be  output
       when  the  sect_vars  option is set.  Level limiters are set either via
       command line in standalone mode with --limit limiter=levelspec  option,
       or  via  configuration  file variable $postfix_limiter=levelspec.  Each
       limiter requires a levelspec argument,  which  is  described  below  in
       LEVEL CONTROL.

       The list of level limiters is shown below.

       There  are several level limiters that control reject sub-sections (eg.
       rejectbody, rejectsender, etc.).  Because the list of  reject  variants
       is  not  known until runtime after reject_reply_patterns is seen, these
       reject limiters are shown below generically, with the prefix  ###.   To
       use one of these reject limiters, substitute ### with one of the reject
       reply codes in effect, replacing each dot with  an  x  character.   For
       example,  using  the  default  reject_reply_patterns  list  of "5.. 4..
       Warn", three rejectbody  variants  are  valid:  --limit  5xxrejectbody,
       --limit  4xxrejectbody  and  --limit warnrejectbody.  As a convenience,
       you may entirely eliminate the ### prefix, and  instead  use  the  bare
       rejectXXX option, and all reject level limiter variations will be auto-
       generated based on the reject_reply_patterns list.   For  example,  the
       command line segment:

           ... --reject_reply_patterns "421 5.." \
                   --limit rejectrbl="1:10:"

       would automatically become:

           ... --reject_reply_patterns "421 5.." \
                   --limit 421rejectrbl="1:10:" --limit 5xxrejectrbl="1:10:"

       See reject_reply_patterns above, and comments in the configuration file
       postfix-logwatch.conf.


       [ THIS SECTION IS NOT YET COMPLETE ]

       AttrError
              Errors obtaining attribute data from service.
       BCCed  Messages that triggered access, header_checks or body_checks BCC
              action. (postfix 2.6 experimental branch)
       BounceLocal
       BounceRemote
              Local and remote bounces.  A bounce is considered a local bounce
              if the relay was one of none, local, virtual, avcheck,  maildrop
              or 127.0.0.1.
       ByIpRejects
              Regrouping  by  client  host  IP  address of all 5xx (permanent)
              reject variants.
       CommunicationError
              Postfix errors talking to one of its services.
       Anvil  Anvil rate or concurrency limits.
       ConnectionInbound
              Connections made to the smtpd server.
       ConnectionLostInbound
              Connections lost to the smtpd server.
       ConnectionLostOutbound
              Connections lost during smtp communications with remote MTA.
       ConnectToFailure
              Failures reported by smtp when connecting to remote MTA.
       DatabaseGeneration
              Warnings noted when binary database map  file  requires  postmap
              update from newer source file.
       Deferrals
       Deferred
              Message delivery deferrals.  A single deferred message will have
              one or more deferrals many times.
       Deliverable
              Address verification indicates recipient address is deliverable.
       Delivered
              Number of messages handed-off to a delivery agent such as  local
              or virtual.
       Discarded
              Messages  that  triggered  access,  header_checks or body_checks
              DISCARD action.
       DNSError
              Any one of several errors encounted during DNS lookups.
       EnvelopeSenderDomains
              List of sending domains.  (2  levels:  envelope  sender  domain,
              localpart)
       EnvelopeSenders
              List of envelope senders.  (1 level: envelope sender)
       Error  Postfix general error messages.
       FatalConfigError
              Fatal main.cf or master.cf configuration errors.
       FatalError
              Postfix general fatal messages.
       Filtered
              Messages  that  triggered  access,  header_checks or body_checks
              FILTER action.
       Forwarded
              Messages forwarded by MDA for one address class to another  (eg.
              local -> virtual).
       HeloError
              XXXXXXXXXXX
       Hold   Messages  that were placed on hold by postsuper, or triggered by
              access, header_checks or body_checks HOLD action.
       HostnameValidationError
              Invalid hostname detected.
       HostnameVerification
              Lookup of hostname does not map back to the IP of the peer  (ie.
              the  remote system connecting to smtpd).  Also known as forward-
              confirmed reverse DNS (FCRDNS).  When the reverse  name  has  no
              DNS  entry, the message "host not found, try again" is included;
              otherwise, it is not (e.g. when the reverse has some IP address,
              but not the one Postfix expects).
       IllegalAddrSyntax
              Illegal syntax in an email address provided during the MAIL FROM
              or RCPT TO dialog.
       LdapError
              Any LDAP errors during LDAP lookup.
       MailerLoop
              An MX lookup for the best mailer to use to  deliver  mail  would
              result in a sending to ourselves.
       MapProblem
              Problem with an access table map that needs correcting.
       MessageWriteError
              Postfix  encountered  an  error  when trying to create a message
              file somewhere in the spool directory.
       NumericHostname
              A hostname was found that was numeric, instead of alphabetic.
       PanicError
              Postfix general panic messages.
       PixWorkaround
              Workarounds were enabled to avoid remote Cisco  PIX  SMTP  "fix-
              ups".
       PolicydWeight
              Summarization of policyweight/policydweight results.
       PolicySpf
              Summarization of PolicySPF results.
       Postgrey
              Summarization of Postgrey results.
       Postscreen
              Summarization of 2.7's postscreen and verify services.
       DNSBLog
              Summarization of 2.7's dnsblog service.
       Prepended
              Messages  that  triggered  header_checks  or body_checks PREPEND
              action.
       ProcessExit
              Postfix services that exited unexpectedly.
       ProcessLimit
              A Postfix service has reached or exceeded the maximum number  of
              processes allowed.
       QueueWriteError
              Problems writing a Postfix queue file.
       RblError
              Lookup errors for RBLs.
       Redirected
              Messages that triggered access, header_checks or body_checks RE-
              DIRECT action.
       ###RejectBody
              Messages that triggered body_checks REJECT action.
       ###RejectClient
              Messages     rejected     by     client     access      controls
              (smtpd_client_restrictions).
       ###RejectConfigError
              Message rejected due to server configuration errors.
       ###RejectContent
              Messages rejected by message_reject_characters.
       ###RejectData
              Messages   rejected   at   DATA   stage   in  SMTP  conversation
              (smtpd_data_restrictions).
       ###RejectEtrn
              Messages  rejected  at   ETRN   stage   in   SMTP   conversation
              (smtpd_etrn_restrictions).
       ###RejectHeader
              Messages that triggered header_checks REJECT action.
       ###RejectHelo
              Messages  rejected  at  HELO/EHLO  stage  in  SMTP  conversation
              (smtpd_helo_restrictions).
       ###RejectInsufficientSpace
              Messages rejected due to insufficient storage space.
       ###RejectLookupFailure
              Messages rejected due to temporary DNS lookup failures.
       ###RejectMilter
              Milter rejects.  No reject reply code  is  available  for  these
              rejects,  but  an extended 5.7.1 DSN is provided.  These rejects
              are forced into the generic 5xx rejects group.  If you  redefine
              reject_reply_patterns  such that it does not contain the pattern
              5.., milter rejects will not be output.
       ###RejectRbl
              Messages rejected by an RBL hit.
       ###RejectRecip
              Messages rejected by recipient  access  controls  (smtpd_recipi-
              ent_restrictions).
       ###RejectRelay
              Messages rejected by relay access controls.
       ###RejectSender
              Messages      rejected     by     sender     access     controls
              (smtpd_sender_restrictions).
       ###RejectSize
              Messages rejected due to excessive message size.
       ###RejectUnknownClient
              Messages rejected by unknown client access controls.
       ###RejectUnknownReverseClient
              Messages rejected by unknown reverse client access controls.
       ###RejectUnknownUser
              Messages rejected by unknown user access controls.
       ###RejectUnverifiedClient
              Messages rejected by unverified client access controls.
       ###RejectVerify
              Messages rejected dueo to address verification failures.
       Replaced
              Messages that triggered  header_checks  or  body_checks  REPLACE
              action.
       ReturnedToSender
              Messages  returned  to  sender  due  to exceeding queue lifetime
              (maximal_queue_lifetime).
       SaslAuth
              SASL authentication successes, includes SASL  method,  username,
              and sender when present.
       SaslAuthFail
              SASL authentication failures.
       Sent   Messages sent via the SMTP delivery agent.
       SentLmtp
              Messages sent via the LMTP delivery agent.
       SmtpConversationError
              Errors during the SMTP/ESMTP dialog.
       SmtpProtocolViolation
              Protocol violation during the SMTP/ESMTP dialog.
       StartupError
              Errors during Postfix server startup.
       TimeoutInbound
              Connections to smtpd that timed out.
       TlsClientConnect
              TLS client connections.
       TlsOffered
              TLS communication offerred.
       TlsServerConnect
              TLS server connections.
       TlsUnverified
              Unverified TLS connections.
       Undeliverable
              Address  verification  indicates recipient address is undeliver-
              able.
       Warn   Messages that triggered  access,  header_checks  or  body_checks
              WARN action.
       WarnConfigError
              Warnings regarding Postfix configuration errors.
       WarningsOther
              Postfix general warning messages.


LEVEL CONTROL
       The  Detailed  section  of  the report consists of a number of sub-sec-
       tions, each of which is controlled  both  globally  and  independently.
       Two  settings  influence  the output provided in the Detailed report: a
       global detail level (specified with --detail) which has final (big ham-
       mer) output-limiting control over the Detailed section, and sub-section
       specific detail settings (small hammer), which allow  further  limiting
       of  the output for a sub-section.  Each sub-section may be limited to a
       specific depth level, and each sub-level may be limited with top  N  or
       threshold limits.  The levelspec argument to each of the level limiters
       listed above is used to accomplish this.

       It is probably best to continue explanation of sub-level limiting  with
       the  following well-known outline-style hierarchy, and some basic exam-
       ples:

           level 0
              level 1
                 level 2
                    level 3
                       level 4
                       level 4
                 level 2
                    level 3
                       level 4
                       level 4
                       level 4
                    level 3
                       level 4
                    level 3
              level 1
                 level 2
                    level 3
                       level 4

       The simplest form of output limiting  suppresses  all  output  below  a
       specified  level.   For example, a levelspec set to "2" shows only data
       in levels 0 through 2.  Think of this as collapsing  each  sub-level  2
       item, thus hiding all inferior levels (3, 4, ...), to yield:

           level 0
              level 1
                 level 2
                 level 2
              level 1
                 level 2

       Sometimes  the  volume  of  output in a section is too great, and it is
       useful to suppress any data that does not exceed  a  certain  threshold
       value.   Consider a dictionary spam attack, which produces very lengthy
       lists of hit-once recipient email or IP addresses.  Each  sub-level  in
       the  hierarchy can be threshold-limited by setting the levelspec appro-
       priately.  Setting levelspec to the value "2::5" will suppress any data
       at level 2 that does not exceed a hit count of 5.

       Perhaps  producing a top N list, such as top 10 senders, is desired.  A
       levelspec of "3:10:" limits level 3 data to only the top 10 hits.

       With those simple examples out of the way, a levelspec is defined as  a
       whitespace- or comma-separated list of one or more of the following:

       l      Specifies  the  maximum level to be output for this sub-section,
              with a range from 0 to 10.  if l is 0, no levels will be output,
              effectively  disabling  the sub-section (level 0 data is already
              provided in the Summary report, so level  1  is  considered  the
              first  useful level in the Detailed report).  Higher values will
              produce output up to and including the specified level.

       l.n    Same as above, with the addition that n  limits  this  section's
              level  1  output to the top n items.  The value for n can be any
              integer greater than 1.  (This form of limiting has less utility
              than  the  syntax shown below. It is provided for backwards com-
              patibility; users are encouraged to use the syntax below).

       l:n:t  This triplet specifies level l, top n, and minimum threshold  t.
              Each  of the values are integers, with l being the level limiter
              as described above, n being a top n limiter for the level l, and
              t  being  the  threshold limiter for level l.  When both n and t
              are specified, n has priority, allowing top n lists  (regardless
              of  threshold  value).  If the value of l is omitted, the speci-
              fied values for n and/or t are used for all levels available  in
              the sub-section.  This permits a simple form of wildcarding (eg.
              place minimum threshold limits on all  levels).   However,  spe-
              cific  limiters  always  override  wildcard limiters.  The first
              form of level limiter may be included in levelspec  to  restrict
              output, regardless of how many triplets are present.

       All  three forms of limiters are effective only when postfix-logwatch's
       detail level is 5 or greater (the Detailed  section  is  not  activated
       until detail is at least 5).

       See the EXAMPLES section for usage scenarios.

CONFIGURATION FILE
       Postfix-logwatch  can  read configuration settings from a configuration
       file.  Essentially, any command line option can be placed into  a  con-
       figuration file, and these settings are read upon startup.

       Because  postfix-logwatch can run either standalone or within Logwatch,
       to minimize confusion, postfix-logwatch inherits Logwatch's  configura-
       tion file syntax requirements and conventions.  These are:

       o   White space lines are ignored.

       o   Lines beginning with # are ignored

       o   Settings are of the form:

                   option = value


       o   Spaces or tabs on either side of the = character are ignored.

       o   Any value protected in double quotes will be case-preserved.

       o   All  other  content  is  reduced to lowercase (non-preserving, case
           insensitive).

       o   All postfix-logwatch configuration settings must be  prefixed  with
           "$postfix_" or postfix-logwatch will ignore them.

       o   When  running  under Logwatch, any values not prefixed with "$post-
           fix_" are consumed by Logwatch; it only passes to  postfix-logwatch
           (via environment variable) settings it considers valid.

       o   The  values  True  and Yes are converted to 1, and False and No are
           converted to 0.

       o   Order of settings is not  preserved  within  a  configuration  file
           (since  settings  are passed by Logwatch via environment variables,
           which have no defined order).

       To include a command line option in a configuration  file,  prefix  the
       command line option name with the word "$postfix_".  The following con-
       figuration file setting and command line option are equivalent:

               $postfix_Line_Style = Truncate

               --line_style Truncate

       Level limiters are also prefixed with $postfix_,  but  on  the  command
       line are specified with the --limit option:

               $postfix_Sent = 2

               --limit Sent=2



       The  order  of  command  line options and configuration file processing
       occurs as follows: 1) The default configuration  file  is  read  if  it
       exists  and  no --config_file was specified on a command line.  2) Con-
       figuration files are read and processed in the order found on the  com-
       mand  line.   3)  Command line options override any options already set
       either via command line or from any configuration file.

       Command line options are interpreted when they are seen on the  command
       line,  and  later  options  will  override previously set options.  The
       notable exception is with limiter variables, which are  interpreted  in
       the  order found, but only after all other options have been processed.
       This allows --reject_reply_patterns to determine the  dynamic  list  of
       the various reject limiters.

       See also --reject_reply_patterns.

EXIT STATUS
       The  postfix-logwatch  utility exits with a status code of 0, unless an
       error occurred, in which case a non-zero exit status is returned.

EXAMPLES
   Running Standalone
       Note: postfix-logwatch reads its log data from one or more named  Post-
       fix  log  files, or from STDIN.  For brevity, where required, the exam-
       ples below use the word file  as  the  command  line  argument  meaning
       /path/to/postfix.log.   Obviously you will need to substitute file with
       the appropriate path.

       To run postfix-logwatch in standalone mode, simply run:

           postfix-logwatch file

       A complete list of options and basic usage is available via:

           postfix-logwatch --help

       To print a summary only report of Postfix log data:

           postfix-logwatch --detail 1 file

       To produce a summary report and a one-level detail report for May 25th:

           grep 'May 25' file | postfix-logwatch --detail 5

       To produce only a top 10 list of Sent email domains, the summary report
       and  detailed  reports are first disabled.  Since commands line options
       are read and enabled left-to-right, the Sent section is  re-enabled  to
       level 1 with a level 1 top 10 limiter:

           postfix-logwatch --nosummary --nodetail --limit sent='1 1:10:' file

       The  following command and its sample output shows a more complex level
       limiter example.  The command gives the top 3 Sent email addresses from
       the top 5 domains, in addition, all level 3 items with a hit count of 2
       or less are suppressed (in the Sent sub-section,  this  happens  to  be
       email's  Original  To  address).  Ellipses indicate top N or threshold-
       limited data:

           postfix-logwatch --nosummary --nodetail \
                   --limit sent '1:5: 2:3: 3::2' file

           1762   Sent via SMTP -----------------------------------
            352      example.com
            310         joe
            255            joe.bob@virtdomain.example.com
              7            info@virtdomain.example.com
             21         pooryoda3
             11         hot93uh
                        ...
            244      sample.net
             97         buzz
             26         leroyjones
             14         sally
                        ...
            152      example.net
             40         jim_jameson
             23         sam_sampson
             19         paul_paulson
                        ...
             83      sample.us
             44         root
             39         jenny1
             69      dom3.example.us
             10         kay
              7         ron
              6         mrsmith
                        ...
                     ...

       The next command uses both reject_reply_patterns and level limiters  to
       see  421 RBL rejects, threshold-limiting level 2 output to hits greater
       than 5 (level 2 in the  Reject  RBL  sub-section  is  the  client's  IP
       address  /  hostname  pair).   This makes for a very nice RBL offenders
       list, shown in the sample output (note  the  use  of  the  unambiguous,
       abbreviated command line option reject_reply_pat):

           postfix-logwatch --reject_reply_pat '421 4.. 5.. Warn' \
                   --nosummary --nodetail --limit 421rejectrbl='2 2::5' file

           300   421 Reject RBL ---------------------------------------
           243      zen.spamhaus.org=127.0.0.2
           106         10.0.0.129       129.0.0.example.com
            41         192.168.10.70    hostx10.sample.net
            40         192.168.42.39    hostz42.sample.net
            15         10.1.1.152       dsl-10-1-1-152.example.us
            14         10.10.10.122     mail122.sample.com
             7         192.168.3.44     smalltime-spammer.example.com
                       ...
            48      zen.spamhaus.org=127.0.0.4
            17         10.29.124.92     10-29-124-92.adsl-static.sample.us
                       ...
             8      zen.spamhaus.org=127.0.0.11
                       ...
             1      zen.spamhaus.org=127.0.0.10
                       ...

   Running within Logwatch
       Note:  Logwatch  versions  prior to 7.3.6, unless configured otherwise,
       required the --print option to  print  to  STDOUT  instead  of  sending
       reports  via  email.  Since version 7.3.6, STDOUT is the default output
       destination, and the --print option has been replaced by --output  std-
       out.  Check your configuration to determine where report output will be
       directed, and add the appropriate option to the commands below.

       To print a summary report for today's Postfix log data:

           logwatch --service postfix --range today --detail 1

       To print a report for today's Postfix log data, with one level
       of detail in the Detailed section:

           logwatch --service postfix --range today --detail 5

       To print a report for yesterday, with  two  levels  of  detail  in  the
       Detailed section:

           logwatch --service postfix --range yesterday --detail 6

       To  print  a report from Dec 12th through Dec 14th, with four levels of
       detail in the Detailed section:

           logwatch --service postfix --range \
                   'between 12/12 and 12/14' --detail 8

       To print a report for today, with all levels of detail:

           logwatch --service postfix --range today --detail 10

       Same as above, but leaves long lines uncut:

           logwatch --service postfix --range today --detail 11


ENVIRONMENT
       The postfix-logwatch program uses  the  following  (automatically  set)
       environment variables when running under Logwatch:

       LOGWATCH_DETAIL_LEVEL
              This  is  the  detail  level specified with the Logwatch command
              line argument --detail or the Detail setting in the ...conf/ser-
              vices/postfix.conf configuration file.

       LOGWATCH_DEBUG
              This is the debug level specified with the Logwatch command line
              argument --debug.

       postfix_xxx
              The Logwatch program passes all settings postfix_xxx in the con-
              figuration  file  ...conf/services/postfix.conf  to  the postfix
              filter (which is  actually  named  .../scripts/services/postfix)
              via environment variable.

FILES
   Standalone mode
       /usr/local/bin/postfix-logwatch
              The postfix-logwatch program

       /usr/local/etc/postfix-logwatch.conf
              The postfix-logwatch configuration file in standalone mode

   Logwatch mode
       /etc/logwatch/scripts/services/postfix
              The Logwatch postfix filter

       /etc/logwatch/conf/services/postfix.conf
              The Logwatch postfix filter configuration file

SEE ALSO
       logwatch(8), system log analyzer and reporter

README FILES
       README, an overview of postfix-logwatch
       Changes, the version change list history
       Bugs, a list of the current bugs or other inadequacies
       Makefile, the rudimentary installer
       LICENSE, the usage and redistribution licensing terms

LICENSE
       Covered under the included MIT/X-Consortium License:
       http://www.opensource.org/licenses/mit-license.php

AUTHOR(S)
       Mike Cappella

       The original postfix Logwatch filter was written by Kenneth Porter, and
       has had many contributors over the years.  They are entirely not
       responsible for any errors, problems or failures since the current
       author's hands have touched the source code.



                                                           POSTFIX-LOGWATCH(1)