About / News Features Download Documentation Installation Admin guide Configuration License Support Contact ScreenShots Help support SendmailAnalyzer!	SendmailAnalyzer Usage There's two way to use SendmailAnalyzer. If you don't need real time you can run it each night so that maillog will be parsed and reports generated once a day. Note that if you have a huge MTA load this not a good solution. The other way is to run it in daemon mode, in this way it can parse huge maillog (million line per day) preserving system resources. To know all possible command line arguments, run 'sendmailanalyzer --help' Important: if you experience high memory usage with SendmailAnalyzer use the -w (--write-delay) command line option to reduce the time where in memory data are flushed to disk. Default is 60 secondes, this is good in most configuration but in huge servers you may set it as low as 5 secondes. You must test it to find a compromise between speed and memory usage. Standalone To run SendmailAnalyzer in standalone mode you have to setup a cron entry each night as follow assuming log and configuration files in default place (/var/log/maillog and /usr/local/sendmailanalyzer/sendmailanalyzer.conf): /usr/local/sendmailanalyzer/sendmailanalyzer -i -b -f This will run the program in interactive mode (-i), parse full maillog seeking after the last run ending position (-f) and exiting at end of maillog parsing (-b). Daemon mode To run SendmailAnalyzer as a daemon, use the start/stop/restart script given with the distribution (in start_script/ directory). The following script is for Slackware but can be used with any other distribution: /etc/rc.d/rc.sendmailanalyzer start or if you use RedHat or Fedora: chkconfig sendmailanalyzer on service sendmailanalyzer start It will start as 'sendmailanalyzer -f' that tell him to start in daemon mode (default), parse full maillog seeking after the last run ending position (-f) and to open a pipe to a tail command on /var/log/maillog. It will never end until you kill it. Important: If you have syslog rotate enable (I hope so :-) you will have to restart SendmailAnalyzer after each log rotation to always tail the good file descriptor. Edit /etc/logrotate.d/syslog and add the following after syslog restart: /etc/rc.d/rc.sendmailanalyzer restart > /dev/null 2>&1 \|\| true or on Redhat or Fedora /etc/init.d/sendmailanalyzer restart > /dev/null 2>&1 \|\| true this must be in the postrotate section. Stopping SendmailAnalyzer Just kill it with SIGTERM signal it will flush current collected object to disk and free open files. Use 'kill -15 `cat /var/run/sendmailanalyzer.pid`' for that or use the starter script. This will kill the current sendmailanalyzer process and the pipe to the tail command. Caching SendmailAnalyzer collect maillog entries to write datas to flat files, when you run the CGI script sa_report.cgi it had to read each data files for the given period to compute statistics and output HTML reports. This can be enought for day views but when you jump to month view it cost a lot in CPU and memory usage unless you have a home MTA. To speed up things and free system resources you have to run the script sa_cache each night by cron to create cache files. After that viewing day, month or year views take just one second. The script sa_cache must be run by cron as follow: /usr/local/sendmailanalyzer/sa_cache >/dev/null 2>&1 If you have set per domain report sa_cache will create cache files for each domains. These cache files are name cache.pm for the MTA global statistics and cache.pmYOURDOMAIM.DOM for each domain report. Since version 4.0 sa_report.cgi will warm you to avoid out of memory when your entering a month view without caching. Huge MTA activity On MTA server with very huge activity you can experience out of memory or wait a very long time before seeing anything in day view. In this case you must run by cron job the perl script sa_cache with the -a (--actual-day-only) option to build cache files for the current day. Statistics will not be shown in realtime but only at the time of the last "sa_cache -a" run. You can run it each five minute for example as follow: /5 * * * /usr/local/sendmailanalyzer/sa_cache -a It will only parse data stored in the current day so five minutes intervals may be enougth for most case. Database SendmailAnalyzer store data into flat file database. Datas are store in a time hiearchical directory structure ending at daily level. This structure is composed as follow : 'mailhost'/year/month/day/ In each day repository you can find the following data files. senders.dat: senders informations. recipient.dat: recipients informations. spam.dat: spams informations. virus.dat: viruses informations. rejected.dat: rejected mail informations. dsn.dat: Delivery Status Notification report syserr.dat: SYSERR MTA informations. other.dat: other message grabbed into the log file. auth.dat: SMTP auth message grabbed into the log file. miltername.dat: message related to a milter, antivir or antispam. postgrey.dat: postgrey informations. The format of each file is explain in the SendmailAnalyzer code source. Archiving When sa_cache is run and following the value of the FREE_SPACE configuration option it will try to archive data older than the current month. If FREE_SPACE is set to 'delete' sa_cache will simply remove the data file from disk. If you set it to 'archive', sa_cache will build a gzipped tarball for all daily data file into the corresponding month directory and the remove date file from disk. If you set it to 'none', data file are kept. If you're primary concerned in disk space saving set it to 'delete'. If you want to preserve data for a year or more you can safely set it to 'archive'. For your information one of my server has 100,000 inbound message a day and a year of 'archive' storage take around 1Gb and a 'delete' storage around 250Mb. One advantage of the 'archive' method is that you can replay the cached stats (for example after an upgrade to fix a sa_cache bug or a major release). In this case, you just have to delete any cache file and extract all tarball as follow : find /path/to/SendmailReport/ -name "cache.pm" \| xargs -i rm -f {} find /path/to/SendmailReport/ -name "history.tar.gz" \| xargs -i \ tar xzf {} --directory / and then rerun sa_cache again. Important:* running sa_cache in one pass on en entire year could cost a lot of resources and takes very long time. In this case add a second argument to the command line giving the year/month to proceed, for example: sa_cache -s 'mailhost' -d "2008/06" repeat this command for each month.

About / News
Features
Download
Documentation

Help support
SendmailAnalyzer!

SendmailAnalyzer Usage

There's two way to use SendmailAnalyzer. If you don't need real time you can run it each night so that maillog will be parsed and reports generated once a day. Note that if you have a huge MTA load this not a good solution.

The other way is to run it in daemon mode, in this way it can parse huge maillog (million line per day) preserving system resources.

To know all possible command line arguments, run 'sendmailanalyzer --help'

Important: if you experience high memory usage with SendmailAnalyzer use the -w (--write-delay) command line option to reduce the time where in memory data are flushed to disk. Default is 60 secondes, this is good in most configuration but in huge servers you may set it as low as 5 secondes. You must test it to find a compromise between speed and memory usage.

Standalone

To run SendmailAnalyzer in standalone mode you have to setup a cron entry each night as follow assuming log and configuration files in default place (/var/log/maillog and /usr/local/sendmailanalyzer/sendmailanalyzer.conf):

	/usr/local/sendmailanalyzer/sendmailanalyzer -i -b -f

This will run the program in interactive mode (-i), parse full maillog seeking after the last run ending position (-f) and exiting at end of maillog parsing (-b).

Daemon mode

To run SendmailAnalyzer as a daemon, use the start/stop/restart script given with the distribution (in start_script/ directory). The following script is for Slackware but can be used with any other distribution:

        /etc/rc.d/rc.sendmailanalyzer start

or if you use RedHat or Fedora:

        chkconfig sendmailanalyzer on
        service sendmailanalyzer start

It will start as 'sendmailanalyzer -f' that tell him to start in daemon mode (default), parse full maillog seeking after the last run ending position (-f) and to open a pipe to a tail command on /var/log/maillog. It will never end until you kill it.

Important: If you have syslog rotate enable (I hope so :-) you will have to restart SendmailAnalyzer after each log rotation to always tail the good file descriptor.

Edit /etc/logrotate.d/syslog and add the following after syslog restart:

        /etc/rc.d/rc.sendmailanalyzer restart > /dev/null 2>&1 || true

or on Redhat or Fedora

        /etc/init.d/sendmailanalyzer restart > /dev/null 2>&1 || true

this must be in the postrotate section.

Stopping SendmailAnalyzer

Just kill it with SIGTERM signal it will flush current collected object to disk and free open files. Use 'kill -15 `cat /var/run/sendmailanalyzer.pid`' for that or use the starter script. This will kill the current sendmailanalyzer process and the pipe to the tail command.

Caching

SendmailAnalyzer collect maillog entries to write datas to flat files, when you run the CGI script sa_report.cgi it had to read each data files for the given period to compute statistics and output HTML reports. This can be enought for day views but when you jump to month view it cost a lot in CPU and memory usage unless you have a home MTA.

To speed up things and free system resources you have to run the script sa_cache each night by cron to create cache files. After that viewing day, month or year views take just one second.

The script sa_cache must be run by cron as follow:

	/usr/local/sendmailanalyzer/sa_cache >/dev/null 2>&1

If you have set per domain report sa_cache will create cache files for each domains. These cache files are name cache.pm for the MTA global statistics and cache.pmYOURDOMAIM.DOM for each domain report.

Since version 4.0 sa_report.cgi will warm you to avoid out of memory when your entering a month view without caching.

Huge MTA activity

On MTA server with very huge activity you can experience out of memory or wait a very long time before seeing anything in day view. In this case you must run by cron job the perl script sa_cache with the -a (--actual-day-only) option to build cache files for the current day. Statistics will not be shown in realtime but only at the time of the last "sa_cache -a" run. You can run it each five minute for example as follow:

    */5 * * * * /usr/local/sendmailanalyzer/sa_cache -a

It will only parse data stored in the current day so five minutes intervals may be enougth for most case.

Database

SendmailAnalyzer store data into flat file database. Datas are store in a time hiearchical directory structure ending at daily level. This structure is composed as follow : 'mailhost'/year/month/day/ In each day repository you can find the following data files.

	senders.dat: senders informations.
	recipient.dat: recipients informations.
	spam.dat: spams informations.
	virus.dat: viruses informations.
	rejected.dat: rejected mail informations.
	dsn.dat: Delivery Status Notification report
	syserr.dat: SYSERR MTA informations.
	other.dat: other message grabbed into the log file.
	auth.dat: SMTP auth message grabbed into the log file.
	miltername.dat: message related to a milter, antivir or antispam.
	postgrey.dat: postgrey informations.

The format of each file is explain in the SendmailAnalyzer code source.

Archiving

When sa_cache is run and following the value of the FREE_SPACE configuration option it will try to archive data older than the current month. If FREE_SPACE is set to 'delete' sa_cache will simply remove the data file from disk. If you set it to 'archive', sa_cache will build a gzipped tarball for all daily data file into the corresponding month directory and the remove date file from disk.

If you set it to 'none', data file are kept.

If you're primary concerned in disk space saving set it to 'delete'. If you want to preserve data for a year or more you can safely set it to 'archive'. For your information one of my server has 100,000 inbound message a day and a year of 'archive' storage take around 1Gb and a 'delete' storage around 250Mb.

One advantage of the 'archive' method is that you can replay the cached stats (for example after an upgrade to fix a sa_cache bug or a major release). In this case, you just have to delete any cache file and extract all tarball as follow :

	find /path/to/SendmailReport/ -name "cache.pm*" | xargs -i rm -f {}
	find /path/to/SendmailReport/ -name "history.tar.gz" | xargs -i \
		tar xzf {} --directory /

and then rerun sa_cache again.

Important: running sa_cache in one pass on en entire year could cost a lot of resources and takes very long time. In this case add a second argument to the command line giving the year/month to proceed, for example:

	sa_cache -s 'mailhost' -d "2008/06"

repeat this command for each month.