As an administrator for multiple servers, I run AMaViS (A Mail Virus Scanner) with F-Prot Antivirus for Linux Workstations (the home-user edition) to filter viruses from my users' mail.

Lately I've been getting 30 mails a day with virus notices (mainly W32/Netsky.B@mm), so I decided I'd write a log parser and turn the email notifications off. It reads the amavis.log (be sure to turn syslog off) AND the saved email part.

Below is the code. It works out of the box with f-prot, but should be fairly easy to adapt to other scanners. The output currently looks like this:

At 8 Mar 11:51:45 f-prot detected a virus
found in /var/amavis/amavis-11543378/parts/msg-6011-2.pif
Name virus: W32/Netsky.B@mm
Message saved as: /var/virusmails/virus-20040308-115145-6011
to: myadres@mydomain.nl
from: somemoronthatusesoutlook@hisdomain.com
subject: hello
Virus Mailserver: node-c-6dbe.a2000.nl
ipadres server: 62.194.109.190
-----------------------

Small update:

Included clamav as a scanner (thanks juerd).

Further code cleanups might follow when I have the time ;). To add the scanner in Limbic~Region's code rewrite, add:

    if ( $line =~ /FOUND/ ) { ( $loc, $vir ) = ( split( / /, $line ) )[ 0, 1 ]; }
#!/usr/bin/perl
#
# Descr: An amavis logfile/virusmail parser
# when using f-prot for linux, home edition or clamav
# should be pretty easy to fix with others
#
# $Id: vircount v 0.02 2003/03/08 1:12:24 teabag Exp $

use strict;
use warnings;

# config
my $logfile  = "/var/amavis/amavis.log";
my $fprotdir = "/var/virusmails";
my $virprog  = "f-prot";    # or clamav
# end config

my $div = "-----------------------\n";
my ( $loc, $vir );          # last infected part and virus name seen in the log

open( my $logfh, '<', $logfile ) or die "Error opening local log file: $!";
my @logbuffer = <$logfh>;
close($logfh) or die "Error closing local log file: $!";

foreach my $line (@logbuffer) {
    chomp $line;
    # f-prot report line: "<path> ... Infection: <name>"
    # (field positions as f-prot prints them; adjust the indexes for another scanner)
    if ( $line =~ /Infection:/ ) {
        ( $loc, $vir ) = ( split( / /, $line ) )[ 0, 3 ];
    }
    # clamav report line: "<path>: <name> FOUND"
    if ( $line =~ /FOUND/ ) {
        ( $loc, $vir ) = ( split( / /, $line ) )[ 0, 1 ];
    }
    # amavis log line: "<month> <day> <time> ... quarantined ... <file>";
    # the quarantine file name is the 13th space-separated field
    if ( $line =~ /quarantined/ ) {
        my ( $month, $day, $time, $file ) = ( split( / /, $line ) )[ 0, 2, 3, 12 ];
        my $date = "$day $month $time";
        print "At $date $virprog detected a virus\nfound in $loc\n";
        print "Name virus: $vir\nMessage saved as: $fprotdir/$file\n";
        checkwhosi("$fprotdir/$file");
    }
}

unless ( defined $vir ) {
    print "no viri received\n";
    exit;
}

# Read the quarantined message and report who sent it, to whom, and from
# which relay (the last Received: header is the one nearest the sender).
sub checkwhosi {
    my ($virfile) = @_;
    my ( $senderserv, $sserv2, $from, $to, $subject ) = ('') x 5;

    open( my $virfh, '<', $virfile ) or die "Error opening viral log file: $!";
    my @logbuffer2 = <$virfh>;
    close($virfh) or die "Error closing viral log file: $!";

    foreach my $line2 (@logbuffer2) {
        chomp $line2;
        last if $line2 eq '';    # blank line ends the headers; don't scan the body
        if ( $line2 =~ /^Received:/ ) {
            ( $senderserv, $sserv2 ) = ( split( / /, $line2 ) )[ 2, 3 ];
            $sserv2 = '' unless defined $sserv2;
            $sserv2 =~ tr/()[]//d;    # strip the brackets around the address
        }
        # anchored at line start so that e.g. Reply-To: is not taken for To:
        $from    = $1 if $line2 =~ /^From:\s*(.*)/;
        $to      = $1 if $line2 =~ /^To:\s*(.*)/;
        $subject = $1 if $line2 =~ /^Subject:\s*(.*)/;
    }
    print "to: $to\nfrom: $from\nsubject: $subject\n";
    print "Virus Mailserver: $senderserv\nipadres server: $sserv2\n";
    print $div;
}

In reply to amavis logfile/viruspart parser by teabag
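The header-parsing half of the script above takes the second space-separated token of any line matching /From:/, /To:/ or /Subject:/ anywhere in the quarantined file. The quarantined message is attacker-controlled input: a display name in From:, a Reply-To: or Delivered-To: header, a folded Subject: or a "To:" in the message body all give wrong results. The following is an added example (not teabag's code, nor part of the original post) of how to parse that header block properly: it unfolds continuation lines, stops at the blank line that ends the headers, matches header names exactly, and takes the first-hop relay host and IP from the bottom-most Received: header. The sample message is constructed for this example; the host names and addresses in it are placeholders.

```perl
#!/usr/bin/perl
# Added example, not code from the original post. Parses the header block
# of a quarantined message instead of splitting lines on single spaces.
use strict;
use warnings;

# Unfold a raw RFC 822 header block into a list of [name, value] pairs.
# Stops at the first blank line, so body text is never mistaken for a header.
sub parse_headers {
    my ($raw) = @_;
    my @headers;
    for my $line ( split /\r?\n/, $raw ) {
        last if $line eq '';                       # blank line ends the headers
        if ( $line =~ /^[ \t]+(.*)$/ && @headers ) {
            $headers[-1][1] .= " $1";              # continuation of previous field
        }
        elsif ( $line =~ /^([!-9;-~]+):[ \t]*(.*)$/ ) {
            push @headers, [ $1, $2 ];             # new header field
        }
        # anything else is malformed; skip it rather than die on hostile input
    }
    return @headers;
}

# All values of one header field, matched by exact (case-insensitive) name,
# in order of appearance. "Reply-To" therefore never matches "To".
sub header_values {
    my ( $name, @headers ) = @_;
    return map { $_->[1] } grep { lc $_->[0] eq lc $name } @headers;
}

# The last Received: header was written by the first relay, the one nearest
# the sender. Return the host it claimed and the IP the receiving MTA saw.
sub first_hop {
    my (@headers) = @_;
    my @received = header_values( 'Received', @headers );
    return ( '?', '?' ) unless @received;
    my $hop    = $received[-1];
    my ($host) = $hop =~ /^from\s+(\S+)/;
    my ($ip)   = $hop =~ /\[(\d{1,3}(?:\.\d{1,3}){3})\]/;
    return ( defined $host ? $host : '?', defined $ip ? $ip : '?' );
}

# Constructed sample (placeholder hosts and documentation-range addresses):
# two Received: hops, a quoted display name, Reply-To: ahead of To:, a folded
# Subject:, and a body that contains "To:" and "Subject:" text.
my $sample = <<'MSG';
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.org with ESMTP id abc123
    for <user@example.org>; Mon, 8 Mar 2004 11:51:40 +0100
Received: from relay.example.com ([198.51.100.7])
    by mx.example.net with SMTP; Mon, 8 Mar 2004 11:51:38 +0100
From: "Some Sender" <sender@example.com>
Reply-To: bounce@example.com
To: user@example.org
Subject: hello
    world
Content-Type: text/plain

To: nobody
Subject: this is the body and must be ignored
MSG

my @h = parse_headers($sample);
my ( $host, $ip ) = first_hop(@h);
printf "to: %s\nfrom: %s\nsubject: %s\n",
    ( header_values( 'To',      @h ) )[0],
    ( header_values( 'From',    @h ) )[0],
    ( header_values( 'Subject', @h ) )[0];
printf "Virus Mailserver: %s\nip address server: %s\n", $host, $ip;
```

Run on the sample this prints "to: user@example.org", the full From: value with its display name, "subject: hello world", and relay.example.com / 198.51.100.7 for the first hop; the Reply-To: header and the body lines are ignored. Note that the host name in a Received: header is whatever the sending side claimed in HELO; only the bracketed IP was observed by the receiving MTA, which is why the two are reported separately.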
