Category Archives: Linux

linux

Compile Owncloud libocsync0 for Debian Wheezy from source

Posted on November 9, 2013.

I was trying to get the Python Owncloud CLI package to work on Wheezy. It requires libocsync0 which is available in unstable but it has many depends that would push the box further into unstable than I would of liked (samba and sftp plugins require unstable versions of samba, ssh, libc6, etc.).

To get libocsync working on wheezy, I did the following:

# Add unstable repository to APT
cat << EOF > /etc/apt/sources.list.d/unstable.list
deb     http://ftp.uk.debian.org/debian/     unstable main contrib non-free
deb-src http://ftp.uk.debian.org/debian/     unstable main contrib non-free
EOF

# Pin unstable low so it isn't default
cat << EOF > /etc/apt/preferences.d/unstable.pref
Package: *
Pin: release a=unstable
Pin-Priority: 400
EOF

# Download source files to /usr/src
cd /usr/src && apt-get update && apt-get source ocsync

# Get build depends 
# (If you note down what packages are installed NEW here, you can manually remove them afterwards)
apt-get build-dep ocsync

# Remove unstable repository
rm -f /etc/apt/sources.list.d/unstable.list /etc/apt/preferences.d/unstable.pref && apt-get update

# Change to the new ocsync source directory, in my case it was
cd /usr/src/ocsync-0.90.4

# run through compile (instructions at http://www.debian.org/doc/manuals/maint-guide/build.en.html )
debian/rules clean
dpkg-source -b ./
debian/rules build
fakeroot debian/rules binary

# .deb files are now in /usr/src
ls -la /usr/src

# install required package
dpkg -i libocsync0_0.90.4-1_amd64.deb

# Add unstable repository to APT

cat << EOF > /etc/apt/sources.list.d/unstable.list

deb http://ftp.uk.debian.org/debian/ unstable main contrib non-free

deb-src http://ftp.uk.debian.org/debian/ unstable main contrib non-free

EOF

# Pin unstable low so it isn't default

cat << EOF > /etc/apt/preferences.d/unstable.pref

Package: *

Pin: release a=unstable

Pin-Priority: 400

EOF

# Download source files to /usr/src

cd /usr/src && apt-get update && apt-get source ocsync

# Get build depends

# (If you note down what packages are installed NEW here, you can manually remove them afterwards)

apt-get build-dep ocsync

# Remove unstable repository

rm -f /etc/apt/sources.list.d/unstable.list /etc/apt/preferences.d/unstable.pref && apt-get update

# Change to the new ocsync source directory, in my case it was

cd /usr/src/ocsync-0.90.4

# run through compile (instructions at http://www.debian.org/doc/manuals/maint-guide/build.en.html )

debian/rules clean

dpkg-source -b ./

debian/rules build

fakeroot debian/rules binary

# .deb files are now in /usr/src

ls -la /usr/src

# install required package

dpkg -i libocsync0_0.90.4-1_amd64.deb

1 Comment

Windows 7 on XEN HVM — Slow Remote Desktop

Posted on October 20, 2013.

Update: The same issue and fix are relevant for Windows Server 2008 R2, Server 2012 and Windows 8. Maybe all versions of Windows using the GPL PV drivers.

I just installed a Windows 7 guest onto a Debian Wheezy Xen dom0. I installed these GPLPV drivers v11.0.372. Using RealVNC to setup the machine was fast and responsive, however once I switched over to RDP the machine was acting like a mule. The RDP session was slowly redrawing the screen as each new application loaded. Internet Explorer’s default MSN page with its ever changing news feed image was causing the session to almost lock up.

The fix is to disable Large Send Offload on the Xen network adapter.

Simple instructions:

Press the Start Orb
Type: “devmgmt.msc” and press enter
In device manager, find Network Adapters
Right click, “Xen Net Device Driver” and choose Properties
Under the advanced tab, click “Large Send Offload” and adjust the Value to “Disabled”
Click Okay (if you did this via RDP, you will lose the connection as the network is reset, just reconnect)

5 Comments

logcheck — various filters

Posted on September 6, 2013.

As mentioned earlier, I have a few of these logcheck filters I have created over the past few years. I use Debian and CentOS so other distros may not perfectly match.

These work in conjunction with the default filters, hence their naming scheme of local_<service>.

Dovecot
login, logout, mysql connections, lda delivery, ssl regen

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:alnum:]\s]+, lip=[.:[:alnum:]\s]+(, mpid=[[:digit:]]+)?(, (TLS( handshake)?|secured))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)(-login)?(\([-_.@[:alnum:]]+\))?: (Connection closed|Disconnected( for inactivity|: (Logged out|Disconnected in IDLE))) bytes=[[:digit:]]+\/[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (dovecot: )?((deliver|lda)\([-_.@[:alnum:]]+\)|lda\([-_.@\w]+\)): sieve: msgid=<?[^\(]*>?( \(((added by )?[^[:space:]]+|sfid-[_[:xdigit:]]+)\)?)?[[:space:]]*: (stored mail into mailbox '.*'|marked message to be discarded if not explicitly delivered \(discard action\)|(forwarded to|sent vacation response to|discarding vacation response for message implicitly delivered to|not sending vacation response to system address|discarding vacation response to mailinglist recipient|discarded vacation reply to|discarding vacation response to (auto-submitted|precedence=bulk) message from|discarded duplicate (vacation response|forward) to) <[^[:space:]]*>)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \(no auth attempts\): rip=[.[:digit:]]+, lip=[.[:digit:]]+(, (TLS|SSL|secured))?.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: mysql: Connected to [._[:alnum:]-]+ \(postfix\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-params: (Generating )?SSL parameters( regeneration completed)?$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:alnum:]\s]+, lip=[.:[:alnum:]\s]+(, mpid=[[:digit:]]+)?(, (TLS( handshake)?|secured))?$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)(-login)?($[-_.@[:alnum:]]+$)?: (Connection closed|Disconnected( for inactivity|: (Logged out|Disconnected in IDLE))) bytes=[[:digit:]]+\/[[:digit:]]+$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (dovecot: )?((deliver|lda)$[-_.@[:alnum:]]+$|lda$[-_.@\w]+$): sieve: msgid=<?[^$]*>?( \(((added by )?[^[:space:]]+|sfid-[_[:xdigit:]]+)$?)?[[:space:]]*: (stored mail into mailbox '.*'|marked message to be discarded if not explicitly delivered $discard action$|(forwarded to|sent vacation response to|discarding vacation response for message implicitly delivered to|not sending vacation response to system address|discarding vacation response to mailinglist recipient|discarded vacation reply to|discarding vacation response to (auto-submitted|precedence=bulk) message from|discarded duplicate (vacation response|forward) to) <[^[:space:]]*>)$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected $no auth attempts$: rip=[.[:digit:]]+, lip=[.[:digit:]]+(, (TLS|SSL|secured))?.*$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: mysql: Connected to [._[:alnum:]-]+ $postfix$$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-params: (Generating )?SSL parameters( regeneration completed)?$

local_dovecot (1.5 KiB, 2,455 hits)

Managesieve (part of Dovecot)
login, logout

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ managesieve-login: Login: user=<[_@\.[:alnum:]-]+>, method=[[:alnum:]]+, rip=[[:digit:]\.]+, lip=[[:digit:]\.]+(, mpid=[[:digit:]\.]+)?(, TLS)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ managesieve\([_@\.[:alnum:]-]+\): Disconnected: Logged out bytes=[[:digit:]]+\/[[:digit:]]+$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ managesieve-login: Login: user=<[_@\.[:alnum:]-]+>, method=[[:alnum:]]+, rip=[[:digit:]\.]+, lip=[[:digit:]\.]+(, mpid=[[:digit:]\.]+)?(, TLS)?$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ managesieve$[_@\.[:alnum:]-]+$: Disconnected: Logged out bytes=[[:digit:]]+\/[[:digit:]]+$

local_managesieve (320 bytes, 2,401 hits)

OpenVPN
login related

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: TCP connection established with (\[AF_INET\])?[.[:digit:]]{7,15}:[[:digit:]]{2,5}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: (Local|Expected Remote) Options String: '[., _[:alnum:]-]+'$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: TCPv4_SERVER link (local \(bound\)|remote): (\[AF_INET\])?[.[:digit:]]{7,15}:[[:digit:]]{2,5}$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: TCP connection established with (\[AF_INET\])?[.[:digit:]]{7,15}:[[:digit:]]{2,5}$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: (Local|Expected Remote) Options String: '[., _[:alnum:]-]+'$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: TCPv4_SERVER link (local $bound$|remote): (\[AF_INET\])?[.[:digit:]]{7,15}:[[:digit:]]{2,5}$

local_openvpn (506 bytes, 2,407 hits)

PostFWD
statistic log lines: dnsbl, rules, stats, cache, rate

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfwd\[[[:digit:]]+\]: \[(DNSBL|RULES|STATS|CACHE|RATE)\].*$

1	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfwd\[[[:digit:]]+\]: \[(DNSBL\|RULES\|STATS\|CACHE\|RATE)\].*$

local_postfwd (104 bytes, 2,464 hits)

ProFTPd mod_ban (optional module)
obtained, detached, removed, showing ban list

^\w{3} [ :[:digit:]]{11} mod_ban\/[[:digit:]\.]+\[[[:digit:]]+\]: (obtained|detached|removed) shmid [[:digit:]]+ for BanTable '[/[:alpha:]\.]+'$
^\w{3} [ :[:digit:]]{11} mod_ban\/[[:digit:]\.]+\[[[:digit:]]+\]: showing ban lists$

1 2	^\w{3} [ :[:digit:]]{11} mod_ban\/[[:digit:]\.]+\[[[:digit:]]+\]: (obtained\|detached\|removed) shmid [[:digit:]]+ for BanTable '[/[:alpha:]\.]+'$ ^\w{3} [ :[:digit:]]{11} mod_ban\/[[:digit:]\.]+\[[[:digit:]]+\]: showing ban lists$

local_proftpd-banlog (230 bytes, 2,234 hits)

rSYSlog
start, exit, reload/hup, mark

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: imklog [0-9.]+, log source = /proc/kmsg started.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging \(proc\) stopped.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: -- MARK --$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cronmark: -- MARK --$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] start$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] exiting on signal [0-9]+.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed(, type 'lightweight'.)?$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: imklog [0-9.]+, log source = /proc/kmsg started.$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging $proc$ stopped.$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: -- MARK --$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cronmark: -- MARK --$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] start$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] exiting on signal [0-9]+.$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed(, type 'lightweight'.)?$

local_rsyslog (954 bytes, 2,391 hits)

OpenSSH
closed user request, closed preauth 127.0.0.1

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [[:digit:]\.]+: [[:digit:]]+: Closed due to user request\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by 127.0.0.1 \[preauth\]$

1 2	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [[:digit:]\.]+: [[:digit:]]+: Closed due to user request\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by 127.0.0.1 \[preauth\]$

local_ssh (255 bytes, 2,415 hits)

swapspace
allocating, retiring, adding (kernel)

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ /usr/sbin/swapspace: Allocating swapfile '[0-9]+'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ /usr/sbin/swapspace: Retiring swapfile '[0-9]+'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[0-9\.]+\] Adding [0-9]+k swap on [0-9]+.  Priority:-[0-9]+ extents:[0-9]+ across:[0-9]+k SS

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ /usr/sbin/swapspace: Allocating swapfile '[0-9]+'

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ /usr/sbin/swapspace: Retiring swapfile '[0-9]+'

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[0-9\.]+\] Adding [0-9]+k swap on [0-9]+. Priority:-[0-9]+ extents:[0-9]+ across:[0-9]+k SS

local_swapspace (324 bytes, 2,378 hits)

Xen vs OpenVZ

Posted on July 15, 2013.

Some things I have been able to measure after I changed from OpenVZ to Xen.

BackupPC has 62 hosts reporting “Pool is 348.76GB comprising 2086499 files and 4369 directories” using 6.5mil inodes on XFS on its own separate set of disks.

Load during BackupPC usage on OpenVZ used to send the host into a frenzy of 10+, with the guest at 2-3. Whilst BackupPC was running, all guests felt sluggish.
Load with Xen has the host and all other VMs completely unaffected, and the guest at 3-5.

BackupPC nightly takes 2x the time on Xen than it does on OpenVZ. I have adjusted the nightly to be split up over 2 days instead of all in 1.

All backups are taking ~20% longer with Xen.

Memory usage on the host with OpenVZ used to climb to 12GB+ (out of 16GB total) when BackupPC nightly was running, and then slowly dissipate during the day. The memory usage wasn’t in the cache/buffer section either, it was marked as actually in use. However no application was using all that RAM. The RAM being used was listed as “slab” RAM (tip: run “slabtop”) which is what XFS uses as cache, however the free command sees the RAM as used which is confusing. I think as the host had 14GB+ free most the time, it used as much as it could.

Memory usage on the host whilst using Xen was obviously not affected by the BackupPC guest. BackupPC guest total RAM is only 2GB, so memory usage would climb to 1.5GB, in line with expectations. 1GB+ of this was slab memory.

In general I have noticed most VMs to feel slower with Xen, especially with disk read/writes. However hdparm tests show raw throughput has remained unchanged (~80MB/s). I have noticed though that when another VM is busy, the other guests have no noticeable reduction in performance on Xen. This was my main reason for switching, as BackupPC was bringing all other guests to a near halt on OpenVZ.

I think the reason for the reduction in performance is the fact each guest has to manage its own disk cache whilst during OpenVZ, the majority of data was mounted on the host with plenty of free RAM available for caching. This is a fundamental difference between containers and hypervisors.

I have reduced MySQL guest RAM from 4GB to 1GB. The Zabbix database alone is 14GB, but in all I haven’t noticed any noticeable difference in performance for Zabbix, or its frontend with both the move to Xen and the RAM change. The daily-backup on the SQL server (backup all databases) takes 50% longer to complete (~1min, now ~1m40s).

The small number of timed tests I could compare from one to the other may show a performance loss on Xen, but with this being a true hypervisor system, it was expected. I didn’t expect BackupPC to suffer as much as it did during the nightly, but I believe this to be because it no longer has the freedom of 14GB free RAM to use as cache.

I have also lost the RAM flexibility that comes with OpenVZ, but overall I am happy with the move back to Xen. I moved to OpenVZ as my DVB-T card didn’t function when booting on the Xen kernel, but I plan to replace MythTV with a Sky box in the near future and was getting frustrated with BackupPC on OpenVZ.

5 Comments

logcheck — amavisd-new filter

Posted on July 14, 2013.

Tested using Debian 7 Wheezy. To be added to /etc/logcheck/ignore.d.server/

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|SPAM|SPAMMY),( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Blocked SPAM,( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, [[:digit:]]+ ms$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (BAD-HEADER),.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Blocked BANNED \([.,_ [:alnum:]-]+\),( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( quarantine: [/[:alnum:]-]+,)?( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, [[:digit:]]+ ms$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: $[-[:digit:]]+$ Passed (CLEAN|SPAM|SPAMMY),( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Message-ID: <[^>]+>( $(added by[^)]+|sfid-[_[:xdigit:]]+)$)?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: $[-[:digit:]]+$ Blocked SPAM,( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( Message-ID: <[^>]+>( $(added by[^)]+|sfid-[_[:xdigit:]]+)$)?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, [[:digit:]]+ ms$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: $[-[:digit:]]+$ Passed (BAD-HEADER),.*$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: $[-[:digit:]]+$ Blocked BANNED $[.,_ [:alnum:]-]+$,( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( quarantine: [/[:alnum:]-]+,)?( Message-ID: <[^>]+>( $(added by[^)]+|sfid-[_[:xdigit:]]+)$)?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, [[:digit:]]+ ms$

With javascript enabled, the above regex block has a toolbar with a copy-to-clipboard button.

I have quite a few of these custom filters, I’ll post some more at another time.