SIEVELOG.CONF(5) BSD File Formats Manual SIEVELOG.CONF(5)
NAME
sievelog.conf — sievelog rules file
SYNOPSIS
sievelog.conf
DESCRIPTION
sievelog(1) reads rules from a file in sievelog.conf(5) format. The file
contains guard/action pairs, one per line. Guards are separated from
actions by the literal token ‘->’. Rules may be split between multiple
lines using ‘\’ at the end of the line.
Evaluation Order
A rules file is normally evaluated top-to-bottom. If the -o flag is
passed to sievelog(1), however, the rules are evaluated in order of their
relative frequency.
Guard Format
The general format of a guard is "⟨regex⟩"[i]. The double-quotes
surrounding regex are obligatory. The regular expression is directly fed to
Python's re module. The literal ‘i’ may follow the regular expression to
indicate it is to be treated as case-insensitive. A full description of
the regular expression language is beyond the scope of this manual. See
Python's documentation for re for details.
Action Format
An action is a string telling sievelog where to send a message that
matches the guard pattern. An action can be either a single token, like
‘/dev/null’ or it can be a comma-delimited sequence of actions, like
‘/sievelog/out1, /sievelog/out2’. Commas cannot be escaped, so a rule
like ‘/sievelog/out1,55’ will not parse correctly.
Blocks of rules, one per line, can be enclosed within curly brackets and
guarded by a regex. The bodies of these compound rules are not
reordered by the ruleset optimizer.
Available Actions
/absolute/path/name
        Append the matched message to the named file. Messages can be
        ignored by sending them to /dev/null.
mail subject to from
        Stick the matched message in an email with the given subject and
        send it with the given to and from addresses.
EXAMPLES
Write all messages containing ‘sudo’ to a file and email them to
interested parties:
"sudo" ->\
/var/sievelog/sudo,\
mail "omg we're all going to die" sysadmin@example.com\
sievelog@example.com
Use a compound rule to enforce ordering so you can filter out certain
messages from your Cisco ASA before dropping the remainder in
/sievelog/asa:
"ASA" -> {
"ASA-4-10602.*some-if:.*other-if:10.1.1.72/137" -> /dev/null
"ASA-4-10602" -> /sievelog/asa
}
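Added example (not from sievelog or this manual): a small Python parser and router for the rule syntax described above, run against constructed rules. It assumes first-match-wins evaluation, unanchored matching via re.search, and that a compound block with no matching inner rule falls through to later rules; the names parse, route, RULES and GUARD are hypothetical.

```python
import re

# Constructed rules: the page's ASA block plus a made-up "sudo" rule.
RULES = r'''
"sudo"i ->\
/var/sievelog/sudo,\
/var/sievelog/auth
"ASA" -> {
"ASA-4-10602.*some-if:.*other-if:10.1.1.72/137" -> /dev/null
"ASA-4-10602" -> /sievelog/asa
}
'''
GUARD = re.compile(r'^"(.*)"(i?)\s*->\s*(.+)$')

def parse(text):
    """Return rules in file order as (regex, actions, body) tuples."""
    # Assumption: a trailing '\' joins the next line with a single space.
    lines = [l.strip() for l in text.replace("\\\n", " ").splitlines()]
    rules, stack = [], []
    for line in filter(None, lines):
        if line == "}":
            if not stack:
                raise ValueError("'}' without matching '{'")
            rules = stack.pop()
            continue
        m = GUARD.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        rx = re.compile(m.group(1), re.I if m.group(2) else 0)
        if m.group(3) == "{":
            body = []
            rules.append((rx, None, body))
            stack.append(rules)
            rules = body
        else:
            actions = [a.strip() for a in m.group(3).split(",")]
            rules.append((rx, actions, None))
    if stack:
        raise ValueError("unclosed '{'")
    return rules

def route(rules, msg):
    """Assumed semantics: top-to-bottom, first matching simple rule wins."""
    for rx, actions, body in rules:
        if rx.search(msg):  # assumption: unanchored, as "containing" implies
            hit = actions if body is None else route(body, msg)
            if hit is not None:
                return hit
    return None
```

Under these assumptions the first ASA guard also sends a message ending in other-if:10.1.1.72/1379 to /dev/null, because the pattern is unanchored and its dots are unescaped. Escape the dots and bound the port when a guard feeds /dev/null.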
SEE ALSO
sievelog(1)
http://code.google.com/p/sievelog/wiki/Syntax
AUTHORS
Jesse Kempf (jessekempf@gmail.com)
BUGS
The mail action's syntax is arguably lame.
BSD 5 August 2010 BSD