Use different log files
Paul Kudla (SCOM.CA Internet Services Inc.)
paul at scom.ca
Mon May 16 12:02:34 UTC 2022
Robert's answer is a valid approach pending the size of your server
networks etc.
on another note (because i run multiple servers etc)
I run a common syslog file across all servers which is what you appear
to have now.
from there i like everything in one syslog because i am usually looking
for something relative to a user which can occur anywhere. (imap, smtp,
pop3, ssl etc)
that being said i wrote bash scripts that do stuff like
cat /var/log/syslog.log | grep $1
this allows everything from ALL servers going into one file for
simplicity and then it gets seperated out when you go looking for something.
note that syslog can be programmed to divert to other servers in syslog.conf
## cat /etc/syslog.conf
*.* /var/log/all.log
*.* @10.228.0.6
10.228.0.6 is my central internal syslog capture server and all of my
servers, routers, devices etc point to that and i go from there.
if you are having auth issues etc between dovecot & postfix this will
show you everything related to a user, ip address etc.
Again its just a suggestion ... Logging is always relative to network
setup more then anything else and situations vary easily.
I expanded this concept eventually into a database driven logger system
in django, it is probably overkill for you but i am running 20+ servers
and at the end of the day it was just easier to centralize it.
so
ssh 10.220.0.6 -q -tt /usr/home/syslog/log $1 $2 $3 $4 $5 $6 $7 $8 $9
or more spoecifically
log -t paul at hiscomputer.ca (-t was for today's date)
would give me all activity for my accounts
------------------------------------------------
mail19 05-16 07:03:26 {smtphandler.py} [14475] (996976186) [14475]
Header info data: 'hiscomputer.ca at em1.dereksloan.ca',
['paul at hiscomputer.ca'] ((While
Handling File :
/usr/home/postfix/tmp/936692CC6F0))
mail19 05-16 07:03:26 {smtphandler.py} [14475] (996976190) [14475]
rSPF set : Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
client-
ip=167.89.21.76;
helo=o24.email.nationbuilder.com; envelope-from=bounces+14632821-e4fc-
paul=hiscomputer.ca at em1.dereksloan.ca; receiver=paul at hiscomputer.ca \n
((While Handling File :
/usr/home/postfix/tmp/936692CC6F0))
mail19 05-16 07:03:26 {smtphandler.py} [14475] (996976198) [14475]
Checking for Spam SPF Conditions in rSPF : Received-SPF: Pass (sender
SPF authorized)
identity=mailfrom;
client-ip=167.89.21.76; helo=o24.email.nationbuilder.com; envelope-
from=bounces+14632821-e4fc-paul=hiscomputer.ca at em1.dereksloan.ca;
receiver=paul at hiscomputer.ca \n ((While
Handling File :
/usr/home/postfix/tmp/936692CC6F0))
mail19 05-16 07:03:26 {smtphandler.py} [14475] (996976200) [14475]
processing TO: paul at hiscomputer.ca ((While Handling File :
/usr/home/postfix/tmp/936692CC6F0))
mail19 05-16 07:03:26 {smtphandler.py} [14475] (996976201) [14475]
Checking if user paul at hiscomputer.ca has a mailbox ((While Handling File :
/usr/home/postfix/tmp/936692CC6F0))
mail19 05-16 07:03:26 {smtphandler.py} [14475] (996976202) [14475]
SELECT * FROM email_users WHERE source = $$paul at hiscomputer.ca$$ ((While
Handling File
:
/usr/home/postfix/tmp/936692CC6F0))
mail19 05-16 07:03:28 {MailScanner} [11525] (996976259) Delivery
of nonspam: message 936692CC6F0.AF475 from bounces+14632821-e4fc-
paul=hiscomputer.ca at em1.dereksloan.ca to paul at hiscomputer.ca with
subject WHO take over!
mail19 05-16 07:03:42 {smtphandler.py} [14487] (996976373) [14487]
Header info data: 'hiscomputer.ca at em1.dereksloan.ca',
['paul at hiscomputer.ca'] ((While
Handling File :
/usr/home/postfix/tmp/75A082CC6FE))
mail19 05-16 07:03:42 {smtphandler.py} [14487] (996976377) [14487]
rSPF set : Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
client-
ip=167.89.21.76;
helo=o24.email.nationbuilder.com; envelope-from=bounces+14632821-e4fc-
paul=hiscomputer.ca at em1.dereksloan.ca; receiver=paul at hiscomputer.ca \n
((While Handling File :
/usr/home/postfix/tmp/75A082CC6FE))
mail19 05-16 07:03:42 {smtphandler.py} [14487] (996976385) [14487]
Checking for Spam SPF Conditions in rSPF : Received-SPF: Pass (sender
SPF authorized)
identity=mailfrom;
client-ip=167.89.21.76; helo=o24.email.nationbuilder.com; envelope-
from=bounces+14632821-e4fc-paul=hiscomputer.ca at em1.dereksloan.ca;
receiver=paul at hiscomputer.ca \n ((While
Handling File :
/usr/home/postfix/tmp/75A082CC6FE))
mail19 05-16 07:03:42 {smtphandler.py} [14487] (996976387) [14487]
processing TO: paul at hiscomputer.ca ((While Handling File :
/usr/home/postfix/tmp/75A082CC6FE))
mail19 05-16 07:03:42 {smtphandler.py} [14487] (996976388) [14487]
Checking if user paul at hiscomputer.ca has a mailbox ((While Handling File :
/usr/home/postfix/tmp/75A082CC6FE))
mail19 05-16 07:03:42 {smtphandler.py} [14487] (996976389) [14487]
SELECT * FROM email_users WHERE source = $$paul at hiscomputer.ca$$ ((While
Handling File
:
/usr/home/postfix/tmp/75A082CC6FE))
mail19 05-16 07:03:42 {smtphandler.py} [14487] (996976395) [14487]
Executing tmda : /usr/home/tmda/tmda/bin/rfilter -c paul at hiscomputer.ca -Z
paul at hiscomputer.ca
-Y "hiscomputer.ca at em1.dereksloan.ca" -X
/usr/home/postfix/tmp/75A082CC6FE.txt ((While
Handling File :
/usr/home/postfix/tmp/75A082CC6FE))
mail19 05-16 07:03:42 {tmda} [14489] (996976399) To:
paul at hiscomputer.ca
mail19 05-16 07:03:42 {tmda} [14489] (996976404) Actn: OK
(from-file
/usr/home/tmda/users/paul at hiscomputer.ca/.tmda/lists/whitelist ok)(16751)
mail19 05-16 07:03:42 {dovecot} [14512] (996976422)
lda(paul at hiscomputer.ca)<14512><Tj6hHo4vgmKwOAAA0dxyZQ>: sieve:
msgid=<62822f72a3ff3_3d1d125af5c60648 at asgworker-qmb3-26.nbuild.prd.useast1.3dna.io.mail>:
stored mail into
mailbox 'INBOX'
mail19 05-16 07:03:42 {postfix.local} [14511] (996976423) May 16
07:03:42 mail19 postfix/pipe[14511]: 5C7222CC701: to=<paul at hiscomputer.ca>,
relay=dovecot,
delay=0.22, delays=0.05/0.02/0/0.14, dsn=2.0.0, status=sent (delivered
via dovecot service)
mail19 05-16 07:23:15 {dovecot} [88258] (996998697)
imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN,
rip=172.97.134.24,
lip=65.39.148.19,
mpid=15310
mail19 05-16 07:23:26 {dovecot} [88258] (996998740)
imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN,
rip=172.97.134.24,
lip=65.39.148.19,
mpid=15312
mail19 05-16 07:23:34 {dovecot} [88258] (996998862)
imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN,
rip=172.97.134.24,
lip=65.39.148.19,
mpid=15316
mail19 05-16 07:25:03 {dovecot} [88258] (997001016)
imap(paul at hiscomputer.ca)<15316><9yYOQR/fkOOsYYYY>: Disconnected: Logged
out in=178 out=4599
deleted=0
expunged=0 trashed=0 hdr_count=1 hdr_bytes=3112 body_count=0 body_bytes=0
mail19 05-16 07:25:03 {dovecot} [88258] (997001017)
imap(paul at hiscomputer.ca)<15312><HtunQB/fj+OsYYYY>: Disconnected: Logged
out in=256 out=188246
deleted=0
expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=186678
mail19 05-16 07:25:04 {dovecot} [88258] (997001025)
imap(paul at hiscomputer.ca)<15310><n2f5Px/fieOsYYYY>: Disconnected: Logged
out in=925 out=7369
deleted=0
expunged=0 trashed=0 hdr_count=1 hdr_bytes=388 body_count=0 body_bytes=0
mail19 05-16 07:38:00 {dovecot} [88258] (997013528)
imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN,
rip=172.97.134.24,
lip=65.39.148.19,
mpid=15769
mail19 05-16 07:38:00 {dovecot} [88258] (997013529)
imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN,
rip=172.97.134.24,
lip=65.39.148.19,
mpid=15770
mail19 05-16 07:38:01 {dovecot} [88258] (997013536)
imap(paul at hiscomputer.ca)<15769><NNzNdB/foeOsYYYY>: Disconnected: Logged
out in=194 out=20374
deleted=0
expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=17324
mail19 05-16 07:38:01 {dovecot} [88258] (997013537)
imap(paul at hiscomputer.ca)<15770><6+LNdB/foOOsYYYY>: Disconnected: Logged
out in=167 out=783
deleted=0
expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
mail19 05-16 07:38:02 {dovecot} [88258] (997013540)
imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN,
rip=172.97.134.24,
lip=65.39.148.19,
mpid=15772
mail19 05-16 07:38:15 {dovecot} [88258] (997013610)
imap(paul at hiscomputer.ca)<15772><NoLpdB/fpOOsYYYY>: Disconnected: Logged
out in=166 out=12321
deleted=0
expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=11147
mail18 05-16 07:41:51 {dovecot} [51288] (997017656)
imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN,
rip=172.97.231.82,
lip=65.39.148.18,
mpid=68491
mail18 05-16 07:41:57 {dovecot} [51288] (997017684)
imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN,
rip=172.97.231.82,
lip=65.39.148.18,
mpid=68496
mail18 05-16 07:41:57 {dovecot} [51288] (997017685)
imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN,
rip=172.97.231.82,
lip=65.39.148.18,
mpid=68497
peer1 05-16 07:49:25 {su} [36623] (997022563) HISTORY:
PID=36623 UID=0 log -t paul at hiscomputer.ca
Displayed 350 Records
------------------------------------------------------------------------
for example.
Happy Monday !!!
Thanks - paul
Paul Kudla
Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3
Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
On 5/16/2022 5:58 AM, Cristiano Deana wrote:
>
> Hi,
>
> I have a mailserver with dovecot logging to syslog (by default, to
> /var/log/maillog) and my MTA (postfix) is doing the same.
> I use dovecot's services imap/pop3, auth and lmtp and now logs files are
> hard to read because I havve all together MTA and these services.
>
> Is it possibile to have different log with different services?
>
> Example:
> auth logging: /var/log/mail.auth
> delivery: /var/log/mail.delivery and so on
>
> Thank you
>
More information about the dovecot
mailing list