Use different log files

Paul Kudla (SCOM.CA Internet Services Inc.) paul at scom.ca
Mon May 16 12:02:34 UTC 2022


Robert's answer is a valid approach pending the size of your server 
networks etc.

on another note (because i run multiple servers etc)

I run a common syslog file across all servers which is what you appear 
to have now.

from there i like everything in one syslog because i am usually looking 
for something relative to a user which can occur anywhere. (imap, smtp, 
pop3, ssl etc)

that being said i wrote bash scripts that do stuff like

grep -- "$1" /var/log/syslog.log

this allows everything from ALL servers going into one file for 
simplicity and then it gets separated out when you go looking for something.

note that syslog can be programmed to divert to other servers in syslog.conf

## cat /etc/syslog.conf
*.* /var/log/all.log
*.* @10.228.0.6

10.228.0.6 is my central internal syslog capture server and all of my 
servers, routers, devices etc point to that and i go from there.

if you are having auth issues etc between dovecot & postfix this will 
show you everything related to a user, ip address etc.

Again it's just a suggestion ... Logging is always relative to network 
setup more than anything else and situations vary easily.

I expanded this concept eventually into a database driven logger system 
in django, it is probably overkill for you but i am running 20+ servers 
and at the end of the day it was just easier to centralize it.

so

ssh 10.220.0.6 -q -tt /usr/home/syslog/log $1 $2 $3 $4 $5 $6 $7 $8 $9

or more specifically

log -t paul at hiscomputer.ca (-t was for today's date)

would give me all activity for my accounts


------------------------------------------------
mail19      05-16 07:03:26 {smtphandler.py} [14475] (996976186) [14475] Header info data: 'hiscomputer.ca at em1.dereksloan.ca', ['paul at hiscomputer.ca'] ((While Handling File : /usr/home/postfix/tmp/936692CC6F0))
mail19      05-16 07:03:26 {smtphandler.py} [14475] (996976190) [14475] rSPF set : Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=167.89.21.76; helo=o24.email.nationbuilder.com; envelope-from=bounces+14632821-e4fc-paul=hiscomputer.ca at em1.dereksloan.ca; receiver=paul at hiscomputer.ca \n ((While Handling File : /usr/home/postfix/tmp/936692CC6F0))
mail19      05-16 07:03:26 {smtphandler.py} [14475] (996976198) [14475] Checking for Spam SPF Conditions in rSPF : Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=167.89.21.76; helo=o24.email.nationbuilder.com; envelope-from=bounces+14632821-e4fc-paul=hiscomputer.ca at em1.dereksloan.ca; receiver=paul at hiscomputer.ca \n ((While Handling File : /usr/home/postfix/tmp/936692CC6F0))
mail19      05-16 07:03:26 {smtphandler.py} [14475] (996976200) [14475] processing TO: paul at hiscomputer.ca ((While Handling File : /usr/home/postfix/tmp/936692CC6F0))
mail19      05-16 07:03:26 {smtphandler.py} [14475] (996976201) [14475] Checking if user paul at hiscomputer.ca has a mailbox ((While Handling File : /usr/home/postfix/tmp/936692CC6F0))
mail19      05-16 07:03:26 {smtphandler.py} [14475] (996976202) [14475] SELECT * FROM email_users WHERE source = $$paul at hiscomputer.ca$$ ((While Handling File : /usr/home/postfix/tmp/936692CC6F0))
mail19      05-16 07:03:28 {MailScanner}    [11525] (996976259) Delivery of nonspam: message 936692CC6F0.AF475 from bounces+14632821-e4fc-paul=hiscomputer.ca at em1.dereksloan.ca to paul at hiscomputer.ca with subject WHO take over!
mail19      05-16 07:03:42 {smtphandler.py} [14487] (996976373) [14487] Header info data: 'hiscomputer.ca at em1.dereksloan.ca', ['paul at hiscomputer.ca'] ((While Handling File : /usr/home/postfix/tmp/75A082CC6FE))
mail19      05-16 07:03:42 {smtphandler.py} [14487] (996976377) [14487] rSPF set : Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=167.89.21.76; helo=o24.email.nationbuilder.com; envelope-from=bounces+14632821-e4fc-paul=hiscomputer.ca at em1.dereksloan.ca; receiver=paul at hiscomputer.ca \n ((While Handling File : /usr/home/postfix/tmp/75A082CC6FE))
mail19      05-16 07:03:42 {smtphandler.py} [14487] (996976385) [14487] Checking for Spam SPF Conditions in rSPF : Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=167.89.21.76; helo=o24.email.nationbuilder.com; envelope-from=bounces+14632821-e4fc-paul=hiscomputer.ca at em1.dereksloan.ca; receiver=paul at hiscomputer.ca \n ((While Handling File : /usr/home/postfix/tmp/75A082CC6FE))
mail19      05-16 07:03:42 {smtphandler.py} [14487] (996976387) [14487] processing TO: paul at hiscomputer.ca ((While Handling File : /usr/home/postfix/tmp/75A082CC6FE))
mail19      05-16 07:03:42 {smtphandler.py} [14487] (996976388) [14487] Checking if user paul at hiscomputer.ca has a mailbox ((While Handling File : /usr/home/postfix/tmp/75A082CC6FE))
mail19      05-16 07:03:42 {smtphandler.py} [14487] (996976389) [14487] SELECT * FROM email_users WHERE source = $$paul at hiscomputer.ca$$ ((While Handling File : /usr/home/postfix/tmp/75A082CC6FE))
mail19      05-16 07:03:42 {smtphandler.py} [14487] (996976395) [14487] Executing tmda : /usr/home/tmda/tmda/bin/rfilter -c paul at hiscomputer.ca -Z paul at hiscomputer.ca -Y "hiscomputer.ca at em1.dereksloan.ca" -X /usr/home/postfix/tmp/75A082CC6FE.txt ((While Handling File : /usr/home/postfix/tmp/75A082CC6FE))
mail19      05-16 07:03:42 {tmda}           [14489] (996976399)   To: paul at hiscomputer.ca
mail19      05-16 07:03:42 {tmda}           [14489] (996976404) Actn: OK (from-file /usr/home/tmda/users/paul at hiscomputer.ca/.tmda/lists/whitelist ok)(16751)
mail19      05-16 07:03:42 {dovecot}        [14512] (996976422) lda(paul at hiscomputer.ca)<14512><Tj6hHo4vgmKwOAAA0dxyZQ>: sieve: msgid=<62822f72a3ff3_3d1d125af5c60648 at asgworker-qmb3-26.nbuild.prd.useast1.3dna.io.mail>: stored mail into mailbox 'INBOX'
mail19      05-16 07:03:42 {postfix.local}  [14511] (996976423) May 16 07:03:42 mail19 postfix/pipe[14511]: 5C7222CC701: to=<paul at hiscomputer.ca>, relay=dovecot, delay=0.22, delays=0.05/0.02/0/0.14, dsn=2.0.0, status=sent (delivered via dovecot service)
mail19      05-16 07:23:15 {dovecot}        [88258] (996998697) imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN, rip=172.97.134.24, lip=65.39.148.19, mpid=15310
mail19      05-16 07:23:26 {dovecot}        [88258] (996998740) imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN, rip=172.97.134.24, lip=65.39.148.19, mpid=15312
mail19      05-16 07:23:34 {dovecot}        [88258] (996998862) imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN, rip=172.97.134.24, lip=65.39.148.19, mpid=15316
mail19      05-16 07:25:03 {dovecot}        [88258] (997001016) imap(paul at hiscomputer.ca)<15316><9yYOQR/fkOOsYYYY>: Disconnected: Logged out in=178 out=4599 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=3112 body_count=0 body_bytes=0
mail19      05-16 07:25:03 {dovecot}        [88258] (997001017) imap(paul at hiscomputer.ca)<15312><HtunQB/fj+OsYYYY>: Disconnected: Logged out in=256 out=188246 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=186678
mail19      05-16 07:25:04 {dovecot}        [88258] (997001025) imap(paul at hiscomputer.ca)<15310><n2f5Px/fieOsYYYY>: Disconnected: Logged out in=925 out=7369 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=388 body_count=0 body_bytes=0
mail19      05-16 07:38:00 {dovecot}        [88258] (997013528) imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN, rip=172.97.134.24, lip=65.39.148.19, mpid=15769
mail19      05-16 07:38:00 {dovecot}        [88258] (997013529) imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN, rip=172.97.134.24, lip=65.39.148.19, mpid=15770
mail19      05-16 07:38:01 {dovecot}        [88258] (997013536) imap(paul at hiscomputer.ca)<15769><NNzNdB/foeOsYYYY>: Disconnected: Logged out in=194 out=20374 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=17324
mail19      05-16 07:38:01 {dovecot}        [88258] (997013537) imap(paul at hiscomputer.ca)<15770><6+LNdB/foOOsYYYY>: Disconnected: Logged out in=167 out=783 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
mail19      05-16 07:38:02 {dovecot}        [88258] (997013540) imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN, rip=172.97.134.24, lip=65.39.148.19, mpid=15772
mail19      05-16 07:38:15 {dovecot}        [88258] (997013610) imap(paul at hiscomputer.ca)<15772><NoLpdB/fpOOsYYYY>: Disconnected: Logged out in=166 out=12321 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=11147
mail18      05-16 07:41:51 {dovecot}        [51288] (997017656) imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN, rip=172.97.231.82, lip=65.39.148.18, mpid=68491
mail18      05-16 07:41:57 {dovecot}        [51288] (997017684) imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN, rip=172.97.231.82, lip=65.39.148.18, mpid=68496
mail18      05-16 07:41:57 {dovecot}        [51288] (997017685) imap-login: Login: user=<paul at hiscomputer.ca>, method=PLAIN, rip=172.97.231.82, lip=65.39.148.18, mpid=68497
peer1       05-16 07:49:25 {su}             [36623] (997022563) HISTORY: PID=36623 UID=0 log -t paul at hiscomputer.ca
Displayed 350 Records
------------------------------------------------------------------------

for example.



Happy Monday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266

On 5/16/2022 5:58 AM, Cristiano Deana wrote:
> 
> Hi,
> 
> I have a mailserver with dovecot logging to syslog (by default, to 
> /var/log/maillog) and my MTA (postfix) is doing the same.
> I use dovecot's services imap/pop3, auth and lmtp and now log files are 
> hard to read because I have all together MTA and these services.
> 
> Is it possible to have different log with different services?
> 
> Example:
> auth logging: /var/log/mail.auth
> delivery: /var/log/mail.delivery and so on
> 
> Thank you
> 
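
The "one combined log, separated out when you go looking" approach from the message above, as an added example that is not part of the original post or Paul's tooling: the auth/delivery split the question asks for is produced at query time from a single file. The function names (`sample_log`, `log_view`, `login_sources`) are hypothetical, the input is assumed to be standard syslog lines (`Mon DD HH:MM:SS host prog[pid]: msg`), and every sample line is constructed.

```shell
#!/bin/sh
# Added example. All log lines are constructed (RFC 5737 addresses, example.org).
sample_log() { cat <<'EOF'
May 16 07:03:42 mail19 postfix/pipe[14511]: 5C7222CC701: to=<paul@example.org>, relay=dovecot, dsn=2.0.0, status=sent (delivered via dovecot service)
May 16 07:03:42 mail19 dovecot[14512]: lda(paul@example.org)<14512><x>: sieve: stored mail into mailbox 'INBOX'
May 16 07:23:15 mail19 dovecot[88258]: imap-login: Login: user=<paul@example.org>, method=PLAIN, rip=192.0.2.24, lip=198.51.100.19, mpid=15310
May 16 07:23:26 mail19 dovecot[88258]: imap-login: Login: user=<paul@example.org>, method=PLAIN, rip=192.0.2.24, lip=198.51.100.19, mpid=15312
May 16 07:41:51 mail18 dovecot[51288]: imap-login: Login: user=<paul@example.org>, method=PLAIN, rip=203.0.113.82, lip=198.51.100.18, mpid=68491
May 16 07:42:10 mail18 dovecot[51288]: imap-login: Login: user=<paul@exampleXorg>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.18, mpid=68500
EOF
}

# log_view NEEDLE [auth|delivery|all] < combined-log
# NEEDLE (user, IP, queue id) is matched as a fixed string, so the "." in an
# address cannot match an arbitrary character as it does in a grep regex
# (a plain grep for paul@example.org also hits the exampleXorg line above).
log_view() {
    NEEDLE="$1" WANT="${2:-all}" awk '
        index($0, ENVIRON["NEEDLE"]) == 0 { next }
        {
            cat = "other"
            if ($0 ~ /\]: (imap|pop3)-login: / ||
                $0 ~ /\]: auth(-worker\([0-9]+\))?: /) cat = "auth"
            else if ($0 ~ / postfix\/[a-z]+\[/ ||
                     $0 ~ /\]: (lda|lmtp)\(/) cat = "delivery"
            if (ENVIRON["WANT"] == "all" || ENVIRON["WANT"] == cat)
                print cat ": " $0
        }'
}

# login_sources USER < combined-log
# Prints "count server remote-ip" for successful logins, so a login from an
# unexpected address or on an unexpected server stands out.
login_sources() {
    NEEDLE="user=<$1>," awk '
        index($0, ENVIRON["NEEDLE"]) && /-login: Login: / {
            rip = "?"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rip=/) { rip = substr($i, 5); sub(/,$/, "", rip) }
            seen[$4 " " rip]++
        }
        END { for (k in seen) print seen[k], k }' | LC_ALL=C sort -k2
}

sample_log | log_view paul@example.org auth
sample_log | login_sources paul@example.org
```

On a real host, replace `sample_log |` with a redirect from the combined file, for example `log_view "$1" delivery < /var/log/all.log`.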

