David Lee wrote:
We do some routine logfile (syslog) gathering and analysis. I've been looking at extending this to parse the syslog output of dovecot. Hmmm... ... For instance:
- All lines, including the "deliver", to begin "dovecot:";
- The "IMAP(uuuu): Disconnected" to become "imap: disconnected user=<uuuu>"; ...
Overall this would make it more consistently amenable to perl-like pattern processing, at least with a reasonably hierarchical structure to the messages. Perhaps something like:
dovecot: subprogram: event, key1=value1, key2=value2 ...
where: "subprogram" is "{imap,pop,deliver,...}"; "event" is "{login,disconnected, ...}"; and one of the "key=value" will usually be "user=<uuuu>".
Or perhaps similar to postfix, like dovecot/deliver[pid]:
That would really make post-processing of logging information (whether offline, or 'live' via piped syslog) considerably easier.
I strongly agree. I've written some nice graphing (rrdtool) scripts and they would have been much simpler with a standard syslog format. Though really, it's not that big of a deal.
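
As an added example (not code from either poster or from dovecot), here is a Python parser for the "dovecot: subprogram: event, key1=value1, ..." layout proposed above, with per-user event counting of the kind a graphing script would consume. The sample lines are constructed, and the "saved" event and every field name other than user= are assumptions.

```python
import re
from collections import Counter

# Proposed layout from the thread:
#   dovecot: subprogram: event, key1=value1, key2=value2
# The comma after the event is optional, so "imap: disconnected user=<uuuu>" also parses.
LINE_RE = re.compile(
    r"dovecot: (?P<subprogram>[a-z0-9-]+): (?P<event>[a-z-]+)(?:,?\s+(?P<rest>.*))?$"
)
# A value is either <...> (may hold spaces or commas) or a bare token.
PAIR_RE = re.compile(
    r"(?P<key>[A-Za-z0-9_]+)=(?:<(?P<quoted>[^>]*)>|(?P<bare>[^,\s]*))"
)

def parse_line(line):
    """Return subprogram, event and key=value fields, or None if the line does not fit."""
    m = LINE_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    fields = {}
    for pair in PAIR_RE.finditer(m.group("rest") or ""):
        quoted = pair.group("quoted")
        fields[pair.group("key")] = quoted if quoted is not None else pair.group("bare")
    return {"subprogram": m.group("subprogram"), "event": m.group("event"), "fields": fields}

def count_events(lines):
    """Count (subprogram, event, user) tuples, e.g. as input for graphing."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["subprogram"], rec["event"], rec["fields"].get("user"))] += 1
    return counts

# Constructed sample lines (not real dovecot output); names other than user= are made up.
SAMPLE = [
    "Mar  3 10:15:02 mail dovecot: imap: login, user=<alice>, rip=192.0.2.7",
    "Mar  3 10:15:09 mail dovecot: imap: disconnected user=<alice>",
    "Mar  3 10:16:30 mail dovecot: deliver: saved, user=<bob>, mailbox=<INBOX, Work>",
    "Mar  3 10:17:00 mail dovecot: IMAP(alice): Disconnected",  # current style, not matched
]

if __name__ == "__main__":
    for key, n in sorted(count_events(SAMPLE).items()):
        print(key, n)
```

Because values wrapped in <...> are read as one unit, a comma or space inside a user or mailbox name does not split into extra key=value pairs.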