I'm using logcheck for log reporting on Debian Etch, and am currently getting a lot of log entries from Syslog falling through the standard logcheck regex filters. I'm running Dovecot 1.0beta8. The filters follow:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (imap|pop3)-login: Login: [.[:alnum:]@-]+ \[(::ffff:)?[:0-9a-f.]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot: )?(imap|pop3)-login: Disconnected \[(::ffff:)?[:0-9a-f.]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot: )?(imap|pop3)\([^[:space:]]+\): File isn't in mbox format: [^[:space:]]+$
# dovecot 1.0
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)-login: Login: user=<[.[:alnum:]@-]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|cram|DIGEST|digest)-(MD5|md5)), rip=(::ffff:)?[:.[:digit:]]+, lip=(::ffff:)?[:0-9a-f.]+(, TLS)?$
The type of entry coming through is:
Jun 5 09:05:57 myhostname dovecot: IMAP(myusername): Disconnected for inactivity
Jun 5 09:07:05 myhostname dovecot: IMAP(myusername): Disconnected: Logged out
Jun 5 09:07:05 myhostname dovecot: IMAP(myusername): Disconnected: Logged out
The first alnum pattern doesn't match given a host name, but the messages given by Dovecot do not appear to be catered for in the logcheck files.
I wondered whether anyone on the dovecot list was also using logcheck and had fixed the regex patterns?
rik
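Added example, not part of the original post and not a rule shipped by logcheck: a shell harness that runs the four quoted rules over sample lines with grep -E, shows which lines are still reported, and then repeats the run with one candidate ignore rule. The function names, the candidate rule (including its POP3 alternative), the third and fourth log lines and the 192.0.2.10 address are assumptions made for the illustration; the sample lines pad the single-digit day with two spaces, as syslog writes it.

```shell
#!/bin/sh
# Approximates logcheck's ignore pass: lines matching any rule are dropped,
# everything else is reported. Log lines and candidate_rule are constructed.

page_rules() {   # the four rules quoted in the post (comment line omitted)
cat <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (imap|pop3)-login: Login: [.[:alnum:]@-]+ \[(::ffff:)?[:0-9a-f.]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot: )?(imap|pop3)-login: Disconnected \[(::ffff:)?[:0-9a-f.]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot: )?(imap|pop3)\([^[:space:]]+\): File isn't in mbox format: [^[:space:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)-login: Login: user=<[.[:alnum:]@-]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|cram|DIGEST|digest)-(MD5|md5)), rip=(::ffff:)?[:.[:digit:]]+, lip=(::ffff:)?[:0-9a-f.]+(, TLS)?$
EOF
}

# Hypothetical rule for the two messages in the post. It lists the benign
# reasons explicitly so any other disconnect reason is still reported.
candidate_rule() {
cat <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: (IMAP|POP3)\([^[:space:]]+\): Disconnected(: Logged out| for inactivity)$
EOF
}

sample_log() {   # constructed sample input
cat <<'EOF'
Jun  5 09:05:57 myhostname dovecot: IMAP(myusername): Disconnected for inactivity
Jun  5 09:07:05 myhostname dovecot: IMAP(myusername): Disconnected: Logged out
Jun  5 09:07:06 myhostname dovecot: imap-login: Disconnected [192.0.2.10]
Jun  5 09:08:11 myhostname dovecot: IMAP(myusername): Disconnected: Internal error
EOF
}

# reported RULES_FILE: print the sample lines that no rule in the file matches
reported() {
    sample_log | grep -E -v -f "$1" || true
}

run_demo() {
    tmp=$(mktemp -d) || return 1
    page_rules > "$tmp/before"
    { page_rules; candidate_rule; } > "$tmp/after"
    echo "== reported with the posted rules =="
    reported "$tmp/before"
    echo "== reported with the candidate rule added =="
    reported "$tmp/after"
    rm -rf "$tmp"
}
run_demo
```

With the posted rules only the imap-login line is filtered; with the candidate rule added, the one line still reported is the constructed "Internal error" disconnect, which is the kind of entry that should keep reaching the report.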