We do some routine logfile (syslog) gathering and analysis. I've been looking at extending this to parse the syslog output of dovecot. Hmmm...
Ignoring the leading 'date hostname' prefix, some sample lines are:
dovecot: imap-login: Login: user=<uuuuuu>, method=PLAIN, rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
dovecot: IMAP(uuuuuu): Disconnected: Logged out
dovecot: IMAP(uuuuuu): Disconnected in IDLE
dovecot: imap-login: Aborted login: rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
dovecot: pop3-login: Login: user=<uuuuuu>, method=PLAIN, rip=dd.dd.dd.dd1, lip=dd.dd.dd.dd
dovecot: POP3(uuuuuu): Disconnected: Logged out top=0/0, retr=0/0, del=0/8, size=194970
dovecot: pop3-login: Aborted login: rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
deliver(uuuuuu): msgid=014089712.74355909944644@thhebat.net: saved mail to INBOX
I've obfuscated some of the local detail: uuuuuu represents a username/identifier; dd.dd.dd.dd represents an IP address.
Would it be possible, please, to consider improving the consistency of the logging information?
For instance:
- All lines, including the "deliver", to begin "dovecot:";
- The "IMAP(uuuu): Disconnected" to become "imap: disconnected user=<uuuu>";
Overall this would make it more consistently amenable to perl-like pattern processing, at least with a reasonably hierarchical structure to the messages. Perhaps something like:
dovecot: subprogram: event, key1=value1, key2=value2 ...
where: "subprogram" is "{imap,pop,deliver,...}"; "event" is "{login,disconnected,...}"; and one of the "key=value" pairs will usually be "user=<uuuu>".
That would really make post-processing of logging information (whether offline, or 'live' via piped syslog) considerably easier.
Thanks.
--
David Lee
Senior Systems Programmer, UNIX Team Leader
I.T. Service, Computer Centre, Durham University
South Road, Durham DH1 3LE, U.K.
Phone: +44 191 334 2752
http://www.dur.ac.uk/t.d.lee/
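As an added example (not part of the original post, and not Dovecot's own code): the kind of normaliser the post is asking to make unnecessary. It recognises the four line shapes quoted above (imap/pop3-login Login and Aborted login, IMAP/POP3 Disconnected, and deliver) with one regex each and rewrites them into the proposed "dovecot: subprogram: event, key=value, ..." form, so downstream analysis only needs one pattern. The sample lines, usernames, addresses and message-id are constructed here to resemble the obfuscated ones in the post; the field names "reason", "action" and the event name "delivered" are this example's own choices, not Dovecot's.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the obfuscated ones in the post,
# with the leading 'date hostname' prefix already stripped.
SAMPLE_LINES = [
    "dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5",
    "dovecot: IMAP(alice): Disconnected: Logged out",
    "dovecot: IMAP(alice): Disconnected in IDLE",
    "dovecot: imap-login: Aborted login: rip=192.0.2.77, lip=198.51.100.5",
    "dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5",
    "dovecot: POP3(bob): Disconnected: Logged out top=0/0, retr=0/0, del=0/8, size=194970",
    "dovecot: pop3-login: Aborted login: rip=192.0.2.77, lip=198.51.100.5",
    "deliver(bob): msgid=<constructed-id@example.net>: saved mail to INBOX",
]

# One pattern per line shape seen in the post.
LOGIN_RE = re.compile(
    r"^dovecot: (?P<sub>imap|pop3)-login: (?P<event>Login|Aborted login): (?P<rest>.*)$")
DISC_RE = re.compile(
    r"^dovecot: (?P<sub>IMAP|POP3)\((?P<user>[^)]*)\): Disconnected(?:: | in )(?P<rest>.*)$")
DELIVER_RE = re.compile(
    r"^deliver\((?P<user>[^)]*)\): msgid=(?P<msgid>\S+?): (?P<action>.*)$")
# key=value pairs as they appear in the login and POP3 lines (values carry no commas or spaces).
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_kv(text):
    """Split 'Logged out top=0/0, retr=0/0' into ('Logged out', {'top': '0/0', 'retr': '0/0'})."""
    pairs = list(KV_RE.finditer(text))
    lead = text[: pairs[0].start()].strip() if pairs else text.strip()
    return lead, {m.group(1): m.group(2) for m in pairs}


def parse_line(line):
    """Return {'subprogram', 'event', 'fields'} for a recognised line, or None otherwise."""
    m = LOGIN_RE.match(line)
    if m:
        _, fields = parse_kv(m.group("rest"))
        event = "login" if m.group("event") == "Login" else "aborted_login"
        return {"subprogram": m.group("sub"), "event": event, "fields": fields}
    m = DISC_RE.match(line)
    if m:
        reason, fields = parse_kv(m.group("rest"))
        fields = {"user": f"<{m.group('user')}>", "reason": reason, **fields}
        return {"subprogram": m.group("sub").lower(), "event": "disconnected", "fields": fields}
    m = DELIVER_RE.match(line)
    if m:
        fields = {"user": f"<{m.group('user')}>", "msgid": m.group("msgid"),
                  "action": m.group("action")}
        return {"subprogram": "deliver", "event": "delivered", "fields": fields}
    return None


def normalize(line):
    """Rewrite a recognised line into 'dovecot: subprogram: event, k=v, ...'; None if unrecognised."""
    rec = parse_line(line)
    if rec is None:
        return None
    # Values containing spaces are quoted so the output stays splittable on ', '.
    parts = [f"{k}={v}" if " " not in v else f'{k}="{v}"' for k, v in rec["fields"].items()]
    return f"dovecot: {rec['subprogram']}: {rec['event']}, " + ", ".join(parts)


def aborted_logins_by_ip(lines):
    """Count aborted logins per remote IP: the sort of question a uniform format makes trivial."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "aborted_login":
            counts[rec["fields"].get("rip", "?")] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
    print(dict(aborted_logins_by_ip(SAMPLE_LINES)))
```

Unrecognised lines come back as None rather than being guessed at, so a new Dovecot message shape shows up as a gap in the parsed output instead of a silently wrong record.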