- On 2003.01.08, in 1042022871.28651.93.camel@hurina,
- "Timo Sirainen" tss@iki.fi wrote:
> Any suggestions how user login/logouts should look like in log files? I was thinking:
>
> (connected to imaps port)
> Login: username [IP 1.2.3.4, imaps, compressed]
> Logout: username [IP 1.2.3.4, imaps, compressed] [1000/100000 bytes (50%), 00:00:12]
I like things that are easy to parse with shell and awk scripts. E.g.:
    Login: username 1.2.3.4:1025 5.6.7.8:143 imaps,compressed
    Logout: username 1.2.3.4:1025 5.6.7.8:143 imaps,compressed in:1000 out:1000000 [whatever SSL summary data is available]
I like seeing both the source and destination sockaddrs. (Why not run two instances on different interfaces?) In fact, I like seeing both hostname and ip address, and an indicator if a reverse map doesn't match, but that's probably just me.
In this example, flags occupy one space-delimited field, and are separated by commas. It's useful for performance analysis to tally bytes transferred; this is what "in:" and "out:" are for. It would also be nice for perf. anal. to know how much I/O to storage (disk) was performed by the imap process, but I don't imagine those figures are presently available anyway.
That's just an illustration; it doesn't matter to me whether it's like that particularly. I just want to show what I mean by ease of parsing -- whitespace-separated fields, well-known field values, related flags and such compounded within fields. The whole line structure should be well-known and not require perl or sscanf()s or such; scripts should be able to extract a lot of data from these quickly.
(We're watching dovecot for possible use on a system that supports about 300,000 logins per day, and we want to be able to produce stats on that.)
> I think the only configuration needed would be whether to log login, logout or both.
That's generous. :) I'd always want both, and can't imagine not wanting both, but I suppose some might prefer less.
I actually wouldn't mind seeing more optional logs -- for example, logout-like summaries for folder accesses (when users change folders). This can help in balancing storage devices when folders can reside on multiple devices.
In an ideal world, everything would be loggable, but not everything would be logged.
--
-D. dgc@uchicago.edu NSIT University of Chicago
We're the colon in ://
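
Added example, not part of the original message and not Dovecot's actual log format: the space-delimited Login/Logout layout illustrated in the reply, summarized with plain sh and awk. The sample lines, addresses and the function names `sample_log`, `summarize_logouts` and `count_flag` are constructed for illustration, and field positions are assumed from the illustration above.

```shell
#!/bin/sh
# Constructed sample lines in the space-delimited layout illustrated above.
sample_log() {
cat <<'EOF'
Login: alice 192.0.2.10:1025 198.51.100.5:993 imaps,compressed
Logout: alice 192.0.2.10:1025 198.51.100.5:993 imaps,compressed in:1000 out:1000000
Login: bob 192.0.2.20:4001 198.51.100.5:143 imap
Logout: bob 192.0.2.20:4001 198.51.100.5:143 imap in:250 out:4000
Login: alice 203.0.113.7:5555 198.51.100.5:993 imaps
Logout: alice 203.0.113.7:5555 198.51.100.5:993 imaps in:500 out:2000
EOF
}

# Per-user summary of Logout lines read from stdin. Output columns:
#   user sessions bytes_in bytes_out distinct_source_ips
# Fields: $2 user, $3 source ip:port, $6 in:N, $7 out:N (extra fields ignored).
summarize_logouts() {
    awk '
    $1 == "Logout:" && NF >= 7 {
        user = $2
        ip = $3
        sub(/:[0-9]+$/, "", ip)            # drop the trailing :port
        split($6, bin, ":")
        split($7, bout, ":")
        if (bin[1] != "in" || bout[1] != "out") next   # skip malformed lines
        sessions[user]++
        inb[user]  += bin[2]
        outb[user] += bout[2]
        if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
    }
    END {
        for (u in sessions)
            printf "%s %d %d %d %d\n", u, sessions[u], inb[u], outb[u], ips[u]
    }' | sort
}

# Count Login lines whose comma-separated flags field ($5) contains a flag.
count_flag() {
    awk -v flag="$1" '
    $1 == "Login:" {
        n = split($5, f, ",")
        for (i = 1; i <= n; i++) if (f[i] == flag) { c++; break }
    }
    END { print c + 0 }'
}

sample_log | summarize_logouts
```

The distinct-source-IP column is the kind of figure that falls out for free once source sockaddrs are logged in a fixed field, and it is a cheap first signal for accounts being used from unexpected places.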