28 Oct
2024
28 Oct
'24
11:27 p.m.
Hi, I'm working on aggregating event logs and trying to correlate all related events using session IDs. However, I’m struggling with some events as they're missing the session ID.
- proxy_session_* events lack a session ID field, making it difficult to pair them with auth_request_* events.
- when using dovecot as sasl for postfix with a unix listener, both auth_request_* and auth_passdb_request_* events are missing the session ID too.
Example of the fields object for auth_request_finished when using smtp. It's missing multiple common fields, but session ID is, imho, the most important one. https://doc.dovecot.org/2.3/admin_manual/list_of_events/#id1
categories: [ "auth", "service:auth" ]
"fields": {
"translated_user": "alex",
"mechanism": "LOGIN",
"real_remote_ip": "X.X.X.X",
"user": "alex",
"transport": "insecure",
"local_ip": "X.X.X.X",
"remote_ip": "X.X.X.X",
"real_local_ip": "X.X.X.X",
"policy_result": "ok",
"service": "smtp",
"duration": 96764,
"original_user": "alex"
},
Would it be possible to add session ID fields to these logs? Alternatively, is there another method to correlate all the session related logs?
Thanks, Matus
Dovecot v. 2.3.21