On 10/21/2018 8:23 AM, André Rodier wrote:
I am using Zabbix to monitor my Dovecot server, and my logs are filled with lines like this:
Oct 21 15:04:46 osaka dovecot[1256]: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<bWd0nr14SuF/AAAB> Oct 21 15:05:29 osaka dovecot[1256]: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<MlAGob147Jd/AAAB>
How can I disable logging these actions from 127.0.0.1?
Presumably you are concerned not so much with having these lines in the logfile, as you are with your monitoring software seeing them and generating alarms because they are reported to syslog as errors. If I'm wrong about that, then the rest of this message probably won't apply.
Monitoring software that reports errors in logfiles should have the ability to specify messages to ignore. Often this is done with regex. Since you mentioned Zabbix, I'm betting it's that software that generates the reports you would like to stop. It looks like it does have the ability to use a regex to filter logs.
https://www.zabbix.com/documentation/4.0/manual/config/items/itemtypes/log_i...
This regex ought to do the trick and not filter out other error messages (like login failures) that occur on localhost. Hopefully it gets preserved on one line, not mangled by my mail client:
dovecot.*(imap|pop3)-login: Aborted .*rip=127\.0\.0\.\d+, lip=127\.0\.0\.\d+,
The "\d+" notation generally only works if the software is using PCRE - Perl Compatible Regular Expressions. It does look like Zabbix is using PCRE, so if it's Zabbix we're talking about, that regex should be OK. Possible replacements for \d+ if it doesn't work:
[0-9]+ [0-9]*
Thanks, Shawn