Should dovecot not be using different severity levels like auth.warn? On
my system everything goes to loglevel info:
My thinking has been:
* Panic: There's a bug that needs fixing
* Fatal: Somewhat stronger error
* Error: Something's broken or misconfigured - admin should fix something
* Warning: Something seems to be at least temporarily broken, like maybe some limit was reached because the system was overloaded. Admin may need to do something or possibly just wait. Either way, these should be looked into.
* Info: Events that admin doesn't necessarily need to look at, except while debugging or for gathering stats or something
* Debug: Only when really debugging
lev_info:Aug 9 16:18:24 mail03 dovecot: imap-login: Aborted login (auth
failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x,
lip=x.x.x.x, TLS, session=<UBXJ2K+PYh68zmjw>
lev_info:Aug 9 16:18:29 mail03 dovecot: auth-worker(28656):
pam(krinfo,188.206.104.240,<LOLx2K+PYx68zmjw>): unknown user
These are regular events that happen all the time due to brute force attacks and such. I don't know why you'd want to see them as warnings?