split auth from other logging
Is there a way to split the auth logging (logins and failed logins) from the other logging that goes to info_log_path = /var/log/dovecot/dovecot.log ? This log gets a lot of other info as well, most notably the lmtp notifications about every filed mail (with no level stamping, btw). This makes it really hard to find authentication errors quickly and comfortably. It would be nice to be able to split at least the lmtp messages away.
Kai
Hi,
yesterday I had something similar.
I would like to skip the login & logout lines from being logged.
This is something I found, but did not get it working, as I had no time fiddling with the rsyslog config yet:
https://serverfault.com/questions/253418/force-dovecot-not-to-log-connect-disconnect-messages
-M
On 26.09.2018 at 09:21, Kai Schaetzl <maillists@conactive.com> wrote:
> Is there a way to split the auth logging (logins and failed logins) from the other logging that goes to info_log_path = /var/log/dovecot/dovecot.log ? This log gets a lot of other info as well, most notably the lmtp notifications about every filed mail (with no level stamping, btw). This makes it really hard to find authentication errors quickly and comfortably. It would be nice to be able to split at least the lmtp messages away.
> Kai
I hoped I don't have to switch to syslog logging. Well, anyway.
I changed 10-logging.conf: syslog_facility = uucp and commented out the other log lines.
rsyslog.d/50-default.conf:
uucp.debug -/var/log/dovecot/debug.log
uucp.info -/var/log/dovecot/dovecot.log
uucp.warn -/var/log/dovecot/warn.log
uucp.err -/var/log/dovecot/error.log
uucp.crit -/var/log/warn.log
No fancy redirects with rsyslog yet, plain logging by facility and level.
But it logs only to /var/log/syslog. As if dovecot sets another facility. I've used uucp in the past with success (not with rsyslog, but with syslog). AFAIK, uucp still exists as a facility in rsyslog. Shouldn't the above work?
(Yes, I restarted both daemons.)
Kai
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
On 26.09.2018 at 12:43, Kai Schaetzl <maillists@conactive.com> wrote:
> I hoped I don't have to switch to syslog logging. Well, anyway.
> I changed 10-logging.conf: syslog_facility = uucp and commented out the other log lines.
> rsyslog.d/50-default.conf:
> uucp.debug -/var/log/dovecot/debug.log
> uucp.info -/var/log/dovecot/dovecot.log
> uucp.warn -/var/log/dovecot/warn.log
> uucp.err -/var/log/dovecot/error.log
> uucp.crit -/var/log/warn.log
> No fancy redirects with rsyslog yet, plain logging by facility and level.
> But it logs only to /var/log/syslog. As if dovecot sets another facility. I've used uucp in the past with success (not with rsyslog, but with syslog). AFAIK, uucp still exists as a facility in rsyslog. Shouldn't the above work?
> (Yes, I restarted both daemons.)
> Kai
I'm not going to log dovecot to mail, that creates only the same mixup as before, even worse, now postfix and dovecot mixed. I had to stop/start (force-reload would also work) rsyslogd to pick up the changed config. A restart doesn't change the config as with other daemons. Now I can filter lmtp out.
Kai
-- Get your web at Conactive Internet Services: http://www.conactive.com
Kai Schaetzl wrote on Wed, 26 Sep 2018 12:43:28 +0200:
> But it logs only to /var/log/syslog
It seems that "service rsyslog restart" doesn't correctly restart rsyslogd. You have to stop and start it. Then it picks up the changed config.
Kai
This works for splitting off lmtp traffic, for instance.
syslog_facility = uucp
rsyslog:
:msg, contains, "lmtp(" -/var/log/dovecot/lmtp.log
& stop
uucp.=debug -/var/log/dovecot/debug.log
uucp.=info -/var/log/dovecot/dovecot.log
uucp.=warn -/var/log/dovecot/warn.log
uucp.=err -/var/log/dovecot/error.log
uucp.=crit -/var/log/warn.log
plus: auth,authpriv,cron,daemon,mail,uucp,news.none -/var/log/syslog (whatever you don't want to see in syslog)
Kai
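The difference between the first attempt's `uucp.info` selectors and the working `uucp.=info` selectors with `& stop`, modelled as an added example (not part of the thread and not rsyslog's own code). It shows what each rule set does once rsyslog has actually loaded it; the sample messages are constructed, and the tuple layout and function names are assumptions of this sketch.

```python
# Added model of rsyslog rule evaluation (not rsyslog code, not from the thread).
SEVERITY = {"crit": 2, "err": 3, "warn": 4, "info": 6, "debug": 7}  # lower = worse
LEVEL_FILES = [("debug", "/var/log/dovecot/debug.log"),
               ("info", "/var/log/dovecot/dovecot.log"),
               ("warn", "/var/log/dovecot/warn.log"),
               ("err", "/var/log/dovecot/error.log"),
               ("crit", "/var/log/warn.log")]

def level_rules(op):
    """Build (kind, match, target, stop) rules; op is '' or '=' as in uucp.=info."""
    return [("selector", f"uucp.{op}{lvl}", path, False) for lvl, path in LEVEL_FILES]

# Rules from the first attempt and from the final working configuration.
FIRST_ATTEMPT = level_rules("")
FINAL = [("msg_contains", "lmtp(", "/var/log/dovecot/lmtp.log", True)] + level_rules("=")

def selector_hit(selector, facility, severity):
    fac, prio = selector.split(".", 1)
    level, sev = SEVERITY[prio.lstrip("=")], SEVERITY[severity]
    # 'fac.prio' matches that severity or worse; 'fac.=prio' matches it exactly.
    return fac == facility and (sev == level if prio.startswith("=") else sev <= level)

def route(rules, facility, severity, msg):
    """Return the files one message lands in, evaluating rules top to bottom."""
    files = []
    for kind, match, target, stop in rules:
        hit = match in msg if kind == "msg_contains" else selector_hit(match, facility, severity)
        if hit:
            files.append(target)
            if stop:  # '& stop' on the next line: later rules never see the message
                break
    return files

# Constructed sample messages in the general shape of Dovecot syslog output.
AUTH_FAIL = "imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, rip=192.0.2.10"
LMTP = "lmtp(alice@example.org): msgid=<1@example.org>: saved mail to INBOX"
ERROR = "auth: Error: constructed error-level line"

if __name__ == "__main__":
    for name, rules in (("first attempt", FIRST_ATTEMPT), ("final", FINAL)):
        for sev, msg in (("info", AUTH_FAIL), ("info", LMTP), ("err", ERROR)):
            print(f"{name:13} {sev:4} {msg[:20]:20} -> {route(rules, 'uucp', sev, msg)}")
```

With the plain selectors an error-level line is copied into four files, while the `=` form keeps one level per file and the lmtp rule keeps delivery notices out of the file that holds the login failures.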
I forgot to mention that you have to change owner for the /var/log/dovecot directory before rsyslog can log.
Kai
This is great, thank you!!
-M
On 26.09.2018 at 15:53, Kai Schaetzl <maillists@conactive.com> wrote:
> This works for splitting off lmtp traffic, for instance.
> syslog_facility = uucp
> rsyslog:
> :msg, contains, "lmtp(" -/var/log/dovecot/lmtp.log
> & stop
> uucp.=debug -/var/log/dovecot/debug.log
> uucp.=info -/var/log/dovecot/dovecot.log
> uucp.=warn -/var/log/dovecot/warn.log
> uucp.=err -/var/log/dovecot/error.log
> uucp.=crit -/var/log/warn.log
> plus: auth,authpriv,cron,daemon,mail,uucp,news.none -/var/log/syslog (whatever you don't want to see in syslog)
> Kai
For later versions of 2.3.x, it will eventually be possible to use log filtering to accomplish this entirely within Dovecot. We are not quite there yet though.
michael
On September 26, 2018 at 1:21 AM Kai Schaetzl <maillists@conactive.com> wrote:
> Is there a way to split the auth logging (logins and failed logins) from the other logging that goes to info_log_path = /var/log/dovecot/dovecot.log ? This log gets a lot of other info as well, most notably the lmtp notifications about every filed mail (with no level stamping, btw). This makes it really hard to find authentication errors quickly and comfortably. It would be nice to be able to split at least the lmtp messages away.
> Kai
participants (4)
- Admin
- admin@awib.it
- Kai Schaetzl
- Michael Slusarz