[Dovecot] logfile consistency
We do some routine logfile (syslog) gathering and analysis. I've been looking at extending this to parse the syslog output of dovecot. Hmmm...
Ignoring the leading 'date hostname' prefix, some sample lines are:
dovecot: imap-login: Login: user=<uuuuuu>, method=PLAIN, rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
dovecot: IMAP(uuuuuu): Disconnected: Logged out
dovecot: IMAP(uuuuuu): Disconnected in IDLE
dovecot: imap-login: Aborted login: rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
dovecot: pop3-login: Login: user=<uuuuuu>, method=PLAIN, rip=dd.dd.dd.dd1, lip=dd.dd.dd.dd
dovecot: POP3(uuuuuu): Disconnected: Logged out top=0/0, retr=0/0, del=0/8, size=194970
dovecot: pop3-login: Aborted login: rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
deliver(uuuuuu): msgid=014089712.74355909944644@thhebat.net: saved mail to INBOX
I've obfuscated some of the local detail: uuuuuuu represents a username/identifier; dd.dd.dd.dd represents an IP address.
Would it be possible, please, to consider improving the consistency of the logging information?
For instance:
- All lines, including the "deliver", to begin "dovecot:";
- The "IMAP(uuuu): Disconnected" to become "imap: disconnected user=<uuuu>";
Overall this would make it more consistently amenable to perl-like pattern processing, at least with a reasonably hierarchical structure to the messages. Perhaps something like:
dovecot: subprogram: event, key1=value1, key2=value2 ...
where: "subprogram" is "{imap,pop,deliver,...}"; "event" is "{login,disconnected, ...}"; and one of the "key=value" will usually be "user=<uuuu>".
That would really make post-processing of logging information (whether offline, or 'live' via piped syslog) considerably easier.
Thanks.
--
:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:  UNIX Team Leader                         Durham University     :
:                                           South Road            :
:  http://www.dur.ac.uk/t.d.lee/            Durham DH1 3LE        :
:  Phone: +44 191 334 2752                  U.K.                  :
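An added example, not part of the original post and not Dovecot code: a small Python normaliser that needs one pattern per line shape listed in the message above and re-emits each line in the proposed "dovecot: subprogram: event, key=value" form. The function names and the keys "reason" and "mailbox" are assumptions made for illustration.

```python
import re

# Constructed sample input: the obfuscated lines quoted in the post above.
SAMPLES = [
    "dovecot: imap-login: Login: user=<uuuuuu>, method=PLAIN, rip=dd.dd.dd.dd, lip=dd.dd.dd.dd",
    "dovecot: IMAP(uuuuuu): Disconnected in IDLE",
    "dovecot: pop3-login: Aborted login: rip=dd.dd.dd.dd, lip=dd.dd.dd.dd",
    "dovecot: POP3(uuuuuu): Disconnected: Logged out top=0/0, retr=0/0, del=0/8, size=194970",
    "deliver(uuuuuu): msgid=014089712.74355909944644@thhebat.net: saved mail to INBOX",
]

# One anchored pattern per line shape seen in the post (used with fullmatch).
LOGIN = re.compile(r"dovecot: (imap|pop3)-login: (Login|Aborted login): (.*)")
SESSION = re.compile(r"dovecot: (IMAP|POP3)\(([^)]*)\): Disconnected:? ?(.*)")
DELIVER = re.compile(r"deliver\(([^)]*)\): msgid=(\S+): saved mail to (.*)")
KV = re.compile(r"(\w+)=(?:<([^>]*)>|([^,\s]+))")


def kv_pairs(text):
    """Collect key=value and key=<value> pairs in order of appearance."""
    return {k: a or c for k, a, c in KV.findall(text)}


def parse(line):
    """Return (subprogram, event, fields), or None if no pattern fits."""
    if m := LOGIN.fullmatch(line):
        return m[1], m[2].lower(), kv_pairs(m[3])
    if m := SESSION.fullmatch(line):
        fields = {"user": m[2], "reason": KV.sub("", m[3]).strip(" ,")}
        fields.update(kv_pairs(m[3]))
        return m[1].lower(), "disconnected", fields
    if m := DELIVER.fullmatch(line):
        return "deliver", "saved", {"user": m[1], "msgid": m[2], "mailbox": m[3]}
    return None


def normalise(line):
    """Re-emit a line in the proposed 'dovecot: subprogram: event, k=v' form."""
    parsed = parse(line)
    if parsed is None:
        return None  # caller should count these rather than drop them silently
    sub, event, fields = parsed
    pairs = [f"{k}=<{v}>" if k == "user" else f"{k}={v}" for k, v in fields.items()]
    return ", ".join([f"dovecot: {sub}: {event}"] + pairs)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalise(sample))
```

Lines that fit none of the three patterns come back as None, so an analysis job can report how many it could not classify.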
David Lee wrote:
We do some routine logfile (syslog) gathering and analysis. I've been looking at extending this to parse the syslog output of dovecot. Hmmm...
...
For instance:
- All lines, including the "deliver", to begin "dovecot:";
- The "IMAP(uuuu): Disconnected" to become "imap: disconnected user=<uuuu>";
...
Overall this would make it more consistently amenable to perl-like pattern processing, at least with a reasonably hierarchical structure to the messages. Perhaps something like:
dovecot: subprogram: event, key1=value1, key2=value2 ...
where: "subprogram" is "{imap,pop,deliver,...}"; "event" is "{login,disconnected, ...}"; and one of the "key=value" will usually be "user=<uuuu>".
Or perhaps similar to postfix, like dovecot/deliver[pid]:
That would really make post-processing of logging information (whether offline, or 'live' via piped syslog) considerably easier.
I strongly agree. I've written some nice graphing (rrdtool) scripts and they would have been much simpler with a standard syslog format. Though really, it's not that big of a deal.
On 19:52:38 2007-04-03 David Jonas djonas@vitalwerks.com wrote:
David Lee wrote:
We do some routine logfile (syslog) gathering and analysis. I've been looking at extending this to parse the syslog output of dovecot. Hmmm...
...
For instance:
- All lines, including the "deliver", to begin "dovecot:";
- The "IMAP(uuuu): Disconnected" to become "imap: disconnected user=<uuuu>";
...
Overall this would make it more consistently amenable to perl-like pattern processing, at least with a reasonably hierarchical structure to the messages. Perhaps something like:
dovecot: subprogram: event, key1=value1, key2=value2 ...
where: "subprogram" is "{imap,pop,deliver,...}"; "event" is "{login,disconnected, ...}"; and one of the "key=value" will usually be "user=<uuuu>".
I actually prefer the separate deliver and dovecot setup as it means I can log to separate files... But I guess the above mentioned would still work for me...
participants (4)
- "Andraž 'ruskie' Levstik"
- David Jonas
- David Lee
- Francisco Reyes