Disable logging for localhost
Hello Everyone,
I am using Zabbix to monitor my Dovecot server, and my logs are filled with lines like this:
Oct 21 15:04:46 osaka dovecot[1256]: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<bWd0nr14SuF/AAAB> Oct 21 15:05:29 osaka dovecot[1256]: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<MlAGob147Jd/AAAB>
How can I disable logging these actions from 127.0.0.1?
Thanks, André
On 10/21/2018 8:23 AM, André Rodier wrote:
I am using Zabbix to monitor my Dovecot server, and my logs are filled with lines like this:
Oct 21 15:04:46 osaka dovecot[1256]: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<bWd0nr14SuF/AAAB> Oct 21 15:05:29 osaka dovecot[1256]: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<MlAGob147Jd/AAAB>
How can I disable logging these actions from 127.0.0.1?
Presumably you are concerned not so much with having these lines in the logfile, as you are with your monitoring software seeing them and generating alarms because they are reported to syslog as errors. If I'm wrong about that, then the rest of this message probably won't apply.
Monitoring software that reports errors in logfiles should have the ability to specify messages to ignore. Often this is done with regex. Since you mentioned Zabbix, I'm betting it's that software that generates the reports you would like to stop. It looks like it does have the ability to use a regex to filter logs.
https://www.zabbix.com/documentation/4.0/manual/config/items/itemtypes/log_i...
This regex ought to do the trick and not filter out other error messages (like login failures) that occur on localhost. Hopefully it gets preserved on one line, not mangled by my mail client:
dovecot.*(imap|pop3)-login: Aborted .*rip=127\.0\.0\.\d+, lip=127\.0\.0\.\d+,
The "\d+" notation generally only works if the software is using PCRE - Perl Compatible Regular Expressions. It does look like Zabbix is using PCRE, so if it's Zabbix we're talking about, that regex should be OK. Possible replacements for \d+ if it doesn't work:
[0-9]+ [0-9]*
Thanks, Shawn
On 2018-10-22 12:16, Shawn Heisey wrote:
On 10/21/2018 8:23 AM, André Rodier wrote:
I am using Zabbix to monitor my Dovecot server, and my logs are filled with lines like this:
Oct 21 15:04:46 osaka dovecot[1256]: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<bWd0nr14SuF/AAAB> Oct 21 15:05:29 osaka dovecot[1256]: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<MlAGob147Jd/AAAB>
How can I disable logging these actions from 127.0.0.1?
Presumably you are concerned not so much with having these lines in the logfile, as you are with your monitoring software seeing them and generating alarms because they are reported to syslog as errors. If I'm wrong about that, then the rest of this message probably won't apply.
Monitoring software that reports errors in logfiles should have the ability to specify messages to ignore. Often this is done with regex. Since you mentioned Zabbix, I'm betting it's that software that generates the reports you would like to stop. It looks like it does have the ability to use a regex to filter logs.
https://www.zabbix.com/documentation/4.0/manual/config/items/itemtypes/log_i...
This regex ought to do the trick and not filter out other error messages (like login failures) that occur on localhost. Hopefully it gets preserved on one line, not mangled by my mail client:
dovecot.*(imap|pop3)-login: Aborted .*rip=127\.0\.0\.\d+, lip=127\.0\.0\.\d+,
The "\d+" notation generally only works if the software is using PCRE
- Perl Compatible Regular Expressions. It does look like Zabbix is using PCRE, so if it's Zabbix we're talking about, that regex should be OK. Possible replacements for \d+ if it doesn't work:
[0-9]+ [0-9]*
Thanks, Shawn
These lines are in the mail.log. I am not talking about Zabbix.
Zabbix generate a connection every second, on both Postfix and Dovecot.
I want these two services to not log connections when they are coming from 127.0.0.1, if possible.
Both journalctl (Systemd) and log files are spammed with these lines, and I would like to avoid dovecot logging them.
I should have made this clearer.
Kind regards, André
On 10/24/2018 4:46 AM, André Rodier wrote:
These lines are in the mail.log. I am not talking about Zabbix.
Zabbix generate a connection every second, on both Postfix and Dovecot.
I want these two services to not log connections when they are coming from 127.0.0.1, if possible.
Both journalctl (Systemd) and log files are spammed with these lines, and I would like to avoid dovecot logging them.
I should have made this clearer.
I'm aware that those lines are in mail.log.That's what a typical syslog setup does with them.
I suspect this is an XY problem.
https://home.apache.org/~hossman/#xyproblem
Why do you want to get rid of these log lines?
If Zabbix is connecting to your service ports once a second, that's VERY aggressive, and it sounds very much like overkill. I would expect a check every five minutes ... or maybe once a minute if specifically configured to be aggressive. The monitoring configuration should be adjusted so it's MUCH less frequent.
If we back up and try to figure out why these log lines bother you, I see two likely possibilities. 1) With the service being checked once a second, there's a LOT of log lines. As mentioned above, you should reduce the frequency of the service check. 2) You've got something looking at the logfile and sending you notifications for these lines. If that's the case, then the software should have the ability to filter the log so things that aren't problems will not result in notification.
Thanks, Shawn
participants (4)
-
@lbutlr
-
André Rodier
-
Ralph Seichter
-
Shawn Heisey