Use different log files
Hi,
I have a mailserver with dovecot logging to syslog (by default, to /var/log/maillog) and my MTA (postfix) is doing the same. I use dovecot's services imap/pop3, auth and lmtp, and now the log files are hard to read because I have the MTA and these services all together.
Is it possible to have different logs for different services?
Example:
auth logging: /var/log/mail.auth
delivery: /var/log/mail.delivery
and so on
Thank you
--
Cristiano Deana
Senior Network Engineer
Digital Response Team
CittaStudi S.p.a.
off. +39 015 855 1172
cell +39 328 310 6392
On 16.05.2022 at 11:58, Cristiano Deana wrote:
> Hi,
> I have a mailserver with dovecot logging to syslog (by default, to /var/log/maillog) and my MTA (postfix) is doing the same. I use dovecot's services imap/pop3, auth and lmtp, and now the log files are hard to read because I have the MTA and these services all together.
> Is it possible to have different logs for different services?
> Example:
> auth logging: /var/log/mail.auth
> delivery: /var/log/mail.delivery
> and so on
> Thank you
https://blog.sys4.de/xymon-dovecot-count-imap-pop3-logins-graph-central-rsys...
Use a filter in syslog, i.e.
/etc/rsyslog.d/50-default.conf
...
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
...
# dovecot
:programname, isequal, "dovecot" /var/log/dovecot.log
#pop3
:msg, contains, "pop3" /var/log/dovecot-pop3.log
#imap
:msg, contains, "imap" /var/log/dovecot-imap.log
...
And don't forget to configure logrotate too.
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
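An added example, not part of the post above and not taken from the rsyslog or dovecot documentation: the same split written as one rsyslog v8 RainerScript rule that checks the program name before the message text and stops processing afterwards, so the lines are not also written to the shared mail log. The file name 30-dovecot.conf and the message prefixes (auth:, auth-worker(, -login:, lmtp(, lda() are assumptions based on dovecot's usual line format; the target paths are the ones named in the thread.

```rsyslog
# /etc/rsyslog.d/30-dovecot.conf
# Hypothetical file name. It has to sort before the rule that writes mail.*
# to /var/log/maillog, otherwise "stop" below comes too late.

# Test the syslog tag first. A bare msg-contains-"imap" filter would also
# match postfix (or any other) lines that merely mention the word.
if $programname == 'dovecot' then {

    if $msg contains 'lmtp(' or $msg contains 'lda(' then {
        # Delivery agents: lmtp(user)<...> and lda(user)<...> lines.
        action(type="omfile" file="/var/log/mail.delivery"
               fileCreateMode="0640")

    } else if $msg contains 'auth:' or $msg contains 'auth-worker('
              or $msg contains '-login:' then {
        # Authentication backend plus imap-login/pop3-login records.
        # These lines carry user names and client IPs (user=, rip=),
        # so keep the file readable by root and the log group only.
        action(type="omfile" file="/var/log/mail.auth"
               fileCreateMode="0640")

    } else {
        # Everything else from dovecot: imap(user)/pop3(user) sessions,
        # master process messages, and so on.
        action(type="omfile" file="/var/log/dovecot.log"
               fileCreateMode="0640")
    }

    # Discard after writing: without this, every dovecot line is still
    # appended to /var/log/maillog by the default mail.* rule.
    stop
}
```

"contains" is a substring match, so check a day of real logs against these prefixes before relying on the split, and add the three new files to logrotate as the post says.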
Robert's answer is a valid approach pending the size of your server networks etc.
on another note (because i run multiple servers etc)
I run a common syslog file across all servers which is what you appear to have now.
from there i like everything in one syslog because i am usually looking for something relative to a user which can occur anywhere. (imap, smtp, pop3, ssl etc)
that being said i wrote bash scripts that do stuff like
grep -- "$1" /var/log/syslog.log
this allows everything from ALL servers going into one file for simplicity and then it gets separated out when you go looking for something.
note that syslog can be programmed to divert to other servers in syslog.conf
## cat /etc/syslog.conf
*.* /var/log/all.log
*.* @10.228.0.6
10.228.0.6 is my central internal syslog capture server and all of my servers, routers, devices etc point to that and i go from there.
if you are having auth issues etc between dovecot & postfix this will show you everything related to a user, ip address etc.
Again it's just a suggestion ... Logging is always relative to network setup more than anything else and situations vary easily.
I expanded this concept eventually into a database driven logger system in django, it is probably overkill for you but i am running 20+ servers and at the end of the day it was just easier to centralize it.
so
ssh 10.220.0.6 -q -tt /usr/home/syslog/log $1 $2 $3 $4 $5 $6 $7 $8 $9
or more specifically
log -t paul@hiscomputer.ca (-t was for today's date)
would give me all activity for my accounts
for example.
Happy Monday !!! Thanks - paul
Paul Kudla
Scom.ca Internet Services http://www.scom.ca 004-1009 Byron Street South Whitby, Ontario - Canada L1N 4S3
Toronto 416.642.7266 Main 1.866.411.7266 Fax 1.888.892.7266
participants (3)
- Cristiano Deana
- Paul Kudla (SCOM.CA Internet Services Inc.)
- Robert Schetterer