Aggregating auth/proxy events
28 Oct 2024, 11:27 p.m.
Hi, I'm working on aggregating event logs and trying to correlate all related events using session IDs. However, I’m struggling with some events as they're missing the session ID.
- proxy_session_* events lack a session ID field, making it difficult to pair them with auth_request_* events.
- When using Dovecot as SASL for Postfix with a UNIX listener, both auth_request_* and auth_passdb_request_* events are missing the session ID too.
Example of the fields object for auth_request_finished when using smtp. It's missing multiple common fields, but session ID is, imho, the most important one. https://doc.dovecot.org/2.3/admin_manual/list_of_events/#id1
    categories: [ "auth", "service:auth" ]
    "fields": {
        "translated_user": "alex",
        "mechanism": "LOGIN",
        "real_remote_ip": "X.X.X.X",
        "user": "alex",
        "transport": "insecure",
        "local_ip": "X.X.X.X",
        "remote_ip": "X.X.X.X",
        "real_local_ip": "X.X.X.X",
        "policy_result": "ok",
        "service": "smtp",
        "duration": 96764,
        "original_user": "alex"
    },
Would it be possible to add session ID fields to these logs? Alternatively, is there another method to correlate all the session related logs?
Thanks, Matus
Dovecot v. 2.3.21
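
An added example, not part of the original post: a small audit that groups exported events by session ID and counts, per event name and service, the ones that cannot be correlated because the field is absent. It assumes one JSON object per line with an `event` name key and a `session` field inside `fields`; the sample lines are constructed.

```python
import json
from collections import defaultdict

SESSION_FIELD = "session"  # assumption: name of the session ID field in "fields"

# Constructed sample events (not real logs), one JSON object per line.
SAMPLE = """\
{"event": "auth_request_finished", "categories": ["auth", "service:auth"], "fields": {"user": "alex", "service": "imap", "session": "S1"}}
{"event": "auth_passdb_request_finished", "categories": ["auth"], "fields": {"user": "alex", "service": "imap", "session": "S1"}}
{"event": "auth_request_finished", "categories": ["auth", "service:auth"], "fields": {"user": "alex", "service": "smtp", "mechanism": "LOGIN"}}
{"event": "proxy_session_finished", "categories": ["proxy"], "fields": {"user": "alex"}}
not-json garbage line
"""


def audit(lines):
    """Return (events grouped by session ID, orphan counts, malformed line count)."""
    by_session = defaultdict(list)
    orphans = defaultdict(int)  # (event name, service) -> events without a session ID
    malformed = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        fields = ev.get("fields") if isinstance(ev, dict) else None
        if not isinstance(fields, dict):
            malformed += 1
            continue
        name = ev.get("event", "?")
        sid = fields.get(SESSION_FIELD)
        if sid:  # present and non-empty: the event can be correlated
            by_session[sid].append(name)
        else:    # missing or empty: record which event/service lacks it
            orphans[(name, fields.get("service", "-"))] += 1
    return dict(by_session), dict(orphans), malformed


if __name__ == "__main__":
    sessions, orphans, malformed = audit(SAMPLE.splitlines())
    for sid, names in sessions.items():
        print(f"session {sid}: {names}")
    for (name, service), count in sorted(orphans.items()):
        print(f"no session ID: {name} (service={service}) x{count}")
    print(f"malformed lines: {malformed}")
```
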