[Dovecot] proxy: get rid of redundant log-informations
Hi
login_log_format_elements = user=<%u> method=%m rip=%r %k
is it possible to get rid of the "proxy(test@testserver.rhsoft.net): started proxying to 127.0.0.1:143: " part because on a proxy-only server i know that and it is explicitly not listed in "login_log_format_elements"
as well as for the "TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA" it would be enough "TLSv1 DHE-RSA-CAMELLIA256-SHA"
the reason is simple:
- all needed information is present
- smaller logfiles
- nicer "tail -f" on the syslog without breaks
Aug 14 16:31:46 testserver dovecot: imap-login: proxy(test@testserver.rhsoft.net): started proxying to 127.0.0.1:143: user=<test@testserver.rhsoft.net>, method=CRAM-MD5, rip=91.118.73.99, TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
On 14.08.2013 16:37, Reindl Harald wrote:
> Hi
> login_log_format_elements = user=<%u> method=%m rip=%r %k
> is it possible to get rid of the "proxy(test@testserver.rhsoft.net): started proxying to 127.0.0.1:143: " part because on a proxy-only server i know that and it is explicitly not listed in "login_log_format_elements"
> as well as for the "TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA" it would be enough "TLSv1 DHE-RSA-CAMELLIA256-SHA"
> the reason is simple:
> - all needed information is present
> - smaller logfiles
> - nicer "tail -f" on the syslog without breaks
> Aug 14 16:31:46 testserver dovecot: imap-login: proxy(test@testserver.rhsoft.net): started proxying to 127.0.0.1:143: user=<test@testserver.rhsoft.net>, method=CRAM-MD5, rip=91.118.73.99, TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
got it
login_log_format_elements = user=<%u> method=%m rip=%r %k
login_log_format = %s
On 14.08.2013 17:12, Reindl Harald wrote:
>> is it possible to get rid of the "proxy(test@testserver.rhsoft.net): started proxying to 127.0.0.1:143: " part because on a proxy-only server i know that and it is explicitly not listed in "login_log_format_elements"
> got it
> login_log_format_elements = user=<%u> method=%m rip=%r %k
> login_log_format = %s
which introduces the problem that POP3 is double-logged, i guess ":msg, contains, "): disconnecting" ~" in rsyslog.conf no longer takes effect
Aug 14 22:54:37 mail dovecot: pop3-login: user=<user@example.com>, method=PLAIN, rip=80.120.xx.xx
Aug 14 22:54:37 mail dovecot: pop3-login: user=<user@example.com>, method=PLAIN, rip=80.120.xx.xx
given that "example.com" has 60 addresses which are checked by an Exchange connector every 3 minutes you can calculate the logsize by 2400 loglines per hour which could be 1200 without disconnect log
is there an option or would it not make sense in case "login_log_format = %s" skip the second line in default (non-debug) logging, most are hardly interested in how long a POP3 user took to receive his mails, the more interesting is how often, from which IPs and how much failed logins from where
thanks!
On 14.8.2013, at 17.37, Reindl Harald <h.reindl@thelounge.net> wrote:
> login_log_format_elements = user=<%u> method=%m rip=%r %k
> is it possible to get rid of the "proxy(test@testserver.rhsoft.net): started proxying to 127.0.0.1:143: " part because on a proxy-only server i know that and it is explicitly not listed in "login_log_format_elements"
Different people want different things logged. I think if I started adding settings to control those from Dovecot configuration it would quickly become a horribly complex mess. An alternative could be to send logging through a more configurable log process. Like perhaps a simple perl log proxy where you can do whatever you want using regexps and such.. This is already possible if someone just writes such a log proxy, although it would be a bit annoying as it would have to implement Dovecot's internal master service protocols. A somewhat easier way would be if Dovecot's log process supported a filtering service, similar to how the mail-filter plugin works for emails. Then you could use whatever scripting language you want to implement the filters and if the filter breaks or is too slow, the log process could just drop it and continue logging without filtering.
The main problem I see with such a generic log filter is that it operates on a full log line string. Maybe for your use case it would be enough, but people have wanted other things as well where such a filter could be helpful, like logging things to SQL database. But there it would be useful to have some kind of key=value pairs of data, like username=foo mailbox=bar without having to parse it from the text, which could be difficult to do 100% correctly. So maybe some day Dovecot's whole logging system could be redesigned to support that as well.
Anyway, all of this is something that I don't see myself having time to implement anytime soon.
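The difficulty described in the message above, recovering key=value data from a full log line, shown as an added example (not code from the thread participants or from Dovecot): a parser for the login lines quoted in this thread that strips the proxy prefix, shortens the TLS element, and flags lines it cannot split unambiguously. The sample lines are constructed from the quoted log output, and the function names and the ", " element separator are assumptions based on that output.

```python
import re

# Constructed sample lines, modelled on the log lines quoted in this thread.
SAMPLE = [
    "Aug 14 16:31:46 testserver dovecot: imap-login: "
    "proxy(test@testserver.rhsoft.net): started proxying to 127.0.0.1:143: "
    "user=<test@testserver.rhsoft.net>, method=CRAM-MD5, rip=91.118.73.99, "
    "TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)",
    "Aug 14 22:54:37 mail dovecot: pop3-login: "
    "user=<user@example.com>, method=PLAIN, rip=80.120.xx.xx",
    # A value that contains the ", " separator cannot be split reliably.
    "Aug 14 22:54:38 mail dovecot: pop3-login: "
    "user=<smith, john>, method=PLAIN, rip=80.120.xx.xx",
]

SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ dovecot: (?P<service>[\w-]+): (?P<msg>.*)$")
PROXY = re.compile(r"^proxy\([^)]*\): started proxying to \S+: ")
TLS = re.compile(r"^(?P<tls>\S+) with cipher (?P<cipher>\S+)(?: \(\d+/\d+ bits\))?$")
KV = re.compile(r"^(?P<key>\w+)=(?P<value>.*)$")

def parse_login_line(line):
    """Turn one syslog line into a dict of login elements, or None."""
    m = SYSLOG.match(line)
    if m is None:
        return None
    msg, stripped = PROXY.subn("", m["msg"])
    rec = {"service": m["service"], "proxied": stripped > 0, "ambiguous": False}
    for element in msg.split(", "):
        tls, kv = TLS.match(element), KV.match(element)
        if tls:
            rec.update(tls.groupdict())
        elif kv and kv["key"] not in rec:
            rec[kv["key"]] = kv["value"].strip("<>")
        else:
            rec["ambiguous"] = True  # stray text or a repeated key
    return rec

def compact(rec):
    """Render the shorter one-line form asked for in the thread."""
    parts = [f"{key}={rec[key]}" for key in ("user", "method", "rip") if key in rec]
    if "cipher" in rec:
        parts.append(f"{rec['tls']} {rec['cipher']}")
    return f"{rec['service']}: " + ", ".join(parts)

if __name__ == "__main__":
    for sample_line in SAMPLE:
        parsed = parse_login_line(sample_line)
        print(compact(parsed), "(ambiguous)" if parsed["ambiguous"] else "")
```

Records marked ambiguous are better kept in their original form than rewritten, since the split fields may not be what the server actually logged.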
On 21.09.2013 23:37, Timo Sirainen wrote:
> On 14.8.2013, at 17.37, Reindl Harald <h.reindl@thelounge.net> wrote:
>> login_log_format_elements = user=<%u> method=%m rip=%r %k
>> is it possible to get rid of the "proxy(test@testserver.rhsoft.net): started proxying to 127.0.0.1:143: " part because on a proxy-only server i know that and it is explicitly not listed in "login_log_format_elements"
> Different people want different things logged. I think if I started adding settings to control those from Dovecot configuration it would quickly become a horribly complex mess
not really, take a look again at both
login_log_format_elements = user=<%u> %r %m %c
login_log_format = %$: %s
in fact i would only need "login_log_format = %s" but in case of failed logins and dictionary attacks with unknown users "%u" is empty - if %u would *always* contain the used loginname, whether it was successful or not i would have any needed information without the duplication
On 22.09.2013 00:07, Reindl Harald wrote:
> On 21.09.2013 23:37, Timo Sirainen wrote:
>> On 14.8.2013, at 17.37, Reindl Harald <h.reindl@thelounge.net> wrote:
>>> login_log_format_elements = user=<%u> method=%m rip=%r %k
>>> is it possible to get rid of the "proxy(test@testserver.rhsoft.net): started proxying to 127.0.0.1:143: " part because on a proxy-only server i know that and it is explicitly not listed in "login_log_format_elements"
>> Different people want different things logged. I think if I started adding settings to control those from Dovecot configuration it would quickly become a horribly complex mess
> not really, take a look again at both
> login_log_format_elements = user=<%u> %r %m %c
> login_log_format = %$: %s
> in fact i would only need "login_log_format = %s" but in case of failed logins and dictionary attacks with unknown users "%u" is empty - if %u would *always* contain the used loginname, whether it was successful or not i would have any needed information without the duplication
errata - the problem maybe was in case of failed logins you see no difference without %$ compared to a successful login
login_log_format_elements = status=%status <%u> %r %m %c
login_log_format = %s
would perfectly solve this while %status or whatever placeholder would be failed / success
On 22.09.2013 00:18, Reindl Harald wrote:
> On 22.09.2013 00:07, Reindl Harald wrote:
>> On 21.09.2013 23:37, Timo Sirainen wrote:
>>> Different people want different things logged. I think if I started adding settings to control those from Dovecot configuration it would quickly become a horribly complex mess
>> in fact i would only need "login_log_format = %s" but in case of failed logins and dictionary attacks with unknown users "%u" is empty - if %u would *always* contain the used loginname, whether it was successful or not i would have any needed information without the duplication
> errata - the problem maybe was in case of failed logins you see no difference without %$ compared to a successful login
> login_log_format_elements = status=%status <%u> %r %m %c
> login_log_format = %s
> would perfectly solve this while %status or whatever placeholder would be failed / success
sorry for the spam and not put it in one reply
login_log_format_elements = %status <%u> %r %m %c %cipher
login_log_format = %s
Sep 21 18:39:47 localhost dovecot: imap-login: OK, <rhsoft@test.rh>, 192.168.2.2, CRAM-MD5, DHE-RSA-CAMELLIA256-SHA
"TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA" for %k leads to linebreaks in "tail -f" which makes it hard to follow while the proposed above contains any needed information and fits on a 27" screen in a single line, in case of unencrypted %cipher would be simply suppressed
cat maillog | grep imap | grep "OK, "
cat maillog | grep imap | grep "failed, "
cat maillog | grep pop3 | grep "OK, "
cat maillog | grep pop3 | grep "failed, "
On 22.9.2013, at 1.29, Reindl Harald <h.reindl@thelounge.net> wrote:
> in fact i would only need "login_log_format = %s" but in case of failed logins and dictionary attacks with unknown users "%u" is empty - if %u would *always* contain the used loginname, whether it was successful or not i would have any needed information without the duplication
%u always has username as long as client sent it.
> errata - the problem maybe was in case of failed logins you see no difference without %$ compared to a successful login
> login_log_format_elements = status=%status <%u> %r %m %c
> login_log_format = %s
> would perfectly solve this while %status or whatever placeholder would be failed / success
> sorry for the spam and not put it in one reply
> login_log_format_elements = %status <%u> %r %m %c %cipher
> login_log_format = %s
> Sep 21 18:39:47 localhost dovecot: imap-login: OK, <rhsoft@test.rh>, 192.168.2.2, CRAM-MD5, DHE-RSA-CAMELLIA256-SHA
> "TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA" for %k leads to linebreaks in "tail -f" which makes it hard to follow while the proposed above contains any needed information and fits on a 27" screen in a single line, in case of unencrypted %cipher would be simply suppressed
> cat maillog | grep imap | grep "OK, "
> cat maillog | grep imap | grep "failed, "
> cat maillog | grep pop3 | grep "OK, "
> cat maillog | grep pop3 | grep "failed, "
%$ is the status, so you're asking for another status variable. Something like in the attached patch, where you can replace %$ with %{login_status}?
On 22.09.2013 02:20, Timo Sirainen wrote:
> On 22.9.2013, at 1.29, Reindl Harald <h.reindl@thelounge.net> wrote:
>> login_log_format_elements = %status <%u> %r %m %c %cipher
>> login_log_format = %s
>> Sep 21 18:39:47 localhost dovecot: imap-login: OK, <rhsoft@test.rh>, 192.168.2.2, CRAM-MD5, DHE-RSA-CAMELLIA256-SHA
>> "TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA" for %k leads to linebreaks in "tail -f" which makes it hard to follow while the proposed above contains any needed information and fits on a 27" screen in a single line, in case of unencrypted %cipher would be simply suppressed
>> cat maillog | grep imap | grep "OK, "
>> cat maillog | grep imap | grep "failed, "
>> cat maillog | grep pop3 | grep "OK, "
>> cat maillog | grep pop3 | grep "failed, "
> %$ is the status, so you're asking for another status variable. Something like in the attached patch, where you can replace %$ with %{login_status}?
*exactly* that's it - many thanks!
%{login_status} -> ab[2].value = client->login_success ? "OK" : "Failed";
in case of deeper debugging one can always set "%$" temporarily
when we can get rid of "TLSv1 with cipher" and only have the cipher the log would become really tiny and easy to follow without too much linebreaking - not to forget the logsize in case of a lot of POP3 users every few minutes
Hi
On 22.09.2013 03:13, Reindl Harald wrote:
> On 22.09.2013 02:20, Timo Sirainen wrote:
>> %$ is the status, so you're asking for another status variable. Something like in the attached patch, where you can replace %$ with %{login_status}?
> *exactly* that's it - many thanks!
> %{login_status} -> ab[2].value = client->login_success ? "OK" : "Failed";
> in case of deeper debugging one can always set "%$" temporarily
> when we can get rid of "TLSv1 with cipher" and only have the cipher the log would become really tiny and easy to follow without too much linebreaking - not to forget the logsize in case of a lot of POP3 users every few minutes
nearly perfect
2.2.6 with the patch:
Sep 25 12:22:26 testserver dovecot: pop3-login: OK: pop3@testserver.rhsoft.net, 91.118.73.100, DIGEST-MD5, TLSv1 with cipher RC4-SHA (128/128 bits)
Sep 25 12:22:26 testserver dovecot: pop3-login: OK: pop3@testserver.rhsoft.net, 91.118.73.100, DIGEST-MD5, TLSv1 with cipher RC4-SHA (128/128 bits)
my dream:
Sep 25 12:22:26 testserver dovecot: pop3-login: OK: pop3@testserver.rhsoft.net, 91.118.73.100, DIGEST-MD5, RC4-SHA (128/128 bits)
Sep 25 12:22:26 testserver dovecot: pop3-login: OK (disconnecting): pop3@testserver.rhsoft.net, 91.118.73.100, DIGEST-MD5, RC4-SHA (128/128 bits)
would allow rsyslog to skip the disconnect lines in case of OK and shorten the cipher output
:msg, contains, "OK (disconnecting)" ~