logwatch reporting
Birta Levente
blevi.linux at gmail.com
Fri Nov 21 14:01:46 UTC 2014
On 21/11/2014 15:48, Robert Moskowitz wrote:
>
> On 11/21/2014 04:13 AM, Tamsy wrote:
>> Robert Moskowitz wrote on 20.11.2014 20:41:
>>> I just launched a new mailserver that is using dovecot. My previous
>>> mailserver used courier-mail. I am expecting better things with
>>> this new server, but I was used to some login information in logwatch
>>> that I am not seeing now. For example I would get:
>>>
>>>
>>>
>>> [IMAPd] Logout stats:
>>> ====================
>>> User | Logouts | Downloaded | Mbox Size
>>> --------------------------------------- | ------- | ---------- | ----------
>>> user1 at htt-consult.com | 55 | 219571 | 0
>>> user2 at htt-consult.com | 285 | 221681 | 0
>>> user3 at labs.htt-consult.com | 32 | 15183 | 0
>>> ---------------------------------------------------------------------------
>>>
>>> 372 | 456435 | 0
>>>
>>>
>>>
>>> **Unmatched Entries**
>>> Disconnected, ip=[::ffff:107.150.52.84], time=1, starttls=1: 2 Time(s)
>>>
>>> ---------------------- IMAP End -------------------------
>>>
>>>
>>> --------------------- POP-3 Begin ------------------------
>>>
>>>
>>> [POP3] Logout stats (in MB):
>>> ============================
>>> User | Logouts | Downloaded | Mbox Size
>>> --------------------------------------- | ------- | ---------- | ----------
>>> user1 at htt-consult.com | 78 | 5.96 | 0
>>> user2 at communaljob.com | 215 | 9.24 | 0
>>> user3 at htt-consult.com | 1 | 7.47 | 0
>>> user4 at htt-consult.com | 1 | 2.34 | 0
>>> user5 at htt-consult.com | 301 | 31.08 | 0
>>> user6 at labs.htt-consult.com | 201 | 4.98 | 0
>>> ---------------------------------------------------------------------------
>>>
>>> 797 | 61.06 | 0.00
>>>
>>>
>>>
>>> **Unmatched Entries**
>>> Disconnected, ip=[::ffff:107.150.52.84]: 2 Time(s)
>>> Disconnected, ip=[::ffff:12.159.43.147]: 50 Time(s)
>>> Disconnected, ip=[::ffff:172.245.45.20]: 61 Time(s)
>>> LOGIN FAILED, user=Alfredo, ip=[::ffff:172.245.45.20]: 1 Time(s)
>>> LOGIN FAILED, user=Antonio, ip=[::ffff:172.245.45.20]: 2 Time(s)
>>> LOGIN FAILED, user=postmaster, ip=[::ffff:172.245.45.20]: 7 Time(s)
>>> ....
>>> LOGIN FAILED, user=webmaster, ip=[::ffff:172.245.45.20]: 7 Time(s)
>>> LOGIN FAILED, user=www, ip=[::ffff:172.245.45.20]: 4 Time(s)
>>> Maximum connection limit reached for ::ffff:172.245.45.20: 509 Time(s)
>>>
>>> ---------------------- POP-3 End -------------------------
>>>
>>>
>>> Whereas dovecot is only reporting:
>>>
>>> --------------------- Dovecot Begin ------------------------
>>>
>>>
>>>
>>> Dovecot disconnects:
>>> Inactivity: 1 Time(s)
>>> Logged out: 379 Time(s)
>>> no auth attempts: 5 Time(s)
>>> no reason: 1 Time(s)
>>> tried to use disabled plaintext auth: 1 Time(s)
>>>
>>> **Unmatched Entries**
>>> dovecot: dict: mysql: Connected to localhost (postfix): 351 Time(s)
>>>
>>> ---------------------- Dovecot End -------------------------
>>>
>>>
>>> How can I get more detailed user activity reporting to logwatch?
>>>
>>> And why is connection to mysql under Unmatched Entries?
>>
>>
>>
>> What version of Logwatch is installed on the server and on which distro?
>> We are using Logwatch here too and the summary for Dovecot is very
>> detailed; even more detailed compared to what you got with courier-mail.
>>
> I am running Redsleeve 6, which is a port of CentOS 6 to ARM. Its
> logwatch is:
>
> logwatch-7.3.6-52.el6.noarch
>
> Oh, and dovecot is:
>
> dovecot-2.0.9-7.el6.armv5tel

There are Detail and *OnlyService parameters in logwatch's dovecot.conf
(in CentOS by default
/usr/share/logwatch/default.conf/services/dovecot.conf).
Probably you can override these parameters in
/etc/logwatch/conf/services ... but I personally never used this.
Look at the meaning of these parameters ... maybe this is the problem.
--
Levi
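
An added example, not part of the original message and not logwatch's own code: a small Python tally of per-user logouts and failed logins per source IP, similar to the Courier report quoted above. The log lines are constructed and assume the Dovecot 2.0 default logout formats (`bytes=in/out` for IMAP, `retr=count/bytes` for POP3) and its "auth failed" wording; the name `summarize` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines, modeled on Dovecot 2.0 syslog output (assumed format).
SAMPLE_LOG = """\
Nov 21 10:00:01 mail dovecot: imap-login: Login: user=<user1@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=4101, TLS
Nov 21 10:00:09 mail dovecot: imap(user1@example.com): Disconnected: Logged out bytes=312/20480
Nov 21 10:01:12 mail dovecot: pop3-login: Login: user=<user2@example.com>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1, mpid=4107, TLS
Nov 21 10:01:13 mail dovecot: pop3(user2@example.com): Disconnected: Logged out top=0/0, retr=2/9120, del=0/14, size=481220
Nov 21 10:02:40 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<postmaster>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Nov 21 10:02:44 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<webmaster>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Nov 21 10:03:00 mail dovecot: imap-login: Disconnected (no auth attempts): rip=203.0.113.5, lip=192.0.2.1
Nov 21 10:04:30 mail dovecot: imap(user1@example.com): Disconnected: Logged out bytes=90/1024
"""

LOGOUT = re.compile(r"dovecot: (imap|pop3)\(([^)]+)\): Disconnected: Logged out (.*)$")
FAILED = re.compile(r"dovecot: (?:imap|pop3)-login: (?:Disconnected|Aborted login) "
                    r"\(auth failed, (\d+) attempts[^)]*\): user=<([^>]*)>.*?\brip=([0-9A-Fa-f:.]+)")

def summarize(lines):
    """Return (per-user logout stats, failed attempts per IP, usernames tried per IP)."""
    users, fail_ip, tried = {}, Counter(), {}
    for line in lines:
        m = LOGOUT.search(line)
        if m:
            proto, user, tail = m.groups()
            # IMAP logs bytes=in/out; POP3 logs retr=count/bytes. Take bytes sent to the client.
            sent = re.search(r"bytes=\d+/(\d+)" if proto == "imap" else r"retr=\d+/(\d+)", tail)
            stat = users.setdefault(user, {"logouts": 0, "downloaded": 0})
            stat["logouts"] += 1
            stat["downloaded"] += int(sent.group(1)) if sent else 0
            continue
        m = FAILED.search(line)
        if m:
            attempts, user, rip = m.groups()
            fail_ip[rip] += int(attempts)          # Dovecot reports attempts per connection
            tried.setdefault(rip, set()).add(user)  # distinct usernames guessed from this IP
    return users, fail_ip, tried

if __name__ == "__main__":
    users, fail_ip, tried = summarize(SAMPLE_LOG.splitlines())
    for user, s in sorted(users.items()):
        print(f"{user:<30} | {s['logouts']:>7} | {s['downloaded']:>10}")
    for rip, n in fail_ip.most_common():
        print(f"LOGIN FAILED from {rip}: {n} attempt(s), users={sorted(tried[rip])}")
```

Connections that close without any authentication attempt are deliberately left out of the failed-login count.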