logwatch reporting
Robert Moskowitz
rgm at htt-consult.com
Fri Nov 21 14:31:17 UTC 2014
On 11/21/2014 09:01 AM, Birta Levente wrote:
> On 21/11/2014 15:48, Robert Moskowitz wrote:
>>
>> On 11/21/2014 04:13 AM, Tamsy wrote:
>>> Robert Moskowitz wrote on 20.11.2014 20:41:
>>>> I just launched a new mailserver that is using dovecot. My
>>>> previous mailserver used courier-mail. I am expecting better
>>>> things with this new server, but I was used to some login
>>>> information in logwatch that I am not seeing now. For example I
>>>> would get:
>>>>
>>>>
>>>>
>>>> [IMAPd] Logout stats:
>>>> ====================
>>>> User                                    | Logouts | Downloaded | Mbox Size
>>>> --------------------------------------- | ------- | ---------- | ----------
>>>> user1 at htt-consult.com                 |      55 |     219571 |          0
>>>> user2 at htt-consult.com                 |     285 |     221681 |          0
>>>> user3 at labs.htt-consult.com            |      32 |      15183 |          0
>>>> ---------------------------------------------------------------------------
>>>>                                               372 |     456435 |          0
>>>>
>>>>
>>>>
>>>> **Unmatched Entries**
>>>> Disconnected, ip=[::ffff:107.150.52.84], time=1, starttls=1: 2 Time(s)
>>>>
>>>> ---------------------- IMAP End -------------------------
>>>>
>>>>
>>>> --------------------- POP-3 Begin ------------------------
>>>>
>>>>
>>>> [POP3] Logout stats (in MB):
>>>> ============================
>>>> User                                    | Logouts | Downloaded | Mbox Size
>>>> --------------------------------------- | ------- | ---------- | ----------
>>>> user1 at htt-consult.com                 |      78 |       5.96 |          0
>>>> user2 at communaljob.com                |     215 |       9.24 |          0
>>>> user3 at htt-consult.com                 |       1 |       7.47 |          0
>>>> user4 at htt-consult.com                 |       1 |       2.34 |          0
>>>> user5 at htt-consult.com                 |     301 |      31.08 |          0
>>>> user6 at labs.htt-consult.com            |     201 |       4.98 |          0
>>>> ---------------------------------------------------------------------------
>>>>                                               797 |      61.06 |       0.00
>>>>
>>>>
>>>>
>>>> **Unmatched Entries**
>>>> Disconnected, ip=[::ffff:107.150.52.84]: 2 Time(s)
>>>> Disconnected, ip=[::ffff:12.159.43.147]: 50 Time(s)
>>>> Disconnected, ip=[::ffff:172.245.45.20]: 61 Time(s)
>>>> LOGIN FAILED, user=Alfredo, ip=[::ffff:172.245.45.20]: 1 Time(s)
>>>> LOGIN FAILED, user=Antonio, ip=[::ffff:172.245.45.20]: 2 Time(s)
>>>> LOGIN FAILED, user=postmaster, ip=[::ffff:172.245.45.20]: 7 Time(s)
>>>> ....
>>>> LOGIN FAILED, user=webmaster, ip=[::ffff:172.245.45.20]: 7 Time(s)
>>>> LOGIN FAILED, user=www, ip=[::ffff:172.245.45.20]: 4 Time(s)
>>>> Maximum connection limit reached for ::ffff:172.245.45.20: 509 Time(s)
>>>>
>>>> ---------------------- POP-3 End -------------------------
>>>>
>>>>
>>>> Whereas dovecot is only reporting:
>>>>
>>>> --------------------- Dovecot Begin ------------------------
>>>>
>>>>
>>>>
>>>> Dovecot disconnects:
>>>> Inactivity: 1 Time(s)
>>>> Logged out: 379 Time(s)
>>>> no auth attempts: 5 Time(s)
>>>> no reason: 1 Time(s)
>>>> tried to use disabled plaintext auth: 1 Time(s)
>>>>
>>>> **Unmatched Entries**
>>>> dovecot: dict: mysql: Connected to localhost (postfix): 351 Time(s)
>>>>
>>>> ---------------------- Dovecot End -------------------------
>>>>
>>>>
>>>> How can I get more detailed user activity reporting to logwatch?
>>>>
>>>> And why is connection to mysql under Unmatched Entries?
>>>
>>>
>>>
>>> What version of Logwatch is installed on the server and on which
>>> distro?
>>> We are using Logwatch here too and the summary for Dovecot is very
>>> detailed; even more detailed compared to what you got with
>>> courier-mail.
>>>
>> I am running Redsleeve 6 which is a port of Centos 6 to ARM. Its
>> logwatch is:
>>
>> logwatch-7.3.6-52.el6.noarch
>>
>> Oh, and dovecot is:
>>
>> dovecot-2.0.9-7.el6.armv5tel
>
Thanks for this pointer but...

> There is Detail and *OnlyService parameters in logwatch's dovecot.conf
> (in centos by default
> /usr/share/logwatch/default.conf/services/dovecot.conf)

No detail parameter in mine, which seems rather old:

# $Log: dovecot.conf,v $
# Revision 1.3 2006/08/13 21:05:03 bjorn
# Changed OnlyService to include dovecot for compatibility with Dovecot 1.0
# based on patches by Mark Nienberg; modification by Patrick Vande Walle.
*OnlyService = (imap-login|pop3-login|dovecot)

What would I add to that?

> Probably you can override these parameters in
> /etc/logwatch/conf/services ... but I personally never used this.
> Look at the meaning of these parameters ... maybe this is the problem
>
>

Where do I look for their meaning? My Google searching is coming up empty.
thanks
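
The per-user login counts and the failed-login summary that the courier-mail report showed can be rebuilt directly from dovecot's login log lines. The script below is an added example, not part of the original message and not logwatch or dovecot code; the sample lines are constructed in the shape dovecot 2.x normally logs, and the function names sample_log and summarize are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines (not from the thread), in the usual dovecot 2.x syslog shape.
sample_log() {
cat <<'EOF'
Nov 21 03:10:01 mail dovecot: pop3-login: Login: user=<user1@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=2101, TLS
Nov 21 03:12:40 mail dovecot: imap-login: Login: user=<user1@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=2107, TLS
Nov 21 03:15:02 mail dovecot: imap-login: Login: user=<user2@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=2110, TLS
Nov 21 04:00:11 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<postmaster>, method=PLAIN, rip=203.0.113.20, lip=192.0.2.1
Nov 21 04:00:19 mail dovecot: pop3-login: Aborted login (auth failed, 3 attempts): user=<postmaster>, method=PLAIN, rip=203.0.113.20, lip=192.0.2.1
Nov 21 04:00:25 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<webmaster>, method=PLAIN, rip=203.0.113.20, lip=192.0.2.1
Nov 21 04:00:31 mail dovecot: imap-login: Disconnected (no auth attempts): rip=203.0.113.20, lip=192.0.2.1
Nov 21 04:01:00 mail dovecot: dict: mysql: Connected to localhost (postfix)
EOF
}

# Read dovecot log lines on stdin and print, sorted:
#   LOGIN  <user> <successful logins>
#   FAILED <user> <remote ip> <failed auth attempts>
summarize() {
  awk '
    # Return the text matched by re with its first "skip" characters dropped.
    function field(re, skip) {
      if (!match($0, re)) return ""
      return substr($0, RSTART + skip, RLENGTH - skip)
    }
    / dovecot: (imap|pop3)-login: / {
      user = field("user=<[^>]*", 6); if (user == "") user = "-"
      rip  = field("rip=[^, ]+", 4);  if (rip == "")  rip = "-"
      if ($0 ~ /-login: Login: /) {
        ok[user]++
      } else if ($0 ~ /auth failed/) {
        n = field("auth failed, [0-9]+", 13)   # attempts reported on this line
        bad[user " " rip] += (n == "" ? 1 : n)
      }
    }
    END {
      for (u in ok)  print "LOGIN", u, ok[u]
      for (k in bad) print "FAILED", k, bad[k]
    }' | LC_ALL=C sort
}

sample_log | summarize
```

On a live server the same function reads the mail log on stdin; the path /var/log/maillog is an assumption based on the CentOS default and may differ on other systems.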