logwatch reporting

Birta Levente blevi.linux at gmail.com
Fri Nov 21 17:27:46 UTC 2014


On 21/11/2014 16:31, Robert Moskowitz wrote:
>
> On 11/21/2014 09:01 AM, Birta Levente wrote:
>> On 21/11/2014 15:48, Robert Moskowitz wrote:
>>>
>>> On 11/21/2014 04:13 AM, Tamsy wrote:
>>>> Robert Moskowitz wrote on 20.11.2014 20:41:
>>>>> I just launched a new mailserver that is using dovecot.  My 
>>>>> previous mailserver used courier-mail.  I am expecting better 
>>>>> things with this new server, but I was used to some login 
>>>>> information in logwatch that I am not seeing now. For example I 
>>>>> would get:
>>>>>
>>>>>
>>>>>
>>>>>  [IMAPd] Logout stats:
>>>>>  ====================
>>>>>                                     User | Logouts | Downloaded | Mbox Size
>>>>>  --------------------------------------- | ------- | ---------- | ----------
>>>>>                    user1 at htt-consult.com  |      55 |     219571 |          0
>>>>>                    user2 at htt-consult.com  |     285 |     221681 |          0
>>>>>               user3 at labs.htt-consult.com  |      32 |      15183 |          0
>>>>>  ---------------------------------------------------------------------------
>>>>>                                                372 |     456435 |          0
>>>>>
>>>>>
>>>>>
>>>>>  **Unmatched Entries**
>>>>>     Disconnected, ip=[::ffff:107.150.52.84], time=1, starttls=1: 2 Time(s)
>>>>>
>>>>>  ---------------------- IMAP End -------------------------
>>>>>
>>>>>
>>>>> --------------------- POP-3 Begin ------------------------
>>>>>
>>>>>
>>>>>  [POP3] Logout stats (in MB):
>>>>>  ============================
>>>>>                                     User | Logouts | Downloaded | Mbox Size
>>>>>  --------------------------------------- | ------- | ---------- | ----------
>>>>>                    user1 at htt-consult.com  |      78 |       5.96 |          0
>>>>>                    user2 at communaljob.com  |     215 |       9.24 |          0
>>>>>                    user3 at htt-consult.com  |       1 |       7.47 |          0
>>>>>                    user4 at htt-consult.com  |       1 |       2.34 |          0
>>>>>                    user5 at htt-consult.com  |     301 |      31.08 |          0
>>>>>               user6 at labs.htt-consult.com  |     201 |       4.98 |          0
>>>>>  ---------------------------------------------------------------------------
>>>>>                                                797 |      61.06 |       0.00
>>>>>
>>>>>
>>>>>
>>>>>  **Unmatched Entries**
>>>>>     Disconnected, ip=[::ffff:107.150.52.84]: 2 Time(s)
>>>>>     Disconnected, ip=[::ffff:12.159.43.147]: 50 Time(s)
>>>>>     Disconnected, ip=[::ffff:172.245.45.20]: 61 Time(s)
>>>>>     LOGIN FAILED, user=Alfredo, ip=[::ffff:172.245.45.20]: 1 Time(s)
>>>>>     LOGIN FAILED, user=Antonio, ip=[::ffff:172.245.45.20]: 2 Time(s)
>>>>>     LOGIN FAILED, user=postmaster, ip=[::ffff:172.245.45.20]: 7 Time(s)
>>>>> ....
>>>>>     LOGIN FAILED, user=webmaster, ip=[::ffff:172.245.45.20]: 7 Time(s)
>>>>>     LOGIN FAILED, user=www, ip=[::ffff:172.245.45.20]: 4 Time(s)
>>>>>     Maximum connection limit reached for ::ffff:172.245.45.20: 509 Time(s)
>>>>>
>>>>>  ---------------------- POP-3 End -------------------------
>>>>>
>>>>>
>>>>> Whereas dovecot is only reporting:
>>>>>
>>>>> --------------------- Dovecot Begin ------------------------
>>>>>
>>>>>
>>>>>
>>>>>  Dovecot disconnects:
>>>>>     Inactivity: 1 Time(s)
>>>>>     Logged out: 379 Time(s)
>>>>>     no auth attempts: 5 Time(s)
>>>>>     no reason: 1 Time(s)
>>>>>     tried to use disabled plaintext auth: 1 Time(s)
>>>>>
>>>>>  **Unmatched Entries**
>>>>>     dovecot: dict: mysql: Connected to localhost (postfix): 351 Time(s)
>>>>>
>>>>>  ---------------------- Dovecot End -------------------------
>>>>>
>>>>>
>>>>> How can I get more detailed user activity reporting to logwatch?
>>>>>
>>>>> And why is connection to mysql under Unmatched Entries?
>>>>
>>>>
>>>>
>>>> What version of Logwatch is installed on the server and on which 
>>>> distro?
>>>> We are using Logwatch here too and the summary for Dovecot is very 
>>>> detailed; even more detailed compared to what you got with 
>>>> courier-mail.
>>>>
>>> I am running Redsleeve 6 which is a port of Centos 6 to ARM. Its 
>>> logwatch is:
>>>
>>> logwatch-7.3.6-52.el6.noarch
>>>
>>> Oh, and dovecot is:
>>>
>>> dovecot-2.0.9-7.el6.armv5tel
>>
>
> Thanks for this pointer but...
>
>> There are Detail and *OnlyService parameters in logwatch's 
>> dovecot.conf (in centos by default 
>> /usr/share/logwatch/default.conf/services/dovecot.conf)
>
> No detail parameter in mine which seems rather old:
>
> # $Log: dovecot.conf,v $
> # Revision 1.3  2006/08/13 21:05:03  bjorn
> # Changed OnlyService to include dovecot for compatibility with Dovecot 1.0
> # based on patches by Mark Nienberg; modification by Patrick Vande Walle.
>
>
> *OnlyService = (imap-login|pop3-login|dovecot)
>
> What would I add to that?

OnlyService refers to the log prefix or service name in your maillog.
If you need a more detailed report, just add to the mentioned config file:
Detail=10 # 10 is the maximum detail

But to me it looks like you have no imap or pop logins nor deliveries in 
the logfile at all.
Can you confirm having something like this in your maillog?
Oct 28 08:36:34 srv2 dovecot: imap-login: Login: user=<xxxxxx at yyyyyy.com>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.1, mpid=11188, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

What is your dovecot version?

     Levi
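
The check asked for in this reply (are there any `imap-login`/`pop3-login` `Login:` lines in the maillog at all?) can be scripted; the following is an added example, not part of the original post and not logwatch's own code. The function name `summarize`, the sample lines, the `Disconnected (reason)` layout and the use of the bare `TLS` field as the encryption marker are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not from a real server). The Login line follows the
# layout quoted in the post; the "Disconnected (reason)" layout is an assumption.
SAMPLE_MAILLOG = """\
Oct 28 08:36:34 srv2 dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.1, mpid=11188, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Oct 28 08:37:02 srv2 dovecot: pop3-login: Login: user=<bob@example.com>, method=PLAIN, rip=192.168.1.3, lip=192.168.1.1, mpid=11190
Oct 28 08:37:40 srv2 dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.1, mpid=11201, TLS
Oct 28 08:38:11 srv2 dovecot: imap-login: Disconnected (no auth attempts): rip=203.0.113.9, lip=192.168.1.1
Oct 28 08:38:15 srv2 dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=203.0.113.9, lip=192.168.1.1
Oct 28 08:39:00 srv2 postfix/smtpd[2211]: connect from unknown[203.0.113.9]
"""

# Same login services as *OnlyService = (imap-login|pop3-login|dovecot).
PREFIX = re.compile(r" dovecot: (?P<svc>imap-login|pop3-login): (?P<msg>.*)$")
LOGIN = re.compile(r"Login: user=<(?P<user>[^>]*)>")
DISCONNECT = re.compile(r"Disconnected \((?P<reason>[^)]*)\): .*?rip=(?P<rip>[^,\s]+)")


def summarize(text):
    """Tally logins per (service, user) and pre-auth disconnects per (reason, rip)."""
    logins, no_tls, disconnects = Counter(), Counter(), Counter()
    for line in text.splitlines():
        pre = PREFIX.search(line)
        if not pre:
            continue  # not written by a Dovecot login process
        svc, msg = pre["svc"], pre["msg"]
        login = LOGIN.match(msg)
        if login:
            key = (svc, login["user"])
            logins[key] += 1
            if "TLS" not in msg.split(", "):
                no_tls[key] += 1  # login line carries no TLS field
            continue
        disc = DISCONNECT.match(msg)
        if disc:
            disconnects[(disc["reason"], disc["rip"])] += 1
    return logins, no_tls, disconnects


if __name__ == "__main__":
    logins, no_tls, disconnects = summarize(SAMPLE_MAILLOG)
    if not logins:
        print("no Login: lines found, so there is nothing per-user to report")
    for (svc, user), n in sorted(logins.items()):
        print(f"{svc:11} {user:20} logins={n} without_tls={no_tls[(svc, user)]}")
    for (reason, rip), n in sorted(disconnects.items()):
        print(f"disconnected ({reason}) from {rip}: {n}")
```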





