logwatch reporting
Robert Moskowitz
rgm at htt-consult.com
Fri Nov 21 17:53:11 UTC 2014
On 11/21/2014 12:27 PM, Birta Levente wrote:
>
> On 21/11/2014 16:31, Robert Moskowitz wrote:
>>
>> On 11/21/2014 09:01 AM, Birta Levente wrote:
>>> On 21/11/2014 15:48, Robert Moskowitz wrote:
>>>>
>>>> On 11/21/2014 04:13 AM, Tamsy wrote:
>>>>> Robert Moskowitz wrote on 20.11.2014 20:41:
>>>>>> I just launched a new mailserver that is using dovecot. My
>>>>>> previous mailserver used courier-mail. I am expecting better
>>>>>> things with this new server, but I was used to some login
>>>>>> information in logwatch that I am not seeing now. For example I
>>>>>> would get:
>>>>>>
>>>>>>
>>>>>>
>>>>>> [IMAPd] Logout stats:
>>>>>> ====================
>>>>>> User                                    | Logouts | Downloaded | Mbox Size
>>>>>> --------------------------------------- | ------- | ---------- | ----------
>>>>>> user1 at htt-consult.com                | 55      | 219571     | 0
>>>>>> user2 at htt-consult.com                | 285     | 221681     | 0
>>>>>> user3 at labs.htt-consult.com           | 32      | 15183      | 0
>>>>>> ---------------------------------------------------------------------------
>>>>>>                                         | 372     | 456435     | 0
>>>>>>
>>>>>>
>>>>>>
>>>>>> **Unmatched Entries**
>>>>>> Disconnected, ip=[::ffff:107.150.52.84], time=1, starttls=1: 2 Time(s)
>>>>>>
>>>>>> ---------------------- IMAP End -------------------------
>>>>>>
>>>>>>
>>>>>> --------------------- POP-3 Begin ------------------------
>>>>>>
>>>>>>
>>>>>> [POP3] Logout stats (in MB):
>>>>>> ============================
>>>>>> User                                    | Logouts | Downloaded | Mbox Size
>>>>>> --------------------------------------- | ------- | ---------- | ----------
>>>>>> user1 at htt-consult.com                | 78      | 5.96       | 0
>>>>>> user2 at communaljob.com                | 215     | 9.24       | 0
>>>>>> user3 at htt-consult.com                | 1       | 7.47       | 0
>>>>>> user4 at htt-consult.com                | 1       | 2.34       | 0
>>>>>> user5 at htt-consult.com                | 301     | 31.08      | 0
>>>>>> user6 at labs.htt-consult.com           | 201     | 4.98       | 0
>>>>>> ---------------------------------------------------------------------------
>>>>>>                                         | 797     | 61.06      | 0.00
>>>>>>
>>>>>>
>>>>>>
>>>>>> **Unmatched Entries**
>>>>>> Disconnected, ip=[::ffff:107.150.52.84]: 2 Time(s)
>>>>>> Disconnected, ip=[::ffff:12.159.43.147]: 50 Time(s)
>>>>>> Disconnected, ip=[::ffff:172.245.45.20]: 61 Time(s)
>>>>>> LOGIN FAILED, user=Alfredo, ip=[::ffff:172.245.45.20]: 1 Time(s)
>>>>>> LOGIN FAILED, user=Antonio, ip=[::ffff:172.245.45.20]: 2 Time(s)
>>>>>> LOGIN FAILED, user=postmaster, ip=[::ffff:172.245.45.20]: 7 Time(s)
>>>>>> ....
>>>>>> LOGIN FAILED, user=webmaster, ip=[::ffff:172.245.45.20]: 7 Time(s)
>>>>>> LOGIN FAILED, user=www, ip=[::ffff:172.245.45.20]: 4 Time(s)
>>>>>> Maximum connection limit reached for ::ffff:172.245.45.20: 509 Time(s)
>>>>>>
>>>>>> ---------------------- POP-3 End -------------------------
>>>>>>
>>>>>>
>>>>>> Whereas dovecot is only reporting:
>>>>>>
>>>>>> --------------------- Dovecot Begin ------------------------
>>>>>>
>>>>>>
>>>>>>
>>>>>> Dovecot disconnects:
>>>>>> Inactivity: 1 Time(s)
>>>>>> Logged out: 379 Time(s)
>>>>>> no auth attempts: 5 Time(s)
>>>>>> no reason: 1 Time(s)
>>>>>> tried to use disabled plaintext auth: 1 Time(s)
>>>>>>
>>>>>> **Unmatched Entries**
>>>>>> dovecot: dict: mysql: Connected to localhost (postfix): 351 Time(s)
>>>>>>
>>>>>> ---------------------- Dovecot End -------------------------
>>>>>>
>>>>>>
>>>>>> How can I get more detailed user activity reporting to logwatch?
>>>>>>
>>>>>> And why is connection to mysql under Unmatched Entries?
>>>>>
>>>>>
>>>>>
>>>>> What version of Logwatch is installed on the server and on which
>>>>> distro?
>>>>> We are using Logwatch here too and the summary for Dovecot is very
>>>>> detailed; even more detailed compared to what you got with
>>>>> courier-mail.
>>>>>
>>>> I am running RedSleeve 6, which is a port of CentOS 6 to ARM. Its
>>>> logwatch is:
>>>>
>>>> logwatch-7.3.6-52.el6.noarch
>>>>
>>>> Oh, and dovecot is:
>>>>
>>>> dovecot-2.0.9-7.el6.armv5tel
>>>
>>
>> Thanks for this pointer but...
>>
>>> There are Detail and *OnlyService parameters in logwatch's
>>> dovecot.conf (in CentOS by default
>>> /usr/share/logwatch/default.conf/services/dovecot.conf)
>>
>> No detail parameter in mine which seems rather old:
>>
>> # $Log: dovecot.conf,v $
>> # Revision 1.3 2006/08/13 21:05:03 bjorn
>> # Changed OnlyService to include dovecot for compatibility with Dovecot 1.0
>> # based on patches by Mark Nienberg; modification by Patrick Vande Walle.
>>
>>
>> *OnlyService = (imap-login|pop3-login|dovecot)
>>
>> What would I add to that?
>
> OnlyService refers to the log prefix or service name in your maillog.
> If you need a more detailed report, just add to the mentioned config file:
> Detail=10 # 10 is the maximum detail

Will make this change shortly.

>
> But to me it looks like you have no imap or pop logins or deliveries in
> the logfile at all.
> Can you confirm having lines like this in your maillog?
> Oct 28 08:36:34 srv2 dovecot: imap-login: Login: user=<xxxxxx at yyyyyy.com>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.1, mpid=11188, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

Oh, they are there e.g.:

Nov 21 12:44:24 z9m9z dovecot: pop3-login: Login: user=<rgm at labs.htt-consult.com>, method=PLAIN, rip=208.83.67.157, lip=208.83.67.180, mpid=23260, TLS
Nov 21 12:45:20 z9m9z dovecot: pop3-login: Login: user=<rgm at htt-consult.com>, method=PLAIN, rip=208.83.67.157, lip=208.83.67.180, mpid=23277, TLS
Nov 21 11:35:22 z9m9z dovecot: imap-login: Login: user=<rgm-ietf at htt-consult.com>, method=PLAIN, rip=208.83.67.157, lip=208.83.67.180, mpid=22322, TLS
Nov 21 11:37:29 z9m9z dovecot: imap-login: Login: user=<rgm-ietf at htt-consult.com>, method=PLAIN, rip=208.83.67.157, lip=208.83.67.180, mpid=22365, TLS

rgm-ietf is the first I have switched to imap, and I did make one small
error that I will have to correct.

>
> What is your dovecot version?
dovecot-2.0.9-7.el6.armv5tel
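
The per-user login view asked about in this thread can also be built straight from the maillog, independent of which logwatch script is installed. The following is an added example, not part of the original message and not logwatch's own code; it assumes the `imap-login`/`pop3-login` line format quoted above, and the sample lines (including the `Disconnected (auth failed, N attempts)` form) are constructed with placeholder users and addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (placeholder users, documentation addresses).
SAMPLE_LOG = """\
Nov 21 11:35:22 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=22322, TLS
Nov 21 11:37:29 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=22365, TLS
Nov 21 12:44:24 mail dovecot: pop3-login: Login: user=<bob@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=23260
Nov 21 12:50:01 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<postmaster>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1
Nov 21 12:50:05 mail dovecot: pop3-login: Disconnected (no auth attempts): rip=203.0.113.9, lip=192.0.2.1
Nov 21 12:51:00 mail dovecot: dict: mysql: Connected to localhost (postfix)
"""

# Service prefix, event text up to the next colon, then the key=value tail.
LINE = re.compile(r"dovecot: (?P<svc>imap|pop3)-login: (?P<event>[^:]+): (?P<rest>.*)$")
FIELD = re.compile(r"(\w+)=<?([^,>]+)>?")
ATTEMPTS = re.compile(r"auth failed, (\d+) attempts")

def summarize(text):
    """Return (logins, no_tls, failed, unmatched) for a maillog excerpt."""
    logins = defaultdict(Counter)   # user -> {"imap": n, "pop3": n}
    no_tls = Counter()              # user -> successful logins without TLS
    failed = Counter()              # (rip, user) -> failed auth attempts
    unmatched = []                  # lines no login-service pattern covers
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            unmatched.append(line)
            continue
        fields = dict(FIELD.findall(m["rest"]))
        if m["event"] == "Login":
            logins[fields["user"]][m["svc"]] += 1
            # Dovecot appends a bare "TLS" token when the session is encrypted.
            if "TLS" not in m["rest"].split(", "):
                no_tls[fields["user"]] += 1
        else:
            attempts = ATTEMPTS.search(m["event"])
            if attempts:
                failed[(fields.get("rip"), fields.get("user"))] += int(attempts[1])
    return logins, no_tls, failed, unmatched

if __name__ == "__main__":
    logins, no_tls, failed, unmatched = summarize(SAMPLE_LOG)
    for user, svc in sorted(logins.items()):
        print(f"{user:30} imap={svc['imap']:<4} pop3={svc['pop3']:<4} no-TLS={no_tls[user]}")
    for (rip, user), n in failed.most_common():
        print(f"FAILED rip={rip} user={user}: {n} attempt(s)")
    print(f"unmatched: {len(unmatched)} line(s)")
```

The `dict: mysql` line lands in `unmatched` here for the same reason it shows under "Unmatched Entries" in the report: no login-service pattern covers it.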