logwatch reporting

Robert Moskowitz rgm at htt-consult.com
Fri Nov 21 17:53:11 UTC 2014


On 11/21/2014 12:27 PM, Birta Levente wrote:
>
> On 21/11/2014 16:31, Robert Moskowitz wrote:
>>
>> On 11/21/2014 09:01 AM, Birta Levente wrote:
>>> On 21/11/2014 15:48, Robert Moskowitz wrote:
>>>>
>>>> On 11/21/2014 04:13 AM, Tamsy wrote:
>>>>> Robert Moskowitz wrote on 20.11.2014 20:41:
>>>>>> I just launched a new mailserver that is using dovecot.  My 
>>>>>> previous mailserver used courier-mail.  I am expecting better 
>>>>>> things with this new server, but I was used to some login 
>>>>>> information in logwatch that I am not seeing now. For example I 
>>>>>> would get:
>>>>>>
>>>>>>
>>>>>>
>>>>>>  [IMAPd] Logout stats:
>>>>>>  ====================
>>>>>>                                     User | Logouts | Downloaded | Mbox Size
>>>>>>  --------------------------------------- | ------- | ---------- | ----------
>>>>>>                 user1 at htt-consult.com |      55 |     219571 |          0
>>>>>>                 user2 at htt-consult.com |     285 |     221681 |          0
>>>>>>            user3 at labs.htt-consult.com |      32 |      15183 |          0
>>>>>>  ---------------------------------------------------------------------------
>>>>>>                                              372 |     456435 |          0
>>>>>>
>>>>>>
>>>>>>
>>>>>>  **Unmatched Entries**
>>>>>>     Disconnected, ip=[::ffff:107.150.52.84], time=1, starttls=1: 2 Time(s)
>>>>>>
>>>>>>  ---------------------- IMAP End -------------------------
>>>>>>
>>>>>>
>>>>>> --------------------- POP-3 Begin ------------------------
>>>>>>
>>>>>>
>>>>>>  [POP3] Logout stats (in MB):
>>>>>>  ============================
>>>>>>                                     User | Logouts | Downloaded | Mbox Size
>>>>>>  --------------------------------------- | ------- | ---------- | ----------
>>>>>>                 user1 at htt-consult.com |      78 |       5.96 |          0
>>>>>>                 user2 at communaljob.com |     215 |       9.24 |          0
>>>>>>                 user3 at htt-consult.com |       1 |       7.47 |          0
>>>>>>                 user4 at htt-consult.com |       1 |       2.34 |          0
>>>>>>                 user5 at htt-consult.com |     301 |      31.08 |          0
>>>>>>            user6 at labs.htt-consult.com |     201 |       4.98 |          0
>>>>>>  ---------------------------------------------------------------------------
>>>>>>                                              797 |      61.06 |       0.00
>>>>>>
>>>>>>
>>>>>>
>>>>>>  **Unmatched Entries**
>>>>>>     Disconnected, ip=[::ffff:107.150.52.84]: 2 Time(s)
>>>>>>     Disconnected, ip=[::ffff:12.159.43.147]: 50 Time(s)
>>>>>>     Disconnected, ip=[::ffff:172.245.45.20]: 61 Time(s)
>>>>>>     LOGIN FAILED, user=Alfredo, ip=[::ffff:172.245.45.20]: 1 Time(s)
>>>>>>     LOGIN FAILED, user=Antonio, ip=[::ffff:172.245.45.20]: 2 Time(s)
>>>>>>     LOGIN FAILED, user=postmaster, ip=[::ffff:172.245.45.20]: 7 Time(s)
>>>>>> ....
>>>>>>     LOGIN FAILED, user=webmaster, ip=[::ffff:172.245.45.20]: 7 Time(s)
>>>>>>     LOGIN FAILED, user=www, ip=[::ffff:172.245.45.20]: 4 Time(s)
>>>>>>     Maximum connection limit reached for ::ffff:172.245.45.20: 509 Time(s)
>>>>>>
>>>>>>  ---------------------- POP-3 End -------------------------
>>>>>>
>>>>>>
>>>>>> Whereas dovecot is only reporting:
>>>>>>
>>>>>> --------------------- Dovecot Begin ------------------------
>>>>>>
>>>>>>
>>>>>>
>>>>>>  Dovecot disconnects:
>>>>>>     Inactivity: 1 Time(s)
>>>>>>     Logged out: 379 Time(s)
>>>>>>     no auth attempts: 5 Time(s)
>>>>>>     no reason: 1 Time(s)
>>>>>>     tried to use disabled plaintext auth: 1 Time(s)
>>>>>>
>>>>>>  **Unmatched Entries**
>>>>>>     dovecot: dict: mysql: Connected to localhost (postfix): 351 Time(s)
>>>>>>
>>>>>>  ---------------------- Dovecot End -------------------------
>>>>>>
>>>>>>
>>>>>> How can I get more detailed user activity reporting to logwatch?
>>>>>>
>>>>>> And why is connection to mysql under Unmatched Entries?
>>>>>
>>>>>
>>>>>
>>>>> What version of Logwatch is installed on the server and on which 
>>>>> distro?
>>>>> We are using Logwatch here too and the summary for Dovecot is very 
>>>>> detailed; even more detailed compared to what you got with 
>>>>> courier-mail.
>>>>>
>>>> I am running Redsleeve 6 which is a port of CentOS 6 to ARM. Its 
>>>> logwatch is:
>>>>
>>>> logwatch-7.3.6-52.el6.noarch
>>>>
>>>> Oh, and dovecot is:
>>>>
>>>> dovecot-2.0.9-7.el6.armv5tel
>>>
>>
>> Thanks for this pointer but...
>>
>>> There are Detail and *OnlyService parameters in logwatch's 
>>> dovecot.conf (in CentOS by default 
>>> /usr/share/logwatch/default.conf/services/dovecot.conf)
>>
>> No detail parameter in mine which seems rather old:
>>
>> # $Log: dovecot.conf,v $
>> # Revision 1.3  2006/08/13 21:05:03  bjorn
>> # Changed OnlyService to include dovecot for compatibility with Dovecot 1.0
>> # based on patches by Mark Nienberg; modification by Patrick Vande Walle.
>>
>>
>> *OnlyService = (imap-login|pop3-login|dovecot)
>>
>> What would I add to that?
>
> OnlyService refers to the log prefix or service name in your maillog.
> If you need a more detailed report just add to the mentioned config file:
> Detail=10 # 10 is the maximum detail

Will make this change shortly.

>
> But to me it looks like you have no imap or pop logins nor deliveries in 
> the logfile at all.
> Can you confirm having lines like this in your maillog?
> Oct 28 08:36:34 srv2 dovecot: imap-login: Login: user=<xxxxxx at yyyyyy.com>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.1, mpid=11188, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

Oh, they are there e.g.:

Nov 21 12:44:24 z9m9z dovecot: pop3-login: Login: user=<rgm at labs.htt-consult.com>, method=PLAIN, rip=208.83.67.157, lip=208.83.67.180, mpid=23260, TLS
Nov 21 12:45:20 z9m9z dovecot: pop3-login: Login: user=<rgm at htt-consult.com>, method=PLAIN, rip=208.83.67.157, lip=208.83.67.180, mpid=23277, TLS
Nov 21 11:35:22 z9m9z dovecot: imap-login: Login: user=<rgm-ietf at htt-consult.com>, method=PLAIN, rip=208.83.67.157, lip=208.83.67.180, mpid=22322, TLS
Nov 21 11:37:29 z9m9z dovecot: imap-login: Login: user=<rgm-ietf at htt-consult.com>, method=PLAIN, rip=208.83.67.157, lip=208.83.67.180, mpid=22365, TLS

rgm-ietf is the first I have switched to imap, and I did make one small 
error that I will have to correct.

>
> What is your dovecot version?

dovecot-2.0.9-7.el6.armv5tel
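
Added example (not part of the original message and not logwatch's own code): a Python summarizer for the dovecot login lines quoted above, giving the per-user login counts and per-IP failed-attempt totals that the old courier report showed. The host name mx1, the addresses and the sample lines are constructed; the "auth failed, N attempts" disconnect format is an assumption about dovecot 2.x login-process logging.

```python
import re
from collections import Counter, defaultdict

# Constructed sample maillog lines in the format quoted in the message above.
# The "auth failed" disconnect lines are an assumed dovecot 2.x format.
SAMPLE_LOG = """\
Nov 21 11:35:22 mx1 dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=22322, TLS
Nov 21 11:37:29 mx1 dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=22365, TLS
Nov 21 12:44:24 mx1 dovecot: pop3-login: Login: user=<bob@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=23260, TLS
Nov 21 12:45:01 mx1 dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<postmaster>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Nov 21 12:45:09 mx1 dovecot: pop3-login: Disconnected (auth failed, 2 attempts): user=<webmaster>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Nov 21 12:45:20 mx1 dovecot: pop3-login: Disconnected (no auth attempts): rip=198.51.100.7, lip=192.0.2.1
Nov 21 12:46:00 mx1 dovecot: dict: mysql: Connected to localhost (postfix)
"""

# service, event, optional "(reason)", then the comma-separated key=value fields
LINE = re.compile(
    r"dovecot: (?P<svc>imap-login|pop3-login): "
    r"(?P<event>Login|Disconnected|Aborted login)(?: \((?P<reason>[^)]*)\))?: (?P<fields>.*)$"
)
FIELD = re.compile(r"(\w+)=(?:<([^>]*)>|([^,\s]+))")
ATTEMPTS = re.compile(r"auth failed, (\d+) attempts")

def summarize(text):
    logins = Counter()            # (service, user) -> successful logins
    failed = Counter()            # remote IP -> failed auth attempts
    targeted = defaultdict(set)   # remote IP -> user names tried
    unmatched = []                # dovecot lines no pattern recognised
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            if "dovecot: " in line:
                unmatched.append(line.split("dovecot: ", 1)[1])
            continue
        f = {key: angle or bare for key, angle, bare in FIELD.findall(m["fields"])}
        if m["event"] == "Login":
            logins[(m["svc"], f.get("user", "?"))] += 1
            continue
        tries = ATTEMPTS.search(m["reason"] or "")
        if tries:
            ip = f.get("rip", "?")
            failed[ip] += int(tries.group(1))
            if "user" in f:
                targeted[ip].add(f["user"])
    return logins, failed, targeted, unmatched

if __name__ == "__main__":
    for part in summarize(SAMPLE_LOG):
        print(dict(part) if isinstance(part, dict) else part)
```

The dict/mysql line lands in the unmatched list because no pattern covers it, which is the same reason a line shows up under logwatch's "Unmatched Entries".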



