[Logwatch] Dovecot

Tom Metro tmetro+logwatch at gmail.com
Thu Jun 21 10:45:32 MST 2007


Upon installing logwatch, I started seeing:

--------------------- Dovecot Begin ------------------------
  **Unmatched Entries**
     dovecot: auth-worker(default): mysql: Connected to 
/var/run/mysqld/mysqld.sock (mail): 10 Time(s)
---------------------- Dovecot End -------------------------

I'm not sure whether this is more due to the dovecot service filter not 
being designed to filter a Dovecot process using MySQL authentication, 
or that the filter isn't designed for Dovecot's LDA (deliver).

I checked out the latest version of the filter from CVS (1.7) and didn't 
see any changes that would address this, so I patched my local version. 
I can submit a diff against 1.7, but I was surprised not to see a 
section in the filter where it had regular expressions for matching 
lines to be ignored (or at least ignored below some detail level). Are 
there really no other log lines produced by Dovecot that get ignored, or 
is this filtering happening elsewhere?


Speaking of Dovecot's LDA (deliver), I'm wondering if the dovecot 
service filter is even designed to handle messages produced by deliver, 
such as:

Jun 21 06:25:09 lex deliver(root at example.com): 
msgid=<20070621102509.172B226432 at example.com>: saved mail to INBOX

Note that the service name is "deliver". I haven't dug into the workings 
of logwatch enough yet to know how service names extracted from log 
files are matched up with the corresponding service filter configuration 
  files. I did look for a deliver.conf and found none. (I'm guessing it 
is not a literal mapping of service => service.conf, as you can have 
multiple programs using the same service name that produce very 
different log messages.)


Lastly, I have Dovecot's IMAP service logging to a non-syslog log file 
to keep that clutter out of the mail delivery logs, and Dovecot's native 
format is quite different from syslog:

dovecot: 2007-06-20 23:13:24 Info: IMAP(user at example.com): Disconnected: 
Logged out
dovecot: 2007-06-21 11:14:27 Info: auth-worker(default): mysql: 
Connected to /var/run/mysqld/mysqld.sock (mail)
dovecot: 2007-06-21 11:14:27 Info: imap-login: Login: 
user=<user at example.com>, method=plain, rip=192.168.0.200, lip=192.168.0.35

I added this log file to the list of files in the maillog group, but not 
surprisingly it had no effect. (Though, per my other message, it 
probably should trigger an error.) I assume a filter needs to be 
constructed to transform this into syslog compatible format, if I want 
the existing dovecot service filter to be able to process it. Has anyone 
created such a filter?

  -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/


More information about the Logwatch mailing list