[Logwatch] POP3 and IMAP logs have gotten really long

Mike Tremaine mgt at stellarcore.net
Sat May 3 07:28:56 MST 2008


Mike Brandonisio wrote:
> Hi,
> 
> I'm sorry for reposting this. I was having some trouble with my email  
> and I wanted to make sure the list saw this post. I have tried to rpm  
> -e [logwatch] then rpm -i [logwatch] but I still see these long  
> repetitive entries in the log summary. See below. I'm not sure where  
> to start looking for the problem. See below for details.
> 
> ****************************************
> 
> I've been using logwatch for a few years now. Recently Logwatch  
> summaries have gotten really long with repetitive data. Previously  
> Logwatch would display POP3 and IMAP info like this:
> 
>        User user at example.com - 133 Times, 387112 Bytes
>           Host XXX.XXX.XXX.XXX - 133 Times, 387112 Bytes
>        User user2 at example.com - 118 Times, 243139 Bytes
>           Host XXX.XXX.XXX.XXX - 118 Times, 243139 Bytes
> 
> For a few weeks it has been displaying a host entry for each  
> connection for a POP3 user. So if a user has made 118 connections,  
> logwatch now displays:
> 
>        User user2 at example.com - 118 Times, 243139 Bytes
>           Host XXX.XXX.XXX.XXX - 1 Times, x Bytes
>           Host XXX.XXX.XXX.XXX - 1 Times, x Bytes
>           |
>           |
>           |
>           |
>           \/
>           Host XXX.XXX.XXX.XXX - 1 Times, x Bytes
>           Host XXX.XXX.XXX.XXX - 1 Times, x Bytes
> 
> Where the arrow is all 118 connections from the same IP. Also under  
> " [POP3] Successful Logins:" logwatch is displaying the connecting IP  
> for the user with a port number like this:
> 
>   [POP3] Successful Logins:
>     User user2 at example.com:
>       From ::ffff: XXX.XXX.XXX.XXX], port=[1280: 2 Time(s)
>       From ::ffff: XXX.XXX.XXX.XXX], port=[1320: 1 Time(s)
>       From ::ffff: XXX.XXX.XXX.XXX], port=[1863: 1 Time(s)
>           |
>           |
>           |
>           |
>           \/
>       From ::ffff: XXX.XXX.XXX.XXX], port=[58309: 1 Time(s)
>       From ::ffff: XXX.XXX.XXX.XXX], port=[60023: 1 Time(s)
>     Total 312 Time(s)
> 
> This makes for extremely long logwatch logs. Not much of a summary.  
> Any ideas on what is going on here? I'm running CentOS Enterprise 4.6  
> i686 and Logwatch 7.3.1 (09/15/06).
> 
> 

Here is my advice.

1) Upgrade to the 7.3.6 release. You can get the RPM from the logwatch.org 
site, or you can pull one from the Fedora 8 or CentOS 5 updates.

2) Post a log snip for an entry that is getting messed up, and tell me 
what IMAP/POP server you are using. I'm guessing Dovecot if you are 
running CentOS 4.6... You should have version 1.6 of the dovecot filter; 
there are some important patches at 1.4 and 1.5:

# Revision 1.4  2006/08/13 22:02:31  bjorn
# IPv4 addresses displayed in native format, and don't display user totals
# if user connects from only one IP address; changes by Patrick Vande Walle.

My guess is that is the problem.

-Mike

To test it on its own, run this command as root:

"logwatch --service dovecot --detail 10 --print"

-Mike
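As an added illustration (not code from this thread and not Logwatch's own Perl filter), the Python below shows the two things a login-summary filter has to get right for the report to stay short, and what the report looks like when it gets them wrong: treat an IPv4-mapped IPv6 address `::ffff:a.b.c.d` as the IPv4 address `a.b.c.d`, and stop the `ip=[...]` match at the first `]` so a trailing `, port=[...]` does not become part of the host key. A greedy `ip=\[(.*)\]` on a line that carries a port field captures `::ffff:a.b.c.d], port=[1280`, which is exactly the shape of the "From ::ffff: ...], port=[1280" lines in the report above. The log lines are constructed to match the `ip=[...], port=[...]` fragments visible in that report; the real line format of the poster's server is an assumption, as is the per-host suppression for single-address users, which follows the rev 1.4 changelog note quoted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real server logs). The "ip=[...], port=[...]"
# shape is an assumption modelled on the fragments visible in the report.
SAMPLE_LOG = """\
May  3 06:01:12 mail pop3d: LOGIN, user=user2@example.com, ip=[::ffff:192.0.2.10], port=[1280]
May  3 06:05:40 mail pop3d: LOGIN, user=user2@example.com, ip=[::ffff:192.0.2.10], port=[1320]
May  3 06:10:03 mail pop3d: LOGIN, user=user2@example.com, ip=[::ffff:192.0.2.10], port=[1863]
May  3 06:12:55 mail pop3d: LOGIN, user=user@example.com, ip=[::ffff:198.51.100.7], port=[50211]
May  3 06:14:02 mail pop3d: LOGIN, user=user@example.com, ip=[2001:db8::1], port=[50300]
May  3 06:15:00 mail imapd: LOGIN, user=user2@example.com, ip=[::ffff:192.0.2.10], port=[60023]
"""

# Hypothetical "old" pattern: greedy .* runs on to the LAST ']' on the line,
# so once the server appends ", port=[N]" every connection gets a unique host.
GREEDY_RE = re.compile(
    r'(?P<proto>pop3d|imapd): LOGIN, user=(?P<user>[^,]+), ip=\[(?P<host>.*)\]'
)

# Fixed pattern: stop at the first ']' and capture the port separately.
STRICT_RE = re.compile(
    r'(?P<proto>pop3d|imapd): LOGIN, user=(?P<user>[^,]+), '
    r'ip=\[(?P<host>[^\]]+)\](?:, port=\[(?P<port>\d+)\])?'
)

V4MAPPED_RE = re.compile(r'^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$', re.IGNORECASE)


def normalize_host(ip):
    """Return an IPv4-mapped IPv6 address (::ffff:a.b.c.d) in native IPv4
    form; plain IPv4 and real IPv6 addresses are returned unchanged."""
    m = V4MAPPED_RE.match(ip.strip())
    return m.group(1) if m else ip.strip()


def summarize(log_text, pattern=STRICT_RE, native_v4=True):
    """Aggregate logins as proto -> user -> Counter(host).

    With pattern=GREEDY_RE the host key still contains the port, so the
    result reproduces the one-host-line-per-connection blow-up."""
    logins = defaultdict(lambda: defaultdict(Counter))
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        host = m.group('host')
        if native_v4:
            host = normalize_host(host)
        logins[m.group('proto')][m.group('user')][host] += 1
    return logins


def render(logins):
    """Produce a Logwatch-style text summary from summarize()'s output."""
    lines = []
    for proto in sorted(logins):
        label = {'pop3d': 'POP3', 'imapd': 'IMAP'}.get(proto, proto)
        lines.append(f"[{label}] Successful Logins:")
        for user, hosts in sorted(logins[proto].items()):
            total = sum(hosts.values())
            lines.append(f"   User {user} - {total} Time(s)")
            # Following the rev 1.4 changelog note: omit the per-host
            # breakdown when the user only ever connected from one address.
            if len(hosts) > 1:
                for host, n in sorted(hosts.items()):
                    lines.append(f"      Host {host} - {n} Time(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- greedy match, mapped addresses kept (long report) ---")
    print(render(summarize(SAMPLE_LOG, pattern=GREEDY_RE, native_v4=False)))
    print("--- first-']' match, native IPv4 (short report) ---")
    print(render(summarize(SAMPLE_LOG)))
```

Run it as a script to see both reports side by side; the first one prints a separate `Host ::ffff:192.0.2.10], port=[1280` style line per connection, the second collapses user2's POP3 logins to a single user line because all of them came from one address. The same check applies to any filter you write by hand: if a host key can still contain an ephemeral port, every session becomes a distinct host and the summary stops summarizing.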

