[Logwatch] dovecot connections

David Halik dhalik at jla.rutgers.edu
Tue Dec 22 11:37:13 MST 2009


I fixed the issue. It looks like the connections were hitting on the 
wrong if statement, they're now properly counted and munged. Here's the 
patch for the cvs:

--- /rci/u2/user/dovecot.bak    2009-12-22 12:56:28.383267000 -0500
+++ /etc/logwatch/scripts/services/dovecot    2009-12-22 
13:13:36.949055000 -0500
@@ -166,8 +166,6 @@
            (($Reason) = ($ThisLine =~ /IMAP.+: Disconnected: (.+) 
bytes=/)) or
            (($Reason) = ($ThisLine =~ /IMAP.+: Disconnected: (.+)/)) ) {
        $Disconnected{$Reason}++;
-   } elsif ($ThisLine =~ /(IMAP|POP3).+: (Connection closed.*)/) {
-      $Disconnected{$2}++;
     } elsif (($Reason) = ($ThisLine =~ /IMAP.+: Connection closed 
bytes=/))  {
          $ConnectionCl{"no reason"}++;
     } elsif ( (($Reason) = ($ThisLine =~ /IMAP.+: Connection closed: 
(.*) bytes=/)) or
@@ -175,6 +173,8 @@
        $ConnectionCl{$Reason}++;
     } elsif ($ThisLine =~ /POP3.+: Connection closed top=.* retr=.* 
del=.* size=.*/) {
        $ConnectionCl{"no reason"}++;
+   } elsif ($ThisLine =~ /(IMAP|POP3).+: (Connection closed.*)/) {
+      $Disconnected{$2}++;
     } elsif (($Error) = ($ThisLine =~ /child \d* \(login\) returned 
error (.*)/)) {
     # dovecot: child 23747 (login) returned error 89
        $ChildErr{$Error}++;



On 12/21/2009 03:24 PM, David Halik wrote:
>
> Hi,
>
> Has anyone successfully filtered out the connection closed dovecot 
> messages from logwatch?
>
> Or more specifically, would it be possible to have the messages not be 
> displayed by logwatch unless there is a high detail level set?
>
> With dovecot 1.2.9 and the latest dovecot service script from the 
> logwatch cvs I see hundreds of these even at the default detail level 
> of 0:
>
>  Dovecot disconnects:
>     Connection closed bytes=100/1488: 1 Time(s)
>     Connection closed bytes=100/4141: 1 Time(s)
>     Connection closed bytes=100/705: 1 Time(s)
>     Connection closed bytes=100/737: 2 Time(s)
>     Connection closed bytes=100/750: 1 Time(s)
>     Connection closed bytes=100/843: 1 Time(s)
>     Connection closed bytes=100/863: 1 Time(s)
>
> I don't think they're really that useful or interesting to see unless 
> you want a high detail level, so it would probably be better to have 
> them not displayed. Currently I have 4000 users, so the logwatch 
> output isn't very helpful with all of these.
>
> The full message looks like this:
>
> Dec 20 10:25:52 gehenna11 dovecot: IMAP(user1): Connection closed 
> bytes=623/14067
> Dec 20 10:26:17 gehenna11 dovecot: POP3(user2): Connection closed 
> top=0/0, retr=0/0, del=0/89, size=12334536
>
> Any help would be appreciated, I've been trying to modify a rule to 
> fix this but haven't been very successful.
>
> Thanks.
>


-- 
================================
David Halik
System Administrator
OIT-CSS Rutgers University
dhalik at jla.rutgers.edu
================================



More information about the Logwatch mailing list