* On 2003.01.08, in <1042022871.28651.93.camel at hurina>,
* "Timo Sirainen" <tss at iki.fi> wrote:
> Any suggestions how user login/logouts should look like in log files? I
> was thinking:
>
> (connected to imaps port)
> Login: username [IP 1.2.3.4, imaps, compressed]
> Logout: username [IP 1.2.3.4, imaps, compressed] [1000/100000 bytes (50%),
> 00:00:12]

I like things that are easy to parse with shell and awk scripts. E.g.:

Login: username 1.2.3.4:1025 5.6.7.8:143 imaps,compressed
Logout: username 1.2.3.4:1025 5.6.7.8:143 imaps,compressed in:1000 out:1000000
[whatever SSL summary data is available]

I like seeing both the source and destination sockaddrs. (Why not run
two instances on different interfaces?) In fact, I like seeing both
hostname and ip address, and an indicator if a reverse map doesn't
match, but that's probably just me.

In this example, flags occupy one space-delimited field, and are
separated by commas. It's useful for performance analysis to tally
bytes transferred; this is what "in:" and "out:" are for. It would also
be nice for perf. anal. to know how much I/O to storage (disk) was
performed by the imap process, but I don't imagine those figures are
presently available anyway.

That's just an illustration; it doesn't matter to me whether it's like
that particularly. I just want to show what I mean by ease of parsing
-- whitespace-separated fields, well-known field values, related flags
and such compounded within fields. The whole line structure should be
well-known and not require perl or sscanf()s or such; scripts should be
able to extract a lot of data from these quickly.

(We're watching dovecot for possible use on a system that supports about
300,000 logins per day, and we want to be able to produce stats on
that.)

> I think the only configuration needed would be if to log login, logout
> or both.

That's generous. :) I'd always want both, and can't imagine not wanting
both, but I suppose some might prefer less.

I actually wouldn't mind seeing more optional logs -- for example,
logout-like summaries for folder accesses (when users change folders).
This can help in balancing storage devices when folders can reside on
multiple devices.

In an ideal world, everything would be loggable, but not everything
would be logged.

--
-D. dgc at uchicago.edu NSIT University of Chicago
We're the colon in ://
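
Added example, not part of the original message and not Dovecot's own code or log format: a shell/awk sketch of the kind of statistics the whitespace-separated layout proposed in the reply makes cheap to extract. The sample lines, usernames and function names are constructed for illustration and assume exactly the field order shown in the message.

```shell
#!/bin/sh
# Constructed sample lines in the format proposed above; usernames,
# addresses and byte counts are made up for this example.
sample_log() {
cat <<'EOF'
Login: alice 1.2.3.4:1025 5.6.7.8:143 imaps,compressed
Logout: alice 1.2.3.4:1025 5.6.7.8:143 imaps,compressed in:1000 out:1000000
Login: bob 1.2.3.9:4021 5.6.7.8:143 imap
Logout: bob 1.2.3.9:4021 5.6.7.8:143 imap in:250 out:4096
Login: alice 1.2.3.4:1026 5.6.7.8:143 imaps,compressed
Logout: alice 1.2.3.4:1026 5.6.7.8:143 imaps,compressed in:500 out:2000
Login: carol 1.2.3.7:5000 5.6.7.8:143 imaps
EOF
}

# Per-user totals from Logout lines: "user sessions bytes_in bytes_out".
bytes_per_user() {
    awk '$1 == "Logout:" {
            n[$2]++
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^in:[0-9]+$/)  bin[$2]  += substr($i, 4)
                if ($i ~ /^out:[0-9]+$/) bout[$2] += substr($i, 5)
            }
         }
         END { for (u in n) print u, n[u], bin[u] + 0, bout[u] + 0 }' |
        LC_ALL=C sort
}

# Logins per flag; field 5 holds the comma-separated flags.
flag_counts() {
    awk '$1 == "Login:" {
            k = split($5, f, ",")
            for (i = 1; i <= k; i++) c[f[i]]++
         }
         END { for (x in c) print x, c[x] }' | LC_ALL=C sort
}

# Sessions with a Login but no matching Logout, keyed on user + source sockaddr.
open_sessions() {
    awk '$1 == "Login:"  { open[$2 " " $3]++ }
         $1 == "Logout:" { open[$2 " " $3]-- }
         END { for (k in open) if (open[k] > 0) print k }' | LC_ALL=C sort
}

sample_log | bytes_per_user
```

Because the source sockaddr is its own field, pairing a Login with its Logout needs no regular expressions beyond the `in:`/`out:` prefixes.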