I'm using logcheck for log reporting on Debian Etch, and am currently
getting a lot of log entries from Syslog falling through the standard
logcheck regex filters. I'm running Dovecot 1.0beta8. The filters
follow:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (imap|pop3)-login: Login: [.[:alnum:]@-]+ \[(::ffff:)?[:0-9a-f.]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot: )?(imap|pop3)-login: Disconnected \[(::ffff:)?[:0-9a-f.]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot: )?(imap|pop3)\([^[:space:]]+\): File isn't in mbox format: [^[:space:]]+$
# dovecot 1.0
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)-login: Login: user=<[.[:alnum:]@-]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|cram|DIGEST|digest)-(MD5|md5)), rip=(::ffff:)?[:.[:digit:]]+, lip=(::ffff:)?[:0-9a-f.]+(, TLS)?$
The type of entry coming through is:
Jun 5 09:05:57 myhostname dovecot: IMAP(myusername): Disconnected for inactivity
Jun 5 09:07:05 myhostname dovecot: IMAP(myusername): Disconnected: Logged out
Jun 5 09:07:05 myhostname dovecot: IMAP(myusername): Disconnected: Logged out
The first alnum pattern doesn't match given a host name, but the
messages given by Dovecot do not appear to be catered for in the
logcheck files.
I wondered whether anyone on the dovecot list was also using logcheck
and had fixed the regex patterns?
--
rik
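
Added example (not part of the original post and not a rule shipped by logcheck): the quoted rules run with grep -E over constructed copies of the reported lines, showing that the IMAP(user): Disconnected entries fall through and that one extra rule covers them. The rule in candidate_rule is a hypothetical suggestion, and the sample lines assume syslog's usual two-space padding before a single-digit day.

```shell
#!/bin/sh
# Added example, not from the post or from logcheck.

# Dovecot ignore rules quoted in the post, one POSIX ERE per line.
post_rules() {
cat <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (imap|pop3)-login: Login: [.[:alnum:]@-]+ \[(::ffff:)?[:0-9a-f.]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot: )?(imap|pop3)-login: Disconnected \[(::ffff:)?[:0-9a-f.]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot: )?(imap|pop3)\([^[:space:]]+\): File isn't in mbox format: [^[:space:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)-login: Login: user=<[.[:alnum:]@-]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|cram|DIGEST|digest)-(MD5|md5)), rip=(::ffff:)?[:.[:digit:]]+, lip=(::ffff:)?[:0-9a-f.]+(, TLS)?$
EOF
}

# Hypothetical extra rule (assumption) for the uppercase IMAP(user)/POP3(user)
# disconnect messages shown in the post. Only the two endings seen are allowed.
candidate_rule() {
cat <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: (IMAP|POP3)\([^[:space:]]+\): Disconnected( for inactivity|: Logged out)$
EOF
}

# Constructed sample: the post's lines with two-space day padding, plus one
# login line the quoted rules cover and one line that must still be reported.
sample_log() {
cat <<'EOF'
Jun  5 09:05:01 myhostname dovecot: imap-login: Login: user=<myusername>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Jun  5 09:05:57 myhostname dovecot: IMAP(myusername): Disconnected for inactivity
Jun  5 09:07:05 myhostname dovecot: IMAP(myusername): Disconnected: Logged out
Jun  5 09:07:05 myhostname dovecot: IMAP(myusername): Disconnected: Logged out
Jun  5 09:08:11 myhostname dovecot: IMAP(myusername): constructed message that must still be reported
EOF
}

# Print stdin lines that no rule from the named rule functions matches.
fall_through() {
    rules=$(mktemp) || return 1
    for f in "$@"; do "$f"; done > "$rules"
    grep -E -v -f "$rules" || true   # grep exits 1 when nothing falls through
    rm -f "$rules"
}

# Number of sample lines that would still be reported under the given rules.
reported_count() {
    sample_log | fall_through "$@" | wc -l | tr -d ' '
}

echo "post rules only:     $(reported_count post_rules) reported"
echo "with candidate rule: $(reported_count post_rules candidate_rule) reported"
```

Keeping the rule anchored with $ and limited to the two observed endings means any other IMAP(user) message continues to be reported.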