We do some routine logfile (syslog) gathering and analysis. I've been
looking at extending this to parse the syslog output of dovecot. Hmmm...
Ignoring the leading 'date hostname' prefix, some sample lines are:
dovecot: imap-login: Login: user=<uuuuuu>, method=PLAIN, rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
dovecot: IMAP(uuuuuu): Disconnected: Logged out
dovecot: IMAP(uuuuuu): Disconnected in IDLE
dovecot: imap-login: Aborted login: rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
dovecot: pop3-login: Login: user=<uuuuuu>, method=PLAIN, rip=dd.dd.dd.dd1, lip=dd.dd.dd.dd
dovecot: POP3(uuuuuu): Disconnected: Logged out top=0/0, retr=0/0, del=0/8, size=194970
dovecot: pop3-login: Aborted login: rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
deliver(uuuuuu): msgid=<014089712.74355909944644 at thhebat.net>: saved mail to INBOX
I've obfuscated some of the local detail:
uuuuuuu represents a username/identifier;
dd.dd.dd.dd represents an IP address.
Would it be possible, please, to consider improving the consistency of the
logging information?
For instance:
1. All lines, including the "deliver", to begin "dovecot:";
2. The "IMAP(uuuu): Disconnected" to become "imap: disconnected user=<uuuu>";
Overall this would make it more consistently amenable to perl-like pattern
processing, at least with a reasonably hierarchical structure to the
messages. Perhaps something like:
dovecot: subprogram: event, key1=value1, key2=value2 ...
where:
"subprogram" is "{imap,pop,deliver,...}";
"event" is "{login,disconnected, ...}";
and one of the "key=value" will usually be "user=<uuuu>".
That would really make post-processing of logging information (whether
offline, or 'live' via piped syslog) considerably easier.
Thanks.
--
David Lee, Senior Systems Programmer, UNIX Team Leader
I.T. Service, Computer Centre, Durham University, South Road, Durham DH1 3LE, U.K.
http://www.dur.ac.uk/t.d.lee/   Phone: +44 191 334 2752
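As an added example (not from the post, and not Dovecot's own code), a Python parser for the three line shapes listed above that emits the proposed "dovecot: subprogram: event, key=value, ..." form and, for the defender's side, tallies aborted logins per remote IP. Usernames, addresses and the msgid are constructed placeholders; the regexes assume exactly the wording shown in the post.

```python
import re
from collections import Counter

# Constructed sample lines shaped like those in the post (placeholder data).
SAMPLE = [
    "dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5",
    "dovecot: IMAP(alice): Disconnected: Logged out",
    "dovecot: IMAP(alice): Disconnected in IDLE",
    "dovecot: imap-login: Aborted login: rip=192.0.2.77, lip=198.51.100.5",
    "dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5",
    "dovecot: POP3(bob): Disconnected: Logged out top=0/0, retr=0/0, del=0/8, size=194970",
    "dovecot: pop3-login: Aborted login: rip=192.0.2.77, lip=198.51.100.5",
    "deliver(bob): msgid=<placeholder-msgid@example.net>: saved mail to INBOX",
]

# One regex per line shape in the post; "dovecot: " is optional since deliver lacks it.
LOGIN_RE = re.compile(
    r"^(?:dovecot: )?(?P<sub>imap|pop3)-login: (?P<event>Login|Aborted login): (?P<kv>.*)$")
SESSION_RE = re.compile(
    r"^(?:dovecot: )?(?P<sub>IMAP|POP3)\((?P<user>[^)]*)\): "
    r"(?P<event>Disconnected(?:: Logged out| in IDLE)?)(?: (?P<kv>.*))?$")
DELIVER_RE = re.compile(
    r"^(?:dovecot: )?deliver\((?P<user>[^)]*)\): msgid=<(?P<msgid>[^>]*)>: (?P<event>.*)$")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")   # key=<bracketed> or key=bare


def parse(line):
    """Return {"sub", "event", ...fields} for a recognised line, else None."""
    m = next((r for r in map(lambda rx: rx.match(line), (LOGIN_RE, SESSION_RE, DELIVER_RE)) if r), None)
    if not m:
        return None
    g = m.groupdict()
    rec = {"sub": g.get("sub", "deliver").lower(), "event": g["event"].lower()}
    for k in ("user", "msgid"):                    # fields carried in the line shape itself
        if g.get(k):
            rec[k] = g[k]
    for k, v in KV_RE.findall(g.get("kv") or ""):  # trailing key=value pairs
        rec[k] = v.strip("<>")
    return rec


def canonical(rec):
    """Render in the post's proposed 'dovecot: subprogram: event, k=v, ...' form."""
    pairs = [f"{k}=<{v}>" if k in ("user", "msgid") else f"{k}={v}"
             for k, v in rec.items() if k not in ("sub", "event")]
    return f"dovecot: {rec['sub']}: {rec['event']}" + ("".join(", " + p for p in pairs))


def aborted_logins_by_rip(lines):
    """Defender's view: aborted-login count per remote IP, once lines are structured."""
    recs = (parse(line) for line in lines)
    return Counter(r["rip"] for r in recs if r and r["event"] == "aborted login")
```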