Hello Everyone, I am using Zabbix to monitor my Dovecot server, and my logs are filled with lines like this:> Oct 21 15:04:46 osaka dovecot[1256]: pop3-login: Aborted login (no auth > attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, > session=<bWd0nr14SuF/AAAB> > Oct 21 15:05:29 osaka dovecot[1256]: imap-login: Aborted login (no auth > attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, > session=<MlAGob147Jd/AAAB>How can I disable logging these actions from 127.0.0.1? Thanks, Andr? -- https://github.com/progmaticltd/homebox
On 21.10.18 16:23, Andr? Rodier wrote:> How can I disable logging these actions from 127.0.0.1?What you posted looks like syslog output. Add a filter to your syslog configuration to drop or redirect these messages. This is not a Dovecot issue per se. -Ralph
On 10/21/2018 8:23 AM, Andr? Rodier wrote:> I am using Zabbix to monitor my Dovecot server, and my logs are filled > with lines like this: > >> Oct 21 15:04:46 osaka dovecot[1256]: pop3-login: Aborted login (no >> auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, >> secured, session=<bWd0nr14SuF/AAAB> >> Oct 21 15:05:29 osaka dovecot[1256]: imap-login: Aborted login (no >> auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, >> secured, session=<MlAGob147Jd/AAAB> > > How can I disable logging these actions from 127.0.0.1?Presumably you are concerned not so much with having these lines in the logfile, as you are with your monitoring software seeing them and generating alarms because they are reported to syslog as errors.? If I'm wrong about that, then the rest of this message probably won't apply. Monitoring software that reports errors in logfiles should have the ability to specify messages to ignore.? Often this is done with regex.? Since you mentioned Zabbix, I'm betting it's that software that generates the reports you would like to stop. It looks like it does have the ability to use a regex to filter logs. https://www.zabbix.com/documentation/4.0/manual/config/items/itemtypes/log_items This regex ought to do the trick and not filter out other error messages (like login failures) that occur on localhost.? Hopefully it gets preserved on one line, not mangled by my mail client: dovecot.*(imap|pop3)-login: Aborted .*rip=127\.0\.0\.\d+, lip=127\.0\.0\.\d+, The "\d+" notation generally only works if the software is using PCRE - Perl Compatible Regular Expressions.? It does look like Zabbix is using PCRE, so if it's Zabbix we're talking about, that regex should be OK.? Possible replacements for \d+ if it doesn't work: [0-9]+ [0-9]* Thanks, Shawn
On 22 Oct 2018, at 05:16, Shawn Heisey <elyograg at elyograg.org> wrote:> 127\.0\.0\.That regex alone is probably sufficient. -- In the velvet darkness of the blackest night Burning bright There's a guiding star
On 2018-10-22 12:16, Shawn Heisey wrote:> On 10/21/2018 8:23 AM, Andr? Rodier wrote: >> I am using Zabbix to monitor my Dovecot server, and my logs are filled >> with lines like this: >> >>> Oct 21 15:04:46 osaka dovecot[1256]: pop3-login: Aborted login (no >>> auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, >>> secured, session=<bWd0nr14SuF/AAAB> >>> Oct 21 15:05:29 osaka dovecot[1256]: imap-login: Aborted login (no >>> auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, >>> secured, session=<MlAGob147Jd/AAAB> >> >> How can I disable logging these actions from 127.0.0.1? > > Presumably you are concerned not so much with having these lines in > the logfile, as you are with your monitoring software seeing them and > generating alarms because they are reported to syslog as errors.? If > I'm wrong about that, then the rest of this message probably won't > apply. > > Monitoring software that reports errors in logfiles should have the > ability to specify messages to ignore.? Often this is done with > regex.? Since you mentioned Zabbix, I'm betting it's that software > that generates the reports you would like to stop. It looks like it > does have the ability to use a regex to filter logs. > > https://www.zabbix.com/documentation/4.0/manual/config/items/itemtypes/log_items > > This regex ought to do the trick and not filter out other error > messages (like login failures) that occur on localhost.? Hopefully it > gets preserved on one line, not mangled by my mail client: > > dovecot.*(imap|pop3)-login: Aborted .*rip=127\.0\.0\.\d+, > lip=127\.0\.0\.\d+, > > The "\d+" notation generally only works if the software is using PCRE > - Perl Compatible Regular Expressions.? It does look like Zabbix is > using PCRE, so if it's Zabbix we're talking about, that regex should > be OK.? Possible replacements for \d+ if it doesn't work: > > [0-9]+ > [0-9]* > > Thanks, > ShawnThese lines are in the mail.log. I am not talking about Zabbix. Zabbix generate a connection every second, on both Postfix and Dovecot. I want these two services to not log connections when they are coming from 127.0.0.1, if possible. Both journalctl (Systemd) and log files are spammed with these lines, and I would like to avoid dovecot logging them. I should have made this clearer. Kind regards, Andr? -- https://github.com/progmaticltd/homebox