[Dovecot] logfile consistency

David Lee t.d.lee at durham.ac.uk
Tue Apr 3 20:27:35 EEST 2007

We do some routine logfile (syslog) gathering and analysis.  I've been
looking at extending this to parse the syslog output of dovecot.  Hmmm...

Ignoring the leading 'date hostname' prefix, some sample lines are:

   dovecot: imap-login: Login: user=<uuuuuu>, method=PLAIN, rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
   dovecot: IMAP(uuuuuu): Disconnected: Logged out
   dovecot: IMAP(uuuuuu): Disconnected in IDLE
   dovecot: imap-login: Aborted login: rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
   dovecot: pop3-login: Login: user=<uuuuuu>, method=PLAIN, rip=dd.dd.dd.dd1, lip=dd.dd.dd.dd
   dovecot: POP3(uuuuuu): Disconnected: Logged out top=0/0, retr=0/0, del=0/8, size=194970
   dovecot: pop3-login: Aborted login: rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
   deliver(uuuuuu): msgid=<014089712.74355909944644 at thhebat.net>: saved mail to INBOX

I've obfuscated some of the local detail:
   uuuuuu represents a username/identifier;
   dd.dd.dd.dd represents an IP address.

Would it be possible, please, to consider improving the consistency of the
logging information?

For instance:
1. All lines, including the "deliver", to begin "dovecot:";
2. The "IMAP(uuuu): Disconnected" to become "imap: disconnected user=<uuuu>";

Overall this would make it more consistently amenable to perl-like pattern
processing, at least with a reasonably hierarchical structure to the
messages.  Perhaps something like:

  dovecot: subprogram: event, key1=value1, key2=value2 ...

   "subprogram" is "{imap,pop,deliver,...}";
   "event" is "{login,disconnected, ...}";
   and one of the "key=value" will usually be "user=<uuuu>".

That would really make post-processing of logging information (whether
offline, or 'live' via piped syslog) considerably easier.
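
Added example, not part of the original post and not Dovecot code: a Python normalizer that maps the line forms quoted above onto the proposed "dovecot: subprogram: event, key=value" layout. The function names, the event names "aborted-login" and "saved", the "reason" and "mailbox" keys, and the sample addresses are assumptions made for illustration.

```python
import re

# Constructed sample lines in the formats quoted in the post (placeholder user and addresses).
SAMPLES = [
    "dovecot: imap-login: Login: user=<uuuuuu>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1",
    "dovecot: IMAP(uuuuuu): Disconnected in IDLE",
    "dovecot: pop3-login: Aborted login: rip=192.0.2.10, lip=192.0.2.1",
    "dovecot: POP3(uuuuuu): Disconnected: Logged out top=0/0, retr=0/0, del=0/8, size=194970",
    "deliver(uuuuuu): msgid=<1234.5678@example.net>: saved mail to INBOX",
]

KV = re.compile(r"(\w+)=(?:<([^>]*)>|([^,\s]+))")
LOGIN = re.compile(r"^dovecot: (imap|pop3)-login: (Login|Aborted login): (.*)$")
SESSION = re.compile(r"^dovecot: (IMAP|POP3)\(([^)]*)\): Disconnected(.*)$")
DELIVER = re.compile(r"^deliver\(([^)]*)\): msgid=<([^>]*)>: saved mail to (.+)$")

def pairs(text):
    """Extract key=value pairs, unwrapping <...> values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(text)}

def normalize(line):
    """Return (subprogram, event, fields) for a known line form, else None."""
    m = LOGIN.match(line)
    if m:
        return m.group(1), m.group(2).lower().replace(" ", "-"), pairs(m.group(3))
    m = SESSION.match(line)
    if m:
        fields = {"user": m.group(2), **pairs(m.group(3))}
        reason = KV.sub("", m.group(3)).strip(" :,")  # free text left after the pairs
        if reason:
            fields["reason"] = reason
        return m.group(1).lower(), "disconnected", fields
    m = DELIVER.match(line)
    if m:
        return "deliver", "saved", {"user": m.group(1), "msgid": m.group(2),
                                    "mailbox": m.group(3)}
    return None  # unknown form: count these instead of dropping them silently

def render(record):
    """Format a record in the layout proposed in the post."""
    sub, event, fields = record
    kv = ", ".join(f"{k}=<{v}>" if k in ("user", "msgid") or " " in v else f"{k}={v}"
                   for k, v in fields.items())
    return f"dovecot: {sub}: {event}, {kv}"

if __name__ == "__main__":
    for line in SAMPLES:
        print(render(normalize(line)))
```
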



