Disable logging for localhost

[Shawn Heisey]

On 10/21/2018 8:23 AM, André Rodier wrote:
> I am using Zabbix to monitor my Dovecot server, and my logs are filled 
> with lines like this:
>
>> Oct 21 15:04:46 osaka dovecot[1256]: pop3-login: Aborted login (no 
>> auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, 
>> secured, session=<bWd0nr14SuF/AAAB>
>> Oct 21 15:05:29 osaka dovecot[1256]: imap-login: Aborted login (no 
>> auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, 
>> secured, session=<MlAGob147Jd/AAAB>
>
> How can I disable logging these actions from 127.0.0.1? 

Presumably you are concerned not so much with having these lines in the 
logfile, as you are with your monitoring software seeing them and 
generating alarms because they are reported to syslog as errors.  If I'm 
wrong about that, then the rest of this message probably won't apply.

Monitoring software that reports errors in logfiles should have the 
ability to specify messages to ignore.  Often this is done with regex.  
Since you mentioned Zabbix, I'm betting it's that software that 
generates the reports you would like to stop. It looks like it does have 
the ability to use a regex to filter logs.

https://www.zabbix.com/documentation/4.0/manual/config/items/itemtypes/log_items

This regex ought to do the trick and not filter out other error messages 
(like login failures) that occur on localhost.  Hopefully it gets 
preserved on one line, not mangled by my mail client:

dovecot.*(imap|pop3)-login: Aborted .*rip=127\.0\.0\.\d+, 
lip=127\.0\.0\.\d+,

The "\d+" notation generally only works if the software is using PCRE - 
Perl Compatible Regular Expressions.  It does look like Zabbix is using 
PCRE, so if it's Zabbix we're talking about, that regex should be OK.  
Possible replacements for \d+ if it doesn't work:

[0-9]+
[0-9]*

Thanks,
Shawn