1

Topic: Setup logs

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version: Centos 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi.
I want to send all iRedMail-related logs to syslog and then to an external log server.
So I added to dovecot.conf "syslog_facility = local5" and to rsyslog.conf "local5.*        -/var/log/dovecot.log".
But now in /var/log/messages and in /var/log/dovecot.conf I'm getting logs only for incoming and outgoing messages and nothing about unsuccessful logins, for example.
What am I missing here?

2

Re: Setup logs

You should update /etc/rsyslog.conf (or /etc/rsyslog.d/*.conf) to send all syslog messages to an external log server like this:

*.*  @192.168.1.1:5141;RSYSLOG_SyslogProtocol23Format

192.168.1.1 is the IP of the remote log server, 5141 is the tcp/udp port.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

3 (edited by stocton12 2019-12-02 20:05:22)

Re: Setup logs

I have done that and it's working. The problem is that rsyslog is not getting any messages about failed logins.

If I edit dovecot.conf and set a local log file (log_path = /var/log/local.log) I'm getting everything.

I want to send to syslog messages like the following:
Dec 02 14:02:04 auth: Info: ldap(user@domain.com,127.0.0.1,<OU4XDMV/AAAB>): invalid credentials
Dec 02 14:02:06 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<user@domain.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<OU4XWDMV/AAAB>

4

Re: Setup logs

stocton12 wrote:

The problem is that rsyslog is not getting any messages about failed logins.

You must make sure the rsyslog setting mentioned in my previous reply is loaded before all other settings under /etc/rsyslog.d/*.conf.

Many config files under /etc/rsyslog.d/*.conf have the directive "&stop", which means rsyslog will stop there and not pass the matched log line to other rsyslog rules. It's better to put that line in /etc/rsyslog.conf before the `include /...` line.


5

Re: Setup logs

That's working ok too. My problem is not the external log server.

Let's say I want to keep all iRedMail logs in one file.
In dovecot.conf I add "syslog_facility = local5" & "auth_verbose = yes" to send all logs to syslog.
In rsyslog.conf I add "local5.*    -/var/log/iredmail.log" to write the logs to this file.
If I tail the above file I'm only getting info about incoming & outgoing messages and not for failed logins.

6

Re: Setup logs

Did you add the "local5.*    -/var/log/iredmail.log" line after the "include /etc/rsyslog.d/" line?
A few /etc/rsyslog.d/*.conf files have a "&stop" line to stop further processing.

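An added example, not part of the thread and not iRedMail's own code: a simplified Python model of the rule ordering described in replies 4 and 6, showing which actions a local5 message reaches when the rule sits before or after the include line. The drop-in file name and its contents are constructed; only facility selectors, `$IncludeConfig` and `& stop` are modeled.

```python
import re

# Constructed sample configs (not taken from a real server). Legacy rsyslog
# syntax: "$IncludeConfig" pulls in drop-in files, and "& stop" (older form
# "& ~") discards messages matched by the rule directly above it.
DROPINS = {"/etc/rsyslog.d/10-example.conf": "local5.* -/var/log/dovecot.log\n& stop\n"}
MAIN_AFTER = "$IncludeConfig /etc/rsyslog.d/*.conf\nlocal5.* -/var/log/iredmail.log\n"
MAIN_BEFORE = "local5.* -/var/log/iredmail.log\n$IncludeConfig /etc/rsyslog.d/*.conf\n"

STOP = re.compile(r"^&\s*(stop|~)$")
RULE = re.compile(r"^(\*|[a-z0-9]+)\.\*\s+(\S+)$")   # "<facility>.*  <action>"

def load_rules(main_text, dropins):
    """Flatten main config plus drop-ins into ordered [facility, action, stops]."""
    rules = []
    for line in main_text.splitlines():
        line = line.strip()
        if line.lower().startswith("$includeconfig"):
            # Assumption: every drop-in matches the glob; read in sorted name order.
            for name in sorted(dropins):
                rules += load_rules(dropins[name], {})
        elif STOP.match(line) and rules:
            rules[-1][2] = True                      # stop applies to the rule above
        elif (m := RULE.match(line)):
            rules.append([m.group(1), m.group(2), False])
    return rules

def deliveries(rules, facility):
    """Return the actions a message of `facility` reaches, in config order."""
    reached = []
    for fac, action, stops in rules:
        if fac in ("*", facility):
            reached.append(action)
            if stops:                                # message is discarded here
                break
    return reached

if __name__ == "__main__":
    for label, text in (("rule after include", MAIN_AFTER),
                        ("rule before include", MAIN_BEFORE)):
        print(label, "->", deliveries(load_rules(text, DROPINS), "local5"))
```
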