1

Topic: Setup logs

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version: Centos 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi.
I want to send all iRedMail related logs to syslog and then to an external log server.
So I added to dovecot.conf "syslog_facility = local5" and to rsyslog.conf "local5.*        -/var/log/dovecot.log".
But now in /var/log messages and in /var/log/dovecot.conf I'm getting logs only for incoming and outgoing messages and nothing about unsuccessful logins for example.
What am I missing here?


2

Re: Setup logs

You should update /etc/rsyslog.conf (or /etc/rsyslog.d/*.conf) to send all syslog messages to external log server like this:

*.*  @192.168.1.1:5141;RSYSLOG_SyslogProtocol23Format

192.168.1.1 is the IP of remote log server, 5141 is the tcp/udp port.

3 (edited by stocton12 2019-12-02 20:05:22)

Re: Setup logs

I have done that and it's working. The problem is that rsyslog is not getting any messages about failed logins.

If I edit dovecot.conf and set a local log file (log_path = /var/log/local.log) I'm getting everything.

I want to send to syslog messages like the following:
Dec 02 14:02:04 auth: Info: ldap(user@domain.com,127.0.0.1,<OU4XDMV/AAAB>): invalid credentials
Dec 02 14:02:06 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<user@domain.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<OU4XWDMV/AAAB>
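
Once lines like the two quoted above do reach syslog or the log server, failed logins can be pulled out of the stream as sketched here. This is an added example, not part of the original post and not iRedMail or Dovecot code; the syslog-style lines with a "mail dovecot:" prefix, the 203.0.113.x and 192.0.2.x addresses and all function names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample input: the two failure lines quoted in the post, plus
# assumed syslog-style variants (host/program prefix, no "Info:" tag).
SAMPLE_LINES = [
    "Dec 02 14:02:04 auth: Info: ldap(user@domain.com,127.0.0.1,<OU4XDMV/AAAB>): invalid credentials",
    "Dec 02 14:02:06 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<user@domain.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<OU4XWDMV/AAAB>",
    "Dec  2 14:03:10 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<user@domain.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<AAAAconstructed>",
    "Dec  2 14:03:15 mail dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<other@domain.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<BBBBconstructed>",
    "Dec  2 14:04:00 mail dovecot: imap-login: Login: user=<user@domain.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=100, secured, session=<CCCCconstructed>",
]

# Patterns are searched anywhere in the line, so any timestamp/host prefix is tolerated.
LOGIN_FAIL = re.compile(
    r"(?P<service>\w+)-login: (?:Info: )?Disconnected "
    r"\(auth failed, (?P<attempts>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,\s]+)"
)
AUTH_FAIL = re.compile(  # only the "invalid credentials" message shown in the post
    r"auth: (?:Info: )?(?P<passdb>\w+)\((?P<user>[^,)]*),(?P<rip>[^,)]+)"
    r"(?:,<[^>]*>)?\): invalid credentials"
)

def parse_failure(line):
    """Return a dict for a failed-login line, or None for any other line."""
    m = LOGIN_FAIL.search(line)
    if m:
        return {"kind": "login", "component": m["service"], "user": m["user"],
                "rip": m["rip"], "attempts": int(m["attempts"])}
    m = AUTH_FAIL.search(line)
    if m:
        return {"kind": "auth", "component": m["passdb"], "user": m["user"],
                "rip": m["rip"], "attempts": 1}
    return None

def failed_attempts_by_source(lines):
    """Sum attempts per (user, remote IP) from the *-login lines only, so the
    auth line logged for the same failure is not counted twice."""
    totals = Counter()
    for line in lines:
        event = parse_failure(line)
        if event and event["kind"] == "login":
            totals[(event["user"], event["rip"])] += event["attempts"]
    return totals

if __name__ == "__main__":
    for (user, rip), n in failed_attempts_by_source(SAMPLE_LINES).most_common():
        print(f"{n:3d} failed attempts  user={user}  rip={rip}")
```

If the totals stay empty while successful "Login:" lines keep arriving, the failure events are not reaching that file or server at all, which is the symptom described in this thread.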

4

Re: Setup logs

stocton12 wrote:

The problem is that rsyslog is not getting any messages about failed logins.

You must make sure the rsyslog setting mentioned in my previous reply is loaded before all other settings under /etc/rsyslog.d/*.conf.

Many config files in /etc/rsyslog.d/*.conf have the directive "&stop", which means rsyslog will stop there and not pass the matched log line to other rsyslog rules. It's better to put that line in /etc/rsyslog.conf before the `include /...` line.

5

Re: Setup logs

That's working ok too. My problem is not the external log server.

Let's say I want to keep all iRedMail logs in one file.
In dovecot.conf I add "syslog_facility = local5" & "auth_verbose = yes" to send all logs to syslog.
In rsyslog.conf I add "local5.*    -/var/log/iredmail.log" to write the logs to this file.
If I tail the above file I'm only getting info about incoming & outgoing messages and not for failed logins.

6

Re: Setup logs

Did you add the "local5.*    -/var/log/iredmail.log" line after the "include /etc/rsyslog.d/" line?
A few of the /etc/rsyslog.d/*.conf files have a "&stop" line to stop further processing.

7

Re: Setup logs

Sorry for not responding for such a long time but some personal issues took priority.

Yes, my rules are after the "include" line but I don't have any conf files in rsyslog.d.
I have tried a different syslog facility just for dovecot:
- In dovecot.conf I have "log_path = syslog" and "syslog_facility = local6"
- In rsyslog.conf I have "local6.* -/var/log/local6.log"

but again it's not even creating the local6.log file.

8

Re: Setup logs

- Restart rsyslog service first.
- Try to send some log message with the "logger" command to local6 facility, then check whether rsyslog creates log file.

9

Re: Setup logs

ZhangHuangbin wrote:

You should update /etc/rsyslog.conf (or /etc/rsyslog.d/*.conf) to send all syslog messages to external log server like this:

*.*  @192.168.1.1:5141;RSYSLOG_SyslogProtocol23Format

192.168.1.1 is the IP of remote log server, 5141 is the tcp/udp port.


Hi, I am not familiar with syslog. I want to ask for more details about sending logs to a remote server. For example, how to configure rsyslog on both sides? Which config files of iRedMail need to be modified?

I have iRedMail running in a Docker container, and want to persist its logs, with logs for different modules in different folders.