On 10/21/2018 8:23 AM, André Rodier wrote:
I am using Zabbix to monitor my Dovecot server, and my logs are filled
with lines like this:
Oct 21 15:04:46 osaka dovecot[1256]: pop3-login: Aborted login (no
auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1,
secured, session=<bWd0nr14SuF/AAAB>
Oct 21 15:05:29 osaka dovecot[1256]: imap-login: Aborted login (no
auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1,
secured, session=<MlAGob147Jd/AAAB>
How can I disable logging these actions from 127.0.0.1?
Presumably you are concerned not so much with having these lines in the
logfile, as you are with your monitoring software seeing them and
generating alarms because they are reported to syslog as errors. If I'm
wrong about that, then the rest of this message probably won't apply.
Monitoring software that reports errors in logfiles should have the
ability to specify messages to ignore. Often this is done with regex.
Since you mentioned Zabbix, I'm betting it's that software that
generates the reports you would like to stop. It looks like it does have
the ability to use a regex to filter logs.
https://www.zabbix.com/documentation/4.0/manual/config/items/itemtypes/log_items
This regex ought to do the trick and not filter out other error messages
(like login failures) that occur on localhost. Hopefully it gets
preserved on one line, not mangled by my mail client:
dovecot.*(imap|pop3)-login: Aborted .*rip=127\.0\.0\.\d+,
lip=127\.0\.0\.\d+,
The "\d+" notation generally only works if the software is using PCRE -
Perl Compatible Regular Expressions. It does look like Zabbix is using
PCRE, so if it's Zabbix we're talking about, that regex should be OK.
Possible replacements for \d+ if it doesn't work:
[0-9]+
[0-9]*
Thanks,
Shawn
