Ubuntu
logwatch package

unmatched entries for dovecot login

Bug #1058760 reported by toby cabot
66
This bug affects 13 people
Affects Status Importance Assigned to Milestone
logwatch (Ubuntu)
Expired
Undecided
Unassigned

Bug Description

Hi,

I've been getting a bunch of entries like this in my logwatch emails:
    hostname dovecot: imap-login: Login: user=<user>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=1014,
secured: 1 Time(s)

On a typical day I might get hundreds of such entries and my server is only a small family server.

It looks as if the problem is in /usr/share/logwatch/scripts/services/dovecot. It seems to get confused by the hostname coming after the datestamp and before the service name. If I tweak the $ThisLine regex to match the hostname things work better, but still not quite right. I also had to add another login regex to match the ones in my log. I'll include a patch that works for me.

Revision history for this message
toby cabot (caboteria) wrote :
Revision history for this message
toby cabot (caboteria) wrote :

Note that the patch might not work for all protocols. I have no way to test with POP so I didn't change those rules.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "patch to fix logwatch's dovecot rules" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Revision history for this message
Thomas Hood (jdthood) wrote :

Same problem. Patch fixes it for me.

Changed in logwatch (Ubuntu):
status: New → Confirmed
Revision history for this message
Nathaniel W. Turner (nturner) wrote :

I ran into this awhile back before finding this bug, and resolved the problem with the attached changes. I'm serving pop3 and managesieve in addition to imap, so this patch covers and is tested for those cases too.

Revision history for this message
Steffen Sindzinski (stesind) wrote :

patch #1 worked for me as well

Revision history for this message
Nicola (nicola) wrote :

patch #works for me

Revision history for this message
devn null (djemsmortimer) wrote :

I'm on ubuntu 12.04 and having the same problem. Can someone please tell me how to apply that patch?

Revision history for this message
Thomas Heidrich (gnuheidix) wrote :

The patch works for me either. Thanks a lot :-)

I personally consider this bug fairly important because it renders logwatch partly unusable if dovecot is installed and frequently used. Please ship it. :-)

Revision history for this message
Andrew Schwartzmeyer (andschwa) wrote :

Just chiming in, the patch worked for me as well on Ubuntu 12.04.4 with Logwatch 7.4.0 and Dovecot 2.0.19. Thanks!

Revision history for this message
Maarten Rijke (infie) wrote :

Just a heads-up, the patch does not work with hostnames that contain a dash.
I had to change

[a-z][a-z0-9]

to:

[a-z][a-z0-9\-]

to make the patch work. Besides that, thanks for the patch!

Revision history for this message
Nish Aravamudan (nacc) wrote :

Has any issue been filed with the upstream logwatch?

Revision history for this message
Nish Aravamudan (nacc) wrote :

Thank you everyone for filing bug reports for this issue. Now that 12.04 has gone EOL without a resolution for this, is it possible to re-test with 14.04 or 16.04 (or ideally 17.10 daily) to see if it still occurs? This helps us track where it is occurring and decide if it has been fixed upstream.

In my analysis, I believe the patch (or its equivalent) in c#1 has been merged upstream. The patch from c#5 also appears partially applied upstream, but not necessarily the hostname bit.

Changed in logwatch (Ubuntu):
status: Confirmed → Incomplete
Nish Aravamudan (nacc)
tags: added: needs-upstream-report
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for logwatch (Ubuntu) because there has been no activity for 60 days.]

Changed in logwatch (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.