
#20 logwatch dovecot report loads of unmatched entries

v7.5.X
open
nobody
None
5
2023-10-01
2021-08-21
Noel
No

Our dovecot report is full of unmatched entries;
wondering if you had a rules update to catch these?

If it helps - login_log_format_elements = user=<%u> method=%m rip=%r %c %k
%r , remote_ip
%c , secured , “TLS” with established SSL/TLS connections
%k , ssl_security , TLS session security string.
%m , mechanism , Authentication (SASL) Mechanisms e.g. PLAIN

from https://doc.dovecot.org/configuration_manual/config_file/config_variables/#variables-global

extract showing different cases :

Unmatched Entries
imap-login: Info: Login failed: Plaintext authentication disabled: user=<>, rip=201.185.40.243: 2 Time(s)

imap-login: Info: Login: user=xxxxx@xxxxx.net, method=PLAIN, rip=1.128.107.107, TLS, TLSv1.2 with
cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits): 22 Time(s)

pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=185.142.236.36, TLS, TLSv1.2 with
cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits): 2 Time(s)

pop3-login: Info: Disconnected: Too many bad commands (no auth attempts in 0 secs): user=<>, rip=192.241.205.227: 2 Time(s)

pop3-login: Info: Login: user=mxxxxxxxxx@xxxxxxxxxxxx.net, method=PLAIN, rip=120.22.170.94, TLS, TLSv1.3 with
cipher TLS_AES_256_GCM_SHA384 (256/256 bits): 192 Time(s)

Hope you can help, thanks
-n

Discussion

  • Bjorn

    Bjorn - 2023-08-27

    To Noel: I think some of the mismatches are because of the custom login_log_format_elements, as you indicated. If you or someone feels like writing a parser of custom log fields, there is an example in the http script, using the $logformat, $parse_string, and $parse_field variables.

    The subsequent reply with the postfix errors from another user has been deleted, as the question was re-posted to the discussion email.
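
A sketch of the kind of custom-field parser suggested above, as an added example that is not logwatch's own code and does not reuse the http script's variables: it compiles the login_log_format_elements string from the ticket into one regex per element and matches the comma-separated fields of a login line in format order. The capture names, parse_line and the sample lines are assumptions made for this example; it also assumes, as the ticket's samples suggest, that elements with nothing to log are simply left out of the line.

```perl
use strict;
use warnings;
use 5.010;    # named captures, // and say

# Format string quoted in the ticket.
my $elements = 'user=<%u> method=%m rip=%r %c %k';
# One pattern per variable; the capture names are this example's own choice.
my %var = (
    u => '(?<user>[^>]*)',
    m => '(?<method>[\w-]+)',
    r => '(?<rip>[0-9A-Fa-f.:]+)',
    c => '(?<secured>[^,]+)',
    k => '(?<tls>[^,]+)',
);
# Compile each space-separated element: literal text quoted, %x substituted.
my @elem_re = map {
    my $re = '';
    for my $part (grep { length } split /(%[a-z])/, $_) {
        $re .= $part =~ /\A%([a-z])\z/
            ? ($var{$1} // die "no pattern for $part\n")
            : quotemeta $part;
    }
    qr/\A$re\z/;
} split ' ', $elements;

# Split "<service>-login: Info: <event>: <elements>", then match the
# comma-separated fields in format order, skipping elements not logged.
sub parse_line {
    my ($line) = @_;
    my ($svc, $event, $tail) = $line =~ /^(\S+)-login: Info: (.*): (.*)$/
        or return;
    my %rec = (service => $svc, event => $event);
    my $i = 0;
  FIELD:
    for my $field (split /, /, $tail) {
        while ($i < @elem_re) {
            if ($field =~ $elem_re[$i++]) { %rec = (%rec, %+); next FIELD }
        }
        return;    # no remaining element fits: leave the line unmatched
    }
    return \%rec;
}

# Constructed sample lines modelled on the cases in the ticket; the last one
# carries a field (lip=) that is not in the format string above.
my @lines = (
    'imap-login: Info: Login failed: Plaintext authentication disabled: user=<>, rip=192.0.2.10',
    'pop3-login: Info: Login: user=<alice@example.net>, method=PLAIN, rip=198.51.100.7, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)',
    'imap-login: Info: Login: user=<bob@example.net>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.1',
);
for my $line (@lines) {
    my $r = parse_line($line) or do { say "UNMATCHED: $line"; next };
    say join ' ', map { "$_=" . ($r->{$_} // '-') } qw(service event user method rip secured tls);
}
```

The first two lines parse into fields (the failed login with no method or TLS fields), while the third is reported as unmatched because lip= is not part of the configured format.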

     
  • Bjorn

    Bjorn - 2023-10-01

    Ticket moved from /p/logwatch/support-requests/5/

     
  • Bjorn

    Bjorn - 2023-10-01

    Moved to Feature Request. As previously mentioned, the code is not set up to handle custom log formats.

     
