From f9749079ec310cdd56691c9e5a782b1e6903735c Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 19:56:02 +0200 Subject: [PATCH 01/16] logcheck: Ignore rsyslogd restart messages. --- etc/logcheck/ignore.d.server/000-local-rsyslog | 1 + 1 file changed, 1 insertion(+) create mode 100644 etc/logcheck/ignore.d.server/000-local-rsyslog diff --git a/etc/logcheck/ignore.d.server/000-local-rsyslog b/etc/logcheck/ignore.d.server/000-local-rsyslog new file mode 100644 index 0000000..2963890 --- /dev/null +++ b/etc/logcheck/ignore.d.server/000-local-rsyslog @@ -0,0 +1 @@ +rsyslogd: [origin software="rsyslogd" swVersion="[0-9.]*" x-pid="[0-9]*" x-info="http://www.rsyslog.com"] restart$ -- 2.30.2 From db776a0e0febcb2176d0e6c4bc7e43b099ad1856 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 19:56:22 +0200 Subject: [PATCH 02/16] logcheck: Ignore succesful dovecot deliveries. --- etc/logcheck/ignore.d.server/000-local-dovecot | 1 + 1 file changed, 1 insertion(+) create mode 100644 etc/logcheck/ignore.d.server/000-local-dovecot diff --git a/etc/logcheck/ignore.d.server/000-local-dovecot b/etc/logcheck/ignore.d.server/000-local-dovecot new file mode 100644 index 0000000..dc5745b --- /dev/null +++ b/etc/logcheck/ignore.d.server/000-local-dovecot @@ -0,0 +1 @@ +dovecot: deliver([-a-z]*): sieve: msgid=<[^>]*>: stored mail into mailbox '[^']*'$ -- 2.30.2 From c559863b1f4be7c85cb093084c821b5e8c0c2293 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 20:02:32 +0200 Subject: [PATCH 03/16] logcheck: Ignore rsyslog MARK lines. --- etc/logcheck/ignore.d.server/000-local-rsyslog | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/logcheck/ignore.d.server/000-local-rsyslog b/etc/logcheck/ignore.d.server/000-local-rsyslog index 2963890..5ff4c8b 100644 --- a/etc/logcheck/ignore.d.server/000-local-rsyslog +++ b/etc/logcheck/ignore.d.server/000-local-rsyslog @@ -1 +1,2 @@ rsyslogd: [origin software="rsyslogd" swVersion="[0-9.]*" x-pid="[0-9]*" x-info="http://www.rsyslog.com"] restart$ +rsyslogd: -- MARK --$ -- 2.30.2 From d587d45fb5fcee68eb761a94751176f8e8fec6e7 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 20:56:16 +0200 Subject: [PATCH 04/16] logcheck: Fix dovecot deliver pattern. --- etc/logcheck/ignore.d.server/000-local-dovecot | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/logcheck/ignore.d.server/000-local-dovecot b/etc/logcheck/ignore.d.server/000-local-dovecot index dc5745b..18ddef2 100644 --- a/etc/logcheck/ignore.d.server/000-local-dovecot +++ b/etc/logcheck/ignore.d.server/000-local-dovecot @@ -1 +1 @@ -dovecot: deliver([-a-z]*): sieve: msgid=<[^>]*>: stored mail into mailbox '[^']*'$ +dovecot: deliver\([-a-z]*\): sieve: msgid=<[^>]*>: stored mail into mailbox '[^']*'$ -- 2.30.2 From 2eb6211999af551ce72f177ff229acbf0ee08127 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Wed, 6 May 2009 08:26:59 +0200 Subject: [PATCH 05/16] logcheck: Extend dovecot deliver regex a bit. Previously, messages with an "unspecified" message id would not be matched, since there are no brackets around unspecified ids. --- etc/logcheck/ignore.d.server/000-local-dovecot | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/logcheck/ignore.d.server/000-local-dovecot b/etc/logcheck/ignore.d.server/000-local-dovecot index 18ddef2..991c293 100644 --- a/etc/logcheck/ignore.d.server/000-local-dovecot +++ b/etc/logcheck/ignore.d.server/000-local-dovecot @@ -1 +1 @@ -dovecot: deliver\([-a-z]*\): sieve: msgid=<[^>]*>: stored mail into mailbox '[^']*'$ +dovecot: deliver\([-a-z]*\): sieve: msgid=[^:]*: stored mail into mailbox '[^']*'$ -- 2.30.2 From 0aa0fe222efe2de40ad6e2dbcfeda0dde1f78e16 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 7 May 2009 09:32:32 +0200 Subject: [PATCH 06/16] rsyslog: Use %fromhost% instead of %hostname%. Using hostname did not always work, since that use the hostname specified in the message itself (In particular some kernel messages without a hostname were seen). using %fromhost% always uses the hostname of the host the message was received from. This might break in NAT and forwarding situations, but those do not apply here. --- etc/logcheck/ignore.d.server/000-local-vuurmuur | 1 + etc/rsyslog.conf | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 etc/logcheck/ignore.d.server/000-local-vuurmuur diff --git a/etc/logcheck/ignore.d.server/000-local-vuurmuur b/etc/logcheck/ignore.d.server/000-local-vuurmuur new file mode 100644 index 0000000..c8e2b61 --- /dev/null +++ b/etc/logcheck/ignore.d.server/000-local-vuurmuur @@ -0,0 +1 @@ +vrmr: DROP.* diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index b1f88e2..df51b37 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf @@ -54,9 +54,9 @@ $IncludeConfig /etc/rsyslog.d/*.conf ######################## # Log lines received from other servers (as well as our own logs) centrally. -$template FacilityLog,"/data/log/rsyslog/%hostname%/facilities/%syslogfacility-text%.log" -$template SeverityLog,"/data/log/rsyslog/%hostname%/severities/%syslogseverity-text%.log" -$template AppLog,"/data/log/rsyslog/%hostname%/apps/%app-name%.log" +$template FacilityLog,"/data/log/rsyslog/%fromhost%/facilities/%syslogfacility-text%.log" +$template SeverityLog,"/data/log/rsyslog/%fromhost%/severities/%syslogseverity-text%.log" +$template AppLog,"/data/log/rsyslog/%fromhost%/apps/%app-name%.log" # Use a verbose logging format $template LogFormat, "%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %syslogfacility-text%.%syslogseverity-text%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" -- 2.30.2 From ffa31485e70ab33d6d12123ff6618936f043e8d3 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Sat, 9 May 2009 13:01:05 +0200 Subject: [PATCH 07/16] logcheck: Ignore "no connection!" messages from slapd. --- etc/logcheck/ignore.d.server/000-local-slapd | 1 + 1 file changed, 1 insertion(+) create mode 100644 etc/logcheck/ignore.d.server/000-local-slapd diff --git a/etc/logcheck/ignore.d.server/000-local-slapd b/etc/logcheck/ignore.d.server/000-local-slapd new file mode 100644 index 0000000..f43bc09 --- /dev/null +++ b/etc/logcheck/ignore.d.server/000-local-slapd @@ -0,0 +1 @@ +slapd\[[0-9]+\]: connection_read(31): no connection!$ -- 2.30.2 From 88c925c975aa3189eccd43d4532c569f6d11c265 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Sat, 9 May 2009 21:46:09 +0200 Subject: [PATCH 08/16] logcheck: Fix regex. --- etc/logcheck/ignore.d.server/000-local-slapd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/logcheck/ignore.d.server/000-local-slapd b/etc/logcheck/ignore.d.server/000-local-slapd index f43bc09..632d9d1 100644 --- a/etc/logcheck/ignore.d.server/000-local-slapd +++ b/etc/logcheck/ignore.d.server/000-local-slapd @@ -1 +1 @@ -slapd\[[0-9]+\]: connection_read(31): no connection!$ +slapd\[[0-9]+\]: connection_read\(31\): no connection!$ -- 2.30.2 From 8c08b74f7df059d62123763ba192f2bdec3e883b Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 8 Jun 2009 09:23:10 +0200 Subject: [PATCH 09/16] logcheck: Make slapd rule more general. --- etc/logcheck/ignore.d.server/000-local-slapd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/logcheck/ignore.d.server/000-local-slapd b/etc/logcheck/ignore.d.server/000-local-slapd index 632d9d1..b0e44f7 100644 --- a/etc/logcheck/ignore.d.server/000-local-slapd +++ b/etc/logcheck/ignore.d.server/000-local-slapd @@ -1 +1 @@ -slapd\[[0-9]+\]: connection_read\(31\): no connection!$ +slapd\[[0-9]+\]: connection_read\([0-9]*\): no connection!$ -- 2.30.2 From 969007cd3b8ef7a04b77b881e784cd8bdba93ae2 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Wed, 29 Jul 2009 15:05:39 +0200 Subject: [PATCH 10/16] logcheck: Add ignore patterns for dovecot. --- etc/logcheck/ignore.d.server/000-local-dovecot | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/logcheck/ignore.d.server/000-local-dovecot b/etc/logcheck/ignore.d.server/000-local-dovecot index 991c293..ddb605a 100644 --- a/etc/logcheck/ignore.d.server/000-local-dovecot +++ b/etc/logcheck/ignore.d.server/000-local-dovecot @@ -1 +1,9 @@ dovecot: deliver\([-a-z]*\): sieve: msgid=[^:]*: stored mail into mailbox '[^']*'$ +dovecot-auth: pam_unix\(dovecot:session\): session opened for user [-a-z]* by \(uid=0\)$ +dovecot-auth: pam_unix\(dovecot:session\): session opened for user [-a-z]*$ +dovecot-auth: pam_unix\(dovecot:session\): session closed for user [-a-z]*$ +dovecot: IMAP\([-a-z]*\): Connection closed bytes=[0-9/]*$ +dovecot: IMAP\([-a-z]*\): Connection closed: Connection reset by peer bytes=[0-9/]*$ +dovecot: IMAP\([-a-z]*\): Disconnected: Logged out bytes=[0-9/]*$ +dovecot: IMAP\([-a-z]*\): Disconnected in IDLE bytes=[0-9/]*$ +dovecot: IMAP\([-a-z]*\): Disconnected for inactivity bytes=[0-9/]*$ -- 2.30.2 From 22ab3c00bc749a23f4199483867abd4dda380532 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Wed, 29 Jul 2009 15:05:51 +0200 Subject: [PATCH 11/16] logcheck: Add ignore patterns for rsyslog. --- etc/logcheck/ignore.d.server/000-local-rsyslog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/logcheck/ignore.d.server/000-local-rsyslog b/etc/logcheck/ignore.d.server/000-local-rsyslog index 5ff4c8b..bacb936 100644 --- a/etc/logcheck/ignore.d.server/000-local-rsyslog +++ b/etc/logcheck/ignore.d.server/000-local-rsyslog @@ -1,2 +1,4 @@ rsyslogd: [origin software="rsyslogd" swVersion="[0-9.]*" x-pid="[0-9]*" x-info="http://www.rsyslog.com"] restart$ rsyslogd: -- MARK --$ +kernel: Kernel logging \(proc\) stopped. +kernel: imklog [0-9.]*, log source = /proc/kmsg started. -- 2.30.2 From 9926f878ab0e1a32ae167da47c9bd80105378ea1 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 10 Sep 2009 12:55:39 +0200 Subject: [PATCH 12/16] rsyslog: Put host-specific logs in separate dir. --- etc/rsyslog.conf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index df51b37..54022c1 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf @@ -54,17 +54,17 @@ $IncludeConfig /etc/rsyslog.d/*.conf ######################## # Log lines received from other servers (as well as our own logs) centrally. -$template FacilityLog,"/data/log/rsyslog/%fromhost%/facilities/%syslogfacility-text%.log" -$template SeverityLog,"/data/log/rsyslog/%fromhost%/severities/%syslogseverity-text%.log" -$template AppLog,"/data/log/rsyslog/%fromhost%/apps/%app-name%.log" +$template HostFacilityLog,"/data/log/rsyslog/hosts/%fromhost%/facilities/%syslogfacility-text%.log" +$template HostSeverityLog,"/data/log/rsyslog/hosts/%fromhost%/severities/%syslogseverity-text%.log" +$template HostAppLog,"/data/log/rsyslog/hosts/%fromhost%/apps/%app-name%.log" # Use a verbose logging format $template LogFormat, "%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %syslogfacility-text%.%syslogseverity-text%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" # Log by facility, severity and appname -*.* ?FacilityLog;LogFormat -*.* ?SeverityLog;LogFormat -*.* ?AppLog;LogFormat +*.* ?HostFacilityLog;LogFormat +*.* ?HostSeverityLog;LogFormat +*.* ?HostAppLog;LogFormat # Log all entries in a single file, which is meant to be parsed by logcheck # (hence the traditional format). *.* -/data/log/rsyslog/all.log;RSYSLOG_TraditionalFileFormat -- 2.30.2 From 32508c616759adb9c0eba12c51494ca87d313ed0 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 10 Sep 2009 13:02:58 +0200 Subject: [PATCH 13/16] logrotate: Update path to logfiles. The path has changed in the previous commit to include a "hosts" component. --- etc/logrotate.d/rsyslog-central | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/logrotate.d/rsyslog-central b/etc/logrotate.d/rsyslog-central index 4da5cde..d6884bb 100644 --- a/etc/logrotate.d/rsyslog-central +++ b/etc/logrotate.d/rsyslog-central @@ -1,7 +1,7 @@ # This file describes the rotation of the centralized log files in /data, from # all vservers. -/data/log/rsyslog/*/*/*.log +/data/log/rsyslog/hosts/*/*/*.log { # Never throw away logfiles for now rotate 999999 -- 2.30.2 From 94063426f36b90b391ed37c28a83980ae22a14c9 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 26 Jul 2010 15:26:53 +0200 Subject: [PATCH 14/16] oidentd: Add default configuration. --- etc/default/oidentd | 17 +++++++++++++++++ etc/oidentd.conf | 22 ++++++++++++++++++++++ etc/oidentd_masq.conf | 11 +++++++++++ 3 files changed, 50 insertions(+) create mode 100644 etc/default/oidentd create mode 100644 etc/oidentd.conf create mode 100644 etc/oidentd_masq.conf diff --git a/etc/default/oidentd b/etc/default/oidentd new file mode 100644 index 0000000..14bec1e --- /dev/null +++ b/etc/default/oidentd @@ -0,0 +1,17 @@ +# options to use when starting oidentd as daemon: +# -m lookup masquaraded connections in /etc/oidentd_masq.users +# -f forward requests for masquaraded connections to real host +# -q don't log connections to oidentd +# see oidentd(8) for detailed list +OIDENT_OPTIONS="-mf" + +# user / group +OIDENT_USER=oident +OIDENT_GROUP=oident + +# Allow the default router to act as an oidentd proxy? (yes/no) +# this is needed behind a masquarading router that runs oidentd -f +# if your identd proxy is not the default router, you have to +# manually specify it via -P +OIDENT_BEHIND_PROXY=yes + diff --git a/etc/oidentd.conf b/etc/oidentd.conf new file mode 100644 index 0000000..03b28d8 --- /dev/null +++ b/etc/oidentd.conf @@ -0,0 +1,22 @@ +# Configuration for oidentd +# see oidentd.conf(5) +# +default { + default { + deny spoof + deny spoof_all + deny spoof_privport + allow random + allow random_numeric + allow numeric + deny hide + } +} + +# you may want to hide root connections +#user "root" { +# default { +# force reply "UNKNOWN" +# } +#} + diff --git a/etc/oidentd_masq.conf b/etc/oidentd_masq.conf new file mode 100644 index 0000000..8fb03f1 --- /dev/null +++ b/etc/oidentd_masq.conf @@ -0,0 +1,11 @@ +# oident masquarded connections configuration + +# use this file if your host is masquarading connections for several +# hosts and you want to return a reply based on the hostname of +# the originating machine +# by default, such requests are forwarded to the real host. +# you can disable forwarding by removing "-f" from OIDENT_OPTIONS +# in /etc/default/oidentd + +# add hosts in the following format, see oidentd_masq.conf(5) for details: +# [/mask] -- 2.30.2 From a799b50b1d46b49b57ce3212c2fcf60317e7a6f9 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 26 Jul 2010 15:29:31 +0200 Subject: [PATCH 15/16] oidentd: Allow the vserver host to forward connections. --- etc/default/oidentd | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/etc/default/oidentd b/etc/default/oidentd index 14bec1e..f807bd5 100644 --- a/etc/default/oidentd +++ b/etc/default/oidentd @@ -2,16 +2,19 @@ # -m lookup masquaraded connections in /etc/oidentd_masq.users # -f forward requests for masquaraded connections to real host # -q don't log connections to oidentd +# -P allow forwarded connectsions from this host. We use our own +# hostname here, since connections will be forwarded from oidentd +# on the vserver host. Those connections will appear to originate +# from our own (and only) IP address. # see oidentd(8) for detailed list -OIDENT_OPTIONS="-mf" +OIDENT_OPTIONS="-mf -P `hostname`" # user / group OIDENT_USER=oident OIDENT_GROUP=oident # Allow the default router to act as an oidentd proxy? (yes/no) -# this is needed behind a masquarading router that runs oidentd -f -# if your identd proxy is not the default router, you have to -# manually specify it via -P -OIDENT_BEHIND_PROXY=yes +# Since the vserver stuff messes up this autodetection, we pass in -P +# above instead. +OIDENT_BEHIND_PROXY=no -- 2.30.2 From fd2836ef60fcd0bb7fafae8fa824e286b21d0ff6 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 31 May 2012 22:32:39 +0200 Subject: [PATCH 16/16] logcheck: Add some more dovecot ignore patterns. --- etc/localtime | Bin 36 -> 2917 bytes etc/logcheck/ignore.d.server/000-local-dovecot | 6 +++++- 2 files changed, 5 insertions(+), 1 deletion(-) mode change 120000 => 100644 etc/localtime diff --git a/etc/localtime b/etc/localtime deleted file mode 120000 index 0639c90..0000000 --- a/etc/localtime +++ /dev/null @@ -1 +0,0 @@ -/usr/share/zoneinfo/Europe/Amsterdam \ No newline at end of file diff --git a/etc/localtime b/etc/localtime new file mode 100644 index 0000000000000000000000000000000000000000..30ca3243a5abc6f8a427edfd64a92b9e066d0198 GIT binary patch literal 2917 zcmc)LdrVe!9LMp4LLeUS3&usoTSRz4L{UN_@rKW4sm0gV7%&9e2zxQEXT(0?_=f^p(!!!P2jQ7VgVOCy$ z>pxe3`GlLR#@xJjTxrK%UD^0$_NsGx?A2xa?T;#=>@~|n?X{ZZtSh=@uP=ynHe{Z+ z%QAeNjR|#jdDKLwBKn}SY0_n9v+o9HbJGNS%az4WW%MPx^7ssA>(6<1RmEs$Tf+*c z`t9D%_U&Dq9R*L?A1@nc*JSjvcg|hx?25DP-JZSno_0<4-r>d0-e1nxwc&G|+Ot=k zy4xG=`aKQKzVm0D{U2642kLX2gT>37Llq~TLl<(g4`Zr{R~kX@@V?YRALxYp1$;iKwiS&a2i) z7e}S*f;XgFexY>Fo+b~adL(jaiaZ>XAW;#~@`xQS(LTu+J#3$CufN>wlz|N~Bp?|R?G?&PrPNh2N z;#3*@dyx*QPnO5N&eEaflQpq+h(5j~Nr$bB(BXNJnzU%JJTcNolXE-Ch^Q-?lH4pK zeLm4qk>ALurtf5Q>w_}7;eC>}kONR57j(zrB9hW~{ z$3L2{p43tLOjx>R#`M(8n{k>IGE%a>3fAXt^pFX=e$|PM{*t{mNOEef%A}I(GP$%t zrc7>>sSAJ9=ZEc--MemiwWXVn?sFV~sPg*xlRe0|}fM_=4DQS*<@ zk(b^{)Y;|Z<>i@OwP49WnKO2%6y}A=+B6ej`uhAbEm>NkmRGCR_jn%g_A#f8ub+Et|F-w*SXOYEm-%P( zF15VxeD|)l{LCi@yzIZ8fno(&Rzx?ikUO6(pYu!~@3E57JXU%NxA`X7yd?8tSzhKc z55E4n%r~C97bDR85I5IObMxNi4|BB&9-EKU!_^c7sR&XMq$WsFkg6bMLF$4O2B{2E z8l*NzaggdD<#9FjK?;Oa$kmhxsS#2nq)JGckUAlSLMnxn3aJ%RETmdUxsZCfnt~w} zb2TMHYK9aIsTxu?q;5#zkjlB5(jm1&iicDWDIZclq<}~TkrE;`M2d)15h){5NB+1J z($!QFDJ4=%q?kxGk#ZvSL<)*j6e%fEQ&&?|q^d|+k-8##T%@{4d6D`e z1x6~2lo+WoQe;0tZ`mvocY4NcGW8-4d L`o&@2c>g~E-dmAr literal 0 HcmV?d00001 diff --git a/etc/logcheck/ignore.d.server/000-local-dovecot b/etc/logcheck/ignore.d.server/000-local-dovecot index ddb605a..0c6615a 100644 --- a/etc/logcheck/ignore.d.server/000-local-dovecot +++ b/etc/logcheck/ignore.d.server/000-local-dovecot @@ -1,4 +1,5 @@ -dovecot: deliver\([-a-z]*\): sieve: msgid=[^:]*: stored mail into mailbox '[^']*'$ +dovecot: deliver\([-a-z]*\): sieve: msgid=.*: stored mail into mailbox '[^']*'$ +dovecot: deliver\([-a-z]*\): msgid=[^:]*: saved mail to .*$ dovecot-auth: pam_unix\(dovecot:session\): session opened for user [-a-z]* by \(uid=0\)$ dovecot-auth: pam_unix\(dovecot:session\): session opened for user [-a-z]*$ dovecot-auth: pam_unix\(dovecot:session\): session closed for user [-a-z]*$ @@ -7,3 +8,6 @@ dovecot: IMAP\([-a-z]*\): Connection closed: Connection reset by peer bytes=[0-9 dovecot: IMAP\([-a-z]*\): Disconnected: Logged out bytes=[0-9/]*$ dovecot: IMAP\([-a-z]*\): Disconnected in IDLE bytes=[0-9/]*$ dovecot: IMAP\([-a-z]*\): Disconnected for inactivity bytes=[0-9/]*$ +dovecot: imap-login: Disconnected (no auth attempts): rip=[0-9.]*, lip=[0-9.]*, TLS$ +dovecot: imap-login: Disconnected \(no auth attempts\): rip=[0-9.]*, lip=[0-9.]*, TLS: Disconnected$ +dovecot: imap-login: Disconnected \(no auth attempts\): rip=[0-9.]*, lip=[0-9.]*, TLS handshaking: Disconnected$ -- 2.30.2