Logwatch: How to fix Dovecot Unmatched Entries (CentOS / RHEL 6)

UPDATE: Thanks to jagro.nl and Julian Stokes, I was alerted to the fact that the current HEAD version of the script no longer works. You can use my old version instead.

You may have noticed the extra useless notices by Dovecot in your Logwatch report (you do check your Logwatch every day, right?).
These kinds of messages can be found under the Dovecot logs:

**Unmatched Entries**
dovecot: imap(useraccount): Connection closed bytes=16/338: 1 Time(s)
dovecot: imap(useraccount): Connection closed bytes=17/340: 7 Time(s)
dovecot: imap(useraccount): Connection closed bytes=18/342: 3 Time(s)

Depending on your activity, you could be getting this kind of message a few hundred times per day on busier setups.
A quick Google check reveals the following bug reports for Red Hat: Bug 666376 and Bug 669161.

This was fixed in Rawhide, but apparently hasn’t made it to Red Hat proper yet.

Let’s fix this in the cleanest possible way.
Logwatch stores the original scripts in /usr/share/logwatch/scripts/services/*, and these are bundled in the RPM that is installed by yum.
Changing these scripts wouldn’t help much, as they are overwritten by updates.

Logwatch also maintains a folder under /etc, /etc/logwatch/scripts/services/, where you can place your own scripts (according to the manpage, they will replace the scripts in /usr/share).

Just download the latest from the repository and name it dovecot:
http://logwatch.svn.sourceforge.net/viewvc/logwatch/scripts/services/

You should use this version for now and save it as dovecot: http://barry.coffeesprout.com/dovecot

With the dovecot script downloaded to /etc/logwatch/scripts/services/dovecot your report should now look a lot cleaner.

Run logwatch and you should see something like:

Dovecot IMAP and POP3 Successful Logins: 316
Dovecot disconnects: 286
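
To make the mechanism concrete, here is an added sketch (not the Logwatch project's dovecot script, and not code from this post) of how a service script's clauses decide what gets counted and what lands under Unmatched Entries. The sample lines are constructed, and the disconnect pattern and the pop3 alternation are assumptions; the login pattern is modelled on the HEAD clause quoted in the comments below.

```perl
#!/usr/bin/perl
# Added illustration, not the Logwatch project's script: clauses turn raw
# lines into counters; any line no clause claims is reported as unmatched.
use strict;
use warnings;

# Constructed sample input, as a service script would see it once the
# syslog prefix is stripped (user names and addresses are made up).
my @sample = (
    'imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS',
    'imap-login: Info: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1',
    'imap(alice): Connection closed bytes=16/338',
    'imap(alice): Connection closed bytes=17/340',
    'imap(bob): Disconnected: Logged out bytes=80/512',
    'auth: Warning: something this sketch has no clause for',
);

sub summarize {
    my ($logins, $disconnects) = (0, 0);
    my (%per_host, %unmatched);
    for my $line (@_) {
        # Login clause: optional "Info: " tag, capture user ($1) and remote IP ($2).
        if ($line =~ /^(?:imap|pop3)-login: (?:Info: )?Login: user=<(.*?)>.*rip=(.*?), lip=/) {
            $logins++;
            $per_host{$2}++;
        }
        # Disconnect clause (assumed pattern): ignore the byte counters so
        # every bytes=N/M variation collapses into a single counter.
        elsif ($line =~ /^(?:imap|pop3)\(.*?\): (?:Info: )?(?:Connection closed|Disconnected)\b/) {
            $disconnects++;
        }
        else {
            $unmatched{$line}++;    # reported verbatim with "N Time(s)"
        }
    }
    return ($logins, $disconnects, \%per_host, \%unmatched);
}

my ($logins, $disconnects, $per_host, $unmatched) = summarize(@sample);
print "Dovecot IMAP and POP3 Successful Logins: $logins\n";
print "Dovecot disconnects: $disconnects\n";
print "    $_: $per_host->{$_} Time(s)\n" for sort keys %$per_host;
print "\n**Unmatched Entries**\n" if %$unmatched;
print "    $_: $unmatched->{$_} Time(s)\n" for sort keys %$unmatched;
```

Keeping the unmatched bucket small matters for more than tidiness: a line Dovecot has never logged before only stands out in the daily report if it is not buried under hundreds of routine disconnects.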

I hope this has been somewhat helpful to you.

10 thoughts on “Logwatch: How to fix Dovecot Unmatched Entries (CentOS / RHEL 6)”

  1. I thought this was it, but unfortunately I now have the same lengthy logs, but with different unmatched entries.
    Sep 21 00:03:08 salusa dovecot: imap-login: Login: user=, method=PLAIN, rip=*.*.*.*, lip=192.168.10.15, mpid=7214, TLS: 1 Time(s)
    Sep 21 00:04:47 salusa dovecot: imap-login: Login: user=, method=PLAIN, rip=*.*.*.*, lip=192.168.10.15, mpid=7219, TLS: 1 Time(s)
    Sep 21 00:04:47 salusa dovecot: imap-login: Login: user=, method=PLAIN, rip=*.*.*.*, lip=192.168.10.15, mpid=7221, TLS: 1 Time(s)

    Do you have a fix for this as well?

  2. Tried this but am having the same problem as Jagro.nl below. Something must have changed re Dovecot and its logging. My dovecot version reports itself as 2.09

    1. Interesting. When looking at the latest head it looks like they have added an additional clause for the login:

      elsif ( ( ($User, $Host) = ( $ThisLine =~ /^imap-login: Login: (.*?) \[(.*)\]/ ) ) or
      ( ($User, $Host) = ( $ThisLine =~ /^imap-login: Info: Login: user=<(.*?)>.*rip=(.*), lip=/ ) ) ) {

      The one I downloaded only contains:

      elsif ( ($User, $Host) = ( $ThisLine =~ /^imap-login: Login: (.*?) \[(.*)\]/ ) ) {

      Check out the latest version: http://sourceforge.net/p/logwatch/code/HEAD/tree/scripts/services/dovecot

          1. Thanks for that – did exactly what it should do and outputted

            Dovecot IMAP and POP3 Successful Logins: 1264
            Dovecot disconnects: 1261

          2. Thanks for checking. I’m going to update the blog post with your findings. Will probably see if I can raise a ticket with the project about this.
