Monit and Dovecot and SSHD logs.
How to get rid of millions of meaningless Monit entries in Dovecot and SSHD logs?
/var/log/dovecot/dovecot.log:
Sep 07 11:44:44 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.168.1.2, lip=192.168.1.2, TLS, session=<Omf7xmPLWMXAqAFs>
/var/log/auth.log:
Sep 7 11:42:34 debian sshd[28955]: Connection closed by 127.0.0.1 port 33568 [preauth]
Comments (2)
I think the same as mentioned by Lutz also applies to your dovecot logs. Monit simply connects to the service, so dovecot registers that.
You could however clean up the log files using sed for example:
sed -i '/, rip=192\.168\.1\.2, lip=192\.168\.1\.2,/d' /var/log/dovecot/dovecot.log
sed -i '/Connection closed by 127\.0\.0\.1 port/d' /var/log/auth.log
Where:
-i means inline, so it changes the file in-place
'<regex>' is the regular expression to match
/d means to remove the lines matching the regex
Keep in mind that this will delete all lines that belong to local connections. So if you use a local application to check mails with dovecot, these lines will also get deleted - you could enhance the regex if needed. Same applies to loopback connections on ssh, but those should most likely not happen.
Another thing: My examples do work on GNU sed, but not on BSD/MacOS sed. See this SO thread for hints if you use BSD/MacOS.
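A tighter match than the sed lines above, as an added example that is not part of the original comment: it drops only lines shaped like the probe entries quoted on this page and keeps real local logins. The function names are hypothetical, the sample log lines are constructed, and it assumes Monit's probes always log an empty user with rip equal to lip.

```shell
#!/bin/sh
# Added example; function names are hypothetical, log formats are those quoted on this page.

# Dovecot: drop only probe lines (aborted login, no auth attempts, empty user,
# rip equal to lip). Logins that name a user or come from another host stay.
filter_dovecot_probes() {
    awk '
    /imap-login: Info: Aborted login \(no auth attempts/ && /user=<>,/ {
        rip = ""; lip = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^rip=/) rip = substr($i, 5)
            if ($i ~ /^lip=/) lip = substr($i, 5)
        }
        if (rip != "" && rip == lip) next   # same-host probe: skip the line
    }
    { print }' "$1"
}

# sshd: drop only pre-authentication closes from loopback, with or without
# the "port N" field; an authenticated loopback session is kept.
filter_sshd_probes() {
    sed -E \
      -e '/sshd\[[0-9]+\]: Connection closed by 127\.0\.0\.1( port [0-9]+)? \[preauth\]$/d' \
      -e '/sshd\[[0-9]+\]: Did not receive identification string from 127\.0\.0\.1( port [0-9]+)?$/d' \
      "$1"
}

# Constructed sample logs (not real data) written into directory $1.
make_samples() {
    cat > "$1/dovecot.log" <<'EOF'
Sep 07 11:44:44 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.168.1.2, lip=192.168.1.2, TLS, session=<AAAA>
Sep 07 11:45:01 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.2, mpid=4242, TLS, session=<BBBB>
Sep 07 11:46:10 imap-login: Info: Aborted login (no auth attempts in 2 secs): user=<>, rip=203.0.113.9, lip=192.168.1.2, TLS, session=<CCCC>
EOF
    cat > "$1/auth.log" <<'EOF'
Sep  7 11:42:34 debian sshd[28955]: Connection closed by 127.0.0.1 port 33568 [preauth]
Sep  7 11:42:40 debian sshd[19005]: Did not receive identification string from 127.0.0.1
Sep  7 11:43:02 debian sshd[29001]: Accepted publickey for root from 127.0.0.1 port 33570 ssh2
Sep  7 11:43:30 debian sshd[29010]: Connection closed by 203.0.113.9 port 50022 [preauth]
EOF
}

# Demo: filter to stdout; redirect into a new file rather than editing in place.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
filter_dovecot_probes "$demo_dir/dovecot.log"
filter_sshd_probes "$demo_dir/auth.log"
rm -rf "$demo_dir"
```

Both functions write to stdout and leave the source log untouched, so the result can be redirected to a new file and compared before anything is replaced.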
Hello,
to your sshd log comment,
this is working as designed. The message is being generated by the sshd because a process opened a connection but never authenticated.
You get some more messages if you authenticate (via login/logout or public key).
With regards,
Lutz
Appendage:
With protocol default you will see
if failed port 22 timeout 10 seconds for 3 cycles then alert
sshd[19005]: Did not receive identification string from 127.0.0.1
With protocol ssh you will see
if failed port 22 protocol ssh timeout 10 seconds for 3 cycles then alert
sshd[19089]: Connection closed by 127.0.0.1 [preauth]