Separating and Sorting Postfix and Dovecot Logs with Rsyslog

I encountered a rather constraining issue for sticklers like me: my mail server hosts the Postfix and Dovecot duo. The logs are respectively distributed in /var/log/mail.log for Postfix and /var/log/mail.log for Dovecot. The problem is that, when sending these logs via Rsyslog to the receiving server, I ended up with a concatenation of both files into one. Let’s discover the solution to this problem together!

[Figure: diagram representing a transfer of Postfix and Dovecot logs to an rsyslog server]

We start by checking Dovecot’s log configuration on the mail server:

cat /etc/dovecot/dovecot.conf | grep log_path
log_path = /var/log/dovecot.log

If the result is not log_path = /var/log/dovecot.log, then you will need to modify the dovecot.conf file accordingly.

Now we need to configure Rsyslog on the mail server, so we edit the configuration file:

nano /etc/rsyslog.conf

And we add the following directives

$ModLoad imfile

$InputFileName /var/log/dovecot.log
$InputFileTag dovecot:
$InputFileStateFile dovecot-log
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

Explanation:

  • $ModLoad imfile
    Loads the imfile module to enable rsyslog to read arbitrary text files.
  • $InputFileName /var/log/dovecot.log
    Specifies the log file to monitor, in this case, /var/log/dovecot.log.
  • $InputFileTag dovecot:
    Sets the tag to be used to identify messages from the log. In this case, the tag is dovecot.
  • $InputFileStateFile dovecot-log
    Sets a state file that will be used to track the position in the log file. This allows rsyslog to resume reading the log file where it left off during the last stop or restart.
  • $InputFileSeverity info
    Sets the severity level for messages from this log file. In this case, the level is info.
  • $InputFileFacility local7
    Sets the syslog logging facility to use. local7 is one of the available custom facility values.
  • $InputRunFileMonitor
    Triggers the monitoring of the specified file.

Then we restart the Rsyslog service

systemctl restart rsyslog.service

Now we need to configure the Rsyslog server so that it can sort all of this

We edit the configuration file

nano /etc/rsyslog.conf

Then we add the following lines in the “Rules” section of the file, making sure to replace “IPDUSERVEURMAIL” with the correct address!

$template DynamicFile,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* -?DynamicFile


if $fromhost-ip=='IPDUSERVEURMAIL' and $programname startswith 'postfix' then /var/log/CT-mail/mail.log
& stop


if $fromhost-ip=='IPDUSERVEURMAIL' and $programname startswith 'dovecot' then /var/log/CT-mail/dovecot.log
& stop

A quick restart of the Rsyslog service and you’re good to go 🙂

systemctl restart rsyslog.service
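
The order of the three server rules above can be dry-run before restarting the service. The following Python sketch is an added example, not part of the original post or of rsyslog: it models the rules over constructed sample messages. The IP 192.0.2.10, the hostnames and the function names are assumptions, and the program name is derived the way rsyslog does by default (tag cut at the first ':', '[' or '/').

```python
import re

MAIL_SERVER_IP = "192.0.2.10"  # constructed stand-in for IPDUSERVEURMAIL

# Constructed sample messages: (sender IP, reported hostname, syslog tag)
SAMPLES = [
    ("192.0.2.10", "mx1", "postfix/smtpd[2211]:"),
    ("192.0.2.10", "mx1", "postfix/qmgr[980]:"),
    ("192.0.2.10", "mx1", "dovecot:"),            # tag set by $InputFileTag
    ("192.0.2.10", "mx1", "sshd[4121]:"),
    ("192.0.2.77", "web01", "postfix/smtp[15]:"),  # some other host
]


def programname(tag):
    """Static part of the tag, cut at the first ':', '[' or '/'.

    Assumption: rsyslog defaults (parser.permitSlashInProgramName off).
    """
    return re.split(r"[:\[/]", tag, maxsplit=1)[0]


def destinations(fromhost_ip, hostname, tag):
    """List every file the rule set writes this message to, in rule order."""
    prog = programname(tag)
    # Rule 1: "*.* -?DynamicFile" matches everything and does not stop.
    files = [f"/var/log/{hostname}/{prog}.log"]
    # Rules 2 and 3: each ends with "& stop", so at most one applies.
    if fromhost_ip == MAIL_SERVER_IP and prog.startswith("postfix"):
        files.append("/var/log/CT-mail/mail.log")
    elif fromhost_ip == MAIL_SERVER_IP and prog.startswith("dovecot"):
        files.append("/var/log/CT-mail/dovecot.log")
    return files


if __name__ == "__main__":
    for ip, host, tag in SAMPLES:
        print(f"{ip:<12} {tag:<22} -> {', '.join(destinations(ip, host, tag))}")
```

Postfix and Dovecot messages from the mail server show up in two files because the catch-all rule is evaluated before the two filters. Moving the filters above the catch-all would let "& stop" keep them out of the per-host files.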
