SOLVED Dovecot Maillog Output Question

[LennonZA]

Hi guys!

I have been trying to find a decent explanation of the Dovecot Maillog output, specifically for IMAP users.

The command I used is as follows:

cat /var/log/maillog | grep "[email protected]" | grep "imap" | grep "Logged out"

The output line that confuses me is as follows:

dovecot: imap([email protected]): Logged out in=787, out=63023692, bytes=787/63023692

Basically, I need to know exactly what each of the following means:

Logged out in=
out=
bytes=

Any info would be awesome.

 

[rpvw]

This looks confusing, but I shall try and make it a bit simpler:

The IMAP section of the dovecot.conf contains the variables that are used to write to the log:

  # IMAP logout format string:
  #  %i - total number of bytes read from client
  #  %o - total number of bytes sent to client
imap_logout_format = in=%i, out=%o, bytes=%i/%o

The log entry you are seeing has a number of parts:
dovecot:imap - the process is dovecot and the protocol is IMAP
user - the name of the account that is using the protocol
Logged out - the fact that the user has logged out of an IMAP session
in= - the number of bytes of data read from the client
out= - the number of bytes of data sent to the client
bytes= in/out - the number of bytes of data read/sent to the client

Why the number of bytes data is repeated, I have no idea

Hope this helps

 

[LennonZA]

This looks confusing, but I shall try and make it a bit simpler:

The IMAP section of the dovecot.conf contains the variables that are used to write to the log:

  # IMAP logout format string:
  #  %i - total number of bytes read from client
  #  %o - total number of bytes sent to client
imap_logout_format = in=%i, out=%o, bytes=%i/%o

The log entry you are seeing has a number of parts:
dovecot:imap - the process is dovecot and the protocol is IMAP
user - the name of the account that is using the protocol
Logged out - the fact that the user has logged out of an IMAP session
in= - the number of bytes of data read from the client
out= - the number of bytes of data sent to the client
bytes= in/out - the number of bytes of data read/sent to the client

Why the number of bytes data is repeated, I have no idea

Hope this helps

Hi rpvw.

Thanks for replying.

So the out= section indicates what the client has downloaded and the bytes= section is the total amount of data which the client has sent / uploaded to the server as well as what he / she has downloaded?

 

[rpvw]

bytes = is just a repeat of the in= and the out= ..... I have no idea why they decided to repeat the same data in a different format

Look at the variables used: imap_logout_format = in=%i, out=%o, bytes=%i/%o

 

[LennonZA]

bytes = is just a repeat of the in= and the out= ..... I have no idea why they decided to repeat the same data in a d¡different format

Look at the variables used: imap_logout_format = in=%i, out=%o, bytes=%i/%o

Cool.

Thanks very much for explaining this.

 

[cPanelLauren]

@rpvw

Thanks for your answer here, perfect!

 

[Esquio]

Hello
I'm investigating a phishing fraud, so the logs are useful. I remember that dovecot logging had the "retr=0/0,del=0/0" parameter info to know the deleted mails once user makes logout, however on my log it only appears that this post say, I only have the "in=0,out=0" section so I can't know if a message was deleted.

Why the log was changed? How can activate that parameters?