Background
I gave myself this task because I wanted to write an advanced script that can:
- Extract a ban from fail2ban based on IP address, and then store the date…then…
- Look up the corresponding entry in /var/log/mail.log on an Ubuntu server to report the username (in the case of Dovecot) or otherwise the line from SASL.
The challenge was that the default date logging format on a Virtualmin Postfix server is something like this:
Dec 1 07:26:42 hostname dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=a.b.c.d …
What I would prefer instead is this, because it makes my script so much easier:
2022-12-01 07:26:42 hostname dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=a.b.c.d
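As an added example (not the author's script and not part of the original post), here is a lookup in the shape the Background describes: given an IP that fail2ban banned, and optionally the ban's date as a prefix, pull the matching lines out of a mail.log written in the new YYYY-MM-DD HH:MM:SS format and print the Dovecot username where one is present, or the whole line (the Postfix SASL warning) where it is not. The hostname, addresses, accounts and log lines are constructed sample data; the function names are mine.

```shell
#!/bin/sh
# Added example, not the post author's script: correlate a fail2ban-banned IP
# with the mail.log lines about it, now that the log uses YYYY-MM-DD HH:MM:SS.
set -u

# Constructed sample of /var/log/mail.log after the template change (made-up
# hostname, documentation-range addresses and fictional accounts).
sample_log() {
    cat <<'EOF'
2022-12-01 07:26:42 mailhost dovecot: imap-login: Login: user=<alice@example.test>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
2022-12-01 07:27:03 mailhost postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
2022-12-01 07:27:15 mailhost dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<bob@example.test>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
2022-12-02 09:00:01 mailhost dovecot: imap-login: Login: user=<carol@example.test>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
EOF
}

# lookup_ip IP [DATE_PREFIX]   (reads the log on stdin)
#   Prints "user=<...>" for each Dovecot line that mentions IP, and the whole
#   line for anything else (a Postfix SASL warning carries no Dovecot user).
#   DATE_PREFIX is compared literally against the start of the line, so both
#   "2022-12-01" and "2022-12-01 07:2" work; the ISO timestamp is what makes a
#   plain prefix comparison possible.
lookup_ip() {
    ip=$1
    prefix=${2:-}
    # -w: whole-word match, so 192.0.2.1 does not also match 192.0.2.10
    grep -Fw -- "$ip" | while IFS= read -r line; do
        case $line in
            "$prefix"*) ;;
            *) continue ;;
        esac
        case $line in
            *'user=<'*'>'*)
                user=${line#*user=<}   # drop everything up to "user=<"
                user=${user%%>*}       # drop everything from the first ">"
                printf 'user=<%s>\n' "$user"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# Usage on the sample: everything logged about 203.0.113.7 on 2022-12-01.
# On a real server: lookup_ip "$banned_ip" "$ban_date" < /var/log/mail.log
sample_log | lookup_ip 203.0.113.7 2022-12-01
```

On the server the IP comes from fail2ban (for example from `fail2ban-client status <jail>`) and the log is `/var/log/mail.log` on stdin; the prefix argument is the part of the ban time you want to narrow to. The prefix check is a shell `case` pattern rather than a second grep, so an empty prefix simply matches every line.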
The solution was to modify two files.
Disclaimer:
This is advanced sysadmin stuff. If you break your logging you’ll end up in the proverbial dump and struggle to recover. It’s really very close to the end of the world.
/etc/rsyslog.d/postfix.conf
First you want to let the mail.* event know about its new format.
Add these lines below $AddUnixListenSocket (the template is rsyslog's stock TraditionalFileFormat with the %TIMESTAMP% property spelled out as year-month-day hour:minute:second):
# Log mail messages in a more sensible date format.
$template MailLogFormat,"%timestamp:::date-year%-%timestamp:::date-month%-%timestamp:::date-day% %timestamp:::date-hour%:%timestamp:::date-minute%:%timestamp:::date-second% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
mail.* -/var/log/mail.log;MailLogFormat
/etc/rsyslog.d/50-default.conf
Once you have added the new format, you can safely disable the old format.
Comment out the following line:
#mail.* -/var/log/mail.log
Next, restart rsyslog:
service rsyslog restart
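As an added example (my own checks, not from the original post), here is what I would run around that restart: validate the rsyslog configuration before restarting, confirm the newest mail.log lines carry the new timestamp and are not being written twice (which is what you get while the old mail.* line in 50-default.conf is still active), and, because fail2ban reads the same file, confirm its Dovecot filter still parses it. `matches_new_format` is a pure function over any input; the live checks run only with `--live` and assume the stock `/etc/fail2ban/filter.d/dovecot.conf` path and that `logger` is installed.

```shell
#!/bin/sh
# Added example, not from the original post: checks around the rsyslog restart.
set -u

# matches_new_format   (reads log lines on stdin)
#   Succeeds only if every line starts with "YYYY-MM-DD HH:MM:SS ". A mix of
#   formats means the old mail.* line in 50-default.conf is still active next
#   to MailLogFormat, so every message is being written twice. Empty input
#   counts as matching.
matches_new_format() {
    ! grep -qvE '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} '
}

live_checks() {
    # 1. Syntax-check the whole rsyslog config before restarting; a broken
    #    template line would otherwise cost you your mail logging.
    rsyslogd -N1 || {
        echo "rsyslog configuration does not validate; fix it before restarting" >&2
        return 1
    }
    service rsyslog restart

    # 2. Send a test message to the mail facility and look at the newest lines.
    logger -p mail.info "MailLogFormat check"
    sleep 1
    if tail -n 5 /var/log/mail.log | matches_new_format; then
        echo "mail.log is in the new format"
    else
        echo "old or mixed timestamps in mail.log; check 50-default.conf" >&2
    fi

    # 3. fail2ban parses the same file: confirm its Dovecot filter still
    #    matches lines with the new timestamp (stock filter path assumed).
    if command -v fail2ban-regex >/dev/null 2>&1; then
        fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Run it as `sh check.sh --live` on the server after editing both files; without `--live` it only defines the functions, so `matches_new_format` can be pointed at any saved log excerpt.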