On Tue, Aug 25, 2020 at 01:08:06 +0000, Daan van Gorkum wrote:
> Hi Jeff,
>
> Thanks for your reply!
>
> Regarding grouping by remote address, I understand and for now I'll keep a
> close eye. Maybe it's an option to group by /24 for IPv4 and /64 for IPv6?

Hrm, interesting idea.  But the answer is: no, there isn't a way.

The simplest way to implement something like this would be to add a new
aggregating function.  So one could do something like:

    remote_ip:netmask4:24
    remote_ip:netmask6:64

To get /24 and /64, respectively.

I'll throw this idea on the ever-growing pile of things that can be worked
on :)  Obviously, I can't make any promises about this ever getting done.

> We currently do that based on the logs but the OpenMetrics endpoint seems a
> lot easier.

Aggregating based on a subnet definitely makes sense.

> A slight hijack of the original question: but I tried to log only IP
> addresses (+ result) of failed login attempts but it seems I cannot find a
> metric that would contain that information. Am I looking in the wrong
> direction? The auth_userdb_request_finished and
> auth_passdb_request_finished stats work as intended but they do not
> contain any information about the connecting client.

I haven't played with these events, but at least based on the docs [1],
auth_client_userdb_lookup_finished and auth_client_passdb_lookup_finished
events seem to have the remote_ip field as well as an error string on
failure.  Does that give you the info you need?

Jeff.

[1] https://doc.dovecot.org/admin_manual/list_of_events/
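
The /24 and /64 grouping discussed in this thread, done outside Dovecot over already-exported event records. This is an added example, not part of the original message and not Dovecot code. It assumes each record is a dict with the remote_ip field and an "error" key holding the failure string (that key name, the error texts and the sample records are constructed).

```python
import ipaddress
from collections import Counter

V4_PREFIX = 24  # prefix lengths proposed in the thread
V6_PREFIX = 64


def subnet_key(remote_ip, v4_prefix=V4_PREFIX, v6_prefix=V6_PREFIX):
    """Return the covering network of remote_ip as a string, or None if unparsable."""
    try:
        addr = ipaddress.ip_address(remote_ip.strip())
    except ValueError:
        return None
    # An IPv4 client seen through a dual-stack socket shows up as ::ffff:a.b.c.d.
    # Bucket it with plain IPv4 so one source is not split across two keys.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def failed_by_subnet(events):
    """Count failed lookups per subnet. Returns (Counter, skipped_record_count)."""
    counts, skipped = Counter(), 0
    for ev in events:
        if not ev.get("error"):  # no error string means the lookup succeeded
            continue
        key = subnet_key(ev.get("remote_ip") or "")
        if key is None:
            skipped += 1  # keep a tally so malformed records are not silently lost
        else:
            counts[key] += 1
    return counts, skipped


# Constructed sample records using documentation address ranges.
SAMPLE_EVENTS = [
    {"remote_ip": "192.0.2.10", "error": "Password mismatch"},
    {"remote_ip": "192.0.2.77", "error": "Password mismatch"},
    {"remote_ip": "::ffff:192.0.2.200", "error": "unknown user"},
    {"remote_ip": "198.51.100.5", "error": None},
    {"remote_ip": "2001:db8:1:2::a", "error": "Password mismatch"},
    {"remote_ip": "2001:db8:1:2:ffff::b", "error": "Password mismatch"},
    {"remote_ip": "2001:db8:1:3::a", "error": "Password mismatch"},
    {"remote_ip": "not-an-ip", "error": "Password mismatch"},
]

if __name__ == "__main__":
    for net, n in failed_by_subnet(SAMPLE_EVENTS)[0].most_common():
        print(f"{n:4d}  {net}")
```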