Logging
Logging in mailcow: dockerized consists of multiple stages, but is, after all, much more flexible and easier to integrate into a logging daemon than before.
In Docker the containerized application (PID 1) writes its output to stdout. For real one-application containers this works just fine. Run the command below to learn more:
docker compose logs --help
docker-compose logs --help
Some containers log or stream to multiple destinations.
No container will keep persistent logs in it. Containers are transient items!
In the end, every line of logs will reach the Docker daemon - unfiltered.
The default logging driver is "json".
Filtered logs¶
Some logs are filtered and written to Redis keys but also streamed to a Redis channel.
The Redis channel is used to stream logs with failed authentication attempts to be read by netfilter-mailcow.
The Redis keys are persistent and will keep 10000 lines of logs for the web UI.
This mechanism makes it possible to use whatever Docker logging driver you want to, without losing the ability to read logs from the UI or ban suspicious clients with netfilter-mailcow.
Redis keys will only hold logs from applications and filter out system messages (think of cron etc.).
Logging drivers¶
Via docker-compose.override.yml¶
Here is the good news: Since Docker has some great logging drivers, you can integrate mailcow: dockerized into your existing logging environment with ease.
Create a docker-compose.override.yml
and add, for example, this block to use the "gelf" logging plugin for postfix-mailcow
:
services:
postfix-mailcow: # or any other
logging:
driver: "gelf"
options:
gelf-address: "udp://graylog:12201"
Another example for Syslog:
services:
postfix-mailcow: # or any other
logging:
driver: "syslog"
options:
syslog-address: "udp://127.0.0.1:514"
syslog-facility: "local3"
dovecot-mailcow: # or any other
logging:
driver: "syslog"
options:
syslog-address: "udp://127.0.0.1:514"
syslog-facility: "local3"
rspamd-mailcow: # or any other
logging:
driver: "syslog"
options:
syslog-address: "udp://127.0.0.1:514"
syslog-facility: "local3"
For Rsyslog only:¶
Make sure the following lines aren't commented out in /etc/rsyslog.conf
:
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
To move local3
input to /var/log/mailcow.log
and stop processing, create a file /etc/rsyslog.d/docker.conf
:
local3.* /var/log/mailcow.log
& stop
Restart rsyslog afterwards.
via daemon.json (globally)¶
If you want to change the logging driver globally, edit Dockers daemon configuration file /etc/docker/daemon.json
and restart the Docker service:
{
...
"log-driver": "gelf",
"log-opts": {
"gelf-address": "udp://graylog:12201"
}
...
}
For Syslog:
{
...
"log-driver": "syslog",
"log-opts": {
"syslog-address": "udp://1.2.3.4:514"
}
...
}
Restart the Docker daemon and run the commands below to recreate the containers with the new logging driver:
docker compose down
docker compose up -d
docker-compose down
docker-compose up -d
Log rotation¶
As those logs can get quite big, it is a good idea to use logrotate to compress and delete them after a certain time period.
Create /etc/logrotate.d/mailcow
with the following content:
/var/log/mailcow.log {
rotate 7
daily
compress
delaycompress
missingok
notifempty
create 660 root root
}
With this configuration, logrotate will run daily and keep a maximum of 7 archives.
To rotate the logfile weekly or monthly replace daily
with weekly
or monthly
respectively.
To keep more archives, set the desired number of rotate
.
Afterwards, logrotate can be restarted.