Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "mailbox": { "text": "The mailbox name
\n" }, "uid": { "text": "The UID that was expunged from FTS index
\n" } }, "text": "Added: 2.4.0\nEmitted when a message is expunged from a mailbox.
\n" }, "fts_flatcurve_index": { "added": { "fts_flatcurve": false }, "root": "fts-flatcurve", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "mailbox": { "text": "The mailbox name
\n" }, "uid": { "text": "The UID that was added to the FTS index
\n" } }, "text": "Added: 2.4.0\nEmitted when a message is indexed.
\n" }, "fts_flatcurve_last_uid": { "added": { "fts_flatcurve": false }, "root": "fts-flatcurve", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "mailbox": { "text": "The mailbox name
\n" }, "uid": { "text": "The last UID contained in the FTS index
\n" } }, "text": "Added: 2.4.0\nEmitted when the system queries for the last UID indexed.
\n" }, "fts_flatcurve_optimize": { "added": { "fts_flatcurve": false }, "root": "fts-flatcurve", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "mailbox": { "text": "The mailbox name
\n" } }, "text": "Added: 2.4.0\nEmitted when a mailbox is optimized.
\n" }, "fts_flatcurve_query": { "added": { "fts_flatcurve": false }, "root": "fts-flatcurve", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "count": { "text": "The number of messages matched
\n" }, "mailbox": { "text": "The mailbox name
\n" }, "maybe": { "text": "Are the results uncertain? [yes | no]
\n" }, "query": { "text": "The query text sent to Xapian
\n" }, "uids": { "text": "The list of UIDs returned by the query
\n" } }, "text": "Added: 2.4.0\nEmitted when a query is completed.
\n" }, "fts_flatcurve_rescan": { "added": { "fts_flatcurve": false }, "root": "fts-flatcurve", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "expunged": { "text": "The list of UIDs that were expunged during rescan
\n" }, "mailbox": { "text": "The mailbox name
\n" }, "status": { "text": "Status of the rescan [expunge_msgs | missing_msgs | ok]
\n" }, "uids": { "text": "The list of UIDs that triggered a non-ok status response
\n" } }, "text": "Added: 2.4.0\nEmitted when a rescan is completed.
\n" }, "fts_flatcurve_rotate": { "added": { "fts_flatcurve": false }, "root": "fts-flatcurve", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "mailbox": { "text": "The mailbox name
\n" } }, "text": "Added: 2.4.0\nEmitted when a mailbox has its underlying Xapian DB rotated.
\n" }, "auth_client_passdb_lookup_started": { "root": "auth-client", "inherit": "auth_client_lookup", "text": "Authentication client starts a passdb lookup.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Full username to lookup.
\n" }, "error": { "text": "Error string, if error occurred.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Name of service. Examples: imap, pop3, lmtp, ...
Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSSession identifier.
\n" }, "certificate_user": { "text": "Username from certificate.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
TLS SNI.
\n" }, "local_ip": { "text": "Local IP client connected to.
\n" }, "remote_ip": { "text": "Remote IP of client.
\n" }, "local_port": { "text": "Local port client connected to.
\n" }, "remote_port": { "text": "Remote port of client.
\n" }, "real_local_ip": { "text": "Real local IP as seen by the server.
\n" }, "real_remote_ip": { "text": "Real remote IP as seen by the server.
\n" }, "real_local_port": { "text": "Real local port as seen by the server.
\n" }, "real_remote_port": { "text": "Real remote port as seen by the server.
\n" }, "tls_cipher": { "text": "Cipher name used, e.g. TLS_AES_256_GCM_SHA384.
Cipher bits, e.g. 256.
Perfect forward-security mechanism, e.g. KxANY, KxECDHE.
TLS protocol name, e.g. TLSv1.3.
Authentication client finishes a passdb lookup.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Full username to lookup.
\n" }, "error": { "text": "Error string, if error occurred.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Name of service. Examples: imap, pop3, lmtp, ...
Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSSession identifier.
\n" }, "certificate_user": { "text": "Username from certificate.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
TLS SNI.
\n" }, "local_ip": { "text": "Local IP client connected to.
\n" }, "remote_ip": { "text": "Remote IP of client.
\n" }, "local_port": { "text": "Local port client connected to.
\n" }, "remote_port": { "text": "Remote port of client.
\n" }, "real_local_ip": { "text": "Real local IP as seen by the server.
\n" }, "real_remote_ip": { "text": "Real remote IP as seen by the server.
\n" }, "real_local_port": { "text": "Real local port as seen by the server.
\n" }, "real_remote_port": { "text": "Real remote port as seen by the server.
\n" }, "tls_cipher": { "text": "Cipher name used, e.g. TLS_AES_256_GCM_SHA384.
Cipher bits, e.g. 256.
Perfect forward-security mechanism, e.g. KxANY, KxECDHE.
TLS protocol name, e.g. TLSv1.3.
Authentication client starts authentication request.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Username, if present.
\n" }, "original_user": { "text": "Original username, if present.
\n" }, "auth_user": { "text": "Auth username, if present.
\n" }, "error": { "text": "Error string, if error occurred.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Name of service. Examples: imap, pop3, lmtp, ...
Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSSession identifier.
\n" }, "certificate_user": { "text": "Username from certificate.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
TLS SNI.
\n" }, "local_ip": { "text": "Local IP client connected to.
\n" }, "remote_ip": { "text": "Remote IP of client.
\n" }, "local_port": { "text": "Local port client connected to.
\n" }, "remote_port": { "text": "Remote port of client.
\n" }, "real_local_ip": { "text": "Real local IP as seen by the server.
\n" }, "real_remote_ip": { "text": "Real remote IP as seen by the server.
\n" }, "real_local_port": { "text": "Real local port as seen by the server.
\n" }, "real_remote_port": { "text": "Real remote port as seen by the server.
\n" }, "tls_cipher": { "text": "Cipher name used, e.g. TLS_AES_256_GCM_SHA384.
Cipher bits, e.g. 256.
Perfect forward-security mechanism, e.g. KxANY, KxECDHE.
TLS protocol name, e.g. TLSv1.3.
Authentication client receives a request from server to continue SASL\nauthentication.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Username, if present.
\n" }, "original_user": { "text": "Original username, if present.
\n" }, "auth_user": { "text": "Auth username, if present.
\n" }, "error": { "text": "Error string, if error occurred.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Name of service. Examples: imap, pop3, lmtp, ...
Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSSession identifier.
\n" }, "certificate_user": { "text": "Username from certificate.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
TLS SNI.
\n" }, "local_ip": { "text": "Local IP client connected to.
\n" }, "remote_ip": { "text": "Remote IP of client.
\n" }, "local_port": { "text": "Local port client connected to.
\n" }, "remote_port": { "text": "Remote port of client.
\n" }, "real_local_ip": { "text": "Real local IP as seen by the server.
\n" }, "real_remote_ip": { "text": "Real remote IP as seen by the server.
\n" }, "real_local_port": { "text": "Real local port as seen by the server.
\n" }, "real_remote_port": { "text": "Real remote port as seen by the server.
\n" }, "tls_cipher": { "text": "Cipher name used, e.g. TLS_AES_256_GCM_SHA384.
Cipher bits, e.g. 256.
Perfect forward-security mechanism, e.g. KxANY, KxECDHE.
TLS protocol name, e.g. TLSv1.3.
Authentication client continues SASL authentication by sending a response\nto server request.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Username, if present.
\n" }, "original_user": { "text": "Original username, if present.
\n" }, "auth_user": { "text": "Auth username, if present.
\n" }, "error": { "text": "Error string, if error occurred.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Name of service. Examples: imap, pop3, lmtp, ...
Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSSession identifier.
\n" }, "certificate_user": { "text": "Username from certificate.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
TLS SNI.
\n" }, "local_ip": { "text": "Local IP client connected to.
\n" }, "remote_ip": { "text": "Remote IP of client.
\n" }, "local_port": { "text": "Local port client connected to.
\n" }, "remote_port": { "text": "Remote port of client.
\n" }, "real_local_ip": { "text": "Real local IP as seen by the server.
\n" }, "real_remote_ip": { "text": "Real remote IP as seen by the server.
\n" }, "real_local_port": { "text": "Real local port as seen by the server.
\n" }, "real_remote_port": { "text": "Real remote port as seen by the server.
\n" }, "tls_cipher": { "text": "Cipher name used, e.g. TLS_AES_256_GCM_SHA384.
Cipher bits, e.g. 256.
Perfect forward-security mechanism, e.g. KxANY, KxECDHE.
TLS protocol name, e.g. TLSv1.3.
Authentication client receives response from server that authentication is\nfinished, either success or failure.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Username, if present.
\n" }, "original_user": { "text": "Original username, if present.
\n" }, "auth_user": { "text": "Auth username, if present.
\n" }, "error": { "text": "Error string, if error occurred.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Name of service. Examples: imap, pop3, lmtp, ...
Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSSession identifier.
\n" }, "certificate_user": { "text": "Username from certificate.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
TLS SNI.
\n" }, "local_ip": { "text": "Local IP client connected to.
\n" }, "remote_ip": { "text": "Remote IP of client.
\n" }, "local_port": { "text": "Local port client connected to.
\n" }, "remote_port": { "text": "Remote port of client.
\n" }, "real_local_ip": { "text": "Real local IP as seen by the server.
\n" }, "real_remote_ip": { "text": "Real remote IP as seen by the server.
\n" }, "real_local_port": { "text": "Real local port as seen by the server.
\n" }, "real_remote_port": { "text": "Real remote port as seen by the server.
\n" }, "tls_cipher": { "text": "Cipher name used, e.g. TLS_AES_256_GCM_SHA384.
Cipher bits, e.g. 256.
Perfect forward-security mechanism, e.g. KxANY, KxECDHE.
TLS protocol name, e.g. TLSv1.3.
Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user_mask": { "text": "User mask to list.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Name of service. Examples: imap, pop3, lmtp, ...
Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSSession identifier.
\n" }, "certificate_user": { "text": "Username from certificate.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
TLS SNI.
\n" }, "local_ip": { "text": "Local IP client connected to.
\n" }, "remote_ip": { "text": "Remote IP of client.
\n" }, "local_port": { "text": "Local port client connected to.
\n" }, "remote_port": { "text": "Remote port of client.
\n" }, "real_local_ip": { "text": "Real local IP as seen by the server.
\n" }, "real_remote_ip": { "text": "Real remote IP as seen by the server.
\n" }, "real_local_port": { "text": "Real local port as seen by the server.
\n" }, "real_remote_port": { "text": "Real remote port as seen by the server.
\n" }, "tls_cipher": { "text": "Cipher name used, e.g. TLS_AES_256_GCM_SHA384.
Cipher bits, e.g. 256.
Perfect forward-security mechanism, e.g. KxANY, KxECDHE.
TLS protocol name, e.g. TLSv1.3.
Authentication client starts userdb iteration.
\n" }, "auth_client_userdb_list_finished": { "root": "auth-client", "inherit": "auth_client_common", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user_mask": { "text": "User mask to list.
\n" }, "error": { "text": "Error string, if error occurred.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Name of service. Examples: imap, pop3, lmtp, ...
Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSSession identifier.
\n" }, "certificate_user": { "text": "Username from certificate.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
TLS SNI.
\n" }, "local_ip": { "text": "Local IP client connected to.
\n" }, "remote_ip": { "text": "Remote IP of client.
\n" }, "local_port": { "text": "Local port client connected to.
\n" }, "remote_port": { "text": "Remote port of client.
\n" }, "real_local_ip": { "text": "Real local IP as seen by the server.
\n" }, "real_remote_ip": { "text": "Real remote IP as seen by the server.
\n" }, "real_local_port": { "text": "Real local port as seen by the server.
\n" }, "real_remote_port": { "text": "Real remote port as seen by the server.
\n" }, "tls_cipher": { "text": "Cipher name used, e.g. TLS_AES_256_GCM_SHA384.
Cipher bits, e.g. 256.
Perfect forward-security mechanism, e.g. KxANY, KxECDHE.
TLS protocol name, e.g. TLSv1.3.
Authentication client finishes userdb iteration.
\n" }, "auth_client_userdb_lookup_started": { "root": "auth-client", "inherit": "auth_client_lookup", "text": "Authentication client starts a userdb lookup.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Full username to lookup.
\n" }, "error": { "text": "Error string, if error occurred.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Name of service. Examples: imap, pop3, lmtp, ...
Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSSession identifier.
\n" }, "certificate_user": { "text": "Username from certificate.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
TLS SNI.
\n" }, "local_ip": { "text": "Local IP client connected to.
\n" }, "remote_ip": { "text": "Remote IP of client.
\n" }, "local_port": { "text": "Local port client connected to.
\n" }, "remote_port": { "text": "Remote port of client.
\n" }, "real_local_ip": { "text": "Real local IP as seen by the server.
\n" }, "real_remote_ip": { "text": "Real remote IP as seen by the server.
\n" }, "real_local_port": { "text": "Real local port as seen by the server.
\n" }, "real_remote_port": { "text": "Real remote port as seen by the server.
\n" }, "tls_cipher": { "text": "Cipher name used, e.g. TLS_AES_256_GCM_SHA384.
Cipher bits, e.g. 256.
Perfect forward-security mechanism, e.g. KxANY, KxECDHE.
TLS protocol name, e.g. TLSv1.3.
Authentication client finishes a userdb lookup.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Full username to lookup.
\n" }, "error": { "text": "Error string, if error occurred.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Name of service. Examples: imap, pop3, lmtp, ...
Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSSession identifier.
\n" }, "certificate_user": { "text": "Username from certificate.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
TLS SNI.
\n" }, "local_ip": { "text": "Local IP client connected to.
\n" }, "remote_ip": { "text": "Remote IP of client.
\n" }, "local_port": { "text": "Local port client connected to.
\n" }, "remote_port": { "text": "Remote port of client.
\n" }, "real_local_ip": { "text": "Real local IP as seen by the server.
\n" }, "real_remote_ip": { "text": "Real remote IP as seen by the server.
\n" }, "real_local_port": { "text": "Real local port as seen by the server.
\n" }, "real_remote_port": { "text": "Real remote port as seen by the server.
\n" }, "tls_cipher": { "text": "Cipher name used, e.g. TLS_AES_256_GCM_SHA384.
Cipher bits, e.g. 256.
Perfect forward-security mechanism, e.g. KxANY, KxECDHE.
TLS protocol name, e.g. TLSv1.3.
Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "error": { "text": "Set when error happens.
\n" }, "success": { "text": "yes, when authentication succeeded.
Time of penalty added by policy server.
\n" }, "policy_result": { "text": "ok, delayed, or refused.
Full username. This can change during authentication, for example due to passdb lookups.
\n" }, "original_user": { "text": "Original username exactly as provided by the client.
\n" }, "translated_user": { "text": "Similar to original_user, except after auth_username_translation translations are applied.
When doing a master user login, the user we are logging in as. Otherwise not set.
\n" }, "master_user": { "text": "When doing a master user login, the master username. Otherwise not set.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Service doing the lookup (e.g. imap, pop3, ...).
Session ID.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
Remote IP address of the client connection.
\n" }, "local_ip": { "text": "Local IP address where client connected to.
\n" }, "remote_port": { "text": "Remote port of the client connection.
\n" }, "local_port": { "text": "Local port where the client connected to.
\n" }, "real_remote_ip": { "text": "Same as remote_ip, except if the connection was proxied this is the proxy's IP address.
Same as local_ip, except if the connection was proxied this is the proxy's IP where proxy connected to.
Same as remote_port, except if the connection was proxied this is the proxy connection's port.
Same as local_port, except if the connection was proxied this is the local port where the proxy connected to.
TLS SNI hostname, if given.
\n" }, "transport": { "text": "Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSAuthentication request finished.
\nMost useful for tracking status of authentication/login attempts.
\n" }, "auth_passdb_request_started": { "root": "auth", "inherit": [ "auth_server_common", "auth_server_passdb" ], "text": "Processing has begun for a passdb block.
\nMost useful for debugging authentication flow.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Full username. This can change during authentication, for example due to passdb lookups.
\n" }, "original_user": { "text": "Original username exactly as provided by the client.
\n" }, "translated_user": { "text": "Similar to original_user, except after auth_username_translation translations are applied.
When doing a master user login, the user we are logging in as. Otherwise not set.
\n" }, "master_user": { "text": "When doing a master user login, the master username. Otherwise not set.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Service doing the lookup (e.g. imap, pop3, ...).
Session ID.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
Remote IP address of the client connection.
\n" }, "local_ip": { "text": "Local IP address where client connected to.
\n" }, "remote_port": { "text": "Remote port of the client connection.
\n" }, "local_port": { "text": "Local port where the client connected to.
\n" }, "real_remote_ip": { "text": "Same as remote_ip, except if the connection was proxied this is the proxy's IP address.
Same as local_ip, except if the connection was proxied this is the proxy's IP where proxy connected to.
Same as remote_port, except if the connection was proxied this is the proxy connection's port.
Same as local_port, except if the connection was proxied this is the local port where the proxy connected to.
TLS SNI hostname, if given.
\n" }, "transport": { "text": "Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSpassdb { name }.
\nDriver name.
\npassdb.Internal ID number of the passdb. May be useful to identify the passdb if it has no name.
\n" } } }, "auth_passdb_request_finished": { "root": "auth", "inherit": [ "auth_server_common", "auth_server_passdb" ], "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "result": { "text": "okpassword_mismatchuser_unknownpass_expireduser_disabledscheme_not_availableinternal_failurenextmiss: Was not cachedhit: Found from cacheFull username. This can change during authentication, for example due to passdb lookups.
\n" }, "original_user": { "text": "Original username exactly as provided by the client.
\n" }, "translated_user": { "text": "Similar to original_user, except after auth_username_translation translations are applied.
When doing a master user login, the user we are logging in as. Otherwise not set.
\n" }, "master_user": { "text": "When doing a master user login, the master username. Otherwise not set.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Service doing the lookup (e.g. imap, pop3, ...).
Session ID.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
Remote IP address of the client connection.
\n" }, "local_ip": { "text": "Local IP address where client connected to.
\n" }, "remote_port": { "text": "Remote port of the client connection.
\n" }, "local_port": { "text": "Local port where the client connected to.
\n" }, "real_remote_ip": { "text": "Same as remote_ip, except if the connection was proxied this is the proxy's IP address.
Same as local_ip, except if the connection was proxied this is the proxy's IP where proxy connected to.
Same as remote_port, except if the connection was proxied this is the proxy connection's port.
Same as local_port, except if the connection was proxied this is the local port where the proxy connected to.
TLS SNI hostname, if given.
\n" }, "transport": { "text": "Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSpassdb { name }.
\nDriver name.
\npassdb.Internal ID number of the passdb. May be useful to identify the passdb if it has no name.
\n" } }, "text": "Processing has ended for a passdb block.
\nMost useful for debugging authentication flow.
\n" }, "auth_userdb_request_started": { "root": "auth", "inherit": [ "auth_server_common", "auth_server_userdb" ], "text": "Processing has begun for a userdb block. This event is also sent for userdb\niterations.
\nMost useful for debugging authentication flow.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Full username. This can change during authentication, for example due to passdb lookups.
\n" }, "original_user": { "text": "Original username exactly as provided by the client.
\n" }, "translated_user": { "text": "Similar to original_user, except after auth_username_translation translations are applied.
When doing a master user login, the user we are logging in as. Otherwise not set.
\n" }, "master_user": { "text": "When doing a master user login, the master username. Otherwise not set.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Service doing the lookup (e.g. imap, pop3, ...).
Session ID.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
Remote IP address of the client connection.
\n" }, "local_ip": { "text": "Local IP address where client connected to.
\n" }, "remote_port": { "text": "Remote port of the client connection.
\n" }, "local_port": { "text": "Local port where the client connected to.
\n" }, "real_remote_ip": { "text": "Same as remote_ip, except if the connection was proxied this is the proxy's IP address.
Same as local_ip, except if the connection was proxied this is the proxy's IP where proxy connected to.
Same as remote_port, except if the connection was proxied this is the proxy connection's port.
Same as local_port, except if the connection was proxied this is the local port where the proxy connected to.
TLS SNI hostname, if given.
\n" }, "transport": { "text": "Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSuserdb { name }.
\nDriver name.
\nuserdb.Internal ID number of the userdb. May be useful to identify the userdb if it has no name.
\n" } } }, "auth_userdb_request_finished": { "root": "auth", "inherit": [ "auth_server_common", "auth_server_userdb" ], "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "result": { "text": "okuser_unknowninternal_failuremiss: Was not cachedhit: Found from cacheFull username. This can change during authentication, for example due to passdb lookups.
\n" }, "original_user": { "text": "Original username exactly as provided by the client.
\n" }, "translated_user": { "text": "Similar to original_user, except after auth_username_translation translations are applied.
When doing a master user login, the user we are logging in as. Otherwise not set.
\n" }, "master_user": { "text": "When doing a master user login, the master username. Otherwise not set.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Service doing the lookup (e.g. imap, pop3, ...).
Session ID.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
Remote IP address of the client connection.
\n" }, "local_ip": { "text": "Local IP address where client connected to.
\n" }, "remote_port": { "text": "Remote port of the client connection.
\n" }, "local_port": { "text": "Local port where the client connected to.
\n" }, "real_remote_ip": { "text": "Same as remote_ip, except if the connection was proxied this is the proxy's IP address.
Same as local_ip, except if the connection was proxied this is the proxy's IP where proxy connected to.
Same as remote_port, except if the connection was proxied this is the proxy connection's port.
Same as local_port, except if the connection was proxied this is the local port where the proxy connected to.
TLS SNI hostname, if given.
\n" }, "transport": { "text": "Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSuserdb { name }.
\nDriver name.
\nuserdb.Internal ID number of the userdb. May be useful to identify the userdb if it has no name.
\n" } }, "text": "Processing has ended for a userdb block. This event is also sent for userdb\niterations.
\nMost useful for debugging authentication flow.
\n" }, "auth_policy_request_finished": { "root": "auth", "inherit": "auth_server_common", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "mode": { "text": "Either allow or report.
Value returned from policy server (number).
\n" }, "user": { "text": "Full username. This can change during authentication, for example due to passdb lookups.
\n" }, "original_user": { "text": "Original username exactly as provided by the client.
\n" }, "translated_user": { "text": "Similar to original_user, except after auth_username_translation translations are applied.
When doing a master user login, the user we are logging in as. Otherwise not set.
\n" }, "master_user": { "text": "When doing a master user login, the master username. Otherwise not set.
\n" }, "mechanism": { "text": "Name of used SASL mechanism (e.g. PLAIN).
\n" }, "service": { "text": "Same as protocol
Service doing the lookup (e.g. imap, pop3, ...).
Session ID.
\n" }, "client_id": { "text": "Expands to client ID request as IMAP arglist. Needs imap_id_retain = yes.
Remote IP address of the client connection.
\n" }, "local_ip": { "text": "Local IP address where client connected to.
\n" }, "remote_port": { "text": "Remote port of the client connection.
\n" }, "local_port": { "text": "Local port where the client connected to.
\n" }, "real_remote_ip": { "text": "Same as remote_ip, except if the connection was proxied this is the proxy's IP address.
Same as local_ip, except if the connection was proxied this is the proxy's IP where proxy connected to.
Same as remote_port, except if the connection was proxied this is the proxy connection's port.
Same as local_port, except if the connection was proxied this is the local port where the proxy connected to.
TLS SNI hostname, if given.
\n" }, "transport": { "text": "Transport security indicator. Values:
\ninsecuresecured\nsecured rather than trusted.TLSProcessing has ended for an auth policy request.
\nMost useful for debugging authentication flow.
\n" }, "auth_worker_request_finished": { "root": "auth", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "command": { "text": "Command received by auth worker.
\n" }, "command_id": { "text": "Command ID received by auth worker (integer).
\n" }, "error": { "text": "Error message (if request ended in error).
\n" } }, "text": "An authentication worker request has finished.
\n" }, "auth_master_client_login_started": { "inherit": "auth_master_common", "text": "Authentication master login request started.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "id": { "text": "Login request ID.
\n" }, "local_ip": { "text": "Client connection's local (server) IP.
\n" }, "local_port": { "text": "Client connection's local (server) port.
\n" }, "remote_ip": { "text": "Client connection's remote (client) IP.
\n" }, "remote_port": { "text": "Client connection's remote (client) port.
\n" } } }, "auth_master_client_login_finished": { "inherit": "auth_master_common", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Username of the user.
\n" }, "error": { "text": "Error message if the request failed.
\n" }, "id": { "text": "Login request ID.
\n" }, "local_ip": { "text": "Client connection's local (server) IP.
\n" }, "local_port": { "text": "Client connection's local (server) port.
\n" }, "remote_ip": { "text": "Client connection's remote (client) IP.
\n" }, "remote_port": { "text": "Client connection's remote (client) port.
\n" } }, "text": "Authentication master login request finished.
\n" }, "client_connection_connected": { "inherit": "client_connection_common", "text": "Server accepted an incoming client connection.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "local_ip": { "text": "Local server IP address where TCP client connected to.
\n" }, "remote_ip": { "text": "Remote TCP client's IP address.
\n" }, "remote_port": { "text": "Remote TCP client's source port.
\n" }, "remote_pid": { "text": "Remote UNIX socket client's process ID.
\n" }, "remote_uid": { "text": "Remote UNIX socket client's system user ID.
\n" } } }, "client_connection_disconnected": { "inherit": "client_connection_common", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "net_in_bytes": { "changed": { "events_net_in_bytes_changed": "This was previously `in_bytes`." }, "text": "Amount of data read, in bytes.
\nin_bytes.Amount of data written, in bytes.
\nout_bytes.Disconnection reason.
\n" }, "local_ip": { "text": "Local server IP address where TCP client connected to.
\n" }, "remote_ip": { "text": "Remote TCP client's IP address.
\n" }, "remote_port": { "text": "Remote TCP client's source port.
\n" }, "remote_pid": { "text": "Remote UNIX socket client's process ID.
\n" }, "remote_uid": { "text": "Remote UNIX socket client's system user ID.
\n" } }, "text": "Client connection is terminated.
\n" }, "server_connection_connected": { "inherit": "server_connection_common", "text": "Outgoing server connection was either successfully established or failed.
\nTIP
\nCurrently it is not possible to know which one happened.
\nDuration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "source_ip": { "text": "Source IP address used for the outgoing TCP connection. This is set only if a specific source IP was explicitly requested.
\n" }, "dest_ip": { "text": "TCP connection's destination IP address.
\n" }, "dest_port": { "text": "TCP connection's destination port.
\n" }, "dest_host": { "text": "TCP connection's destination hostname, if known.
\n" }, "socket_path": { "text": "UNIX socket connection's path.
\n" }, "remote_pid": { "text": "Remote UNIX socket server's process ID.
\n" }, "remote_uid": { "text": "Remote UNIX socket server's system user ID.
\n" } } }, "server_connection_disconnected": { "inherit": "server_connection_common", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "reason": { "text": "Disconnection reason.
\n" }, "source_ip": { "text": "Source IP address used for the outgoing TCP connection. This is set only if a specific source IP was explicitly requested.
\n" }, "dest_ip": { "text": "TCP connection's destination IP address.
\n" }, "dest_port": { "text": "TCP connection's destination port.
\n" }, "dest_host": { "text": "TCP connection's destination hostname, if known.
\n" }, "socket_path": { "text": "UNIX socket connection's path.
\n" }, "remote_pid": { "text": "Remote UNIX socket server's process ID.
\n" }, "remote_uid": { "text": "Remote UNIX socket server's system user ID.
\n" } }, "text": "Server connection is terminated.
\n" }, "fs": { "root": "fs", "text": "May be inherited from various different parents (e.g. "Mail User" event) or even from no parent.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" } } }, "fs_file": { "root": "fs", "text": "Inherits from fs or any other specified event (e.g. mail).
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" } } }, "mail_user_session_finished": { "inherit": "mail_user", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "utime": { "text": "User CPU time used in microseconds.
\n" }, "stime": { "text": "System CPU time used in microseconds.
\n" }, "minor_faults": { "text": "Page reclaims (soft page faults).
\n" }, "major_faults": { "text": "Page faults (hard page faults).
\n" }, "vol_cs": { "text": "Voluntary context switches.
\n" }, "invol_cs": { "text": "Involuntary context switches.
\n" }, "rss": { "text": "Resident set size in bytes. (Skipped in non-Linux environments.)
\n" }, "vsz": { "text": "Virtual memory size in bytes. (Skipped in non-Linux environments.)
\n" }, "rchar": { "text": "I/O counter: chars (bytes) read from storage. (Skipped in non-Linux environments.)
\n" }, "wchar": { "text": "I/O counter: chars (bytes) written to storage. (Skipped in non-Linux environments.)
\n" }, "syscr": { "text": "Number of read syscalls. (Skipped in non-Linux environments.)
\n" }, "syscw": { "text": "Number of write syscalls. (Skipped in non-Linux environments.)
\n" }, "net_in_bytes": { "text": "Bytes received during this session (for applicable processes.)
\nin_bytes.Bytes sent during this session (for applicable processes.)
\nout_bytes.Username of the user.
\n" }, "session": { "text": "Session ID for the storage session.
\n" }, "service": { "text": "Name of the service. Examples: imap, pop3, lmtp, ...
Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "uid": { "text": "UID of the expunged mail.
\n" }, "mailbox": { "text": "Full mailbox name in UTF-8
\n" }, "mailbox_guid": { "text": "Mailbox GUID
\n" }, "user": { "text": "Username of the user.
\n" }, "session": { "text": "Session ID for the storage session.
\n" }, "service": { "text": "Name of the service. Examples: imap, pop3, lmtp, ...
A mail was expunged from the mailbox.
\nTIP
\nThis event inherits from mailbox, not mail.
\nAdded: 2.4.0
\nA mail was opened for reading its metadata.
\nTIP
\nThis event is not sent when mails' body is accessed.
\nDuration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "seq": { "text": "Mail sequence number.
\n" }, "uid": { "text": "Mail IMAP UID number.
\n" }, "mailbox": { "text": "Full mailbox name in UTF-8
\n" }, "mailbox_guid": { "text": "Mailbox GUID
\n" }, "user": { "text": "Username of the user.
\n" }, "session": { "text": "Session ID for the storage session.
\n" }, "service": { "text": "Name of the service. Examples: imap, pop3, lmtp, ...
Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "reason": { "text": "Reason why the mail was opened. (optional)
\n" }, "seq": { "text": "Mail sequence number.
\n" }, "uid": { "text": "Mail IMAP UID number.
\n" }, "mailbox": { "text": "Full mailbox name in UTF-8
\n" }, "mailbox_guid": { "text": "Mailbox GUID
\n" }, "user": { "text": "Username of the user.
\n" }, "session": { "text": "Session ID for the storage session.
\n" }, "service": { "text": "Name of the service. Examples: imap, pop3, lmtp, ...
A mail was opened, e.g., for reading its body.
\nTIP
\nThis event is not sent when mails' metadata is accessed, even if it causes\nopening the mail file.
\nA mail is set to be expunged.
\nTIP
\nExpunges can be rolled back later on, this event is emitted when an expunge\nis requested.
\nDuration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "seq": { "text": "Mail sequence number.
\n" }, "uid": { "text": "Mail IMAP UID number.
\n" }, "mailbox": { "text": "Full mailbox name in UTF-8
\n" }, "mailbox_guid": { "text": "Mailbox GUID
\n" }, "user": { "text": "Username of the user.
\n" }, "session": { "text": "Session ID for the storage session.
\n" }, "service": { "text": "Name of the service. Examples: imap, pop3, lmtp, ...
Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "filepath": { "text": "Path to the index file being recreated.
\n" }, "reason": { "text": "Human-readable reason why the mail index was recreated.
\n" } }, "text": "A mail index file was recreated.
\n" }, "indexer_worker_indexing_finished": { "root": "mail-index", "inherit": "mailbox", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "message_count": { "text": "Number of messages indexed.
\n" }, "first_uid": { "text": "UID of the first indexed message.
\n" }, "last_uid": { "text": "UID of the last indexed message.
\n" }, "user_cpu_usecs": { "text": "Total user CPU spent on the indexing transaction in microseconds.
\n" }, "mailbox": { "text": "Full mailbox name in UTF-8
\n" }, "mailbox_guid": { "text": "Mailbox GUID
\n" }, "user": { "text": "Username of the user.
\n" }, "session": { "text": "Session ID for the storage session.
\n" }, "service": { "text": "Name of the service. Examples: imap, pop3, lmtp, ...
Indexer worker process completed an indexing transaction.
\n" }, "mail_cache_decision_changed": { "root": "mail-cache", "inherit": "mail_index_common", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "field": { "text": "Cache field name (e.g. imap.body or hdr.from).
UNIX timestamp of when the field was accessed the last time. This is updated only once per 24 hours.
\n" }, "reason": { "text": "Reason why the caching decision changed:
\nadd: no -> temp decision change, because a new field was added to cache.old_mail: temp -> yes decision change, because a mail older than 1 week was accessed.unordered_access: temp -> yes decision change, because mails weren't accessed in ascending order.IMAP UID number that caused the decision change. This is set only for some reasons, not all.
\n" }, "old_decision": { "text": "Old cache decision.
\n" }, "new_decision": { "text": "New cache decision.
\n" } }, "text": "A field's caching decision changed.
\n\nDecisions:
\n| Decision | \nDescription | \n
|---|---|
no | \nThe field is not cached. | \n
temp | \nThe field is cached for 1 week and dropped on the next purge. | \n
yes | \nThe field is cached permanently. If the field isn't accessed for 30 days it's dropped. | \n
Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "field": { "text": "Cache field name (e.g. hdr.from).
Reason why the caching decision changed:
\ntoo_many_headers\n: This can happen when the count of headers in the cache exceeds the maximum configured with mail_cache_max_headers_count.The decision to promote a field (from no to temp) was rejected.
Cache file purging is started.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "file_seq": { "text": "Sequence of the new cache file that is created.
\n" }, "prev_file_seq": { "text": "Sequence of the cache file that is to be purged.
\n" }, "prev_file_size": { "text": "Size of the cache file that is to be purged.
\n" }, "prev_deleted_records": { "text": "Number of records (mails) marked as deleted in the cache file that is to be purged.
\n" }, "reason": { "text": "Reason string for purging the cache file:
\nDuration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "field": { "text": "Cache field name (e.g. imap.body or hdr.from).
Old caching decision: temp, or yes.
UNIX timestamp of when the field was accessed the last time. This is updated only once per 24 hours.
\n" }, "file_seq": { "text": "Sequence of the new cache file that is created.
\n" }, "prev_file_seq": { "text": "Sequence of the cache file that is to be purged.
\n" }, "prev_file_size": { "text": "Size of the cache file that is to be purged.
\n" }, "prev_deleted_records": { "text": "Number of records (mails) marked as deleted in the cache file that is to be purged.
\n" }, "reason": { "text": "Reason string for purging the cache file:
\nExisting field is dropped from the cache file because it hadn't been accessed\nfor 30 days.
\n" }, "mail_cache_purge_finished": { "root": "mail-cache", "inherit": [ "mail_cache_purge", "mail_index_common" ], "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "file_size": { "text": "Size of the new cache file.
\n" }, "max_uid": { "text": "IMAP UID of the last mail in the cache file.
\n" }, "file_seq": { "text": "Sequence of the new cache file that is created.
\n" }, "prev_file_seq": { "text": "Sequence of the cache file that is to be purged.
\n" }, "prev_file_size": { "text": "Size of the cache file that is to be purged.
\n" }, "prev_deleted_records": { "text": "Number of records (mails) marked as deleted in the cache file that is to be purged.
\n" }, "reason": { "text": "Reason string for purging the cache file:
\nDuration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "reason": { "text": "Reason string why cache was found to be corrupted.
\n" } }, "text": "Cache file was found to be corrupted and the whole file is deleted.
\n" }, "mail_cache_record_corrupted": { "root": "mail-cache", "inherit": "mail_index_common", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "reason": { "text": "Reason string why cache was found to be corrupted.
\n" }, "uid": { "text": "IMAP UID of the mail whose cache record is corrupted.
\n" } }, "text": "Cache record for a specific mail was found to be corrupted and the record\nis deleted.
\n" }, "http_request_finished": { "root": "http-client", "inherit": "http_client", "text": "HTTP request is complete.
\nThis event is useful to track and monitor external services.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "attempts": { "text": "Amount of individual HTTP request attempts (number of retries after failures + 1).
\n" }, "net_in_bytes": { "changed": { "events_net_in_bytes_changed": "This was previously `in_bytes`." }, "text": "Amount of data read, in bytes.
\nin_bytes.Amount of data written, in bytes.
\nout_bytes.Destination host.
\n" }, "dest_ip": { "text": "Destination IP address.
\n" }, "dest_port": { "text": "Destination port.
\n" }, "method": { "text": "HTTP verb used uppercased, e.g. GET.
Number of redirects done while processing request.
\n" }, "status_code": { "text": "HTTP result status code (integer).
\n" }, "target": { "text": "Request path with parameters, e.g. /path/?delimiter=%2F&prefix=test%2F.
Intermediate event emitted when an HTTP request is being redirected.
\nThe http_request_finished is still sent at the end of the request.
Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "attempts": { "text": "Amount of individual HTTP request attempts (number of retries after failures + 1).
\n" }, "net_in_bytes": { "changed": { "events_net_in_bytes_changed": "This was previously `in_bytes`." }, "text": "Amount of data read, in bytes.
\nin_bytes.Amount of data written, in bytes.
\nout_bytes.Destination host.
\n" }, "dest_ip": { "text": "Destination IP address.
\n" }, "dest_port": { "text": "Destination port.
\n" }, "method": { "text": "HTTP verb used uppercased, e.g. GET.
Number of redirects done while processing request.
\n" }, "status_code": { "text": "HTTP result status code (integer).
\n" }, "target": { "text": "Request path with parameters, e.g. /path/?delimiter=%2F&prefix=test%2F.
Intermediate event emitted when an HTTP request is being retried.
\nThe http_request_finished is still sent at the end of the request.
Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "attempts": { "text": "Amount of individual HTTP request attempts (number of retries after failures + 1).
\n" }, "net_in_bytes": { "changed": { "events_net_in_bytes_changed": "This was previously `in_bytes`." }, "text": "Amount of data read, in bytes.
\nin_bytes.Amount of data written, in bytes.
\nout_bytes.Destination host.
\n" }, "dest_ip": { "text": "Destination IP address.
\n" }, "dest_port": { "text": "Destination port.
\n" }, "method": { "text": "HTTP verb used uppercased, e.g. GET.
Number of redirects done while processing request.
\n" }, "status_code": { "text": "HTTP result status code (integer).
\n" }, "target": { "text": "Request path with parameters, e.g. /path/?delimiter=%2F&prefix=test%2F.
A new HTTP request has been received and the request headers (but not body\npayload) are parsed.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "request_id": { "text": "Assigned ID of the received request.
\n" }, "method": { "text": "HTTP verb used uppercased, e.g. GET.
Request path with parameters, e.g. /path/?delimiter=%2F&prefix=test%2F.
Local server IP address where TCP client connected to.
\n" }, "remote_ip": { "text": "Remote TCP client's IP address.
\n" }, "remote_port": { "text": "Remote TCP client's source port.
\n" }, "remote_pid": { "text": "Remote UNIX socket client's process ID.
\n" }, "remote_uid": { "text": "Remote UNIX socket client's system user ID.
\n" } } }, "http_server_request_finished": { "root": "http-server", "inherit": "http_server", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "net_in_bytes": { "changed": { "events_net_in_bytes_changed": "This was previously `in_bytes`." }, "text": "Amount of request data read, in bytes.
\nin_bytes.Amount of response data written, in bytes.
\nout_bytes.HTTP result status code (integer).
\n" }, "request_id": { "text": "Assigned ID of the received request.
\n" }, "method": { "text": "HTTP verb used uppercased, e.g. GET.
Request path with parameters, e.g. /path/?delimiter=%2F&prefix=test%2F.
Local server IP address where TCP client connected to.
\n" }, "remote_ip": { "text": "Remote TCP client's IP address.
\n" }, "remote_port": { "text": "Remote TCP client's source port.
\n" }, "remote_pid": { "text": "Remote UNIX socket client's process ID.
\n" }, "remote_uid": { "text": "Remote UNIX socket client's system user ID.
\n" } }, "text": "HTTP request is fully completed, i.e. the incoming request body is read and\nthe full response to the request has been sent to the client.
\n" }, "pop3_command_finished": { "root": "pop3", "inherit": "pop3_command", "added": { "events_pop3_command_finished_added": false }, "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "reply": { "text": "POP3 reply. Values:
\nOKFAILAmount of data read for this command, in bytes.
\n" }, "net_out_bytes": { "text": "Amount of data written for this command, in bytes.
\n" }, "cmd_name": { "text": "POP3 command name uppercased (e.g. UIDL).
POP3 command's full parameters (e.g. 1 1).
Username of the user.
\n" }, "session": { "text": "Session ID of the POP3 connection.
\n" }, "local_ip": { "text": "POP3 connection's local (server) IP.
\n" }, "local_port": { "text": "POP3 connection's local (server) port.
\n" }, "remote_ip": { "text": "POP3 connection's remote (client) IP.
\n" }, "remote_port": { "text": "POP3 connection's remote (client) port.
\n" } }, "text": "Added: 2.4.0
\nPOP3 command is completed.
\nThis event is useful to track individual command usage, debug specific\nsessions, and/or detect broken clients.
\nTIP
\nThis event is currently not sent for pre-login POP3 commands.
\nDuration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "mailbox": { "text": "Mailbox name where hibernation was started in.
\n" }, "error": { "text": "Reason why hibernation attempt failed.
\n" }, "user": { "text": "Username of the user.
\n" }, "session": { "text": "Session ID of the IMAP connection.
\n" }, "local_ip": { "text": "IMAP connection's local (server) IP.
\n" }, "local_port": { "text": "IMAP connection's local (server) port.
\n" }, "remote_ip": { "text": "IMAP connection's remote (client) IP.
\n" }, "remote_port": { "text": "IMAP connection's remote (client) port.
\n" } }, "text": "IMAP client is hibernated or the hibernation attempt failed.
\nTIP
\nFor failures, this event can be logged by either imap or imap-hibernate\nprocess depending on which side the error was detected in.
\nDuration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "mailbox": { "text": "Mailbox name where hibernation was started in.
\n" }, "reason": { "text": "Reason why client was unhibernated:
\nidle_done: IDLE command was stopped with DONE.idle_bad_reply: IDLE command was stopped with some other command than DONE.mailbox_changes: Mailbox change notifications need to be sent to the client.Number of microseconds how long the client was hibernated.
\n" }, "user": { "text": "Username of the user.
\n" }, "session": { "text": "Session ID of the IMAP connection.
\n" }, "local_ip": { "text": "IMAP connection's local (server) IP.
\n" }, "local_port": { "text": "IMAP connection's local (server) port.
\n" }, "remote_ip": { "text": "IMAP connection's remote (client) IP.
\n" }, "remote_port": { "text": "IMAP connection's remote (client) port.
\n" } }, "text": "IMAP client is unhibernated or the unhibernation attempt failed.
\nTIP
\nFor failures, this event can be logged by either imap or imap-hibernate\nprocess depending on which side the error was detected in.
\nDuration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "error": { "text": "Reason why unhibernation failed.
\n" }, "user": { "text": "Username of the user.
\n" }, "session": { "text": "Session ID of the IMAP connection.
\n" }, "local_ip": { "text": "IMAP connection's local (server) IP.
\n" }, "local_port": { "text": "IMAP connection's local (server) port.
\n" }, "remote_ip": { "text": "IMAP connection's remote (client) IP.
\n" }, "remote_port": { "text": "IMAP connection's remote (client) port.
\n" } }, "text": "An IMAP client is attempted to be unhibernated, but imap processes are busy\nand the unhibernation attempt is retried.
\nThis event is sent each time when retrying is done.
\nThe imap_client_unhibernated event is still sent when unhibernation\neither succeeds or fails permanently.
Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "tagged_reply_state": { "text": "Values:
\nOKNOBADFull tagged reply (e.g. OK SELECT finished.).
Timestamp when the command was running last time. (Command may be followed by internal "mailbox sync" that can take some time to complete.)
\n" }, "running_usecs": { "text": "How many usecs this command has spent running.
\n" }, "lock_wait_usecs": { "text": "How many usecs this command has spent waiting for locks.
\n" }, "net_in_bytes": { "changed": { "events_net_in_bytes_changed": "This was previously `in_bytes`." }, "text": "Amount of data read for this command, in bytes.
\nin_bytes.Amount of data written for this command, in bytes.
\nout_bytes.IMAP command tag.
\n" }, "cmd_name": { "text": "IMAP command name uppercased (e.g. FETCH).
Contains unknown for unknown command names.
IMAP command name exactly as sent (e.g. fetcH) regardless of whether or not it is valid.
IMAP command's full parameters (e.g. 1:* FLAGS).
IMAP command's full parameters, as human-readable output. Often it's the\nsame as cmd_args, but it is guaranteed to contain only valid UTF-8\ncharacters and no control characters.
Multi-line parameters are written only as <N byte multi-line literal>.
Username of the user.
\n" }, "session": { "text": "Session ID of the IMAP connection.
\n" }, "local_ip": { "text": "IMAP connection's local (server) IP.
\n" }, "local_port": { "text": "IMAP connection's local (server) port.
\n" }, "remote_ip": { "text": "IMAP connection's remote (client) IP.
\n" }, "remote_port": { "text": "IMAP connection's remote (client) port.
\n" } }, "text": "IMAP command is completed.
\nThis event is useful to track individual command usage, debug specific\nsessions, and/or detect broken clients.
\nTIP
\nThis event is currently not sent for pre-login IMAP commands.
\nDuration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "internal": { "text": "If yes, ID command parameters include the internally known x-* fields\nto update e.g. the IP or session ID. Typically these fields would be sent only\nby Dovecot proxies. The internal fields are not actually used, unless\ntrusted=yes also.
If yes, ID command parameters include fields sent by a regular IMAP client\n(non-internal fields). Dovecot proxy can send an ID command to a backend\ncontaining both internal and external fields. If the IMAP client sends only\ntag ID NIL command, the event is sent but external is not set.
If yes, the ID command came from an IP matching\nlogin_trusted_networks. If any internal fields were sent, they were\nprocessed.
Received parameters. The event name is the lowercase parameter key prefixed\nwith id_param_, the value is the parameter value.
Each key that contains invalid characters are enumerated starting with 1.\nValid characters are latin alphabetic characters (= a .. z),\nnumerals (= 0 .. 9), the dash (= -) and\nthe underscore (= _), every other character is\nconsidered invalid. The value of this field is the\noriginal parameter key including invalid characters,\nfollowed by a space character, and finally the\noriginal value concatenated into a single string.
IMAP command tag.
\n" }, "cmd_name": { "text": "IMAP command name uppercased (e.g. FETCH).
Contains unknown for unknown command names.
IMAP command name exactly as sent (e.g. fetcH) regardless of whether or not it is valid.
IMAP command's full parameters (e.g. 1:* FLAGS).
IMAP command's full parameters, as human-readable output. Often it's the\nsame as cmd_args, but it is guaranteed to contain only valid UTF-8\ncharacters and no control characters.
Multi-line parameters are written only as <N byte multi-line literal>.
Username of the user.
\n" }, "session": { "text": "Session ID of the IMAP connection.
\n" }, "local_ip": { "text": "IMAP connection's local (server) IP.
\n" }, "local_port": { "text": "IMAP connection's local (server) port.
\n" }, "remote_ip": { "text": "IMAP connection's remote (client) IP.
\n" }, "remote_port": { "text": "IMAP connection's remote (client) port.
\n" } }, "text": "Added: 2.4.0
\nThis event is emitted when the IMAP ID command was received, both for pre-\nas well as post-login. The parameters slightly differ for an unauthenticated\nclient, e.g. there is no user id.
\n" }, "mail_delivery_started": { "root": "local-delivery", "inherit": "mail_delivery", "text": "Message delivery has started.
\nThis event is useful for debugging mail delivery flow.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "message_id": { "text": "Message-ID header value (truncated to 200 bytes).
\n" }, "message_subject": { "text": "Subject header value, in UTF-8 (truncated to 80 bytes).
\n" }, "message_from": { "text": "Email address in the From header (e.g. user@example.com).
Size of the message, in bytes.
\n" }, "message_vsize": { "text": "Size of the message with CRLF linefeeds, in bytes.
\n" }, "rcpt_to": { "text": "Recipient address.
\n" }, "rcpt_param_notify": { "text": "The value of the NOTIFY parameter for the RCPT command.
\n" }, "rcpt_param_orcpt": { "text": "The address value of the ORCPT parameter for the RCPT command.
\n" }, "rcpt_param_orcpt_type": { "text": "The address type (typically "rfc822") of the ORCPT parameter for the RCPT command.
\n" }, "session": { "text": "The session ID for this connection (same as connection_id).
Transaction ID used by the server for this transaction (this ID is logged, mentioned in the DATA reply and part of the "Received:" header). It is based on the connection_id with a ":<seq>" sequence number suffix.
\n" }, "mail_from": { "text": "Sender address.
\n" }, "mail_param_auth": { "text": "The value of the AUTH parameter for the MAIL command.
\n" }, "mail_param_body": { "text": "The value of the BODY parameter for the MAIL command.
\n" }, "mail_param_envid": { "text": "The value of the ENVID parameter for the MAIL command.
\n" }, "mail_param_ret": { "text": "The value of the RET parameter for the MAIL command.
\n" }, "mail_param_size": { "text": "The value of the SIZE parameter for the MAIL command.
\n" }, "data_size": { "text": "The number data of bytes received from the client. This field is only present when the transaction finished receiving the DATA command.
\n" }, "connection_id": { "text": "The session ID for this connection. The connection ID is forwarded through proxies, allowing correlation between sessions on frontend and backend systems.
\n" }, "protocol": { "text": "The protocol used by the connection; i.e., either smtp or lmtp.
Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "error": { "text": "Error message if the delivery failed.
\n" }, "message_id": { "text": "Message-ID header value (truncated to 200 bytes).
\n" }, "message_subject": { "text": "Subject header value, in UTF-8 (truncated to 80 bytes).
\n" }, "message_from": { "text": "Email address in the From header (e.g. user@example.com).
Size of the message, in bytes.
\n" }, "message_vsize": { "text": "Size of the message with CRLF linefeeds, in bytes.
\n" }, "rcpt_to": { "text": "Recipient address.
\n" }, "rcpt_param_notify": { "text": "The value of the NOTIFY parameter for the RCPT command.
\n" }, "rcpt_param_orcpt": { "text": "The address value of the ORCPT parameter for the RCPT command.
\n" }, "rcpt_param_orcpt_type": { "text": "The address type (typically "rfc822") of the ORCPT parameter for the RCPT command.
\n" }, "session": { "text": "The session ID for this connection (same as connection_id).
Transaction ID used by the server for this transaction (this ID is logged, mentioned in the DATA reply and part of the "Received:" header). It is based on the connection_id with a ":<seq>" sequence number suffix.
\n" }, "mail_from": { "text": "Sender address.
\n" }, "mail_param_auth": { "text": "The value of the AUTH parameter for the MAIL command.
\n" }, "mail_param_body": { "text": "The value of the BODY parameter for the MAIL command.
\n" }, "mail_param_envid": { "text": "The value of the ENVID parameter for the MAIL command.
\n" }, "mail_param_ret": { "text": "The value of the RET parameter for the MAIL command.
\n" }, "mail_param_size": { "text": "The value of the SIZE parameter for the MAIL command.
\n" }, "data_size": { "text": "The number data of bytes received from the client. This field is only present when the transaction finished receiving the DATA command.
\n" }, "connection_id": { "text": "The session ID for this connection. The connection ID is forwarded through proxies, allowing correlation between sessions on frontend and backend systems.
\n" }, "protocol": { "text": "The protocol used by the connection; i.e., either smtp or lmtp.
Message delivery is completed.
\nThis event is useful for logging and tracking mail deliveries.
\n" }, "dns_worker_request_started": { "root": "dns-worker", "text": "DNS request started being processed by DNS worker process.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" } } }, "dns_request_started": { "root": "dns-client", "text": "DNS request sent by DNS client library to DNS worker process.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" } } }, "dns_worker_request_finished": { "root": "dns-worker", "inherit": "dns", "text": "DNS request finished being processed by DNS worker process.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "error": { "text": "Human readable error.
\n" }, "error_code": { "text": "Error code usable with net_gethosterror().
\n" } } }, "dns_request_finished": { "root": "dns-client", "inherit": "dns", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "cached": { "text": "Set to yes or no depending if it was a cached reply or not.
Human readable error.
\n" }, "error_code": { "text": "Error code usable with net_gethosterror().
\n" } }, "text": "DNS request sent by DNS client library to DNS worker process has been\nfinished.
\n" }, "sql_query_finished": { "root": "sql", "inherit": "sql_common", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "error": { "text": "Human readable error.
\n" }, "error_code": { "text": "Error code (if available).
\n" }, "query_first_word": { "text": "First word of the query (e.g. SELECT).
Requested consistency for the query (Cassandra only).
\nConsistency attempted to be used by Cassandra for the failed query (Cassandra only).
\nName of the sql driver, e.g. mysql or cassandra.
Response was received to SQL query.
\n" }, "sql_transaction_finished": { "root": "sql", "inherit": "sql_common", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "error": { "text": "Human readable error.
\n" }, "error_code": { "text": "Error code (if available).
\n" }, "sql_driver": { "text": "Name of the sql driver, e.g. mysql or cassandra.
SQL transaction was committed or rolled back.
\n" }, "sql_connection_finished": { "root": "sql", "inherit": "sql_common", "text": "Connection to SQL server is closed.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "sql_driver": { "text": "Name of the sql driver, e.g. mysql or cassandra.
The command is received from the client.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "cmd_name": { "text": "Name of the command.
\n" }, "cmd_input_name": { "text": "SMTP command name exactly as sent (e.g. MaIL) regardless of whether or not it is valid.
SMTP command's full parameters (e.g. <from@example.com>).
SMTP command's full parameters, as human-readable output. For SMTP, this is currently identical to cmd_args.
The session ID for this connection. The connection ID is forwarded through proxies, allowing correlation between sessions on frontend and backend systems.
\n" }, "protocol": { "text": "The protocol used by the connection; i.e., either smtp or lmtp.
The session ID for this connection (same as connection_id).
Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "status_code": { "text": "SMTP status code for the (first) reply. This is = 9000 for aborted commands (e.g., when the connection is closed prematurely).
\n" }, "enhanced_code": { "text": "SMTP enhanced status code for the (first) reply. This is "9.0.0" for aborted commands (e.g., when the connection is closed prematurely).
\n" }, "error": { "text": "Error message for the reply. There is no field for a success message.
\n" }, "cmd_name": { "text": "Name of the command.
\n" }, "cmd_input_name": { "text": "SMTP command name exactly as sent (e.g. MaIL) regardless of whether or not it is valid.
SMTP command's full parameters (e.g. <from@example.com>).
SMTP command's full parameters, as human-readable output. For SMTP, this is currently identical to cmd_args.
The session ID for this connection. The connection ID is forwarded through proxies, allowing correlation between sessions on frontend and backend systems.
\n" }, "protocol": { "text": "The protocol used by the connection; i.e., either smtp or lmtp.
The session ID for this connection (same as connection_id).
The command is finished. Either a success reply was sent for it or it\nfailed somehow.
\n" }, "smtp_server_transaction_started": { "root": "smtp-server", "inherit": "smtp_transaction", "text": "The transaction is started.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "transaction_id": { "text": "Transaction ID used by the server for this transaction (this ID is logged, mentioned in the DATA reply and part of the "Received:" header). It is based on the connection_id with a ":<seq>" sequence number suffix.
\n" }, "session": { "text": "The session ID for this connection (same as connection_id).
Sender address.
\n" }, "mail_param_auth": { "text": "The value of the AUTH parameter for the MAIL command.
\n" }, "mail_param_body": { "text": "The value of the BODY parameter for the MAIL command.
\n" }, "mail_param_envid": { "text": "The value of the ENVID parameter for the MAIL command.
\n" }, "mail_param_ret": { "text": "The value of the RET parameter for the MAIL command.
\n" }, "mail_param_size": { "text": "The value of the SIZE parameter for the MAIL command.
\n" }, "data_size": { "text": "The number data of bytes received from the client. This field is only present when the transaction finished receiving the DATA command.
\n" }, "connection_id": { "text": "The session ID for this connection. The connection ID is forwarded through proxies, allowing correlation between sessions on frontend and backend systems.
\n" }, "protocol": { "text": "The protocol used by the connection; i.e., either smtp or lmtp.
Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "status_code": { "text": "SMTP status code for the (first failure) reply. This is = 9000 for aborted commands (e.g., when the connection is closed prematurely).
\n" }, "enhanced_code": { "text": "SMTP enhanced status code for the (first failure) reply. This is "9.0.0" for aborted commands (e.g., when the connection is closed prematurely).
\n" }, "error": { "text": "Error message for the first failure reply. There is no field for a success message.
\n" }, "recipients": { "text": "Total number of recipients.
\n" }, "recipients_aborted": { "text": "The number of recipients that got aborted before these could either finish\nor fail. This means that the transaction failed early somehow while these\nrecipients were still being processed by the server.
\n" }, "recipients_denied": { "text": "The number of recipients denied by the server using a negative reply to the RCPT command.
\n" }, "recipients_failed": { "text": "The number of recipients that failed somehow (includes denied recipients, but not aborted recipients).
\n" }, "recipients_succeeded": { "text": "The number of recipients for which the transaction finally succeeded.
\n" }, "is_reset": { "text": "The transaction was reset (RSET) rather than finishing\nwith a DATA/BDAT command as it normally would. This happens when client\nside issues the RSET command. Note that a reset event is a success (no\nerror field is present).
\n" }, "transaction_id": { "text": "Transaction ID used by the server for this transaction (this ID is logged, mentioned in the DATA reply and part of the "Received:" header). It is based on the connection_id with a ":<seq>" sequence number suffix.
\n" }, "session": { "text": "The session ID for this connection (same as connection_id).
Sender address.
\n" }, "mail_param_auth": { "text": "The value of the AUTH parameter for the MAIL command.
\n" }, "mail_param_body": { "text": "The value of the BODY parameter for the MAIL command.
\n" }, "mail_param_envid": { "text": "The value of the ENVID parameter for the MAIL command.
\n" }, "mail_param_ret": { "text": "The value of the RET parameter for the MAIL command.
\n" }, "mail_param_size": { "text": "The value of the SIZE parameter for the MAIL command.
\n" }, "data_size": { "text": "The number data of bytes received from the client. This field is only present when the transaction finished receiving the DATA command.
\n" }, "connection_id": { "text": "The session ID for this connection. The connection ID is forwarded through proxies, allowing correlation between sessions on frontend and backend systems.
\n" }, "protocol": { "text": "The protocol used by the connection; i.e., either smtp or lmtp.
Transaction is finished or failed.
\n" }, "smtp_server_transaction_rcpt_finished": { "root": "smtp-server", "inherit": "smtp_recipient", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "status_code": { "text": "SMTP status code for the reply. This is = 9000 for aborted commands (e.g., when the connection is closed prematurely).
\n" }, "enhanced_code": { "text": "SMTP enhanced status code for the reply. This is "9.0.0" for aborted commands (e.g., when the connection is closed prematurely).
\n" }, "error": { "text": "Error message for the reply if it is a failure. There is no field for a success message.
\n" }, "dest_host": { "text": "LMTP proxying only: Proxy destination hostname.
\nLMTP proxying only: Proxy destination IP address.
\nRecipient address.
\n" }, "rcpt_param_notify": { "text": "The value of the NOTIFY parameter for the RCPT command.
\n" }, "rcpt_param_orcpt": { "text": "The address value of the ORCPT parameter for the RCPT command.
\n" }, "rcpt_param_orcpt_type": { "text": "The address type (typically "rfc822") of the ORCPT parameter for the RCPT command.
\n" }, "session": { "text": "The session ID for this connection (same as connection_id).
Transaction ID used by the server for this transaction (this ID is logged, mentioned in the DATA reply and part of the "Received:" header). It is based on the connection_id with a ":<seq>" sequence number suffix.
\n" }, "mail_from": { "text": "Sender address.
\n" }, "mail_param_auth": { "text": "The value of the AUTH parameter for the MAIL command.
\n" }, "mail_param_body": { "text": "The value of the BODY parameter for the MAIL command.
\n" }, "mail_param_envid": { "text": "The value of the ENVID parameter for the MAIL command.
\n" }, "mail_param_ret": { "text": "The value of the RET parameter for the MAIL command.
\n" }, "mail_param_size": { "text": "The value of the SIZE parameter for the MAIL command.
\n" }, "data_size": { "text": "The number data of bytes received from the client. This field is only present when the transaction finished receiving the DATA command.
\n" }, "connection_id": { "text": "The session ID for this connection. The connection ID is forwarded through proxies, allowing correlation between sessions on frontend and backend systems.
\n" }, "protocol": { "text": "The protocol used by the connection; i.e., either smtp or lmtp.
The transaction is finished or failed for this particular recipient. When\nsuccessful, this means the DATA command for the transaction yielded success\nfor that recipient (even for SMTP this event is generated for each\nrecipient separately). Recipients can fail at various stages, particularly\nat the actual RCPT command where the server can deny the recipient.
\n" }, "smtp_submit_started": { "root": "smtp-submit", "text": "Started message submission.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" } } }, "smtp_submit_finished": { "root": "smtp-submit", "inherit": "smtp_submit", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "error": { "text": "Error message for submission failure.
\n" }, "mail_from": { "text": "The envelope sender for the outgoing message.
\n" }, "recipients": { "text": "The number of recipients for the outgoing message.
\n" }, "data_size": { "text": "The size of the outgoing message.
\n" } }, "text": "Finished the message submission.
\n" }, "push_notification_finished": { "root": "push-notification", "inherit": "mail_user", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "mailbox": { "text": "Mailbox for event.
\n" }, "user": { "text": "Username of the user.
\n" }, "session": { "text": "Session ID for the storage session.
\n" }, "service": { "text": "Name of the service. Examples: imap, pop3, lmtp, ...
Push notification event was sent. See push notification stats.
\n" }, "sieve_runtime_script_started": { "root": "sieve-runtime", "inherit": "sieve_runtime", "text": "Started evaluating a Sieve script.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "script_name": { "text": "The name of the Sieve script as it is visible to the user.
\n" }, "script_location": { "text": "The full location string of the Sieve script.
\n" }, "binary_path": { "text": "The path of the Sieve binary being executed (if it is not only in memory).
\n" }, "error": { "text": "If present, this field indicates that the script execution has failed. The error message itself is very simple.
\n" }, "message_id": { "text": "The message-id of the message being filtered.
\n" }, "mail_from": { "text": "Envelope sender address if available.
\n" }, "rcpt_to": { "text": "Envelope recipient address if available.
\n" }, "user": { "text": "Username of the user.
\n" } } }, "sieve_runtime_script_finished": { "root": "sieve-runtime", "inherit": "sieve_runtime", "text": "Finished evaluating a Sieve script.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "script_name": { "text": "The name of the Sieve script as it is visible to the user.
\n" }, "script_location": { "text": "The full location string of the Sieve script.
\n" }, "binary_path": { "text": "The path of the Sieve binary being executed (if it is not only in memory).
\n" }, "error": { "text": "If present, this field indicates that the script execution has failed. The error message itself is very simple.
\n" }, "message_id": { "text": "The message-id of the message being filtered.
\n" }, "mail_from": { "text": "Envelope sender address if available.
\n" }, "rcpt_to": { "text": "Envelope recipient address if available.
\n" }, "user": { "text": "Username of the user.
\n" } } }, "sieve_action_finished": { "root": "sieve-execute", "inherit": "sieve_execute", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "action_name": { "text": "| Action | \nDescription | \n
|---|---|
discard | \nThe discard action was executed successfully (only has an effect when no explicit keep is executed). | \n
| ileinto` | \nThe fileinto action was executed successfully. | \n
keep | \nThe keep action was executed successfully (maps to fileinto internally, so the fields are identical). | \n
notify | \nThe notify action was executed successfully (either from the notify or the enotify extension). | \n
pipe | \nThe pipe action (from vnd.dovecot.pipe extension) was executed successfully. | \n
redirect | \nThe redirect action was executed successfully. | \n
reject | \nThe reject action was executed successfully. | \n
report | \nThe report action (from vnd.dovecot.report extension) was executed successfully. | \n
vacation | \nThe vacation action was executed successfully. | \n
The location string for this Sieve action (a combination of "<script-name>: line <number>".
\n" }, "redirect_target": { "text": "The target address for the redirect action.
\n" }, "notify_target": { "text": "The list of target addresses for the notify action.
\n" }, "report_target": { "text": "The target address for the report action.
\n" }, "report_type": { "text": "The feedback type for the report action.
\n" }, "fileinto_mailbox": { "text": "The target mailbox for the fileinto/keep action.
\n" }, "pipe_program": { "text": "The name of the program being executed by the pipe action.
\n" }, "message_id": { "text": "The message-id of the message being filtered.
\n" }, "mail_from": { "text": "Envelope sender address if available.
\n" }, "rcpt_to": { "text": "Envelope recipient address if available.
\n" }, "user": { "text": "Username of the user.
\n" } }, "text": "Emitted when sieve action is completed successfully.
\n" }, "sieve_script_opened": { "root": "sieve-storage", "inherit": "sieve_storage", "text": "Opened a Sieve script for reading (e.g. for ManageSieve GETSCRIPT or\ncompiling it at delivery).
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "storage_driver": { "text": "The driver name of the Sieve storage (file, ldap, or dict).
The location string for the Sieve script.
\n" }, "error": { "text": "Error message for when storage operation has failed.
\n" }, "user": { "text": "Username of the user.
\n" } } }, "sieve_script_closed": { "root": "sieve-storage", "inherit": "sieve_storage", "text": "Closed a Sieve script (after reading it).
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "storage_driver": { "text": "The driver name of the Sieve storage (file, ldap, or dict).
The location string for the Sieve script.
\n" }, "error": { "text": "Error message for when storage operation has failed.
\n" }, "user": { "text": "Username of the user.
\n" } } }, "sieve_script_deleted": { "root": "sieve-storage", "inherit": "sieve_storage", "text": "Deleted a Sieve script.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "storage_driver": { "text": "The driver name of the Sieve storage (file, ldap, or dict).
The location string for the Sieve script.
\n" }, "error": { "text": "Error message for when storage operation has failed.
\n" }, "user": { "text": "Username of the user.
\n" } } }, "sieve_script_activated": { "root": "sieve-storage", "inherit": "sieve_storage", "text": "Activated a Sieve script.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "storage_driver": { "text": "The driver name of the Sieve storage (file, ldap, or dict).
The location string for the Sieve script.
\n" }, "error": { "text": "Error message for when storage operation has failed.
\n" }, "user": { "text": "Username of the user.
\n" } } }, "sieve_script_renamed": { "root": "sieve-storage", "inherit": "sieve_storage", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "old_script_name": { "text": "Old name of the Sieve script.
\n" }, "new_script_name": { "text": "New name for the Sieve script.
\n" }, "storage_driver": { "text": "The driver name of the Sieve storage (file, ldap, or dict).
The location string for the Sieve script.
\n" }, "error": { "text": "Error message for when storage operation has failed.
\n" }, "user": { "text": "Username of the user.
\n" } }, "text": "Renamed a Sieve script.
\n" }, "sieve_storage_save_started": { "root": "sieve-storage", "inherit": "sieve_storage", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "script_name": { "text": "Name of the Sieve script.
\n" }, "storage_driver": { "text": "The driver name of the Sieve storage (file, ldap, or dict).
The location string for the Sieve script.
\n" }, "error": { "text": "Error message for when storage operation has failed.
\n" }, "user": { "text": "Username of the user.
\n" } }, "text": "Started saving a Sieve script.
\n" }, "sieve_storage_save_finished": { "root": "sieve-storage", "inherit": "sieve_storage", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "script_name": { "text": "Name of the Sieve script.
\n" }, "storage_driver": { "text": "The driver name of the Sieve storage (file, ldap, or dict).
The location string for the Sieve script.
\n" }, "error": { "text": "Error message for when storage operation has failed.
\n" }, "user": { "text": "Username of the user.
\n" } }, "text": "Finished saving a Sieve script.
\n" }, "managesieve_command_finished": { "root": "managesieve", "inherit": "managesieve", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "script_name": { "text": "Name for the Sieve script this command operated on (if any).
\n" }, "old_script_name": { "text": "Old name of the Sieve script (only set for RENAMESCRIPT).
\n" }, "new_script_name": { "text": "New name for the Sieve script (only set for RENAMESCRIPT).
\n" }, "compile_errors": { "text": "The number of compile errors that occurred (only set for PUTSCRIPT, CHECKSCRIPT and SETACTIVE when compile fails).
\n" }, "compile_warnings": { "text": "The number of compile warnings that occurred (only set for PUTSCRIPT, CHECKSCRIPT and SETACTIVE when script is compiled).
\n" }, "cmd_name": { "text": "Name of the ManageSieve command.
\n" }, "cmd_args": { "text": "Arguments for the ManageSieve command.
\n" }, "error": { "text": "Error message for when the command failed.
\n" } }, "text": "Finished the ManageSieve command.
\n" }, "dict_created": { "root": "dict", "inherit": "dict_init", "text": "Dictionary is initialized.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "dict_name": { "text": "Name of the dict as set in configurations.
\n" }, "dict_driver": { "text": "Name of the dictionary driver, e.g. sql or proxy.
Error, if one occurred.
\n" } } }, "dict_destroyed": { "root": "dict", "inherit": "dict_init", "text": "Dictionary is destroyed.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "dict_name": { "text": "Name of the dict as set in configurations.
\n" }, "dict_driver": { "text": "Name of the dictionary driver, e.g. sql or proxy.
Error, if one occurred.
\n" } } }, "dict_lookup_finished": { "root": "dict", "inherit": "dict_lookup", "text": "Dictionary lookup finishes.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Username, if it's not empty.
\n" }, "key": { "text": "Key name, starts with priv/ or shared/.
Set to yes if key not found.
Name of the dictionary driver, e.g. sql or proxy.
Error, if one occurred.
\n" } } }, "dict_iteration_finished": { "root": "dict", "inherit": "dict_iteration", "text": "Dictionary iteration finished.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "rows": { "text": "Number of rows returned.
\n" }, "user": { "text": "Username, if it's not empty.
\n" }, "key": { "text": "Key name, starts with priv/ or shared/.
Set to yes if key not found.
Name of the dictionary driver, e.g. sql or proxy.
Error, if one occurred.
\n" } } }, "dict_transaction_finished": { "root": "dict", "inherit": "dict_transaction", "text": "Dictionary transaction has been committed or rolled back.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Username, if it's not empty.
\n" }, "rollback": { "text": "Set to yes when transaction was rolled back.
Set to yes if write was not confirmed.
Name of the dictionary driver, e.g. sql or proxy.
Error, if one occurred.
\n" } } }, "dict_server_lookup_finished": { "root": "dict-server", "inherit": "dict_lookup", "text": "Dictionary server finishes lookup.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Username, if it's not empty.
\n" }, "key": { "text": "Key name, starts with priv/ or shared/.
Set to yes if key not found.
Name of the dictionary driver, e.g. sql or proxy.
Error, if one occurred.
\n" } } }, "dict_server_iteration_finished": { "root": "dict-server", "inherit": "dict_iteration", "text": "Dictionary server finishes iteration.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "rows": { "text": "Number of rows returned.
\n" }, "user": { "text": "Username, if it's not empty.
\n" }, "key": { "text": "Key name, starts with priv/ or shared/.
Set to yes if key not found.
Name of the dictionary driver, e.g. sql or proxy.
Error, if one occurred.
\n" } } }, "dict_server_transaction_finished": { "root": "dict-server", "inherit": "dict_transaction", "text": "Dictionary server finishes transaction.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "user": { "text": "Username, if it's not empty.
\n" }, "rollback": { "text": "Set to yes when transaction was rolled back.
Set to yes if write was not confirmed.
Name of the dictionary driver, e.g. sql or proxy.
Error, if one occurred.
\n" } } }, "login_aborted": { "added": { "events_login_aborted_added": false }, "inherit": "pre_login_client", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "reason": { "text": "Short reason; see the short reason to description mapping.
\n" }, "auth_successes": { "text": "Number of successful authentications, which eventually failed due to other reasons.
\n" }, "auth_attempts": { "text": "Total number of authentication attempts, both successful and failed.
\n" }, "auth_usecs": { "text": "How long ago the first authentication attempt was started.
\n" }, "connected_usecs": { "text": "How long ago the client connection was created.
\n" }, "local_ip": { "text": "Local IP address.
\n" }, "local_name": { "text": "TLS SNI hostname, if given.
\nLocal port.
\n" }, "remote_ip": { "text": "Remote IP address.
\n" }, "remote_port": { "text": "Remote port.
\n" }, "user": { "text": "Full username.
\n" }, "service": { "text": "Same as protocol
Name of service e.g. submission, imap.
Added: 2.4.0
\n\nreason values:
| Reason | \nDescription | \n
|---|---|
anonymous_auth_disabled | \nAnonymous authentication is not allowed. | \n
authorization_failed | \nMaster user authentication succeeded, but authorization to access the requested login user wasn't allowed. | \n
auth_aborted_by_client | \nClient started SASL authentication, but returned "*" reply to abort it. | \n
auth_failed | \nGeneric authentication failure. Possibly due to invalid username/password, but could have been some other unspecified reason also. | \n
auth_nologin_referral | \nAuthentication returned auth referral to redirect the client to another server. This is normally configured to be sent only when the client is a Dovecot proxy, which handles the redirection. | \n
auth_process_comm_fail | \nInternal error communicating with the auth process. | \n
auth_process_not_ready | \nClient disconnected before auth process was ready. This may indicate a hanging auth process if connected_usecs is large. | \n
auth_waiting_client | \nClient started SASL authentication, but disconnected instead of sending the next SASL continuation reply. | \n
cleartext_auth_disabled | \nAuthentication using cleartext mechanism is not allowed at this point. It would be allowed if SSL/TLS was enabled. | \n
client_ssl_cert_untrusted | \nClient sent an SSL certificate that is untrusted with auth_ssl_require_client_cert = yes. | \n
client_ssl_cert_missing | \nClient didn't send SSL certificate, but auth_ssl_require_client_cert = yes. | \n
client_ssl_not_started | \nClient didn't even start SSL with auth_ssl_require_client_cert = yes. | \n
connection_limit | \nClient reached mail_max_userip_connections limit. | \n
internal_failure | \nInternal failure. The error log has more details. | \n
invalid_base64 | \nClient sent invalid base64 in SASL response. | \n
invalid_mech | \nUnknown SASL authentication mechanism requested. | \n
login_disabled | \nThe user has the passdb: Authentication `nologin` Extra Field field set in passdb and is thereby not able to login. | \n
no_auth_attempts | \nClient didn't send any authentication attempts. | \n
password_expired | \nThe user's password is expired. | \n
process_full | \nservice configuration (client_limit) and service configuration (process_limit) was hit and this login session was killed. | \n
shutting_down | \nThe process is shutting down so the login is aborted. | \n
tls_handshake_not_finished | \nTLS handshake failed or was not finished. | \n
user_disabled | \nUser is in deny passdb, or in some other way disabled passdb. | \n
Proxying reason values:
| Reason | \nDescription | \n
|---|---|
proxy_dest_connect_failed | \nLocal authentication succeeded, but connection to destination hop failed. | \n
proxy_dest_internal_failure | \nLocal authentication succeeded, but internal failure occurred after that. | \n
proxy_dest_remote_failure | \nLocal authentication succeeded, but destination hop reported unspecified failure. | \n
proxy_dest_protocol_failure | \nLocal authentication succeeded, but destination hop unexpectedly violated the protocol standard. | \n
proxy_dest_auth_failed | \nLocal authentication succeeded, but proxying failed to authenticate to the destination hop. | \n
proxy_dest_auth_temp_failed | \nLocal authentication succeeded, but proxying failed to temporarily authenticate to the destination hop. | \n
proxy_dest_redirected | \nLocal authentication succeeded, but destination hop redirected to another host. | \n
proxy_dest_connection_limit | \nAdded: 2.4.3 Login to backend failed because client reached mail_max_userip_connections limit. | \n
Connection to proxy destination has started.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "dest_host": { "text": "Host name of the proxy destination (if proxying is configured with IP address, will have the same value as dest_ip).
Proxy destination IP.
\n" }, "dest_port": { "text": "Proxy destination port.
\n" }, "source_ip": { "text": "Source IP where proxy connection originated from.
\n" }, "master_user": { "text": "If proxying is done with a master user authentication, contains the full username of master user.
\n" }, "local_ip": { "text": "Local IP address.
\n" }, "local_name": { "text": "TLS SNI hostname, if given.
\nLocal port.
\n" }, "remote_ip": { "text": "Remote IP address.
\n" }, "remote_port": { "text": "Remote port.
\n" }, "user": { "text": "Full username.
\n" }, "service": { "text": "Same as protocol
Name of service e.g. submission, imap.
Connection to proxy destination is established and user is successfully\nlogged into the backend.
\n", "fields": { "duration": { "text": "Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "source_port": { "text": "Source port where proxy connection originated from.
\n" }, "reconnect_attempts": { "text": "Number of times connection failed and reconnection was attempted.
\n" }, "dest_host": { "text": "Host name of the proxy destination (if proxying is configured with IP address, will have the same value as dest_ip).
Proxy destination IP.
\n" }, "dest_port": { "text": "Proxy destination port.
\n" }, "source_ip": { "text": "Source IP where proxy connection originated from.
\n" }, "master_user": { "text": "If proxying is done with a master user authentication, contains the full username of master user.
\n" }, "local_ip": { "text": "Local IP address.
\n" }, "local_name": { "text": "TLS SNI hostname, if given.
\nLocal port.
\n" }, "remote_ip": { "text": "Remote IP address.
\n" }, "remote_port": { "text": "Remote port.
\n" }, "user": { "text": "Full username.
\n" }, "service": { "text": "Same as protocol
Name of service e.g. submission, imap.
Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "error": { "text": "If login to destination failed, contains the error.
\n" }, "error_code": { "text": "If login to destination failed, contains the error code.
\nWhich side disconnected: client, server, proxy.
Reason for disconnection (empty = clean disconnect).
\n" }, "idle_usecs": { "changed": { "events_proxy_session_finished_idle_usecs_changed": "This was previously named `idle_secs`." }, "text": "Number of seconds the connection was idling before getting disconnected.
\nidle_secs.Amount of data read from client, in bytes.
\nin_bytes.Amount of data written to client, in bytes.
\nout_bytes.Source port where proxy connection originated from.
\n" }, "reconnect_attempts": { "text": "Number of times connection failed and reconnection was attempted.
\n" }, "dest_host": { "text": "Host name of the proxy destination (if proxying is configured with IP address, will have the same value as dest_ip).
Proxy destination IP.
\n" }, "dest_port": { "text": "Proxy destination port.
\n" }, "source_ip": { "text": "Source IP where proxy connection originated from.
\n" }, "master_user": { "text": "If proxying is done with a master user authentication, contains the full username of master user.
\n" }, "local_ip": { "text": "Local IP address.
\n" }, "local_name": { "text": "TLS SNI hostname, if given.
\nLocal port.
\n" }, "remote_ip": { "text": "Remote IP address.
\n" }, "remote_port": { "text": "Remote port.
\n" }, "user": { "text": "Full username.
\n" }, "service": { "text": "Same as protocol
Name of service e.g. submission, imap.
Connection to proxy destination has ended, either successfully or with error.
\n\nList of error codes:
\n| Error Code | \nExplanation | \n
|---|---|
authorization_failed | \nUser authorization failed. | \n
temp_fail | \nAuth service reported temporary failure. | \n
user_disabled | \nUser is disabled. | \n
password_expired | \nPassword is expired. | \n
invalid_base64 | \nChallenge response was invalid base64 encoded. | \n
login_disabled | \nLogin is disabled. | \n
invalid_mech | \nUsed mechanism isn't supported. | \n
cleartext_auth_disabled | \nCleartext authentication is not enabled, use TLS. | \n
anonymous_auth_disabled | \nAnonymous authentication is not enabled. | \n
Proxying error codes:
\n| Reason | \nDescription | \n
|---|---|
proxy_dest_connect_failed | \nLocal authentication succeeded, but connection to destination hop failed. | \n
proxy_dest_internal_failure | \nLocal authentication succeeded, but internal failure occurred after that. | \n
proxy_dest_remote_failure | \nLocal authentication succeeded, but destination hop reported unspecified failure. | \n
proxy_dest_protocol_failure | \nLocal authentication succeeded, but destination hop unexpectedly violated the protocol standard. | \n
proxy_dest_auth_failed | \nLocal authentication succeeded, but proxying failed to authenticate to the destination hop. | \n
proxy_dest_auth_temp_failed | \nLocal authentication succeeded, but proxying failed to temporarily authenticate to the destination hop. | \n
proxy_dest_redirected | \nLocal authentication succeeded, but destination hop redirected to another host. | \n
proxy_dest_connection_limit | \nAdded: 2.4.3 Login to backend failed because client reached mail_max_userip_connections limit. | \n
Duration of the event (in microseconds)
\n" }, "reason_code": { "text": "List of reason code strings why the event happened. See event reasons for possible values.
\n" }, "error": { "text": "Reason for the attempt failure.
\n" }, "error_code": { "text": "Error code for the attempt failure.
\n" }, "source_port": { "text": "Source port where proxy connection originated from.
\n" }, "reconnect_attempts": { "text": "Number of times connection failed and reconnection was attempted.
\n" }, "dest_host": { "text": "Host name of the proxy destination (if proxying is configured with IP address, will have the same value as dest_ip).
Proxy destination IP.
\n" }, "dest_port": { "text": "Proxy destination port.
\n" }, "source_ip": { "text": "Source IP where proxy connection originated from.
\n" }, "master_user": { "text": "If proxying is done with a master user authentication, contains the full username of master user.
\n" }, "local_ip": { "text": "Local IP address.
\n" }, "local_name": { "text": "TLS SNI hostname, if given.
\nLocal port.
\n" }, "remote_ip": { "text": "Remote IP address.
\n" }, "remote_port": { "text": "Remote port.
\n" }, "user": { "text": "Full username.
\n" }, "service": { "text": "Same as protocol
Name of service e.g. submission, imap.
Connection to proxy failed, but reconnect will be attempted.\nreconnect_attempts=1 for the first event and increases for each subsequent\nevent.