I have a Dovecot IMAP server and want to monitor the imap(s) user logins. Here is an average line:
May 29 14:38:45 mailstore dovecot: imap-login: Login: user=<user@domain.com>, method=PLAIN, rip=10.10.234.2, lip=10.10.234.7
But almost no useful information is extracted from this line (I would need at least user and remote ip). I could add new fields but these new fields would not participate in any alert/correlation data.
The solution would be either to add/change the filter for this host or to include the new fields in the alert filters. Or something else :D Which one is possible and suggested?
Anyway, once I am done with imap(s) monitoring I will need to monitor the SMTP behavior too, and I have the same issue there.
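An added example, not part of the original post and not tied to any particular monitoring product: a standalone Python parser that pulls user, method, rip and lip out of the login line quoted above and groups remote IPs per user. It assumes the syslog layout shown in the post (no PID after `dovecot`); the function names and the sample lines other than the first are constructed for illustration.

```python
import ipaddress
import re

# Syslog prefix, then a Dovecot "<service>-login: Login:" message and its field list.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dovecot: "
    r"(?P<service>\w+)-login: Login: (?P<fields>.*)$"
)
# key=<value> or key=value; user is delimited by <>, so match the brackets
# instead of splitting the line on commas.
FIELD_RE = re.compile(r"(?P<key>\w+)=(?:<(?P<angled>[^>]*)>|(?P<bare>[^,\s]+))")

def parse_login(line):
    """Return a dict of login fields, or None if the line is not a usable login."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for f in FIELD_RE.finditer(m["fields"]):
        fields[f["key"]] = f["angled"] if f["angled"] is not None else f["bare"]
    try:
        rip = str(ipaddress.ip_address(fields["rip"]))  # reject missing/invalid rip
        user = fields["user"]
    except (KeyError, ValueError):
        return None
    return {"time": m["ts"], "host": m["host"], "service": m["service"],
            "user": user, "method": fields.get("method"),
            "rip": rip, "lip": fields.get("lip")}

def remote_ips_by_user(lines):
    """Map each user to the set of remote IPs seen in successful logins."""
    seen = {}
    for line in lines:
        event = parse_login(line)
        if event:
            seen.setdefault(event["user"], set()).add(event["rip"])
    return seen

# Constructed sample: the first line is the post's line; the others are made up.
SAMPLE = [
    "May 29 14:38:45 mailstore dovecot: imap-login: Login: user=<user@domain.com>, method=PLAIN, rip=10.10.234.2, lip=10.10.234.7",
    "May 29 14:40:02 mailstore dovecot: imap-login: Login: user=<user@domain.com>, method=PLAIN, rip=10.10.234.9, lip=10.10.234.7",
    "May 29 14:41:10 mailstore CRON[811]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for user, ips in remote_ips_by_user(SAMPLE).items():
        print(user, sorted(ips))
```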