AI Log Analysis
Get AI-powered insights from your mail server logs to identify delivery issues, security threats, and service health problems.
AI Log Analysis uses Google Gemini to review your mail server's system logs and surface actionable insights. It monitors Postfix, Dovecot, OpenDKIM, SpamAssassin, Fail2ban, and the CeyMail AI filter for issues that need your attention.
Business feature
AI Log Analysis is available on the Business plan and above.
Setup
AI Log Analysis requires a Gemini API key. If you haven't configured one yet:
- Navigate to Settings > AI
- Enter your Gemini API key
- Save the settings
Once configured, the AI Log Analysis widget appears on the dashboard.
How it works
CeyMail collects recent logs from your mail server services and sends them to Gemini for analysis. The AI reviews the logs for patterns, anomalies, and known issues, then returns a severity rating, summary, list of issues, and actionable recommendations.
What it monitors:
- Postfix (mail delivery and queue)
- Dovecot (IMAP/POP3 access)
- OpenDKIM (DKIM signing)
- SpamAssassin (spam filtering)
- Fail2ban (intrusion prevention)
- CeyMail AI Filter (email screening milter)
What it detects:
- Mail delivery failures and queue congestion
- Authentication issues and brute-force patterns
- DKIM/SPF/DMARC alignment problems
- Service crashes and resource exhaustion
- Security threats and targeted attacks
- Milter chain health issues
What it ignores: The AI is trained to filter out normal noise -- scanner probes, bot connections, routine Fail2ban bans/unbans, and other expected background activity that doesn't require attention.
The dashboard widget
The AI Log Analysis widget on the dashboard shows the latest analysis result:
- Severity badge -- overall health status:
  - Healthy (green) -- no issues found
  - Info (blue) -- minor observations, no action needed
  - Warning (orange) -- issues that should be investigated
  - Critical (red) -- urgent problems needing immediate attention
- Summary -- a brief description of the current state
- Issues -- expandable list of detected problems with details
- Recommendations -- actionable steps to resolve issues
- Metadata -- when the analysis ran and how many log lines were reviewed
Running an analysis
Analysis runs automatically every 4 hours. Each run is incremental -- it only analyzes logs since the last completed analysis to avoid repeating findings.
To run an analysis manually, click the Analyze Now button on the widget. Manual analyses are rate-limited to 3 per hour.
Severity levels
Each detected issue is classified by severity:
| Level | Meaning | Example |
|---|---|---|
| Info | Observation, no action needed | Minor TLS negotiation warnings |
| Warning | Should be investigated | Repeated delivery failures to a specific domain |
| Critical | Needs immediate attention | Service crash, DKIM signing broken, active attack |
The overall severity badge reflects the highest severity among all detected issues. If no issues are found, the status is Healthy.
AI limitations
AI analysis provides helpful guidance but isn't infallible. Always verify critical findings before taking major actions like restarting services or changing configurations.
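One way to verify a reported brute-force finding against the raw logs before acting on it, as an added example that is not CeyMail's own code: it counts failed logins per source IP in Dovecot and Postfix lines. The sample log lines, the threshold of 5 and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the usual syslog shape of Dovecot and Postfix
# authentication failures (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Jan 12 03:14:01 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<aaaa>
Jan 12 03:14:09 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jan 12 03:14:15 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jan 12 03:15:40 mail dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<bbbb>
Jan 12 03:16:02 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, session=<cccc>
"""

# Dovecot reports the number of failed attempts per connection and the remote IP (rip=).
DOVECOT = re.compile(
    r"dovecot: \S+-login: .*\(auth failed, (\d+) attempts? in \d+ secs\).*\brip=([0-9a-fA-F.:]+)"
)
# Postfix logs one warning per failed SASL attempt, with the client IP in brackets.
POSTFIX = re.compile(
    r"postfix/\S*smtpd\[\d+\]: warning: \S*\[([0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"
)


def failed_logins_by_ip(log_text):
    """Return a Counter of failed authentication attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DOVECOT.search(line)
        if m:
            counts[m.group(2)] += int(m.group(1))
            continue
        m = POSTFIX.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def suspected_brute_force(log_text, threshold=5):
    """List IPs whose failed attempts reach the (assumed) threshold."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in failed_logins_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} failed attempts")
```

If the counts for the IPs named in a finding do not support it, treat the finding as unverified before changing Fail2ban or service configuration.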