
Commit bd175f0

committed
ENH: Improve cyrus-imap regex and add sample log file
1 parent 83a80a2 commit bd175f0


2 files changed

+22
-4
lines changed


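--- a/config/filter.d/cyrus-imap.conf
+++ b/config/filter.d/cyrus-imap.conf
@@ -4,19 +4,27 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
 [Definition]
 
+_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
+
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "<HOST>" can
 # be used for standard IP/hostname matching and is only an alias for
 # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
-: badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
-: badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
-: badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
+failregex = ^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] (?:plaintext|LOGIN) .* \[?SASL\(-13\): authentication failure: checkpass failed\]?$
+^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
+^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
 
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.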
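Review bot: The merged first pattern on new line 25 no longer matches the LOGIN form that removed line 17 handled. `(?:plaintext|LOGIN) .* \[?SASL` requires a space, then `.*`, then a second space before `[SASL`, so a line reading `LOGIN [SASL(-13): authentication failure: checkpass failed]` with a single space fails to match and those failures would stop counting towards a ban (assuming Cyrus logs the LOGIN form as the removed pattern describes). Making the user field optional keeps both shapes: `(?:plaintext|LOGIN) (?:.* )?\[?SASL\(-13\): authentication failure: checkpass failed\]?$`. The new `^%(__prefix_line)s` anchor and `\S+ \[<HOST>\]` also deserve a comment above `failregex`, for example `# <HOST> is matched before the client-supplied user name, so that field cannot change which address is banned`, so a later edit does not loosen them.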

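--- a/testcases/files/logs/cyrus-imap
+++ b/testcases/files/logs/cyrus-imap
@@ -0,0 +1,10 @@
+# failJSON: { "time": "2005-01-04T21:51:05", "match": true , "host": "127.0.0.1" }
+Jan 4 21:51:05 hostname cyrus/imap[5355]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus@localdomain SASL(-13): authentication failure: checkpass failed
+# failJSON: { "time": "2005-02-20T17:23:32", "match": true , "host": "198.51.100.23" }
+Feb 20 17:23:32 domain cyrus/pop3[18635]: badlogin: localhost [198.51.100.23] plaintext administrator SASL(-13): authentication failure: checkpass failed
+# failJSON: { "time": "2005-02-20T17:23:32", "match": true , "host": "1.2.3.4" }
+Feb 20 17:23:32 cyrus/pop3[4297]: badlogin: example.com [1.2.3.4] plaintext mail0001 SASL(-13): authentication failure: checkpass failed
+# failJSON: { "time": "2005-06-08T18:11:13", "match": true , "host": "198.51.100.45" }
+Jun 8 18:11:13 lampserver imap[4480]: badlogin: example.com [198.51.100.45] DIGEST-MD5 [SASL(-13): authentication failure: client response doesn't match what we generated]
+# failJSON: { "time": "2004-12-21T10:01:57", "match": true , "host": "198.51.100.57" }
+Dec 21 10:01:57 hostname imapd[18454]: badlogin: example.com [198.51.100.57] CRAM-MD5 [SASL(-13): authentication failure: incorrect digest response]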
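Review bot: The samples exercise only the `plaintext`, `DIGEST-MD5` and `CRAM-MD5` branches, so nothing covers the `LOGIN` or `NTLM` alternatives in the new filter and a pattern that stops matching them would still pass the test suite. Add one bracketed `LOGIN [SASL(-13): authentication failure: checkpass failed]` line and one `NTLM [SASL(-13): authentication failure: incorrect NTLM response]` line, each with its `# failJSON` header. A further sample whose user field contains bracketed address-like text, asserting that `host` is still the address logged by the daemon, would guard the new anchoring against later regressions.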
