Permalink
Browse files

ENH: Improve cyrus-imap regex and add sample log file

  • Loading branch information...
1 parent 83a80a2 commit bd175f026737d66e7110868fb50b3760ff75e087 @kwirk kwirk committed Jul 20, 2013
Showing with 22 additions and 4 deletions.
  1. +12 −4 config/filter.d/cyrus-imap.conf
  2. +10 −0 testcases/files/logs/cyrus-imap
View
16 config/filter.d/cyrus-imap.conf
@@ -4,19 +4,27 @@
#
#
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
[Definition]
+_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
+
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
-failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
- : badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
- : badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
- : badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
+failregex = ^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] (?:plaintext|LOGIN) .* \[?SASL\(-13\): authentication failure: checkpass failed\]?$
+ ^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
+ ^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
View
10 testcases/files/logs/cyrus-imap
@@ -0,0 +1,10 @@
+# failJSON: { "time": "2005-01-04T21:51:05", "match": true , "host": "127.0.0.1" }
+Jan 4 21:51:05 hostname cyrus/imap[5355]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus@localdomain SASL(-13): authentication failure: checkpass failed
+# failJSON: { "time": "2005-02-20T17:23:32", "match": true , "host": "198.51.100.23" }
+Feb 20 17:23:32 domain cyrus/pop3[18635]: badlogin: localhost [198.51.100.23] plaintext administrator SASL(-13): authentication failure: checkpass failed
+# failJSON: { "time": "2005-02-20T17:23:32", "match": true , "host": "1.2.3.4" }
+Feb 20 17:23:32 cyrus/pop3[4297]: badlogin: example.com [1.2.3.4] plaintext mail0001 SASL(-13): authentication failure: checkpass failed
+# failJSON: { "time": "2005-06-08T18:11:13", "match": true , "host": "198.51.100.45" }
+Jun 8 18:11:13 lampserver imap[4480]: badlogin: example.com [198.51.100.45] DIGEST-MD5 [SASL(-13): authentication failure: client response doesn't match what we generated]
+# failJSON: { "time": "2004-12-21T10:01:57", "match": true , "host": "198.51.100.57" }
+Dec 21 10:01:57 hostname imapd[18454]: badlogin: example.com [198.51.100.57] CRAM-MD5 [SASL(-13): authentication failure: incorrect digest response]

0 comments on commit bd175f0

Please sign in to comment.