Permalink
Browse files

ENH: dovecot regex to match failure reported by Bob Cohen on mailing …

…list
  • Loading branch information...
1 parent 596abde commit 89e0520675ad822ab6935ade97554e8fd338e2c4 @grooverdan committed Sep 18, 2013
Showing with 4 additions and 0 deletions.
  1. +1 −0 config/filter.d/dovecot.conf
  2. +3 −0 testcases/files/logs/dovecot
View
1 config/filter.d/dovecot.conf
@@ -18,6 +18,7 @@ _daemon = dovecot(-auth)?
#
failregex = ^%(__prefix_line)s(pam_unix(\(\S+\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
+ ^%(__prefix_line)sdovecot: auth\(\S+\): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: User not known to the underlying authentication module: \d+ Time\(s\)\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
View
3 testcases/files/logs/dovecot
@@ -29,3 +29,6 @@ Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth fa
Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<test>, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session=<YADINsQCDs5BH8Pg>
# failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": "192.51.100.13" }
Jul 02 13:49:32 hostname dovecot[442]: pop3-login: Disconnected (no auth attempts in 58 secs): user=<>, rip=192.51.100.13, lip=203.0.113.17, session=<LgDINsQCkttVIMPg>
+
+# failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": "200.76.17.206" }
+Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSERVERNAME.com,200.76.17.206): pam_authenticate() failed: User not known to the underlying authentication module: 2 Time(s)

0 comments on commit 89e0520

Please sign in to comment.