| Line 7... |
Line 7... |
| 7 |
|
7 |
|
| 8 |
[Definition]
|
8 |
[Definition]
|
| 9 |
|
9 |
|
| 10 |
_daemon = (auth|dovecot(-auth)?|auth-worker)
|
10 |
_daemon = (auth|dovecot(-auth)?|auth-worker)
|
| 11 |
|
11 |
|
| 12 |
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
|
12 |
failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
|
| 13 |
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
|
13 |
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
|
| 14 |
^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
|
14 |
^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
|
| - |
|
15 |
^%(__prefix_line)sauth-worker\(\d+\): pam\(\S+,<HOST>\): unknown user\s*$
|
| 15 |
|
16 |
|
| 16 |
ignoreregex =
|
17 |
ignoreregex =
|
| - |
|
18 |
|
| - |
|
19 |
[Init]
|
| - |
|
20 |
|
| - |
|
21 |
journalmatch = _SYSTEMD_UNIT=dovecot.service
|
| 17 |
|
22 |
|
| 18 |
# DEV Notes:
|
23 |
# DEV Notes:
|
| 19 |
# * the first regex is essentially a copy of pam-generic.conf
|
24 |
# * the first regex is essentially a copy of pam-generic.conf
|
| 20 |
# * Probably doesn't do dovecot sql/ldap backends properly
|
25 |
# * Probably doesn't do dovecot sql/ldap backends properly
|
| 21 |
# * Removed the 'no auth attempts' log lines from the matches because produces
|
26 |
# * Removed the 'no auth attempts' log lines from the matches because produces
|
| 22 |
# lots of false positives on misconfigured MTAs making regexp unuseable
|
27 |
# lots of false positives on misconfigured MTAs making regexp unusable
|
| 23 |
#
|
28 |
#
|
| 24 |
# Author: Martin Waschbuesch
|
29 |
# Author: Martin Waschbuesch
|
| 25 |
# Daniel Black (rewrote with begin and end anchors)
|
30 |
# Daniel Black (rewrote with begin and end anchors)
|