Hello,
I am running Debian 13 Trixie and have manually installed the latest logwatch. Dovecot version is 2.4.1-4.
The current dovecot script is not capturing these lines in the "Authentication failed at login" section at line 268:
auth(user@example.com,000.000.000.000,sasl:login): passwd-file: Password mismatch
auth(user@example.com,000.000.000.000,sasl:plain)<Praf3JlNkTIbffRG>: passwd-file:
imap-login: Login aborted: Logged out (auth failed, 1 attempts in 4 secs) (auth_failed): user=<troublemaker@example.com>, method=PLAIN, rip=45.186.249.180, lip=000.000.000.000, TLS, session=<7ktqYcBNzGAtuvm0>
imap-login: Login aborted: Connection closed (auth failed, 1 attempts in 2 secs) (auth_failed): user=<user@example.com>, method=PLAIN, rip=201.223.106.155, lip=000.000.000.000, TLS: Connection closed, session=<zEcJQMpNRIfJ32qb>
imap-login: Login aborted: Inactivity (auth failed, 2 attempts in 178 secs) (auth_failed): user=<sallie_acklen@example.com>, method=PLAIN, rip=103.207.4.46, lip=000.000.000.000, TLS, session=<cAGahMpNTeNnzwQu>
The following regex captures those lines:
auth\(([^,]+),([^,]+),.+\).+(?:pam|passwd-file): unknown user
auth\(([^,]+),([^,]+),.+\).+(?:pam|passwd-file): Password mismatch
Login aborted:.*Connection closed.*rip=([^,]+).*
Login aborted:.*Logged out.*rip=([^,]+).*
Login aborted:.*Inactivity.*rip=([^,]+).*
Thanks,
Terry
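An added example, not part of the original post or of logwatch's own dovecot script: the five expressions from the post above, run in Perl over the quoted log lines and tallied per user and per remote IP. The last input line, the hash names and the output layout are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Input: the log lines quoted in the post (placeholder addresses kept as
# posted), plus one CONSTRUCTED line with no auth attempt, added to show what
# the "Login aborted" patterns do with a line that lacks "auth failed".
my @lines = (
    'auth(user@example.com,000.000.000.000,sasl:login): passwd-file: Password mismatch',
    'auth(user@example.com,000.000.000.000,sasl:plain)<Praf3JlNkTIbffRG>: passwd-file:',
    'imap-login: Login aborted: Logged out (auth failed, 1 attempts in 4 secs) (auth_failed): user=<troublemaker@example.com>, method=PLAIN, rip=45.186.249.180, lip=000.000.000.000, TLS, session=<7ktqYcBNzGAtuvm0>',
    'imap-login: Login aborted: Connection closed (auth failed, 1 attempts in 2 secs) (auth_failed): user=<user@example.com>, method=PLAIN, rip=201.223.106.155, lip=000.000.000.000, TLS: Connection closed, session=<zEcJQMpNRIfJ32qb>',
    'imap-login: Login aborted: Inactivity (auth failed, 2 attempts in 178 secs) (auth_failed): user=<sallie_acklen@example.com>, method=PLAIN, rip=103.207.4.46, lip=000.000.000.000, TLS, session=<cAGahMpNTeNnzwQu>',
    'imap-login: Login aborted: Connection closed (no auth attempts in 0 secs) (no_auth_attempts): user=<>, rip=192.0.2.10, lip=000.000.000.000, session=<constructed>',
);

# The expressions from the post, unchanged.
my @re_auth = (
    qr/auth\(([^,]+),([^,]+),.+\).+(?:pam|passwd-file): unknown user/,
    qr/auth\(([^,]+),([^,]+),.+\).+(?:pam|passwd-file): Password mismatch/,
);
my @re_aborted = (
    qr/Login aborted:.*Connection closed.*rip=([^,]+).*/,
    qr/Login aborted:.*Logged out.*rip=([^,]+).*/,
    qr/Login aborted:.*Inactivity.*rip=([^,]+).*/,
);

my (%by_user, %by_rip, @unmatched);
LINE: for my $line (@lines) {
    for my $re (@re_auth) {
        # auth(...) lines carry the user and client address in groups 1 and 2
        if (my ($user, $ip) = $line =~ $re) { $by_user{"$user from $ip"}++; next LINE; }
    }
    for my $re (@re_aborted) {
        # "Login aborted" lines are keyed on the remote IP only
        if (my ($rip) = $line =~ $re) { $by_rip{$rip}++; next LINE; }
    }
    push @unmatched, $line;    # anything left over would go unreported
}

print "Authentication failed at login (auth lines):\n";
printf "  %-45s %d\n", $_, $by_user{$_} for sort keys %by_user;
print "Login aborted, by remote IP:\n";
printf "  %-45s %d\n", $_, $by_rip{$_} for sort keys %by_rip;
print "Unmatched:\n";
print "  $_\n" for @unmatched;
```

The quoted line that ends after "passwd-file:" is listed as unmatched, because both auth expressions need the text that follows it. The constructed no-auth line is counted by the "Connection closed" expression, since the three "Login aborted" expressions do not themselves test for "auth failed".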
Terry,
Do you actually have a patch for these or just the suggested regex lines?
I have an update to the dovecot script that captures some of them (I haven't seen the others in my logs) which I will push shortly, which may take care of some of your issues, but we may need to go through a couple of tests to see if it covers all of them. For example, I don't think it currently handles the passwd-file messages, which also may not be a dovecot module issue anyway.
Frank
Frank,
Here's the patch.
Terry
Terry,
Thanks for that. I'll look at rolling it in soon. I do know that one of the items is currently in already (but in slightly different format) but will also check out the others and do something about them.
Frank