enhancement: Dovecot DATA slices messages in some statements (#1209)

* enhancement: Dont match data since it can slice the login message

* enhancement: Update previous auth worker line also

* enhancement: Tests

* enhancement: auth line also ref: https://www.reddit.com/r/CrowdSec/comments/1hr5y61/help_please_understanding_why_dovecot_auth_fails/

* enhancement: run index workflow manually

.index.json

@@ -8113,7 +8113,7 @@
   "crowdsecurity/dovecot-logs": {
    "path": "parsers/s01-parse/crowdsecurity/dovecot-logs.yaml",
    "stage": "s01-parse",
-   "version": "0.8",
+   "version": "0.9",
    "versions": {
     "0.1": {
      "digest": "3d30684b5d1ceea08ea743a2fa1697178d878bd87eb55e465432c000da162b42",
@@ -8146,9 +8146,13 @@
     "0.8": {
      "digest": "638a4596262469ddaff8d608921513f2e84cb5e822f67e902e0097812ff28ada",
      "deprecated": false
+    },
+    "0.9": {
+     "digest": "daf37a858cc3f3359b9637552f768acc59d7f29db702399fb6e720193dfd5673",
+     "deprecated": false
     }
    },
-   "content": "I2NvbnRyaWJ1dGlvbiBieSBAbHRzaWNoCm9uc3VjY2VzczogbmV4dF9zdGFnZQpkZWJ1ZzogZmFsc2UKZmlsdGVyOiAiZXZ0LlBhcnNlZC5wcm9ncmFtID09ICdkb3ZlY290JyIKbmFtZTogY3Jvd2RzZWN1cml0eS9kb3ZlY290LWxvZ3MKZGVzY3JpcHRpb246ICJQYXJzZSBkb3ZlY290IGxvZ3MiCm5vZGVzOgogIC0gZ3JvazoKICAgICAgcGF0dGVybjogIiV7V09SRDpwcm90b2NvbH0tbG9naW46ICV7REFUQTpkb3ZlY290X2xvZ2luX21lc3NhZ2V9OiB1c2VyPTwle0RBVEE6ZG92ZWNvdF91c2VyfT4uKiwgcmlwPSV7SVA6ZG92ZWNvdF9yZW1vdGVfaXB9LCBsaXA9JXtJUDpkb3ZlY290X2xvY2FsX2lwfSIKICAgICAgYXBwbHlfb246IG1lc3NhZ2UKICAtIGdyb2s6CiAgICAgIHBhdHRlcm46ICJhdXRoLXdvcmtlclxcKCV7SU5UfVxcKTogJXtXT1JEOmRvdmVjb3RfdXNlcl9iYWNrZW5kfVxcKCV7REFUQTpkb3ZlY290X3VzZXJ9LCV7SVA6ZG92ZWNvdF9yZW1vdGVfaXB9LD8le0RBVEF9XFwpOiAoJXtEQVRBfTogKT8le0RBVEE6ZG92ZWNvdF9sb2dpbl9tZXNzYWdlfSQiCiAgICAgIGFwcGx5X29uOiBtZXNzYWdlCiAgLSBncm9rOgogICAgICBwYXR0ZXJuOiAiYXV0aC13b3JrZXJcXCgle0lOVH1cXCk6IChJbmZvOiApP2Nvbm4gdW5peDphdXRoLXdvcmtlciBcXChwaWQ9JXtJTlR9LHVpZD0le0lOVH1cXCk6IGF1dGgtd29ya2VyPCV7SU5UfT46ICV7V09SRDpkb3ZlY290X3VzZXJfYmFja2VuZH1cXCgle0RBVEE6ZG92ZWNvdF91c2VyfSwle0lQOmRvdmVjb3RfcmVtb3RlX2lwfSw/JXtEQVRBfVxcKTogKCV7REFUQX06ICk/JXtEQVRBOmRvdmVjb3RfbG9naW5fbWVzc2FnZX0kIgogICAgICBhcHBseV9vbjogbWVzc2FnZQogIC0gZ3JvazoKICAgICAgcGF0dGVybjogImF1dGg6IHBhc3N3ZC1maWxlXFwoJXtEQVRBOmRvdmVjb3RfdXNlcn0sJXtJUDpkb3ZlY290X3JlbW90ZV9pcH1cXCk6ICgle0RBVEF9OiApPyV7REFUQTpkb3ZlY290X2xvZ2luX21lc3NhZ2V9JCIKICAgICAgYXBwbHlfb246IG1lc3NhZ2UKc3RhdGljczoKICAgIC0gbWV0YTogbG9nX3R5cGUKICAgICAgdmFsdWU6IGRvdmVjb3RfbG9ncwogICAgLSBtZXRhOiBzb3VyY2VfaXAKICAgICAgZXhwcmVzc2lvbjogImV2dC5QYXJzZWQuZG92ZWNvdF9yZW1vdGVfaXAiCiAgICAtIG1ldGE6IGRvdmVjb3RfbG9naW5fcmVzdWx0CiAgICAgIGV4cHJlc3Npb246ICJhbnkoWydBdXRoZW50aWNhdGlvbiBmYWlsdXJlJywgJ1Bhc3N3b3JkIG1pc21hdGNoJywgJ3Bhc3N3b3JkIG1pc21hdGNoJywgJ2F1dGggZmFpbGVkJywgJ3Vua25vd24gdXNlciddLCB7ZXZ0LlBhcnNlZC5kb3ZlY290X2xvZ2luX21lc3NhZ2UgY29udGFpbnMgI30pID8gJ2F1dGhfZmFpbGVkJyA6ICcnIgo=",
+   "content": "I2NvbnRyaWJ1dGlvbiBieSBAbHRzaWNoCm9uc3VjY2VzczogbmV4dF9zdGFnZQpkZWJ1ZzogZmFsc2UKZmlsdGVyOiAiZXZ0LlBhcnNlZC5wcm9ncmFtID09ICdkb3ZlY290JyIKbmFtZTogY3Jvd2RzZWN1cml0eS9kb3ZlY290LWxvZ3MKZGVzY3JpcHRpb246ICJQYXJzZSBkb3ZlY290IGxvZ3MiCnBhdHRlcm5fc3ludGF4OgogIEFVVEhfRlVOQzogJ1tBLVphLXowLTlfXSsoXChcKSk/Jwpub2RlczoKICAtIGdyb2s6CiAgICAgIHBhdHRlcm46ICIle1dPUkQ6cHJvdG9jb2x9LWxvZ2luOiAle0RBVEE6ZG92ZWNvdF9sb2dpbl9tZXNzYWdlfTogdXNlcj08JXtEQVRBOmRvdmVjb3RfdXNlcn0+LiosIHJpcD0le0lQOmRvdmVjb3RfcmVtb3RlX2lwfSwgbGlwPSV7SVA6ZG92ZWNvdF9sb2NhbF9pcH0iCiAgICAgIGFwcGx5X29uOiBtZXNzYWdlCiAgLSBncm9rOgogICAgICBwYXR0ZXJuOiAiYXV0aC13b3JrZXJcXCgle0lOVH1cXCk6ICV7V09SRDpkb3ZlY290X3VzZXJfYmFja2VuZH1cXCgle0RBVEE6ZG92ZWNvdF91c2VyfSwle0lQOmRvdmVjb3RfcmVtb3RlX2lwfSw/JXtEQVRBfVxcKTogKCV7QVVUSF9GVU5DOmF1dGhfZnVuY30gZmFpbGVkOiApPyV7REFUQTpkb3ZlY290X2xvZ2luX21lc3NhZ2V9JCIKICAgICAgYXBwbHlfb246IG1lc3NhZ2UKICAtIGdyb2s6CiAgICAgIHBhdHRlcm46ICJhdXRoLXdvcmtlclxcKCV7SU5UfVxcKTogKEluZm86ICk/Y29ubiB1bml4OmF1dGgtd29ya2VyIFxcKHBpZD0le0lOVH0sdWlkPSV7SU5UfVxcKTogYXV0aC13b3JrZXI8JXtJTlR9PjogJXtXT1JEOmRvdmVjb3RfdXNlcl9iYWNrZW5kfVxcKCV7REFUQTpkb3ZlY290X3VzZXJ9LCV7SVA6ZG92ZWNvdF9yZW1vdGVfaXB9LD8le0RBVEF9XFwpOiAoJXtBVVRIX0ZVTkM6YXV0aF9mdW5jfSBmYWlsZWQ6ICk/JXtEQVRBOmRvdmVjb3RfbG9naW5fbWVzc2FnZX0kIgogICAgICBhcHBseV9vbjogbWVzc2FnZQogIC0gZ3JvazoKICAgICAgcGF0dGVybjogImF1dGg6IHBhc3N3ZC1maWxlXFwoJXtEQVRBOmRvdmVjb3RfdXNlcn0sJXtJUDpkb3ZlY290X3JlbW90ZV9pcH1cXCk6ICgle0FVVEhfRlVOQzphdXRoX2Z1bmN9IGZhaWxlZDogKT8le0RBVEE6ZG92ZWNvdF9sb2dpbl9tZXNzYWdlfSQiCiAgICAgIGFwcGx5X29uOiBtZXNzYWdlCnN0YXRpY3M6CiAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgIHZhbHVlOiBkb3ZlY290X2xvZ3MKICAgIC0gbWV0YTogc291cmNlX2lwCiAgICAgIGV4cHJlc3Npb246ICJldnQuUGFyc2VkLmRvdmVjb3RfcmVtb3RlX2lwIgogICAgLSBtZXRhOiBkb3ZlY290X2xvZ2luX3Jlc3VsdAogICAgICBleHByZXNzaW9uOiAiYW55KFsnQXV0aGVudGljYXRpb24gZmFpbHVyZScsICdQYXNzd29yZCBtaXNtYXRjaCcsICdwYXNzd29yZCBtaXNtYXRjaCcsICdhdXRoIGZhaWxlZCcsICd1bmtub3duIHVzZXInXSwge2V2dC5QYXJzZWQuZG92ZWNvdF9sb2dpbl9tZXNzYWdlIGNvbnRhaW5zICN9KSA/ICdhdXRoX2ZhaWxlZCcgOiAnJyIK",
    "description": "Parse dovecot logs",
    "author": "crowdsecurity",
    "labels": null

.tests/dovecot-logs/dovecot-logs.log

@@ -11,3 +11,5 @@ Apr 29 15:54:19 mail dovecot: auth-worker(14864): conn unix:auth-worker (pid=148
 Apr 29 15:54:21 mail dovecot: auth-worker(14877): conn unix:auth-worker (pid=14830,uid=109): auth-worker<5>: pam(needle,5.34.207.161): pam_authenticate() failed: Authentication failure (Password mismatch?)
 Apr 18 08:31:30 mail dovecot: auth-worker(63712): conn unix:auth-worker (pid=58074,uid=109): auth-worker<4>: sql(contact,220.169.110.101): unknown user
 Apr 18 08:31:30 mail dovecot: auth-worker(63712): Info: conn unix:auth-worker (pid=58074,uid=109): auth-worker<4>: sql(contact,220.169.110.101): unknown user
+2024-12-31T06:56:17.784598+01:00 mail dovecot: auth-worker(10377): conn unix:auth-worker (pid=919,uid=112): auth-worker<1>: sql([email protected],192.168.1.1): unknown user (given password: Password123$)
+2025-01-01T17:05:06.533969+01:00 mail2 dovecot: auth: passwd-file([email protected],192.168.1.1): unknown user (SHA1 of given password: 21bd12)