diff --git a/.index.json b/.index.json
index a0a852ff5be..cafd947502a 100644
--- a/.index.json
+++ b/.index.json
@@ -8113,7 +8113,7 @@
 "crowdsecurity/dovecot-logs": {
 "path": "parsers/s01-parse/crowdsecurity/dovecot-logs.yaml",
 "stage": "s01-parse",
- "version": "0.8",
+ "version": "0.9",
 "versions": {
 "0.1": {
 "digest": "3d30684b5d1ceea08ea743a2fa1697178d878bd87eb55e465432c000da162b42",
@@ -8146,9 +8146,13 @@
 "0.8": {
 "digest": "638a4596262469ddaff8d608921513f2e84cb5e822f67e902e0097812ff28ada",
 "deprecated": false
+ },
+ "0.9": {
+ "digest": "daf37a858cc3f3359b9637552f768acc59d7f29db702399fb6e720193dfd5673",
+ "deprecated": false
 }
 },
- "content": "I2NvbnRyaWJ1dGlvbiBieSBAbHRzaWNoCm9uc3VjY2VzczogbmV4dF9zdGFnZQpkZWJ1ZzogZmFsc2UKZmlsdGVyOiAiZXZ0LlBhcnNlZC5wcm9ncmFtID09ICdkb3ZlY290JyIKbmFtZTogY3Jvd2RzZWN1cml0eS9kb3ZlY290LWxvZ3MKZGVzY3JpcHRpb246ICJQYXJzZSBkb3ZlY290IGxvZ3MiCm5vZGVzOgogIC0gZ3JvazoKICAgICAgcGF0dGVybjogIiV7V09SRDpwcm90b2NvbH0tbG9naW46ICV7REFUQTpkb3ZlY290X2xvZ2luX21lc3NhZ2V9OiB1c2VyPTwle0RBVEE6ZG92ZWNvdF91c2VyfT4uKiwgcmlwPSV7SVA6ZG92ZWNvdF9yZW1vdGVfaXB9LCBsaXA9JXtJUDpkb3ZlY290X2xvY2FsX2lwfSIKICAgICAgYXBwbHlfb246IG1lc3NhZ2UKICAtIGdyb2s6CiAgICAgIHBhdHRlcm46ICJhdXRoLXdvcmtlclxcKCV7SU5UfVxcKTogJXtXT1JEOmRvdmVjb3RfdXNlcl9iYWNrZW5kfVxcKCV7REFUQTpkb3ZlY290X3VzZXJ9LCV7SVA6ZG92ZWNvdF9yZW1vdGVfaXB9LD8le0RBVEF9XFwpOiAoJXtEQVRBfTogKT8le0RBVEE6ZG92ZWNvdF9sb2dpbl9tZXNzYWdlfSQiCiAgICAgIGFwcGx5X29uOiBtZXNzYWdlCiAgLSBncm9rOgogICAgICBwYXR0ZXJuOiAiYXV0aC13b3JrZXJcXCgle0lOVH1cXCk6IChJbmZvOiApP2Nvbm4gdW5peDphdXRoLXdvcmtlciBcXChwaWQ9JXtJTlR9LHVpZD0le0lOVH1cXCk6IGF1dGgtd29ya2VyPCV7SU5UfT46ICV7V09SRDpkb3ZlY290X3VzZXJfYmFja2VuZH1cXCgle0RBVEE6ZG92ZWNvdF91c2VyfSwle0lQOmRvdmVjb3RfcmVtb3RlX2lwfSw/JXtEQVRBfVxcKTogKCV7REFUQX06ICk/JXtEQVRBOmRvdmVjb3RfbG9naW5fbWVzc2FnZX0kIgogICAgICBhcHBseV9vbjogbWVzc2FnZQogIC0gZ3JvazoKICAgICAgcGF0dGVybjogImF1dGg6IHBhc3N3ZC1maWxlXFwoJXtEQVRBOmRvdmVjb3RfdXNlcn0sJXtJUDpkb3ZlY290X3JlbW90ZV9pcH1cXCk6ICgle0RBVEF9OiApPyV7REFUQTpkb3ZlY290X2xvZ2luX21lc3NhZ2V9JCIKICAgICAgYXBwbHlfb246IG1lc3NhZ2UKc3RhdGljczoKICAgIC0gbWV0YTogbG9nX3R5cGUKICAgICAgdmFsdWU6IGRvdmVjb3RfbG9ncwogICAgLSBtZXRhOiBzb3VyY2VfaXAKICAgICAgZXhwcmVzc2lvbjogImV2dC5QYXJzZWQuZG92ZWNvdF9yZW1vdGVfaXAiCiAgICAtIG1ldGE6IGRvdmVjb3RfbG9naW5fcmVzdWx0CiAgICAgIGV4cHJlc3Npb246ICJhbnkoWydBdXRoZW50aWNhdGlvbiBmYWlsdXJlJywgJ1Bhc3N3b3JkIG1pc21hdGNoJywgJ3Bhc3N3b3JkIG1pc21hdGNoJywgJ2F1dGggZmFpbGVkJywgJ3Vua25vd24gdXNlciddLCB7ZXZ0LlBhcnNlZC5kb3ZlY290X2xvZ2luX21lc3NhZ2UgY29udGFpbnMgI30pID8gJ2F1dGhfZmFpbGVkJyA6ICcnIgo=",
+ "content": "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",
 "description": "Parse dovecot logs",
 "author": "crowdsecurity",
 "labels": null
diff --git a/.tests/dovecot-logs/dovecot-logs.log b/.tests/dovecot-logs/dovecot-logs.log
index b3a9b227ccb..b5d81502acb 100644
--- a/.tests/dovecot-logs/dovecot-logs.log
+++ b/.tests/dovecot-logs/dovecot-logs.log
@@ -11,3 +11,5 @@ Apr 29 15:54:19 mail dovecot: auth-worker(14864): conn unix:auth-worker (pid=148
 Apr 29 15:54:21 mail dovecot: auth-worker(14877): conn unix:auth-worker (pid=14830,uid=109): auth-worker<5>: pam(needle,5.34.207.161): pam_authenticate() failed: Authentication failure (Password mismatch?)
 Apr 18 08:31:30 mail dovecot: auth-worker(63712): conn unix:auth-worker (pid=58074,uid=109): auth-worker<4>: sql(contact,220.169.110.101): unknown user
 Apr 18 08:31:30 mail dovecot: auth-worker(63712): Info: conn unix:auth-worker (pid=58074,uid=109): auth-worker<4>: sql(contact,220.169.110.101): unknown user
+2024-12-31T06:56:17.784598+01:00 mail dovecot: auth-worker(10377): conn unix:auth-worker (pid=919,uid=112): auth-worker<1>: sql(testing@example.com,192.168.1.1): unknown user (given password: Password123$)
+2025-01-01T17:05:06.533969+01:00 mail2 dovecot: auth: passwd-file(karen@co.uk,192.168.1.1): unknown user (SHA1 of given password: 21bd12)
diff --git a/.tests/dovecot-logs/parser.assert b/.tests/dovecot-logs/parser.assert
index 8a7066be0ba..a1b5e8f177a 100644
--- a/.tests/dovecot-logs/parser.assert
+++ b/.tests/dovecot-logs/parser.assert
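Review bot: Both added fixture lines end with a credential-bearing suffix, `(given password: Password123$)` and `(SHA1 of given password: 21bd12)`, and the new s00-raw expectations keep that suffix verbatim in `Parsed["message"]`; the previous parser (the removed base64 `content` line appears to decode to patterns ending in `%{DATA:dovecot_login_message}$`) would have captured it into `dovecot_login_message` as well. The s01-parse expectations for records 13 and 14 fall outside the visible hunks, so it cannot be confirmed here whether the 0.9 patterns stop the capture before the parenthesised suffix; if they do not, the cleartext password travels with the event into metas, alerts and whatever receives them. Worth pinning with assertions such as `results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Parsed["dovecot_login_message"] == "unknown user"` for both records, so a later pattern change cannot silently start capturing the suffix again.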
@@ -1,70 +1,78 @@
 len(results) == 3
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 13
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 15
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "dovecot"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Sep 8 07:46:30"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "auth-worker(24544): pam(toto,1.1.1.1): unknown user"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "dovecot"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Sep 8 07:46:30"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "canyon"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "auth-worker(24058): pam(toto,1.1.1.1,): pam_authenticate() failed: Authentication failure (password mismatch?)"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "dovecot"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Sep 8 07:16:29"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "canyon"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Sep 8 07:16:27"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=1.1.1.1, lip=7.7.7.7, TLS, session="
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "7508"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "dovecot"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Sep 8 07:16:27"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "canyon"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "pop3-login: Info: Disconnected: Connection closed (auth failed, 2 attempts in 30 secs): user=, method=PLAIN, rip=172.17.0.1, lip=172.17.0.2, TLS: Connection closed, session="
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "dovecot"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Oct 12 15:44:43"
-results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "canyon"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "canyon"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "imap-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 15 secs): user=, method=PLAIN, rip=172.17.0.1, lip=172.17.0.2, TLS, session=<6wzJvinOOLisEQAB>"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "dovecot"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Oct 12 15:46:28"
-results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "canyon"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "canyon"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "dovecot"
-results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Oct 12 15:53:32"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "imap-login: Info: Disconnected: Too many invalid commands (auth failed, 1 attempts in 0 secs): user=, rip=172.17.0.1, lip=172.17.0.2, session=<5Tfu2CnO3pKsEQAB>"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "dovecot"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Oct 12 15:53:32"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "canyon"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "pop3-login: Info: Disconnected: Disconnected: Too many bad commands (auth failed, 2 attempts in 0 secs): user=, rip=172.17.0.1, lip=172.17.0.2, session=<02qW3CnO5tWsEQAB>"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["program"] == "dovecot"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["timestamp"] == "Oct 12 15:54:33"
-results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["machine"] == "canyon"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["message"] == "pop3-login: Info: Disconnected: Disconnected: Too many bad commands (no auth attempts in 22 secs): user=<>, rip=172.17.0.1, lip=172.17.0.2, TLS, session="
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["program"] == "dovecot"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["timestamp"] == "Oct 13 09:22:47"
-results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["machine"] == "canyon"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["message"] == "pop3-login: Info: Login: user=, method=PLAIN, rip=172.17.0.1, lip=172.17.0.2, mpid=18, TLS, session="
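Review bot: The substantive changes in this hunk — `len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 15` and the new `Evt.Whitelisted == false` line per record — are interleaved with a pure reordering of existing assertions (`program`/`timestamp` moved below `message`, `machine` moved below the `datasource_*` keys), and the same mix recurs in the hunk at L10. The reordering more than doubles the size of the diff without changing what is asserted, which makes it hard to see at a glance that no old expectation was weakened. If the file is produced by the hub test tooling and the new ordering is just its current output, regenerating the unchanged records in a separate commit ahead of the parser change would leave the expectation changes reviewable on their own.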
@@ -73,22 +81,25 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["timestamp"] == "O
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["machine"] == "canyon"
+results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["program"] == "dovecot"
-results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["timestamp"] == "Apr 29 15:54:19"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["message"] == "auth-worker(14864): conn unix:auth-worker (pid=14830,uid=109): auth-worker<6>: pam(caliph@customdomaine.com,5.34.207.151): pam_authenticate() failed: Authentication failure (Password mismatch?)"
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["program"] == "dovecot"
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["timestamp"] == "Apr 29 15:54:19"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["machine"] == "mail"
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Success == true
-results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["program"] == "dovecot"
-results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["timestamp"] == "Apr 29 15:54:21"
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["message"] == "auth-worker(14877): conn unix:auth-worker (pid=14830,uid=109): auth-worker<5>: pam(needle,5.34.207.161): pam_authenticate() failed: Authentication failure (Password mismatch?)"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["program"] == "dovecot"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["timestamp"] == "Apr 29 15:54:21"
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["machine"] == "mail"
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][11].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["message"] == "auth-worker(63712): conn unix:auth-worker (pid=58074,uid=109): auth-worker<4>: sql(contact,220.169.110.101): unknown user"
@@ -97,213 +108,280 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["timestamp"] == " results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["datasource_path"] == "dovecot-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["machine"] == "mail" +results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/syslog-logs"][12].Success == true -results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["timestamp"] == "Apr 18 08:31:30" results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["logsource"] == "syslog" results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["message"] == "auth-worker(63712): Info: conn unix:auth-worker (pid=58074,uid=109): auth-worker<4>: sql(contact,220.169.110.101): unknown user" results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["program"] == "dovecot" +results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["timestamp"] == "Apr 18 08:31:30" results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["datasource_path"] == "dovecot-logs.log" results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["machine"] == "mail" -len(results["s01-parse"]["crowdsecurity/dovecot-logs"]) == 13 +results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["message"] == "auth-worker(10377): conn unix:auth-worker (pid=919,uid=112): auth-worker<1>: sql(testing@example.com,192.168.1.1): unknown user (given password: Password123$)" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["program"] == 
"dovecot" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["timestamp8601"] == "2024-12-31T06:56:17.784598+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["datasource_path"] == "dovecot-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["machine"] == "mail" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["message"] == "auth: passwd-file(karen@co.uk,192.168.1.1): unknown user (SHA1 of given password: 21bd12)" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["program"] == "dovecot" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["timestamp8601"] == "2025-01-01T17:05:06.533969+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["datasource_path"] == "dovecot-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["machine"] == "mail2" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Whitelisted == false +len(results["s01-parse"]["crowdsecurity/dovecot-logs"]) == 15 results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Success == true -results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["message"] == "auth-worker(24544): pam(toto,1.1.1.1): unknown user" -results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["program"] == "dovecot" -results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["timestamp"] == "Sep 8 07:46:30" results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["dovecot_login_message"] == "unknown user" 
+results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["dovecot_remote_ip"] == "1.1.1.1" results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["dovecot_user"] == "toto" results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["dovecot_user_backend"] == "pam" -results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["dovecot_remote_ip"] == "1.1.1.1" results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["message"] == "auth-worker(24544): pam(toto,1.1.1.1): unknown user" +results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["program"] == "dovecot" +results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Parsed["timestamp"] == "Sep 8 07:46:30" results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Meta["datasource_path"] == "dovecot-logs.log" results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Meta["dovecot_login_result"] == "auth_failed" results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Meta["log_type"] == "dovecot_logs" results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Meta["machine"] == "canyon" results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Meta["source_ip"] == "1.1.1.1" +results["s01-parse"]["crowdsecurity/dovecot-logs"][0].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Success == true +results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Parsed["auth_func"] == "pam_authenticate()" results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Parsed["dovecot_login_message"] == "Authentication failure (password mismatch?)" results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Parsed["dovecot_remote_ip"] == "1.1.1.1" results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Parsed["dovecot_user"] == "toto" 
+results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Parsed["dovecot_user_backend"] == "pam" +results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Parsed["logsource"] == "syslog" results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Parsed["message"] == "auth-worker(24058): pam(toto,1.1.1.1,): pam_authenticate() failed: Authentication failure (password mismatch?)" results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Parsed["program"] == "dovecot" results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Parsed["timestamp"] == "Sep 8 07:16:29" -results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Parsed["dovecot_user_backend"] == "pam" -results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["log_type"] == "dovecot_logs" -results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["machine"] == "canyon" -results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["source_ip"] == "1.1.1.1" results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["datasource_path"] == "dovecot-logs.log" results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["dovecot_login_result"] == "auth_failed" +results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["log_type"] == "dovecot_logs" +results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["machine"] == "canyon" +results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Meta["source_ip"] == "1.1.1.1" +results["s01-parse"]["crowdsecurity/dovecot-logs"][1].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Success == true -results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["pid"] == "7508" +results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["dovecot_local_ip"] == "7.7.7.7" 
+results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["dovecot_login_message"] == "Disconnected (auth failed, 1 attempts in 6 secs)" results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["dovecot_remote_ip"] == "1.1.1.1" results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["dovecot_user"] == "toto@toto.com" +results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["logsource"] == "syslog" results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["message"] == "imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=1.1.1.1, lip=7.7.7.7, TLS, session=" +results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["pid"] == "7508" results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["program"] == "dovecot" results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["protocol"] == "imap" results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["timestamp"] == "Sep 8 07:16:27" -results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["dovecot_local_ip"] == "7.7.7.7" -results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["dovecot_login_message"] == "Disconnected (auth failed, 1 attempts in 6 secs)" -results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Parsed["logsource"] == "syslog" results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["datasource_path"] == "dovecot-logs.log" results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["dovecot_login_result"] == "auth_failed" results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["log_type"] == "dovecot_logs" results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["machine"] == "canyon" results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Meta["source_ip"] == "1.1.1.1" +results["s01-parse"]["crowdsecurity/dovecot-logs"][2].Evt.Whitelisted == false 
results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Success == true +results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Parsed["dovecot_local_ip"] == "172.17.0.2" results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Parsed["dovecot_login_message"] == "Info: Disconnected: Connection closed (auth failed, 2 attempts in 30 secs)" results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Parsed["dovecot_remote_ip"] == "172.17.0.1" -results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Parsed["message"] == "pop3-login: Info: Disconnected: Connection closed (auth failed, 2 attempts in 30 secs): user=, method=PLAIN, rip=172.17.0.1, lip=172.17.0.2, TLS: Connection closed, session=" -results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Parsed["timestamp"] == "Oct 12 15:44:43" -results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Parsed["dovecot_local_ip"] == "172.17.0.2" results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Parsed["dovecot_user"] == "hess@lol.fr" results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Parsed["message"] == "pop3-login: Info: Disconnected: Connection closed (auth failed, 2 attempts in 30 secs): user=, method=PLAIN, rip=172.17.0.1, lip=172.17.0.2, TLS: Connection closed, session=" results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Parsed["program"] == "dovecot" results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Parsed["protocol"] == "pop3" -results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Meta["source_ip"] == "172.17.0.1" +results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Parsed["timestamp"] == "Oct 12 15:44:43" results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Meta["datasource_path"] == "dovecot-logs.log" results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Meta["dovecot_login_result"] 
== "auth_failed" results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Meta["log_type"] == "dovecot_logs" results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Meta["machine"] == "canyon" +results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Meta["source_ip"] == "172.17.0.1" +results["s01-parse"]["crowdsecurity/dovecot-logs"][3].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Success == true -results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Parsed["program"] == "dovecot" +results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Parsed["dovecot_local_ip"] == "172.17.0.2" results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Parsed["dovecot_login_message"] == "Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 15 secs)" results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Parsed["dovecot_remote_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Parsed["dovecot_user"] == "hess@test.fr" results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Parsed["timestamp"] == "Oct 12 15:46:28" -results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Parsed["dovecot_local_ip"] == "172.17.0.2" results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Parsed["message"] == "imap-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 15 secs): user=, method=PLAIN, rip=172.17.0.1, lip=172.17.0.2, TLS, session=<6wzJvinOOLisEQAB>" +results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Parsed["program"] == "dovecot" results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Parsed["protocol"] == "imap" +results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Parsed["timestamp"] == "Oct 12 15:46:28" +results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["datasource_path"] == "dovecot-logs.log" 
+results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["dovecot_login_result"] == "auth_failed" results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["log_type"] == "dovecot_logs" results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["machine"] == "canyon" results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["source_ip"] == "172.17.0.1" -results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["datasource_path"] == "dovecot-logs.log" -results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/dovecot-logs"][4].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Success == true -results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["dovecot_login_message"] == "Info: Disconnected: Too many invalid commands (auth failed, 1 attempts in 0 secs)" -results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["message"] == "imap-login: Info: Disconnected: Too many invalid commands (auth failed, 1 attempts in 0 secs): user=, rip=172.17.0.1, lip=172.17.0.2, session=<5Tfu2CnO3pKsEQAB>" -results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["program"] == "dovecot" -results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["timestamp"] == "Oct 12 15:53:32" results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["dovecot_local_ip"] == "172.17.0.2" +results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["dovecot_login_message"] == "Info: Disconnected: Too many invalid commands (auth failed, 1 attempts in 0 secs)" results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["dovecot_remote_ip"] == "172.17.0.1" results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["dovecot_user"] == "hess@testnew.fr" results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["logsource"] == "syslog" 
+results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["message"] == "imap-login: Info: Disconnected: Too many invalid commands (auth failed, 1 attempts in 0 secs): user=, rip=172.17.0.1, lip=172.17.0.2, session=<5Tfu2CnO3pKsEQAB>" +results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["program"] == "dovecot" results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["protocol"] == "imap" +results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Parsed["timestamp"] == "Oct 12 15:53:32" results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Meta["datasource_path"] == "dovecot-logs.log" results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Meta["datasource_type"] == "file" results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Meta["dovecot_login_result"] == "auth_failed" results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Meta["log_type"] == "dovecot_logs" results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Meta["machine"] == "canyon" results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Meta["source_ip"] == "172.17.0.1" +results["s01-parse"]["crowdsecurity/dovecot-logs"][5].Evt.Whitelisted == false results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Success == true -results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["dovecot_remote_ip"] == "172.17.0.1" -results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["timestamp"] == "Oct 12 15:54:33" -results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["message"] == "pop3-login: Info: Disconnected: Disconnected: Too many bad commands (auth failed, 2 attempts in 0 secs): user=, rip=172.17.0.1, lip=172.17.0.2, session=<02qW3CnO5tWsEQAB>" -results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["program"] == "dovecot" -results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["protocol"] == "pop3" results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["dovecot_local_ip"] == "172.17.0.2" 
 results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["dovecot_login_message"] == "Info: Disconnected: Disconnected: Too many bad commands (auth failed, 2 attempts in 0 secs)"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["dovecot_remote_ip"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["dovecot_user"] == "test@yourdomain.net"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["message"] == "pop3-login: Info: Disconnected: Disconnected: Too many bad commands (auth failed, 2 attempts in 0 secs): user=, rip=172.17.0.1, lip=172.17.0.2, session=<02qW3CnO5tWsEQAB>"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["program"] == "dovecot"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["protocol"] == "pop3"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Parsed["timestamp"] == "Oct 12 15:54:33"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Meta["dovecot_login_result"] == "auth_failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Meta["machine"] == "canyon"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Meta["source_ip"] == "172.17.0.1"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Meta["datasource_path"] == "dovecot-logs.log"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][6].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Success == true
-results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Parsed["protocol"] == "pop3"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Parsed["timestamp"] == "Oct 13 09:22:47"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Parsed["dovecot_local_ip"] == "172.17.0.2"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Parsed["dovecot_login_message"] == "Info: Disconnected: Disconnected: Too many bad commands (no auth attempts in 22 secs)"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Parsed["dovecot_remote_ip"] == "172.17.0.1"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Parsed["program"] == "dovecot"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Parsed["dovecot_local_ip"] == "172.17.0.2"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Parsed["message"] == "pop3-login: Info: Disconnected: Disconnected: Too many bad commands (no auth attempts in 22 secs): user=<>, rip=172.17.0.1, lip=172.17.0.2, TLS, session="
+results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Parsed["program"] == "dovecot"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Parsed["protocol"] == "pop3"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Parsed["timestamp"] == "Oct 13 09:22:47"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Meta["machine"] == "canyon"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Meta["source_ip"] == "172.17.0.1"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][7].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Success == true
-results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Parsed["dovecot_user"] == "test@yourdomain.net"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Parsed["message"] == "pop3-login: Info: Login: user=, method=PLAIN, rip=172.17.0.1, lip=172.17.0.2, mpid=18, TLS, session="
-results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Parsed["program"] == "dovecot"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Parsed["dovecot_local_ip"] == "172.17.0.2"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Parsed["dovecot_login_message"] == "Info: Login"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Parsed["dovecot_remote_ip"] == "172.17.0.1"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Parsed["dovecot_user"] == "test@yourdomain.net"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Parsed["message"] == "pop3-login: Info: Login: user=, method=PLAIN, rip=172.17.0.1, lip=172.17.0.2, mpid=18, TLS, session="
+results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Parsed["program"] == "dovecot"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Parsed["protocol"] == "pop3"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Parsed["timestamp"] == "Oct 13 09:22:59"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Parsed["dovecot_login_message"] == "Info: Login"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Meta["machine"] == "canyon"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Meta["source_ip"] == "172.17.0.1"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][8].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Success == true
-results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Parsed["program"] == "dovecot"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Parsed["timestamp"] == "Apr 29 15:54:19"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Parsed["auth_func"] == "pam_authenticate()"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Parsed["dovecot_login_message"] == "Authentication failure (Password mismatch?)"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Parsed["dovecot_remote_ip"] == "5.34.207.151"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Parsed["dovecot_user"] == "caliph@customdomaine.com"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Parsed["dovecot_user_backend"] == "pam"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Parsed["message"] == "auth-worker(14864): conn unix:auth-worker (pid=14830,uid=109): auth-worker<6>: pam(caliph@customdomaine.com,5.34.207.151): pam_authenticate() failed: Authentication failure (Password mismatch?)"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Meta["source_ip"] == "5.34.207.151"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Parsed["program"] == "dovecot"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Parsed["timestamp"] == "Apr 29 15:54:19"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Meta["dovecot_login_result"] == "auth_failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Meta["machine"] == "mail"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Meta["source_ip"] == "5.34.207.151"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][9].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Success == true
-results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Parsed["dovecot_remote_ip"] == "5.34.207.161"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Parsed["timestamp"] == "Apr 29 15:54:21"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Parsed["program"] == "dovecot"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Parsed["auth_func"] == "pam_authenticate()"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Parsed["dovecot_login_message"] == "Authentication failure (Password mismatch?)"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Parsed["dovecot_remote_ip"] == "5.34.207.161"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Parsed["dovecot_user"] == "needle"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Parsed["dovecot_user_backend"] == "pam"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Parsed["message"] == "auth-worker(14877): conn unix:auth-worker (pid=14830,uid=109): auth-worker<5>: pam(needle,5.34.207.161): pam_authenticate() failed: Authentication failure (Password mismatch?)"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Parsed["program"] == "dovecot"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Parsed["timestamp"] == "Apr 29 15:54:21"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Meta["dovecot_login_result"] == "auth_failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Meta["machine"] == "mail"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Meta["source_ip"] == "5.34.207.161"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][10].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Success == true
-results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["message"] == "auth-worker(63712): conn unix:auth-worker (pid=58074,uid=109): auth-worker<4>: sql(contact,220.169.110.101): unknown user"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["timestamp"] == "Apr 18 08:31:30"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["dovecot_login_message"] == "unknown user"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["dovecot_remote_ip"] == "220.169.110.101"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["dovecot_user"] == "contact"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["dovecot_user_backend"] == "sql"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["message"] == "auth-worker(63712): conn unix:auth-worker (pid=58074,uid=109): auth-worker<4>: sql(contact,220.169.110.101): unknown user"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["program"] == "dovecot"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["dovecot_login_message"] == "unknown user"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["dovecot_user"] == "contact"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Meta["source_ip"] == "220.169.110.101"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Parsed["timestamp"] == "Apr 18 08:31:30"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Meta["dovecot_login_result"] == "auth_failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Meta["machine"] == "mail"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Meta["source_ip"] == "220.169.110.101"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][11].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Success == true
+results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Parsed["dovecot_login_message"] == "unknown user"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Parsed["dovecot_remote_ip"] == "220.169.110.101"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Parsed["dovecot_user"] == "contact"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Parsed["dovecot_user_backend"] == "sql"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Parsed["message"] == "auth-worker(63712): Info: conn unix:auth-worker (pid=58074,uid=109): auth-worker<4>: sql(contact,220.169.110.101): unknown user"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Parsed["program"] == "dovecot"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Parsed["timestamp"] == "Apr 18 08:31:30"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Parsed["dovecot_remote_ip"] == "220.169.110.101"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Parsed["dovecot_user"] == "contact"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Parsed["dovecot_login_message"] == "unknown user"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Meta["datasource_path"] == "dovecot-logs.log"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Meta["dovecot_login_result"] == "auth_failed"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Meta["log_type"] == "dovecot_logs"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Meta["machine"] == "mail"
 results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Meta["source_ip"] == "220.169.110.101"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][12].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Success == true
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Parsed["dovecot_login_message"] == "unknown user (given password: Password123$)"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Parsed["dovecot_remote_ip"] == "192.168.1.1"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Parsed["dovecot_user"] == "testing@example.com"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Parsed["dovecot_user_backend"] == "sql"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Parsed["message"] == "auth-worker(10377): conn unix:auth-worker (pid=919,uid=112): auth-worker<1>: sql(testing@example.com,192.168.1.1): unknown user (given password: Password123$)"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Parsed["program"] == "dovecot"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Parsed["timestamp8601"] == "2024-12-31T06:56:17.784598+01:00"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Meta["datasource_path"] == "dovecot-logs.log"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Meta["log_type"] == "dovecot_logs"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Meta["machine"] == "mail"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][13].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Success == true
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Parsed["dovecot_login_message"] == "unknown user (SHA1 of given password: 21bd12)"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Parsed["dovecot_remote_ip"] == "192.168.1.1"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Parsed["dovecot_user"] == "karen@co.uk"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Parsed["message"] == "auth: passwd-file(karen@co.uk,192.168.1.1): unknown user (SHA1 of given password: 21bd12)"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Parsed["program"] == "dovecot"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Parsed["timestamp8601"] == "2025-01-01T17:05:06.533969+01:00"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Meta["datasource_path"] == "dovecot-logs.log"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Meta["dovecot_login_result"] == "auth_failed"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Meta["log_type"] == "dovecot_logs"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Meta["machine"] == "mail2"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s01-parse"]["crowdsecurity/dovecot-logs"][14].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/parsers/s01-parse/crowdsecurity/dovecot-logs.yaml b/parsers/s01-parse/crowdsecurity/dovecot-logs.yaml
index 652bcf6058c..f750be71dab 100644
--- a/parsers/s01-parse/crowdsecurity/dovecot-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/dovecot-logs.yaml
@@ -4,18 +4,20 @@ debug: false
 filter: "evt.Parsed.program == 'dovecot'"
 name: crowdsecurity/dovecot-logs
 description: "Parse dovecot logs"
+pattern_syntax:
+  AUTH_FUNC: '[A-Za-z0-9_]+(\(\))?'
 nodes:
   - grok:
       pattern: "%{WORD:protocol}-login: %{DATA:dovecot_login_message}: user=<%{DATA:dovecot_user}>.*, rip=%{IP:dovecot_remote_ip}, lip=%{IP:dovecot_local_ip}"
       apply_on: message
   - grok:
-      pattern: "auth-worker\\(%{INT}\\): %{WORD:dovecot_user_backend}\\(%{DATA:dovecot_user},%{IP:dovecot_remote_ip},?%{DATA}\\): (%{DATA}: )?%{DATA:dovecot_login_message}$"
+      pattern: "auth-worker\\(%{INT}\\): %{WORD:dovecot_user_backend}\\(%{DATA:dovecot_user},%{IP:dovecot_remote_ip},?%{DATA}\\): (%{AUTH_FUNC:auth_func} failed: )?%{DATA:dovecot_login_message}$"
       apply_on: message
   - grok:
-      pattern: "auth-worker\\(%{INT}\\): (Info: )?conn unix:auth-worker \\(pid=%{INT},uid=%{INT}\\): auth-worker<%{INT}>: %{WORD:dovecot_user_backend}\\(%{DATA:dovecot_user},%{IP:dovecot_remote_ip},?%{DATA}\\): (%{DATA}: )?%{DATA:dovecot_login_message}$"
+      pattern: "auth-worker\\(%{INT}\\): (Info: )?conn unix:auth-worker \\(pid=%{INT},uid=%{INT}\\): auth-worker<%{INT}>: %{WORD:dovecot_user_backend}\\(%{DATA:dovecot_user},%{IP:dovecot_remote_ip},?%{DATA}\\): (%{AUTH_FUNC:auth_func} failed: )?%{DATA:dovecot_login_message}$"
       apply_on: message
   - grok:
-      pattern: "auth: passwd-file\\(%{DATA:dovecot_user},%{IP:dovecot_remote_ip}\\): (%{DATA}: )?%{DATA:dovecot_login_message}$"
+      pattern: "auth: passwd-file\\(%{DATA:dovecot_user},%{IP:dovecot_remote_ip}\\): (%{AUTH_FUNC:auth_func} failed: )?%{DATA:dovecot_login_message}$"
       apply_on: message
 statics:
     - meta: log_type
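Review bot: The `%{DATA:dovecot_login_message}$` tail of the three rewritten `auth-worker`/`passwd-file` patterns stores everything Dovecot appends to the failure reason, and the assertions in this commit show that now includes a cleartext password (`unknown user (given password: Password123$)`) and a password-hash fragment when Dovecot's verbose password logging is on, so the secret ends up in the event's Parsed map where any event dump or forwarding (the parser's `debug` flag, for one) would expose it. Consider dropping that suffix at capture time, e.g. end each of the three patterns with `%{DATA:dovecot_login_message}( \\((SHA1 of )?given password: %{DATA}\\))?$`, and adjusting the two new `dovecot_login_message` assertions to the bare `unknown user`; whether the `dovecot_login_result` static depends on the full string should be checked, as the statics block runs past the end of this hunk. Replacing the generic `(%{DATA}: )?` prefix with `(%{AUTH_FUNC:auth_func} failed: )?` also narrows the match: any other `<word>: ` prefix Dovecot puts before the reason is now folded into `dovecot_login_message` instead of being skipped, which is probably intended but is a behaviour change worth stating in the commit message. `AUTH_FUNC` itself deserves a one-line comment above its definition, e.g. `# backend call Dovecot reports as failing, e.g. pam_authenticate()`.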