martin f krafft
2006-Jul-06 09:02 UTC
[Logcheck-devel] dovecot message coming through filters
Okay, this confuses the hell out of me:

[System Events]
Jul 6 10:48:23 seamus dovecot: pop3-login: Login: user=<madduck at belligerence.net>, method=PLAIN, rip=84.72.30.149, lip=213.203.238.82, TLS

and here's the filter in ignore.d.server:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS)?$

Also:

seamus:~> echo "Jul 6 10:48:23 seamus dovecot: pop3-login: Login: user=<madduck at belligerence.net>, method=PLAIN, rip=84.72.30.149, lip=213.203.238.82, TLS" | egrep -c "^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS)?$"
1

Yet, for every POP3 (or IMAP) login, I get a logcheck mail. What's going on?

-- 
 .''`.   martin f. krafft <madduck at debian.org>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

darwinism is nothing without enough dead bodies.
maximilian attems
2006-Jul-06 10:20 UTC
[Logcheck-devel] dovecot message coming through filters
On Thu, Jul 06, 2006 at 11:02:25AM +0200, martin f krafft wrote:
> Okay, this confuses the hell out of me:
>
> [System Events]
> Jul 6 10:48:23 seamus dovecot: pop3-login: Login: user=<madduck at belligerence.net>, method=PLAIN, rip=84.72.30.149, lip=213.203.238.82, TLS
>
> and here's the filter in ignore.d.server:
>
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS)?$
>
> Also:
>
> seamus:~> echo "Jul 6 10:48:23 seamus dovecot: pop3-login: Login: user=<madduck at belligerence.net>, method=PLAIN, rip=84.72.30.149, lip=213.203.238.82, TLS" | egrep -c "^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS)?$"
> 1

indeed rule seems good.

> Yet, for every POP3 (or IMAP) login, I get a logcheck mail. What's
> going on?

did you check that the permissions of your rule file are ok?
does it get sourced when you run logcheck in debug mode?

--
maks
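
The two checks raised in the reply above (is the rule file readable, and does a rule in it match the exact log line), as an added shell example that is not part of the original thread or of logcheck. The function names and the sample log line are assumptions made for illustration; the rule is the one quoted in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of logcheck.

# Print "ok", "unreadable" or "missing" for one rule file. Readability is
# judged for the invoking user, so run this as the user logcheck runs as.
rule_file_status() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -r "$1" ]; then echo unreadable
    else echo ok
    fi
}

# Print every readable file in DIR ($1) holding a rule that matches LINE ($2).
matching_rule_files() {
    dir=$1 line=$2
    clean=$(mktemp) || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        # Drop comments and blank lines: an empty pattern would match anything.
        grep -Ev '^[[:space:]]*(#|$)' "$f" > "$clean" || true
        [ -s "$clean" ] || continue
        if printf '%s\n' "$line" | grep -Eq -f "$clean"; then
            printf '%s\n' "$f"
        fi
    done
    rm -f "$clean"
}

# Constructed sample directory holding the rule quoted in the thread.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/dovecot" <<'EOF'
# constructed comment line, skipped by matching_rule_files
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS)?$
EOF
    printf '%s\n' "$d"
}

# Constructed log line (made-up user, documentation addresses). The day field
# is space-padded to two characters, as syslog writes single-digit days.
SAMPLE_LINE='Jul  6 10:48:23 seamus dovecot: pop3-login: Login: user=<user@example.org>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS'

sample=$(make_sample_dir)
for f in "$sample"/*; do echo "$f: $(rule_file_status "$f")"; done
echo "matched by: $(matching_rule_files "$sample" "$SAMPLE_LINE")"
rm -rf "$sample"
```

Feed it the line copied byte for byte from the log file rather than from a mail or web page, since collapsed whitespace changes whether the timestamp part of the rule matches.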