Hi, here is an example from my maillog (dovecot on a RHEL8 machine):

Feb 13 11:10:52 mailhub dovecot[1436]: auth: passwd-file(user@wildeboer.net,122.170.99.81): Password mismatch

which doesn't get parsed as a hit by the dovecot parser. Is this considered a bug?

Thx!

Jan

We dont have a parser for passwd-file https://hub.crowdsec.net/author/crowdsecurity/configurations/dovecot-logs

We make one though

Nice 🙂 Thx! Happy to test on my machine (I get some 50 per day when one of those pesky scripts hits my server)

I guess it would look sth like:

pattern: "auth: passwd-file\(%{DATA:dovecotuser},%{IP:dovecotremoteip}\): %{DATA:dovecotlogin_message}$"

OK.

• grok:
        pattern: "auth: passwd-file\(%{DATA:dovecotuser},%{IP:dovecotremoteip}\): (%{DATA}: )?%{DATA:dovecotloginmessage}$"       applyon: message

With double backslashes of course delivers

You can drop the $ at the end

Gives me

So I guess I now have to add it to the scenario somehow.

The scenario is done with doveloginresult

Yep. And I had to add 'Password mismatch' with a capital P 🙂

Now it triggers:

To save it you could also do "any(['authentication failure', 'password mismatch', 'auth failed', 'unknown user'], {Lower(evt.Parsed.dovecot_login_message) contains #}) ? 'auth_failed' : ''"

Works at keast for me 🙂

I could also use 'assword mismatch' to catch both cases, but I guess that would trigger a profanity filter …

👀

😆 it works

Feel free to add that grok to the dovecot parser 🙂 No credits needed or expected. It's just playing with regexes 🙂

Thank you, will do!

Ah, to save you the work, I created PR 654 https://github.com/crowdsecurity/hub/pull/654

Damn you, typo. Sorry. New PR to fix is done.