Dovecot Decoder Addition #843
As a secondary fix, I am also seeing issues with the failed logins parsing. There are two things here I am looking to fix, 1st the "method" section isn't present in all logs which match the current dovecot-disconnected-user decoder, and therefore it fails to match when method is missing. To fix that I made the method section optional and a non-matching group. When fixing that, I noticed my user field is showing with the "<>" around the username. I am going to assume if this worked for someone that perhaps there is a dovecot that logs without the "<>" around the user. I had to switch to pcre2 regex, but I was able to create a match that will correctly pull out the user from both cases.
Multiple failure attempts that hit the same decode rule (one without method)
Original syntax
What I needed to get it to decode
Another issue that I can't really figure out what the correct value should be here. It seems ONLY the dovecot-disconnect-user section uses the "srcuser" syntax in the order section. All other references in this decoder simply use "user". I am therefore altering it to be just "user" as that is what the rest of the file is doing. I will edit my previous comment with that change.
I have created a pull request with the above changes for review. I think I lack permissions to actually link it, so I am leaving this note here.
Hi @sangdrax8, great work!
I will be closing your PR in this repo
Created new pull request, although I couldn't find how to add you as the reviewer. I did comment and mention you though.
I am working on a new install, and found that my dovecot rules are not currently being correctly decoded. It appears mine is adding the "session" to the end of the log line, which is only decoded in failed attempts but apparently was not done in successful ones. I CAN make my own and comment this one out, but hopefully this change can be rolled into the officially maintained ones so I can stay with that (once it is released)
My Log line that causes issues
The current ruleset in my decoders for dovecot has a $ at the end of the success match, which excludes this from working
My edited success section with session added to the end:
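An added example, not code from this thread or from the project's decoder file: a Python `re` pattern standing in for a pcre2 decoder regex, showing the three relaxations discussed here (optional `method`, user with or without `<>`, optional trailing `session`). The log lines, field names and the `decode` helper are constructed for illustration.

```python
import re

# Constructed sample lines in Dovecot's login log style; not taken from the issue.
SAMPLES = [
    "dovecot: imap-login: Disconnected (auth failed, 2 attempts in 8 secs): "
    "user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<Qx1aBcD>",
    "dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<bob>, rip=203.0.113.8, lip=192.0.2.10",
    "dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=carol, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10",
    "dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=198.51.100.4, "
    "lip=192.0.2.10, mpid=4242, TLS, session=<Zz9yXwV>",
]

LOGIN_EVENT = re.compile(
    r"dovecot: (?P<service>\S+)-login: (?P<action>Login|Disconnected)"
    r"(?: \([^)]*\))?: "                       # optional "(auth failed, ...)" reason
    r"user=<?(?P<user>[^<>,\s]*)>?"            # user with or without <>
    r"(?:, method=(?P<method>[^,\s]+))?"       # method optional, wrapper is non-capturing
    r", rip=(?P<srcip>[^,\s]+), lip=(?P<dstip>[^,\s]+)"
    r"(?:, (?!session=)[^,]+)*"                # skip other trailing fields (mpid, TLS)
    r"(?:, session=<(?P<session>[^>]+)>)?$"    # session may or may not end the line
)


def decode(line):
    """Return the extracted fields as a dict, or None if the line does not match."""
    m = LOGIN_EVENT.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for line in SAMPLES:
        print(decode(line))
```

Keeping the `$` anchor after an optional `session` group, rather than directly after `lip`, is what lets lines with and without the trailing field decode under one rule.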