-
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_unix\(dovecot:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=([-_.@[:alnum:]]+)? rhost=([.:[:xdigit:]]+)?( user=[-_.@[:alnum:]]+)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_unix\(dovecot:[[:alnum:]]+\): check pass; user unknown$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth-worker\([-_.[:alnum:]]+\): pam\([[:alnum:]]+,[[:digit:].]+\): unknown user$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(((no auth( attempts in [[:digit:]]+ secs)?|auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs|client didn't finish SASL auth, waited 0 secs|disconnected before auth was ready, waited [[:digit:]] secs)?\): user=<[[:alnum:]@_.-]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher, session=<[[:alnum:]/+]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(((no auth( attempts in [[:digit:]]+ secs)?|auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs|client didn't finish SASL auth, waited 0 secs|disconnected before auth was ready, waited [[:digit:]] secs)?\): user=<[[:alnum:]@_.-]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol, session=<[[:alnum:]/+]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(((no auth( attempts in [[:digit:]]+ secs)?|auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs|client didn't finish SASL auth, waited 0 secs|disconnected before auth was ready, waited [[:digit:]] secs)?\): user=<[[:alnum:]@_.-]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low, session=<[[:alnum:]/+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(((no auth( attempts in [[:digit:]]+ secs)?|auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs|client didn't finish SASL auth, waited 0 secs|disconnected before auth was ready, waited [[:digit:]] secs)?\): user=<[[:alnum:]@_.-]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:141A20F4:SSL routines:ossl_statem_server_read_transition:unexpected message, session=<[[:alnum:]/+]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(((no auth( attempts in [[:digit:]]+ secs)?|auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs|client didn't finish SASL auth, waited 0 secs|disconnected before auth was ready, waited [[:digit:]] secs)?\): user=<[[:alnum:]@_.-]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? syscall failed: (Broken pipe|Connection reset by peer|Success)(, session=<[[:alnum:]/+]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(tried to use disallowed plaintext auth\): user=<>, rip=[.[:xdigit:]]+, lip=[.[:xdigit:]]+, session=<[[:alnum:]/+]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Too many (invalid|bad) commands\.?)? \(no auth attempts( in [[:digit:]]+ secs)?\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+,( TLS,)? session=<[[:alnum:]/+]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [._[:alnum:]-]+ from [[:alnum:].-]+ not allowed because none of user's groups are listed in AllowGroups$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: warning: can't get client address: Connection reset by peer$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: WARNING: no suitable primes in /etc/ssh/moduli$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: beginning MaxStartups throttling$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: drop connection #[[:digit:]]+ from \[[:.[:xdigit:]]+\]:[[:digit:]]+ on \[[:.[:xdigit:]]+\]:[[:digit:]]+ past MaxStartups$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: exited MaxStartups throttling after [[:digit:]:]+, [[:digit:]]+ connections dropped$
projects / user / henk / code / puppet / modules / logcheck.git / commitdiff