From: Hendrik Jaeger
Date: Sun, 7 Apr 2019 15:55:10 +0000 (+0200)
Subject: Update logcheck rules for dovecot
X-Git-Url: https://git.netwichtig.de/gitweb/?a=commitdiff_plain;h=d744165089658e6718f6eeb90dc280b347da43d7;p=user%2Fhenk%2Fcode%2Fpuppet%2Fmodules%2Flogcheck.git
Update logcheck rules for dovecot
---
diff --git a/files/etc/logcheck/ignore.d.server/local-dovecot b/files/etc/logcheck/ignore.d.server/local-dovecot
index 02fbf3d..1de0681 100644
--- a/files/etc/logcheck/ignore.d.server/local-dovecot
+++ b/files/etc/logcheck/ignore.d.server/local-dovecot
@@ -15,11 +15,9 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[-_.@[:alnum:]]+>, method=(PLAIN|LOGIN), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)(( handshaking)?(: Disconnected)?)?(, session=<[[:alnum:]/+]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[-_.@[:alnum:]]+>, method=(PLAIN|LOGIN), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)(( handshaking)?(: Disconnected)?)? SSL_read\(\) syscall failed: Connection reset by peer, session=<[[:alnum:]/+]+>?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[-_.@[:alnum:]]+>, method=(PLAIN|LOGIN), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)(: SSL_read\(\) syscall failed: Connection reset by peer)?(, session=<[[:alnum:]/+]+>)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[[:alnum:]]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? syscall failed: (Broken pipe|Connection reset by peer|Success)(, session=<[[:alnum:]/+]+>)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[[:alnum:]]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS handshaking: read\(size=[[:digit:]]+\) failed: Connection reset by peer, session=<[[:alnum:]/+]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[[:alnum:]]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS, )?session=<[[:alnum:]/+]+>?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[[:alnum:]]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? (Connection closed|Disconnected), session=<[[:alnum:]/+]+>$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[[:alnum:]]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?: read\(size=[[:digit:]]+\) failed: Connection reset by peer, session=<[[:alnum:]/+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[[:alnum:]]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? read\(size=[[:digit:]]+\) failed: Connection reset by peer, session=<[[:alnum:]/+]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[[:alnum:]]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:1407609C:SSL routines:SSL(2)?3_GET_CLIENT_HELLO:http request, session=<[[:alnum:]/+]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[[:alnum:]]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:140760FC:SSL routines:SSL(2)?3_GET_CLIENT_HELLO:unknown protocol, session=<[[:alnum:]/+]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[[:alnum:]]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:14076102:SSL routines:SSL(2)?3_GET_CLIENT_HELLO:unsupported protocol, session=<[[:alnum:]/+]+>$
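Review bot: The added `read\(size=[[:digit:]]+\) failed: Connection reset by peer` rule keeps the optional `(auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|…)?` group, so a connection that drops after any number of failed logins is filtered out of the logcheck report together with the harmless TLS resets. The same applies to the `syscall failed: (Broken pipe|Connection reset by peer|Success)` rule re-added in the second hunk, and to the unchanged context rules around both. If password guessing against these hosts is not tracked by another control, consider capping the ignored count, for example `([[:digit:]]|no auth) attempts` so that ten or more failures still surface. At minimum, record the trade-off above the rules with a comment such as `# also hides "auth failed, N attempts" disconnects; brute-force detection must come from elsewhere`.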
@@ -38,6 +36,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[[:alnum:]]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher, session=<[[:alnum:]/+]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[[:alnum:]]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:1417D0FC:SSL routines:tls_process_client_hello:unknown protocol, session=<[[:alnum:]/+]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[[:alnum:]]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:1417D18C:SSL routines:tls_process_client_hello:version too low, session=<[[:alnum:]/+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, ([[:digit:]]+|no auth) attempts in [[:digit:]]+ secs|disconnected before auth was ready, waited 0 secs)?\): user=<[[:alnum:]]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? syscall failed: (Broken pipe|Connection reset by peer|Success)(, session=<[[:alnum:]/+]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(disconnected before greeting, waited 0 secs\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, session=<[[:alnum:]/+]+>?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(disconnected before greeting, waited 0 secs\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) syscall failed: Connection reset by peer(, session=<[[:alnum:]/+]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(tried to use disallowed plaintext auth\): user=<>, rip=[.[:xdigit:]]+, lip=[.[:xdigit:]]+, session=<[[:alnum:]/+]+>?$