[Logcheck-users] Logcheck And Dovecot Bug

Mathieu GILLOOTS matthieu.gilloots at laposte.net
Sun Oct 31 19:54:16 UTC 2010


Hi,

I have a bug in my log report.

 

Oct 31 20:46:59 ks306288 dovecot: lda(support at mg-hebergement.com): sieve: msgid=<20101031194659.AA62128EC08E at mail.mg-hebergement.com>: stored mail into mailbox 'INBOX'

Oct 31 20:46:59 ks306288 dovecot: dict: mysql: Connected to 127.0.0.1 (postfix)

Oct 31 20:47:03 ks306288 dovecot: pop3-login: Login: user=<paiements at stoglio-corporation.com>, method=PLAIN, rip=78.228.64.77, lip=94.23.221.65, mpid=9906, TLS

Oct 31 20:47:03 ks306288 dovecot: pop3(paiements at stoglio-corporation.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0

Oct 31 20:47:04 ks306288 dovecot: pop3-login: Login: user=<support at mg-hebergement.com>, method=PLAIN, rip=78.228.64.77, lip=94.23.221.65, mpid=9908, TLS

Oct 31 20:47:04 ks306288 dovecot: pop3(support at mg-hebergement.com): Disconnected: Logged out top=0/0, retr=1/5664, del=1/1, size=5647

Oct 31 20:47:05 ks306288 dovecot: pop3-login: Login: user=<contact at stoglio-corporation.com>, method=PLAIN, rip=78.228.64.77, lip=94.23.221.65, mpid=9910, TLS

Oct 31 20:47:05 ks306288 dovecot: pop3(contact at stoglio-corporation.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0

 

My dovecot config (in logcheck ignore.d.server directory): 

 

# pre 1.0
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)-login: Login: [.[:alnum:]@-]+ \[[.:[:xdigit:]]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot: )?(imap|pop3)-login: Disconnected \[[.:[:xdigit:]]+\]$
# 1.0 and beyond
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS( handshake)?|secured))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Aborted login: (user=<[-_.@[:alnum:]]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), )?rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS( handshake)?|secured))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected: ((Too many invalid commands|Inactivity): )?(user=<[-_.@[:alnum:]]+>, )?(method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), )?rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS( handshake)?|secured))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected: Logged out$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Aborted login( \([[:digit:]]+ authentication attempts\))?: rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS( handshake)?|secured))$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: POP3\([-_.@[:alnum:]]+\): Disconnected(: Logged out| for inactivity|: Disconnected)? top=[[:digit:]]+/[[:digit:]]+, retr=[[:digit:]]+/[[:digit:]]+, del=[[:digit:]]+/[[:digit:]]+, size=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: IMAP\([-_.@[:alnum:]]+\): Disconnected(: Logged out| for inactivity|: Disconnected| in [[:upper:]]+)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-build-param: SSL parameters regeneration completed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth\(-_.[[:alnum:]]+\): (pg|my)sql: Connected to [-_.[:alnum:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: \(pam_unix\) check pass; user unknown$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: pam_unix\(dovecot:[[:alnum:]]+\): check pass; user unknown$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ deliver\([-_.@[:alnum:]]+\): msgid=<[^[:space:]]+>( \((added by [^[:space:]]+|sfid-[_[:xdigit:]]+)\))?: saved mail to [-_.[:alnum:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ deliver\([-_.@[:alnum:]]+\): msgid=<[^[:space:]]+>?( \((added by [^[:space:]]+|sfid-[_[:xdigit:]]+)\))?: (saved mail to [-_.[:alnum:]]+|forwarded to <[^[:space:]]+>)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth-worker\([-_.[:alnum:]]+\): (pg|my)sql: Connected to [-_.[:alnum:]]+ \([-_.[:alnum:]]+\)$
# see #396760
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth\([[:alnum:]]+\): client in: AUTH [[:digit:]]+[[:space:]]+(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5)[[:space:]]+service=IMAP[[:space:]]+(secured )?lip=[.:[:xdigit:]]+[[:space:]]+rip=[.:[:xdigit:]]+[[:space:]]+resp=<hidden>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth\([[:alnum:]]+\): client in: CONT<hidden>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth\([[:alnum:]]+\): client out: CONT[[:space:]]+[[:digit:]]+[[:space:]]+[[:alnum:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: IMAP\([-_.@[:alnum:]]+\): Fixed index file /[-._/[:alnum:]&]+/dovecot\.index: first_(recent|unseen)_uid_lowwater [[:digit:]]+ -> [[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: IMAP\([-_.@[:alnum:]]+\): Connection closed(: Connection reset by peer)?$

 

Thanks for your help
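
Added example, not part of the original message and not rules shipped by logcheck: a check of why the posted ignore rules leave these lines in the report, using grep -E (GNU grep assumed, for \w and the POSIX classes). The sample lines are constructed in the format shown in the post with placeholder host, addresses and IPs; the candidate rules are hypothetical adjustments for the mpid= field, the lowercase pop3(...) tag, the dict: prefix and the lda ... sieve delivery line.

```shell
#!/bin/sh
# Constructed sample lines in the format shown in the post (host, addresses
# and IPs are placeholders).
sample_log() {
cat <<'EOF'
Oct 31 20:46:59 mailhost dovecot: lda(user@example.com): sieve: msgid=<20101031194659.AA62128EC08E@mail.example.com>: stored mail into mailbox 'INBOX'
Oct 31 20:46:59 mailhost dovecot: dict: mysql: Connected to 127.0.0.1 (postfix)
Oct 31 20:47:03 mailhost dovecot: pop3-login: Login: user=<user@example.com>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.65, mpid=9906, TLS
Oct 31 20:47:03 mailhost dovecot: pop3(user@example.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
EOF
}
# Three rules copied from the config in the post (one rule per line).
posted_rules() {
cat <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS( handshake)?|secured))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: POP3\([-_.@[:alnum:]]+\): Disconnected(: Logged out| for inactivity|: Disconnected)? top=[[:digit:]]+/[[:digit:]]+, retr=[[:digit:]]+/[[:digit:]]+, del=[[:digit:]]+/[[:digit:]]+, size=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth-worker\([-_.[:alnum:]]+\): (pg|my)sql: Connected to [-_.[:alnum:]]+ \([-_.[:alnum:]]+\)$
EOF
}
# Hypothetical candidate rules (assumption, not from the logcheck package):
# same anchors and character classes, adjusted to the fields seen in the log.
candidate_rules() {
cat <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, mpid=[[:digit:]]+)?(, (TLS( handshake)?|secured))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|POP3)\([-_.@[:alnum:]]+\): Disconnected(: Logged out| for inactivity|: Disconnected)? top=[[:digit:]]+/[[:digit:]]+, retr=[[:digit:]]+/[[:digit:]]+, del=[[:digit:]]+/[[:digit:]]+, size=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: dict: (pg|my)sql: Connected to [-_.[:alnum:]]+ \([-_.[:alnum:]]+\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lda\([-_.@[:alnum:]]+\): sieve: msgid=<[^[:space:]]+>: stored mail into mailbox '[^']+'$
EOF
}
all_rules() { posted_rules; candidate_rules; }
# Count the log lines that no rule matches, i.e. the lines that would still
# be reported. $1 = function printing rules, $2 = function printing the log.
unmatched() {
    rules=$(mktemp)
    "$1" > "$rules"
    "$2" | grep -E -v -c -f "$rules" || true   # grep exits 1 when the count is 0
    rm -f "$rules"
}
echo "unmatched with posted rules:    $(unmatched posted_rules sample_log)"
echo "unmatched with candidate rules: $(unmatched all_rules sample_log)"
```

A rules file read with grep -f must not contain blank lines, because an empty pattern matches every log line and would silence the whole report. Keeping the ^ and $ anchors and the narrow character classes means any other dovecot message still shows up.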
