I had a problem with 535 incorrect authentication in exim mainlog not being picked up. I did some research using a regex tester and the Exim SMTP AUTH line from regex.pm (5.54 version) which is:
^\S+\s+\S+\s+(\S+) authenticator failed for \S+ (\S+ )?\[(\S+)\]:(\S*:)? 535 Incorrect authentication data( \(set_id=(\S+)\))?
- pid (process id; in the example below it's [12898])
- incoming_interface (in the example below it's I=[1.2.3.4])
- outgoing_port (in the example below it's 25)
I use the +all log selector. Example output of log selector "all" is:
2012-05-23 14:07:24 [12898] dovecot_login authenticator failed for (ylmf-pc) [183.7.98.74]:3654 I=[1.2.3.4]:25: 535 Incorrect authentication data (set_id=hlvest2@mail.domain[dot]com)
The third field in the log line is the process id. This is where the regex.pm line fails initially. The first part of the regex
^\S+\s+\S+\s+(\S+)
^\S+\s+\S+\s+(\[\S+\]\s)?(\S+)
The second problem comes in with the placement of the ending semicolon and the insertion of the tenth field - I=[1.2.3.4]:25. I changed the part of the regex that matches the ip and port to match both the external ip and optional port as well as an optional ip and port for the server.
The complete new regex is:
^\S+\s+\S+\s+(?:\[\S+\]\s)?(\S+) authenticator failed for \S+ (\S+ )?\[(\S+)\](:)?(?:\S*)?(?:\s)?(?:\S*)?(?::) 535 Incorrect authentication data( \(set_id=(\S+)\))?
I am no regex expert. I'm sure it could be improved upon. I've tested it with lines from my log file using +all and with lines from log files found when googling. Seems to work. I am going to put it into regex.custom.pm to see if it will work. My server's pretty small potatoes though and I don't experience attacks often so it may take a while for me to test it out in real life.
For your consideration.
Thanks,
Terry
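A quick way to check the claim in the post before dropping the pattern into regex.custom.pm is to run both regexes over sample log lines and compare what each one extracts. The harness below is an added example, not code from the post or from CSF: it uses Python's re module rather than Perl, which is fine here because neither pattern uses Perl-only syntax, and both patterns are copied verbatim from the post. The first sample line is the +all line quoted above; the other lines are constructed here and assume the default-selector shape (no pid, no I= field, with and without a client port), a +all line with no set_id, and an unrelated delivery line that must not match.

```python
import re

# Original Exim SMTP AUTH line from CSF's regex.pm (5.54), exactly as quoted in the post.
ORIGINAL_RE = re.compile(
    r"^\S+\s+\S+\s+(\S+) authenticator failed for \S+ (\S+ )?\[(\S+)\]:(\S*:)?"
    r" 535 Incorrect authentication data( \(set_id=(\S+)\))?"
)

# Terry's replacement regex from the post, exactly as quoted. Groups 1 (authenticator),
# 3 (client IP) and 6 (set_id) keep the same numbers as in the original, so code that
# reads $1/$3/$6 after the match does not need to change.
NEW_RE = re.compile(
    r"^\S+\s+\S+\s+(?:\[\S+\]\s)?(\S+) authenticator failed for \S+ (\S+ )?"
    r"\[(\S+)\](:)?(?:\S*)?(?:\s)?(?:\S*)?(?::) 535 Incorrect authentication data"
    r"( \(set_id=(\S+)\))?"
)

# Constructed sample log lines. SAMPLE_LINES[0] is the +all line quoted in the post; the
# rest are assumed shapes: default selector with a client port, default selector without
# a port, a +all line without set_id, and a delivery line that must never match.
SAMPLE_LINES = [
    "2012-05-23 14:07:24 [12898] dovecot_login authenticator failed for (ylmf-pc) "
    "[183.7.98.74]:3654 I=[1.2.3.4]:25: 535 Incorrect authentication data "
    "(set_id=hlvest2@mail.domain[dot]com)",
    "2012-05-23 14:08:01 dovecot_login authenticator failed for (ylmf-pc) "
    "[183.7.98.74]:3660: 535 Incorrect authentication data "
    "(set_id=hlvest2@mail.domain[dot]com)",
    "2012-05-23 14:08:30 plain authenticator failed for (ylmf-pc) [183.7.98.74]: "
    "535 Incorrect authentication data (set_id=admin)",
    "2012-05-23 14:09:12 [12901] login authenticator failed for (ylmf-pc) "
    "[203.0.113.7]:3702 I=[1.2.3.4]:25: 535 Incorrect authentication data",
    "2012-05-23 14:09:40 [12902] <= sender@example.net H=(relay) [198.51.100.9] "
    "P=esmtp S=2048",
]


def match_auth_failure(pattern, line):
    """Return (authenticator, client_ip, set_id) when `line` is an Exim 535 failure
    according to `pattern`, otherwise None. set_id is None when Exim logged none."""
    m = pattern.match(line)
    if m is None:
        return None
    return (m.group(1), m.group(3), m.group(6))


def count_failures_by_ip(pattern, lines):
    """Tally failures per client IP, the way a log watcher does before deciding to block."""
    counts = {}
    for line in lines:
        hit = match_auth_failure(pattern, line)
        if hit is not None:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts


if __name__ == "__main__":
    for name, pattern in (("regex.pm 5.54", ORIGINAL_RE), ("replacement", NEW_RE)):
        print(name, count_failures_by_ip(pattern, SAMPLE_LINES))
```

Run stand-alone, the original pattern tallies only the two default-selector lines, while the replacement also picks up both +all lines (including the one with no set_id) and still ignores the delivery line. The only behavioural difference worth noting is group 4: the original captured the client port with its trailing colon, the replacement captures just the colon, so anything that relied on $4 would need a look.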