ENH: Improve sieve regex and add sample line

config/filter.d/sieve.conf

@@ -4,15 +4,24 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
 [Definition]
 
+_deamon = (?:cyrus/)?(?:tim)?sieved?
+
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching.
 # Values: TEXT
 #
-failregex = : badlogin: .*\[<HOST>\] (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure$
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] (?:LOGIN|PLAIN|OTP|(?:CRAM|DIGEST)-MD5) authentication failure$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

testcases/files/logs/sieve

@@ -1,2 +1,6 @@
 # failJSON: { "time": "2004-12-01T20:36:56", "match": true , "host": "1.2.3.4" }
 Dec 1 20:36:56 mail sieve[23713]: badlogin: example.com[1.2.3.4] PLAIN authentication failure
+# failJSON: { "time": "2005-07-18T17:21:58", "match": true , "host": "1.2.3.4" }
+Jul 18 17:21:58 ophelia cyrus/timsieved[12305]: badlogin: example.com[1.2.3.4] PLAIN authentication failure
+# failJSON: { "time": "2004-09-25T22:07:38", "match": true , "host": "1.2.3.4" }
+Sep 25 22:07:38 web9 timsieved[21040]: badlogin: web4[1.2.3.4] OTP authentication failure