ENH: sasl - anchor regex at start

11 years ago · f4c7c8f4b3
parent dd10eaa5c0
commit f4c7c8f4b3
2 changed files with 8 additions and 13 deletions
--- a/1
+++ b/1
@ -80,6 +80,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
     linux-pam before version 0.99.2.0 (2005)
   * filter.d/gssftpd - anchored regex at start
   * filter.d/mysqld-auth.conf - mysql can use syslog
+   * filter.d/sasl - anchor at start and base on syslog
   * fail2ban-regex - now generates http://www.debuggex.com urls for debugging
 	 	 regular expressions with the -D parameter.
   * filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian
--- a/config/filter.d/sasl.conf
+++ b/config/filter.d/sasl.conf
@ -4,19 +4,13 @@
 #
 #

+[INCLUDES]
+
+before = common.conf
+
 [Definition]

-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values: TEXT
-#
-failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
+_daemon = postfix/smtpd
+
+failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-ignoreregex =