/decoders/50_vpopmail_decoder.xml

 1
 2
 3
 4<!-- Vpopmail decoder. (by Ceg Ryan <cegryan ( at ) gmail.com>)
 5  - Examples:
 6  - vpopmail[32485]: vchkpw-pop3: password fail abc@xxx.com:x.x.x.x
 7  - vpopmail[32485]: vchkpw-2110 password fail abc@xxx.com:x.x.x.x
 8  -                  vchkpw-pop3: password fail (pass: 'test') user@my_domain:1.2.3.4
 9  - vpopmail[2100]: vchkpw-pop3: vpopmail user not found abc@xxx.com:x.x.x.x
10  - vpopmail[4162]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3
11  -->
12<decoder name="vpopmail">
13  <program_name>^vpopmail</program_name>
14</decoder>
15
16<decoder name="vpopmail-fail">
17  <parent>vpopmail</parent>
18  <prematch>^vchkpw-\S+: password fail</prematch>
19  <regex offset="after_prematch"> (\S+)@\S+:(\d+.\d+.\d+.\d+)$</regex>
20  <order>user, srcip</order>
21</decoder>
22
23<decoder name="vpopmail-notfound">
24  <parent>vpopmail</parent>
25  <prematch>^vchkpw-\S+: vpopmail user not </prematch>
26  <regex offset="after_prematch">^found (\S+):(\d+.\d+.\d+.\d+)$</regex>
27  <order>user, srcip</order>
28</decoder>
29
30<decoder name="vpopmail-empty">
31  <parent>vpopmail</parent>
32  <prematch>^vchkpw-\S+: null password </prematch>
33  <regex offset="after_prematch">^given (\S+):(\d+.\d+.\d+.\d+)$</regex>
34  <order>user, srcip</order>
35</decoder>
36
37<decoder name="vpopmail-success">
38  <parent>vpopmail</parent>
39  <prematch>^vchkpw-\S+: \(\S+\) login </prematch>
40  <regex offset="after_prematch">^success (\S+):(\d+.\d+.\d+.\d+)$</regex>
41  <order>user, srcip</order>
42</decoder>