> On 22/07/2024 19:14 EEST Yassine Chaouche via dovecot <dovecot@dovecot.org> wrote:
>
> Dear list,
>
> Look at this grep auth-worker | nl output from my dovecot log:
>
> 166 Jul 22 15:49:47 auth-worker(24409): Info: sql(hakim.boukha...@domain.tld): unknown user
> 167 Jul 22 15:49:47 auth-worker(13026): Info: sql(p...@domain.tld): unknown user
> 168 Jul 22 15:53:00 auth-worker(13026): Info: sql(feriel.ab...@domain.tld,10.10.10.19): Password mismatch
> 169 Jul 22 15:53:15 auth-worker(13026): Info: sql(feriel.ab...@domain.tld,10.10.10.19): Password mismatch
> 170 Jul 22 15:55:26 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
> 171 Jul 22 15:59:30 auth-worker(13026): Info: sql(radioaintemouchent.domain.tld,10.10.10.19): unknown user
> 172 Jul 22 15:59:43 auth-worker(13026): Info: sql(mouadouss...@radioalgerie.dz): unknown user
> 173 Jul 22 16:00:38 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
> 174 Jul 22 16:00:58 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
> 175 Jul 22 16:02:01 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
> 176 Jul 22 16:09:35 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
> 177 Jul 22 16:09:42 auth-worker(13026): Info: sql(p...@domain.tld): unknown user
> 178 Jul 22 16:10:11 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
> 179 Jul 22 16:15:37 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
> 180 Jul 22 16:26:55 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
> 181 Jul 22 16:32:01 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
> 182 Jul 22 16:35:37 auth-worker(19555): Info: sql(it_...@domain.tld): unknown user
>
> As you can see,
> sometimes the IP addresses of the dubious login attempts are noted,
> other times this crucial piece of evidence is conspicuously absent.
>
> I am wondering what is the source of all those login attempts?
> Or could those be mere username lookups instead to test for mail
> deliverability?
>
> Many thanks,
>
> --
> yassine -- sysadm

You would probably want to use the new event based system for these logs:

event_exporter log {
  format = json
  format_args = time-rfc3339
  transport = log
}

metric auth_failed {
  filter = event=auth_request_finished and not success=yes
  exporter = log
}

Aki
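
Added example, not part of the original thread: a Python script that parses auth-worker lines in the format quoted above and groups the failures by user and by source IP, counting the entries that carry no IP at all. The sample lines, addresses and function names are constructed for illustration; an optional third field after the IP (a session id) is tolerated if present.

```python
import re
from collections import Counter, defaultdict

# Shape of the lines quoted above: auth-worker(PID): Info: sql(USER[,IP[,...]]): REASON
LINE_RE = re.compile(
    r"auth-worker\(\d+\): Info: \w+\("
    r"(?P<user>[^,)]*)(?:,(?P<ip>[^,)]+))?[^)]*\): (?P<reason>.+?)\s*$"
)

# Constructed sample lines (not from the original post), same format.
SAMPLE_LOG = """\
Jul 22 15:53:00 auth-worker(13026): Info: sql(bob@example.test,192.0.2.19): Password mismatch
Jul 22 15:53:15 auth-worker(13026): Info: sql(bob@example.test,192.0.2.19): Password mismatch
Jul 22 15:55:26 auth-worker(13026): Info: sql(it_helpdesk@example.test): unknown user
Jul 22 15:59:30 auth-worker(13026): Info: sql(radio.example.test,192.0.2.19): unknown user
Jul 22 16:00:38 auth-worker(13026): Info: sql(it_helpdesk@example.test): unknown user
Jul 22 16:01:02 auth-worker(13026): Info: sql(carol@example.test,198.51.100.7,<sess1>): Password mismatch
Jul 22 16:02:00 dovecot: imap-login: Login: user=<dave@example.test>
"""


def summarize(lines):
    """Group failures by user: reasons, source IPs, and entries with no IP."""
    stats = defaultdict(lambda: {"reasons": Counter(), "ips": Counter(), "no_ip": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an auth-worker failure line
        entry = stats[m["user"]]
        entry["reasons"][m["reason"]] += 1
        if m["ip"]:
            entry["ips"][m["ip"]] += 1
        else:
            entry["no_ip"] += 1
    return dict(stats)


def failures_by_ip(stats):
    """Total failures per source IP across all users, most active first."""
    total = Counter()
    for entry in stats.values():
        total.update(entry["ips"])
    return total.most_common()


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for user, e in sorted(stats.items()):
        print(user, dict(e["reasons"]), dict(e["ips"]), "no_ip:", e["no_ip"])
    print("by ip:", failures_by_ip(stats))
```

Feeding it the real log (for example `summarize(open(path))`) shows at a glance which usernames only ever appear without an IP and which addresses account for the most failures.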