[syslog-ng] request for smtp/imap/pop3 server log samples

Peter Czanik czanik at balabit.hu
Thu Oct 14 16:03:59 CEST 2010


Hello,

As you can see from my last few e-mails, I started to work on patterns
for mail related (smtp/imap/pop3) servers. For now I'm only
concentrating on login/login failure/logout events. There are many
related servers, so it is a lot of work to install/configure/collect
logs from them, even from the most important ones. So I'd like to ask
for some help here, with an offer, which is beneficial also for you.

Here is my offer:
- you send me log samples for the following situations from your mail
related servers: successful login, logout, invalid password, invalid
username
- I create patterns, discuss here when I run into troubles
- I push the results into the git tree, so patterns will be available
for you and the syslog-ng community
- you have patterns you can use immediately with your software (vs.
patterns for software I find interesting :-) )
- you see how your log samples turn into patterns

If you send the log samples to the list, please make sure that
confidential information is replaced. If you send them directly to me, I
can also do it for you, but obviously it's better when sensitive
information never leaves your network.
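Added example, not part of the original mail: a small Python script that pseudonymizes the syslog host name, user names, e-mail addresses and IPv4 addresses in sample lines before they are sent, keeping each value's shape (an address stays an address) so patterns can still be written from the result. The sample lines are constructed and follow no particular product's format; the header and user= field layouts are assumptions.

```python
import re

# Constructed sample lines, not real server output.
SAMPLE_LINES = [
    "Oct 14 16:03:59 mx1 imapd: login ok user=<alice@example.org> rip=203.0.113.7",
    "Oct 14 16:04:02 mx1 imapd: auth failed user=<bob> rip=203.0.113.7",
    "Oct 14 16:04:10 mx2 smtpd: client 198.51.100.9 from=<carol@example.org> rejected",
]

# Assumed layouts: classic syslog header, user=<...> or user=... fields.
HEADER = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ")
USER_KV = re.compile(r"(user=<?)([^>,\s]+)(>?)")
EMAIL = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class Redactor:
    """Replaces each distinct sensitive value with a stable placeholder.

    The same original value always maps to the same placeholder, so a
    pattern writer can still see that two lines concern the same user
    or client. The mapping stays on the sender's side."""

    def __init__(self):
        self.maps = {"host": {}, "user": {}, "email": {}, "ip": {}}

    def _alias(self, kind, value):
        table = self.maps[kind]
        if value not in table:
            table[value] = len(table) + 1
        return table[value]

    def redact(self, line):
        line = HEADER.sub(lambda m: "%s host%d " % (m.group(1), self._alias("host", m.group(2))), line)
        # user= values first, so a user that is an e-mail address is not
        # rewritten twice by the e-mail rule below
        line = USER_KV.sub(lambda m: "%suser%d%s" % (m.group(1), self._alias("user", m.group(2)), m.group(3)), line)
        line = EMAIL.sub(lambda m: "email%d@example.com" % self._alias("email", m.group(0)), line)
        # 192.0.2.0/24 is reserved for documentation, so it cannot leak a real host
        line = IPV4.sub(lambda m: "192.0.2.%d" % self._alias("ip", m.group(0)), line)
        return line


def redact_lines(lines):
    """Redact a batch of lines with one shared placeholder mapping."""
    r = Redactor()
    return [r.redact(line) for line in lines]


if __name__ == "__main__":
    for out in redact_lines(SAMPLE_LINES):
        print(out)
```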

Please use the method I showed at
http://czanik.blogs.balabit.com/2010/10/pattern-writing-tips-and-tricks/
to collect your logs. If you don't want to read those few paragraphs,
here is the most important part, a short syslog-ng.conf snippet:

filter f_myprogi { program('pure-ftpd'); };
destination d_myprogi { file('/var/log/myprogi'); };
log { source(src); filter(f_myprogi); destination(d_myprogi); };

Otherwise messages are scattered among many log files, and it is difficult
to see which messages cover which event.

Thanks for your help! Bye,

-- 
Peter Czanik (CzP) <czanik at balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
