Hello,

As you can see from my last few e-mails, I started to work on patterns for mail related (smtp/imap/pop3) servers. For now I'm only concentrating on login/login failure/logout events. There are many related servers, so it is a lot of work to install/configure/collect logs from them, even from the most important ones. So I'd like to ask for some help here, with an offer, which is beneficial also for you.

Here is my offer:

- you send me log samples for the following situations from your mail related servers: successful login, logout, invalid password, invalid username
- I create patterns, discuss here when I run into troubles
- I push the results into the git tree, so patterns will be available for you and the syslog-ng community
- you have patterns you can use immediately with your software (vs. patterns for software I find interesting :-) )
- you see how your log samples turn into patterns

If you send the log samples to the list, please make sure that confidential information is replaced. If you send them directly to me, I can also do it for you, but obviously it's better when sensitive information never leaves your network.

Please use the method I showed at http://czanik.blogs.balabit.com/2010/10/pattern-writing-tips-and-tricks/ to collect your logs. If you don't want to read those few paragraphs, here is the most important part, a short syslog-ng.conf snippet:

    # match only the messages of one program
    filter f_myprogi { program('pure-ftpd'); };
    # write them to a separate file
    destination d_myprogi { file('/var/log/myprogi'); };
    # "src" is the source already defined in your syslog-ng.conf
    log { source(src); filter(f_myprogi); destination(d_myprogi); };

Otherwise messages are scattered among many log files, and it is difficult to see which messages cover which event.

Thanks for your help!

Bye,
-- 
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
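
Added example, not part of the original e-mail: one way to replace confidential values in collected log samples before they leave the network, giving the same value the same placeholder so that login, failure and logout lines of one user stay linked. The sample lines, the key names in TOKEN and the placeholder formats are assumptions.

```python
import re

# Constructed sample lines in a Dovecot-like layout (not taken from the e-mail).
SAMPLE = """\
Oct 12 10:01:02 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.1.2.3, lip=10.0.0.5
Oct 12 10:01:09 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob@corp.example>, method=PLAIN, rip=10.9.8.7, lip=10.0.0.5
Oct 12 10:02:30 mx1 dovecot: imap(alice): Disconnected: Logged out
"""

# Assumed shapes of sensitive values; extend the key list for other servers.
TOKEN = re.compile(
    r"(?P<mail>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
    r"|\b(?:user|username|login)=<?(?P<user>[\w.+-]+)(?![\w.+-]*@)"
    r"|\b(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\b",
    re.IGNORECASE,
)
# Placeholders: example.com and 192.0.2.0/24 are reserved for documentation.
FORMATS = {"mail": "addr{}@example.com", "user": "user{}", "ip": "192.0.2.{}"}


def sanitize(lines):
    """Return the lines with sensitive values replaced by stable placeholders."""
    lines = list(lines)
    aliases, counts = {}, dict.fromkeys(FORMATS, 0)
    # Pass 1: learn every sensitive value and give it a numbered placeholder,
    # so the same user or client stays recognisable across events.
    for line in lines:
        for m in TOKEN.finditer(line):
            kind = m.lastgroup
            value = m.group(kind)
            if value not in aliases:
                counts[kind] += 1
                aliases[value] = FORMATS[kind].format(counts[kind])
    if not aliases:
        return lines
    # Pass 2: replace each learned value wherever it appears as a whole token,
    # which also catches forms such as "imap(alice)" that carry no key.
    alternatives = "|".join(re.escape(v) for v in sorted(aliases, key=len, reverse=True))
    known = re.compile(r"(?<![\w.@-])(?:" + alternatives + r")(?![\w@-])")
    return [known.sub(lambda m: aliases[m.group(0)], line) for line in lines]


if __name__ == "__main__":
    print("\n".join(sanitize(SAMPLE.splitlines())))
```

Host names and any value the assumed patterns do not cover still need a manual check before a sample is sent.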