1[auth failed]
2log 1 pass = Dec 19 06:21:06 ny dovecot: imap-login: Disconnected (auth failed, 7 attempts in 111 secs): user=<thousands>, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203, session=<+hgd5vxDBMZtycjJ>
3log 2 pass = Jan 11 03:45:09 hostname dovecot: auth-worker(default): sql(username,1.2.3.4): unknown user
4log 3 pass = Jan 11 03:42:09 hostname dovecot: auth(default): pam(user@example.com,1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
5
6rule = 9705
7alert = 5
8decoder = dovecot
9
10[dovecot is starting]
11log 1 pass = Jun 17 10:15:24 hostname dovecot: Dovecot v1.2.rc3 starting up (core dumps disabled)
12
13rule = 9703
14alert = 3
15decoder = dovecot
16
17[fatal error]
18log 1 pass = Jun 17 10:15:24 hostname dovecot: Fatal: auth(default): Support not compiled in for passdb driver 'ldap'
19log 2 pass = Jun 17 10:15:24 hostname dovecot: Fatal: Auth process died too early - shutting down
20
21rule = 9704
22alert = 2
23decoder = dovecot
24
25[user authentication failure]
26log 1 pass = Jun 23 15:04:05 Info: imap-login: Login: user=<username>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.5 Authentication Failure:
27
28rule = 9770
29alert = 0
30decoder = dovecot-info
31
32[dovecot auth failed]
33log 1 pass = Jan 11 03:42:09 hostname dovecot: auth-worker(default): sql(user@example.com,1.2.3.4): Password mismatch
34
35rule = 9702
36alert = 5
37decoder = dovecot
38
39[XXX nothing]
40log 1 fail = Jan 07 14:46:28 Warn: auth(default): userdb(username,::ffff:127.0.0.1): user not found from userdb
41log 3 fail = May 31 09:43:57 Info: pop3-login: Aborted login (1 authentication attempts): user=<username>, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5, secured
42
43rule = 1002
44alert = 2
45decoder =
46
47[XXX unknown 1002]
48log 1 pass = Mar 13 15:25:07 Info: auth(default): pam(user@example.com,::ffff:1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
49
50rule = 9771
51alert = 5
52decoder = dovecot-info
53
54[session disconnected]
55log 1 pass = Jul  4 17:30:51 hostname dovecot[2992]: pop3-login: Disconnected: rip=1.2.3.4, lip=1.2.3.5
56
57rule = 9706
58alert = 3
59decoder = dovecot
60
61[aborted login]
62log 1 pass = Jan 30 09:37:55 hostname dovecot: pop3-login: Aborted login: user=<username>, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5
63
64rule = 9707
65alert = 5
66decoder = dovecot
67
68[XXX logged out]
69log 1 fail = Jun 23 15:04:06 Info: IMAP(username): Disconnected: Logged out bytes=59/566
70
71rule = 1002
72alert = 2
73decoder = dovecot-info
74
75[unknown user]
76log 1 pass = Mar 13 15:25:07 Info: auth(default): passwd-file(user@example.com,::ffff:1.2.3.4): unknown user
77
78rule = 9771
79alert = 5
80decoder = dovecot-info
81
82