Recently I created a brute-force alarming mechanism to detect login attempts against Dovecot. Since I use xymon for my everyday work, my solution is based on it.
First of all, I needed to catch the trigger words in the log. In /etc/rsyslog.d/50-default.conf I added this:
    ...
    # dovecot
    :programname, isequal, "dovecot" /var/log/dovecot.log
    #lmtp
    :msg, contains, "lmtp" /var/log/dovecot-lmtp.log
    #pop3
    :msg, contains, "pop3" /var/log/dovecot-pop3.log
    #imap
    :msg, contains, "imap" /var/log/dovecot-imap.log
    #logout
    :msg, contains, "Logged out" /var/log/dovecot-logout.log
    #auth-worker
    :msg, contains, "auth-worker" /var/log/auth-worker.log
    ...
After that I restarted rsyslog.
Make sure that the xymon/hobbit client user has permission to read /var/log/auth-worker.log. You may, for example, add the xymon user to the system group adm like this in /etc/group:
    ...
    adm:x:4:hobbit
    ...
Check your Dovecot version; older versions may not log everything I describe here.
Next, tell xymonserver in /etc/xymon/analysis.cfg to check Dovecot's log:
    HOST=log.mail-log.server
    ...
    LOG /var/log/dovecot-aborted.log %failed COLOR=YELLOW
    ...
And in /etc/xymon/client-local.cfg configure the client as follows:
    ...
    [log.mail-log.server]
    ...
    log:/var/log/auth-worker.log:20480
    ignore mysql
    ...
Use the ignore line for lines which might create false positives.
At a minimum, log.mail-log.server must be listed in your /etc/xymon/hosts.cfg.
Then restart the xymonserver and the xymon client on log.mail-log.server.
A typical alarm line, as shown in the xymon GUI under the host's msgs tab on xymonserver or in the alarm mail, may look like this:
&yellow Jan 28 17:31:45 mail02 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<backup>, method=PLAIN, rip=22.214.171.124, lip=126.96.36.199
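As an added example (not part of the original post), here is a small Python parser for the aborted-login format quoted above that counts "auth failed" events per remote IP (rip) and skips lines matching an ignore pattern, in the spirit of the ignore entry in client-local.cfg. The sample log lines, the threshold and the ignore pattern are constructed assumptions for illustration, not real traffic or xymon's own logic.

```python
import re
from collections import Counter

# Regex for the Dovecot "Aborted login" format quoted in this post; the
# "N attempts" part (and a trailing "in N secs" in newer versions) is optional.
ABORTED_RE = re.compile(
    r"dovecot: (?P<service>[\w-]+)-login: Aborted login "
    r"\((?P<reason>[^,)]+)(?:, (?P<attempts>\d+) attempts[^)]*)?\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\S+), "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>\S+)"
)

def parse_aborted_login(line):
    """Return the fields of one aborted-login line as a dict, or None."""
    m = ABORTED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["attempts"] = int(rec["attempts"]) if rec["attempts"] else 0
    return rec

def failed_logins_by_ip(lines, ignore=("mysql",)):
    """Count 'auth failed' aborted logins per rip; skip lines matching an ignore substring."""
    counts = Counter()
    for line in lines:
        if any(pat in line for pat in ignore):
            continue
        rec = parse_aborted_login(line)
        if rec and rec["reason"] == "auth failed":
            counts[rec["rip"]] += 1
    return counts

def brute_force_sources(lines, threshold=3, ignore=("mysql",)):
    """Remote IPs with at least 'threshold' failures, most frequent first."""
    counts = failed_logins_by_ip(lines, ignore)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

# Constructed sample lines in the post's format (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = [
    "Jan 28 17:31:45 mail02 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<backup>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2",
    "Jan 28 17:31:47 mail02 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2",
    "Jan 28 17:31:49 mail02 dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<test>, method=LOGIN, rip=203.0.113.7, lip=198.51.100.2",
    "Jan 28 17:31:52 mail02 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.44, lip=198.51.100.2",
    "Jan 28 17:31:55 mail02 dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.2",
    "Jan 28 17:32:10 mail02 dovecot: auth-worker(2101): mysql(127.0.0.1): Connected to database dovecot",
]
```

Running brute_force_sources(SAMPLE_LOG) flags only 203.0.113.7 (three failures across three different user names), while the idle disconnect and the mysql connection message are not counted.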