I am trying to implement logging of all failed authentication attempts to catch brute-force attempts automatically. Currently, I have the following configuration:

event_exporter log {
  format = json
  format_args = time-rfc3339
  transport = log
}

metric auth_fail {
  filter = event=auth_request_finished and not success=yes
  exporter = log
}
However, in logs I only see events similar to this:
{
  "event": "auth_request_finished",
  "hostname": "cheems",
  "start_time": "2024-08-04T00:00:04.079723Z",
  "end_time": "2024-08-04T00:00:12.224906Z",
  "categories": [ "service:auth", "auth" ],
  "fields": {
    "duration": 8145091,
    "policy_result": "ok",
    "mechanism": "LOGIN",
    "transport": "trusted",
    "service": "smtp",
    "local_ip": "195.201.247.11",
    "real_local_ip": "195.201.247.11",
    "remote_ip": "185.29.xx.xx",
    "real_remote_ip": "185.29.xx.xx",
    "original_user": "example@example.com",
    "user": "example@example.com",
    "translated_user": "example@example.com"
  }
}
But to me this doesn't look like what is specified in the docs[1]:

Field | Description
error | Set when error happens
success | yes, when authentication succeeded
policy_penalty | Time of penalty added by policy server
policy_result | Values: ok, delayed, refused

Why don't I see either a "success" or an "error" field in the logs? Also, why is policy_result ok, given that I am logging only failed authentication attempts? From Postfix I can see that those attempts actually failed:
Aug 04 00:00:14 cheems postfix/smtpd[2362656]: warning: unknown[185.29.xx.xx]:54330: SASL LOGIN authentication failed: (reason unavailable), sasl_username=example@example.com
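The post is about feeding these JSON events into something that spots brute-force attempts. The following is an added example, not code from the original post or from Dovecot: it parses event_exporter JSON lines in the format shown above, keeps only auth_request_finished events that do not carry success=yes (the same events the poster's filter selects; it says nothing about why the field is absent), and flags any remote_ip that accumulates a threshold of such events inside a sliding time window. The sample log lines are constructed for the example, with RFC 5737 test addresses instead of real clients; the threshold, window, and function names are assumptions, not Dovecot settings.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Dovecot event_exporter output (not real log data).
# 185.29.0.10: six non-success LOGIN events, five of them inside four minutes
#              and one the previous evening.
# 198.51.100.7: a single non-success event.
# 203.0.113.5:  one event with success=yes, which must never be counted.
SAMPLE_LOG = """
{"event": "auth_request_finished", "hostname": "cheems", "start_time": "2024-08-03T19:59:58.000000Z", "end_time": "2024-08-03T20:00:00.000000Z", "categories": ["service:auth", "auth"], "fields": {"policy_result": "ok", "mechanism": "LOGIN", "service": "smtp", "remote_ip": "185.29.0.10", "user": "example@example.com"}}
{"event": "auth_request_finished", "hostname": "cheems", "start_time": "2024-08-04T00:00:04.079723Z", "end_time": "2024-08-04T00:00:12.224906Z", "categories": ["service:auth", "auth"], "fields": {"policy_result": "ok", "mechanism": "LOGIN", "service": "smtp", "remote_ip": "185.29.0.10", "user": "example@example.com"}}
{"event": "auth_request_finished", "hostname": "cheems", "start_time": "2024-08-04T00:00:40.000000Z", "end_time": "2024-08-04T00:00:45.000000Z", "categories": ["service:auth", "auth"], "fields": {"policy_result": "ok", "mechanism": "LOGIN", "service": "smtp", "remote_ip": "185.29.0.10", "user": "example@example.com"}}
{"event": "auth_request_finished", "hostname": "cheems", "start_time": "2024-08-04T00:01:15.000000Z", "end_time": "2024-08-04T00:01:20.000000Z", "categories": ["service:auth", "auth"], "fields": {"policy_result": "ok", "mechanism": "LOGIN", "service": "smtp", "remote_ip": "185.29.0.10", "user": "postmaster@example.com"}}
{"event": "auth_request_finished", "hostname": "cheems", "start_time": "2024-08-04T00:01:58.000000Z", "end_time": "2024-08-04T00:02:03.000000Z", "categories": ["service:auth", "auth"], "fields": {"policy_result": "ok", "mechanism": "LOGIN", "service": "smtp", "remote_ip": "185.29.0.10", "user": "example@example.com"}}
{"event": "auth_request_finished", "hostname": "cheems", "start_time": "2024-08-04T00:03:35.000000Z", "end_time": "2024-08-04T00:03:40.000000Z", "categories": ["service:auth", "auth"], "fields": {"policy_result": "ok", "mechanism": "LOGIN", "service": "smtp", "remote_ip": "185.29.0.10", "user": "example@example.com"}}
{"event": "auth_request_finished", "hostname": "cheems", "start_time": "2024-08-04T00:02:10.000000Z", "end_time": "2024-08-04T00:02:11.000000Z", "categories": ["service:auth", "auth"], "fields": {"policy_result": "ok", "mechanism": "PLAIN", "service": "imap", "remote_ip": "198.51.100.7", "user": "someone@example.com"}}
{"event": "auth_request_finished", "hostname": "cheems", "start_time": "2024-08-04T00:02:30.000000Z", "end_time": "2024-08-04T00:02:31.000000Z", "categories": ["service:auth", "auth"], "fields": {"policy_result": "ok", "success": "yes", "mechanism": "PLAIN", "service": "imap", "remote_ip": "203.0.113.5", "user": "legit@example.com"}}
"""


def parse_failures(log_text):
    """Yield (end_time, remote_ip, user) for every auth_request_finished
    event that does not carry success=yes, i.e. exactly the events the
    filter `event=auth_request_finished and not success=yes` exports.
    Blank lines and lines that are not JSON are skipped rather than
    aborting the scan, since a log file often mixes formats."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw.startswith("{"):
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if ev.get("event") != "auth_request_finished":
            continue
        fields = ev.get("fields", {})
        if fields.get("success") == "yes":
            continue
        # time-rfc3339 timestamps end in "Z"; normalise for fromisoformat().
        ts = datetime.fromisoformat(ev["end_time"].replace("Z", "+00:00"))
        yield ts, fields.get("remote_ip", "?"), fields.get("user", "?")


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {remote_ip: peak} for every address whose non-success events
    reach `threshold` inside some interval of length `window`. `peak` is
    the largest number of events seen in any such interval, so a slow,
    spread-out trickle is not flagged while a burst is."""
    per_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text):
        per_ip[ip].append(ts)

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window over the sorted timestamps.
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG, threshold=3).items():
        print(f"{ip}: {n} non-success auth events within 5 minutes")
```

Because the event shown in the post has no success field at all, the script keys on the absence of success=yes rather than on the presence of an error field; if the events later gain the documented success/error fields, only the one comparison in parse_failures needs to change. Run against the real file with threshold and window tuned to the server's normal traffic, and feed the flagged addresses to whatever blocking mechanism is in use.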