I have added Dovecot support and was hoping for some help testing it
out. The decoder and rules should support most, if not all, versions of
Dovecot in both the Dovecot native log and syslog format. But maybe
there are versions that output logs with slight differences that the
decoder or rules don't catch. Here's how to implement:
1. Open the dovecot_decoder_0.1.xml file and append it to your
local_decoders.xml file. Something like this ought to work (untested; pay
attention to the OSSEC path):
cat dovecot_decoder_0.1.xml >> /var/ossec/etc/local_decoder.xml
This may create a local_decoder if you don't already have one, so watch
the permissions. They should look like this:
-r--r----- 1 root ossec 5104 Jun 29 12:50 etc/local_decoder.xml
2. Next, copy the dovecot_rules_beta_0.1.xml file to the rules directory:
cp dovecot_rules_beta_0.1.xml /var/ossec/rules
Again, make sure the permissions look good. They should look like this
(watch for wrapping):
-r-xr-x--- 1 root ossec 2026 Jun 29 12:36 rules/dovecot_rules_beta_0.1.xml
3. Add the dovecot_rules_beta_0.1.xml line to your ossec.conf file under
the rules section. It should look like this:
<include>dovecot_rules_beta_0.1.xml</include>
4. Finally, restart OSSEC:
/var/ossec/bin/ossec-control restart
Note that I use a rule ID range starting at 100,500. This shouldn't
conflict with most people's local rules, but if you already have rules
in that range you'll need to adjust accordingly.
The rules and decoder are released under the terms of the GNU GPL v3.
That's about it. Feedback is appreciated.
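The four steps above as one script, added here as an example and not part of the original post or the OSSEC project. It assumes the tree layout the post uses (/var/ossec by default), takes the decoder and rules files as arguments, refuses to install if local_rules.xml already uses ids in the reserved range (the post gives 100,500 as the start; the upper bound 100599 is an assumption), and can be re-run without appending the decoder or the include line twice. chown root:ossec and the restart need root and are left to the caller.

```sh
#!/bin/sh
# Added example (not the post's code): install the Dovecot decoder and rules
# into an OSSEC tree idempotently. chown/restart are left to the caller.

# rule_id_conflicts <ossec_dir> <lo> <hi>: print rule ids from local_rules.xml
# that fall inside [lo, hi]; returns 1 if any exist, 0 otherwise.
# Assumes id is the first attribute, as OSSEC rule files usually write it.
rule_id_conflicts() {
  local_rules="$1/rules/local_rules.xml"
  [ -f "$local_rules" ] || return 0
  clashes=$(sed -n 's/.*<rule id="\([0-9]*\)".*/\1/p' "$local_rules" |
            awk -v lo="$2" -v hi="$3" '$1 >= lo && $1 <= hi')
  if [ -z "$clashes" ]; then return 0; fi
  echo "rule ids already used in $local_rules: $clashes" >&2
  return 1
}

# install_dovecot_ossec <ossec_dir> <decoder.xml> <rules.xml>
install_dovecot_ossec() {
  ossec_dir="${1:-/var/ossec}"; decoder="$2"; rules="$3"
  ldec="$ossec_dir/etc/local_decoder.xml"
  conf="$ossec_dir/etc/ossec.conf"
  rules_name=$(basename "$rules")
  dst="$ossec_dir/rules/$rules_name"

  # The post reserves ids from 100500; 100599 as the upper bound is assumed.
  rule_id_conflicts "$ossec_dir" 100500 100599 || return 1

  # Step 1: append the decoder unless its first decoder name is already there.
  marker=$(grep '<decoder name=' "$decoder" | head -n 1)
  if ! grep -qF -- "$marker" "$ldec" 2>/dev/null; then
    if [ -f "$ldec" ]; then chmod u+w "$ldec"; fi
    cat "$decoder" >> "$ldec"
  fi
  chmod 0440 "$ldec"                            # -r--r----- as in the post

  # Step 2: install the rules file with the mode the shipped rules use.
  rm -f "$dst" && cp "$rules" "$dst" && chmod 0550 "$dst"   # -r-xr-x---

  # Step 3: add the <include> once, just before </rules> in ossec.conf.
  if ! grep -qF -- "<include>$rules_name</include>" "$conf"; then
    awk -v inc="    <include>$rules_name</include>" \
        '/<\/rules>/ { print inc } { print }' "$conf" > "$conf.tmp" &&
      mv "$conf.tmp" "$conf"
  fi
  # Step 4 is left to the caller: $ossec_dir/bin/ossec-control restart
  echo "installed; now run: $ossec_dir/bin/ossec-control restart"
}
```

Point it at a copy of the tree first and run /var/ossec/bin/ossec-logtest with a Dovecot log line to confirm the decoder and a 1005xx rule fire before touching the live install.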
> That's about it. Feedback is appreciated.
Installed, I will let you know.
Thanks
--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/