# Fail2ban filter for SOGo authentcation
#
# Log file usually in /var/log/sogo/sogo.log

[Definition]

failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>(?:,[^']*)?' for user '[^']*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$

ignoreregex = "^<ADDR>"

datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
              {^LN-BEG}(?:%%a )?%%b %%d %%H:%%M:%%S(?:\.%%f)?(?: %%ExY)?
              ^[^\[]*\[({DATE})
              {^LN-BEG}

# 
# DEV Notes:
#
# The error log may contain multiple hosts, whereas the first one 
# is the client and all others are poxys. We match the first one, only
#
# Author: Arnd Brandes