# Example patterns.  To be used with "journalctl --output=cat" (which
# only prints the log message, with no additional metadata).

### SSH authentication failures

# Silly brute-forcers that do not support our kex:
/^Unable to negotiate with ([.:0-9a-f]+) port \d+: no matching host key type found./ ssh

### Email-related rules

# Postscreen failures - protocol errors are (in high volume) characteristic of spammers
/^NOQUEUE: reject: RCPT from \[([.:0-9a-f]+)\]:\d+: 550 5.5.1 Protocol error;/ spammer

# Spammers trying to send email via disabled accounts
/^NOQUEUE: reject: RCPT from [^[]+\[([.:0-9a-f]+)\]: 553 5.7.1 <[^>]+>: Sender address rejected: not owned by user/ spammer

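# Spammers triggering SPF failures (the "?" in the URL is escaped so that
# it matches literally instead of making the preceding "y" optional)
/^550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http:\/\/www.openspf.net\/Why\?s=mfrom;id=[^;]*;ip=([.:0-9a-f]+);/ spammer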

### Authentication

# General auth-server errors
/^auth-server\[\d+\]: auth: user=.* service=smtp status=error ip=([.:0-9a-f]+) error=/ auth

### WordPress-specific rules

/^.*nginx_access: .+ .+ (?:::ffff:)?([.:0-9a-f]+) .*"POST \/wp-login\.php HTTP/ wordpress
/^.*nginx_access: .+ .+ (?:::ffff:)?([.:0-9a-f]+) .*"POST \/wp-comments-post\.php HTTP/ wordpress