[DOC] - Tutorial: Monitoring SASL attacks with Metabase + MailLogSentinel on Debian 12/13 #23

@monozoide

🎯 Type of documentation

Examples/Tutorials

🐛 Identified user problem

New users want an end‑to‑end, copy‑pasteable tutorial to turn Postfix SASL failure logs into an actionable dashboard.

The current docs explain CSV output and email reports, but there is no guided walkthrough to:

  1. install/verify MailLogSentinel (MLS) on Debian 12/13,
  2. wire the produced data into Metabase,
  3. build a first dashboard with key metrics.

📍 Target audience

  • Beginner to intermediate sysadmins running Debian 12/13 with Postfix
  • Security/ops folks who want quick visibility into SASL brute‑force attempts
  • Contributors who want to improve onboarding with a concrete, reproducible example

📋 Suggested content outline

  1. Goal & prerequisites

    • Debian 12 or 13 with Postfix + Syslog
    • Basic shell access and sudo
    • Metabase (self‑hosted)
  2. Install MailLogSentinel (MLS)

    • Clone repo
    • Minimal configuration (paths, service/timer if applicable)
    • Start MLS and confirm it tails Postfix logs incrementally
  3. Verify data generation

    • Locate the CSV and the SQL output (document the default path)
    • Check a few rows (date, IP, username, …)
    • Ensure daily email report runs (optional)
  4. Install Metabase

  5. Connect data to Metabase (present at least one simple path; list alternatives)

    • Option A (Self‑host): Install CSV driver plugin and connect to the CSV file
    • Option B (Self‑host): Install SQLite driver and connect Metabase to that DB
  6. Build the first questions (with Query Builder and/or SQL examples)

    • Failed logins by day (time‑series)
    • Top source IPs & number of attempts
    • Top targeted SASL users
    • (If data available) Country / ASN breakdown
  7. Assemble the dashboard

    • Add cards created above; set date filter; layout tips
    • Optional: thresholds/goal lines
  8. Refresh & data updates

    • How MLS appends to CSV incrementally and handles rotation
    • How/when Metabase refreshes metadata/caches
  9. Troubleshooting

    • No data in CSV/SQL (permissions, path)
    • Timezone mismatch
    • CSV/SQL schema not recognized: casting dates/IPs, header row
  10. Deliverables & PR checklist

    • Markdown tutorial file under docs/tutorials/
    • 3–5 screenshots (Metabase model, question, dashboard)
    • Optional: sample dashboard export (.json)
    • Links to README, Wiki, and Metabase docs

📂 Expected deliverables

  • Text written in Markdown
  • Screenshots/examples if applicable
  • Links to external resources
  • Review by a test user

📋 Files to modify

  • Create: docs/tutorials/metabase-sasl-monitoring.md

  • Add assets: docs/assets/metabase/ (screenshots)

  • (Optional) Add Wiki page: Use-cases / Metabase dashboard for SASL attacks

  • Reference the tutorial from README.md and the Wiki index

✅ How to validate the result

  • Follow the tutorial end‑to‑end on two fresh VMs (Debian 12 and 13)

  • Confirm MLS produces the CSV/SQL output and that at least 3 questions render correctly in Metabase

  • A dashboard shows: time‑series of attempts, top IPs, top targeted users (with working date filter)

  • Another contributor (not the author) can reproduce it in ≤ 60 minutes
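As an added example (not part of this issue, and not MailLogSentinel's or Metabase's own code): the three first questions from item 6 written as plain SQL, run here against an in-memory SQLite table that stands in for the SQL output described under option B. The table name `sasl_failures` and the columns `ts`, `ip`, `username` are assumptions for the example; the real names must be read off the file MLS generates. The rows are constructed and use RFC 5737 documentation addresses. The `date(ts)` cast is the fix for the "casting dates" problem in item 9 when timestamps are stored as text.

```python
import sqlite3

# Constructed sample data: one row per failed SASL login, shaped as
# (timestamp, client IP, targeted SASL username). The schema below is an
# assumption for this example, not MailLogSentinel's real SQL schema.
SAMPLE_ROWS = [
    ("2025-03-01 08:12:03", "203.0.113.7", "admin"),
    ("2025-03-01 08:12:09", "203.0.113.7", "admin"),
    ("2025-03-01 09:30:44", "198.51.100.23", "info"),
    ("2025-03-02 01:05:17", "203.0.113.7", "postmaster"),
    ("2025-03-02 01:05:18", "203.0.113.7", "admin"),
    ("2025-03-02 02:40:00", "192.0.2.55", "info"),
    ("2025-03-03 23:59:59", "198.51.100.23", "admin"),
]

# Timestamps are stored as ISO text, as a CSV import usually leaves them;
# date(ts) turns them into a day bucket that Metabase can plot as a time series.
FAILED_BY_DAY_SQL = """
SELECT date(ts) AS day, COUNT(*) AS attempts
FROM sasl_failures
GROUP BY day
ORDER BY day
"""

# Ties are broken on the grouped column so the ranking is stable between runs.
TOP_IPS_SQL = """
SELECT ip, COUNT(*) AS attempts
FROM sasl_failures
GROUP BY ip
ORDER BY attempts DESC, ip
LIMIT ?
"""

TOP_USERS_SQL = """
SELECT username, COUNT(*) AS attempts
FROM sasl_failures
GROUP BY username
ORDER BY attempts DESC, username
LIMIT ?
"""


def build_sample_db():
    """Create an in-memory SQLite DB with the assumed sasl_failures table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sasl_failures ("
        "ts TEXT NOT NULL, ip TEXT NOT NULL, username TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO sasl_failures VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def failed_logins_by_day(conn):
    """Question 1: failed logins per day, oldest first -> [(day, attempts)]."""
    return conn.execute(FAILED_BY_DAY_SQL).fetchall()


def top_source_ips(conn, limit=10):
    """Question 2: source IPs ranked by number of attempts -> [(ip, attempts)]."""
    return conn.execute(TOP_IPS_SQL, (limit,)).fetchall()


def top_targeted_users(conn, limit=10):
    """Question 3: SASL usernames ranked by attempts -> [(username, attempts)]."""
    return conn.execute(TOP_USERS_SQL, (limit,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("failed logins by day:", failed_logins_by_day(db))
    print("top source IPs:", top_source_ips(db, 3))
    print("top targeted users:", top_targeted_users(db, 3))
```

To use these in Metabase, paste each SELECT into a native SQL question against the SQLite connection and replace the `?` placeholder with a literal (or a Metabase `{{limit}}` variable); the date filter for the dashboard can be wired to the `day` column of the first question. Counts that stay flat while Postfix keeps logging failures usually point at item 9's causes (a path or permission problem on the CSV/SQL file, or Metabase not having re-synced the table).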
