Custom regex for filtering Prosody failed logins

[Ilia]

I can't believe that I am writing about this matter again! I don't know if it a bug or it's me (most likely) but this time it doesn't seem that obvious!

I have to detect failed logins to my XMPP server (Prosody). The log line (with spaces as it is):

Code: Select all

Feb 19 15:02:04 domain.ru:log_auth	warn	Failed authentication attempt (not-authorized) from IP: 1.2.3.4

The regex is:

Code: Select all

/^(\S+\s+\d+\s+\S+)\s+\S+\s+\S+\s+(Failed authentication attempt)\s+\S+\s+\S+\ IP: (\S*)/

Fully working: RegEx101 example: http://regex101.com/r/cJ3hK3

csf.conf custom log as this:

Code: Select all

CUSTOM2_LOG = "/var/log/prosody/prosody.log"

regex.custom.pm file as this:

Code: Select all

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+\s+\d+\s+\S+)\s+\S+\s+\S+\s+(Failed authentication attempt)\s+\S+\s+\S+\ IP: (\S*)/)) {
	return ("Failed Prosody authentication from",$1,"ProsodyAuth","3","5222","604800");
}

I restart csf and lfd all the time after I make a change, like this csf -r && /etc/init.d/lfd restart

What in the world am I doing wrong this time?

[ForumAdmin]

The IP address in that regex is the 3rd set of brackets, so you will need $3, not $1, in the second line. Alternatively get rid of the brackets in the regex which are not needed and only include the 3rd set which detect the IP address and you can then leave it as $1.

[Ilia]

HMMMR.. I just understood!!!!! Sorry, no really, right in few minutes after I posted this question I took a look at the other questions about regex here on the forums.

It appears that the IP in my matched group is 3 (last one). So it should be $3 not $1!

Thanks to everybody!

[Ilia]

Yes, just did! Thank you! There will be no more questions about custom.regex and I hope our posts will help others to learn!