Lehels, your regex rule is no good, the "echo" will be triggered any time and is not a good indicator that your rule "is working", as it is not.
As I said before, you need to escape all the "(" and ")" and only leave one pair unescaped, which the regex rule will call $1.
Code:
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?(\S+) authenticator failed for \S+ (.*)?\[(\S+)\](:\S*:?)? 535 Incorrect authentication data (\(set_id=(\S+)\))?/)) {
`echo "IS MATCHED" > /tmp/test`;
return ("Failed SMTP authentication",$1,"dovecotplain","5","25","1");
}
Which one contains the IP that you want to block?
I recommend you delete the "echo" line, as it is not a way to tell whether the rule is working or not.
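An added example (not code from the thread) that runs the posted regex against a constructed Exim "authenticator failed" line and prints every numbered capture group, so it is clear which one holds the bracketed IP; it then shows the same pattern with all other groups made non-capturing so the address lands in $1, which is what the rule's return statement uses. The sample log line and the script itself are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example: which capture group of the posted regex holds the client IP?
use strict;
use warnings;

# Constructed sample line in Exim "authenticator failed" format (not a real log).
my $line = '2019-05-01 10:00:00 [12345] dovecot_plain authenticator failed for '
         . '(mail.example.com) [203.0.113.5]: 535 Incorrect authentication data '
         . '(set_id=user@example.com)';

# The regex exactly as posted in the thread, with all its capture groups.
my $posted = qr/^\S+\s+\S+\s+(\[\d+\] )?(\S+) authenticator failed for \S+ (.*)?\[(\S+)\](:\S*:?)? 535 Incorrect authentication data (\(set_id=(\S+)\))?/;

if (my @g = $line =~ $posted) {
    # Print $1 .. $7 so it is obvious that the IP is not in $1.
    for my $i (0 .. $#g) {
        printf "\$%d = %s\n", $i + 1, (defined $g[$i] ? "'$g[$i]'" : 'undef');
    }
}

# Same match with every group except the IP made non-capturing, so the
# address is the only thing captured and is returned as $1.
my $fixed = qr/^\S+\s+\S+\s+(?:\[\d+\] )?\S+ authenticator failed for \S+ .*?\[(\S+)\](?::\S*:?)? 535 Incorrect authentication data(?: \(set_id=\S+\))?/;

if ($line =~ $fixed) {
    print "IP to block: $1\n";
}
```

With the posted pattern the address sits in $4 (the optional "[pid] " field is $1), which is why returning $1 does not block the right thing.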