I'm trying to set up a custom regex for Nextcloud login failure detection. It is not working (triggering when I try to log in >5 times with incorrect credentials):
I have set up /var/www/nextcloud/data/nextcloud.log as CUSTOM1_LOG. lfd says it is watching the file, and entries look like this:
Code:
{"reqId":"jh3hXB9cFRzocSjYGbPL","level":2,"time":"2018-01-26T09:09:31+00:00","remoteAddr":"1.2.3.4","user":"--","app":"core","method":"HEAD","url":"\/remote.php\/webdav","message":"Login failed: 'hdhs' (Remote IP: '1.2.3.4')","userAgent":"Mozilla\/5.0 (iOS) Nextcloud-iOS\/2.19.1","version":"12.0.4.3"}
Code:
# Nextcloud Login_Failed - 5 attempts in the last hour
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\{"reqId":".*","level":.*,"time":".*","remoteAddr":".*","user":"--","app":"core","method":".*","url":".*","message":"Login failed: (\S+) \(Remote IP: '(\S+)'\)","userAgent":".*","version":".*"\}$/)) {
    return ("Incorrect password for $1 ",$2,"Nextcloud_Login_failed","5","","3600");
}
Help?
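
A standalone Perl harness for checking the rule outside lfd, added here as an example (it is not part of the original post or of csf). It wraps the posted rule body in a hypothetical sub `nextcloud_rule`, runs it over the log entry quoted above plus two constructed lines, and prints what the rule would return for each.

```perl
#!/usr/bin/perl
# Offline check of the custom rule from the post: does the regex match a
# given log line, and which values would the rule return?
use strict;
use warnings;

# Rule body as posted, wrapped in a hypothetical sub (the name is an
# assumption) so it can be called directly instead of from lfd.
sub nextcloud_rule {
    my ($line) = @_;
    if ($line =~ /^\{"reqId":".*","level":.*,"time":".*","remoteAddr":".*","user":"--","app":"core","method":".*","url":".*","message":"Login failed: (\S+) \(Remote IP: '(\S+)'\)","userAgent":".*","version":".*"\}$/) {
        return ("Incorrect password for $1 ", $2, "Nextcloud_Login_failed", "5", "", "3600");
    }
    return;    # empty list: the rule did not fire
}

# Line 1 is the entry quoted in the post. Lines 2 and 3 are constructed:
# a failed login whose username contains a space, and an unrelated entry.
my @lines = split /\n/, <<'EOL';
{"reqId":"jh3hXB9cFRzocSjYGbPL","level":2,"time":"2018-01-26T09:09:31+00:00","remoteAddr":"1.2.3.4","user":"--","app":"core","method":"HEAD","url":"\/remote.php\/webdav","message":"Login failed: 'hdhs' (Remote IP: '1.2.3.4')","userAgent":"Mozilla\/5.0 (iOS) Nextcloud-iOS\/2.19.1","version":"12.0.4.3"}
{"reqId":"CONSTRUCTED0000000002","level":2,"time":"2018-01-26T09:10:02+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"\/login","message":"Login failed: 'john doe' (Remote IP: '203.0.113.7')","userAgent":"constructed-agent","version":"12.0.4.3"}
{"reqId":"CONSTRUCTED0000000003","level":1,"time":"2018-01-26T09:11:40+00:00","remoteAddr":"203.0.113.7","user":"admin","app":"core","method":"GET","url":"\/index.php","message":"constructed unrelated entry","userAgent":"constructed-agent","version":"12.0.4.3"}
EOL

my %hits;    # per-IP match count, to compare against the trigger value
for my $i (0 .. $#lines) {
    my @r = nextcloud_rule($lines[$i]);
    if (@r) {
        my ($text, $ip, $id, $trigger, $ports, $block) = @r;
        $hits{$ip}++;
        printf "line %d: MATCH id=%s ip=%s text=[%s] count=%d/%s block=%ss\n",
            $i + 1, $id, $ip, $text, $hits{$ip}, $trigger, $block;
    }
    else {
        printf "line %d: no match\n", $i + 1;
    }
}
```

Swapping real lines from nextcloud.log into the heredoc shows whether the pattern or the lfd side is the part that is not firing.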