I have tried this in my regex.custom.pm to use with the output from the error log file line(s) below but it doesn't work.
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ auth_basic:error \(\?\@(\d+\.\d+\.\d+\.\d+)\) /)) {
    return ("Failed basicauth login from",$1,"basicauth","7","80,443","1","0");
}
The log file I have added as CUSTOM1_LOG returns the following when basic auth fails via https.
[Thu Nov 02 22:28:28.360334 2023] [auth_basic:error] [pid 3077955:tid 139941203703360] [remote 118.173.xxx.xxx:0] AH01618: user test not found: /members/
Thanks in advance.
I need help with a custom log
Re: I need help with a custom log
Your regex is not well constructed to work with the LOG line that you are posting.
You have to escape "[" and "]".
You missed "i" at "/))", it should be "/i))".
There is no "@" in the log line.
The IP is better to have in just one "\d+"
There are not any parentheses in the LOG line and you are declaring them at "\(", the same for the "\@".
If what you are looking to achieve is to get the IP that is causing the "auth_basic:error", you can use the following REGEX:
/\[\S+\s\S+\s\d+\s\S+\s\d+\]\s\[auth_basic:error\]\s\[pid\s\d+\:tid\s\d+\]\s\[remote\s(\S+):\d\]/i
I have checked it at regex101 and it finds the IP: 118.173.125.126 and saves it in $1
Sergio
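An added example, not part of either post and not csf's own code: a stand-alone Perl script that runs the question's pattern and a variant of the reply's pattern over constructed Apache error-log lines. The `%globlogs` stub, the log path, the `^` anchor and the `\d+` port are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for the table lfd fills from CUSTOM1_LOG (assumption: placeholder path).
my $LOG = "/path/to/apache/error_log";
our %globlogs = (CUSTOM1_LOG => { $LOG => 1 });

# Same shape as the check in the question, using the reply's bracket-aware pattern.
# Assumed changes: ^ anchors the match to the prefix Apache writes itself, so text
# later in the line (such as the attempted user name) cannot satisfy the pattern,
# and :\d+ accepts client ports longer than one digit.
sub custom_line {
    my ($line, $lgfile) = @_;
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\[\S+\s\S+\s\d+\s\S+\s\d+\]\s\[auth_basic:error\]\s\[pid\s\d+:tid\s\d+\]\s\[remote\s(\S+):\d+\]/i)) {
        return ("Failed basicauth login from",$1,"basicauth","7","80,443","1","0");
    }
    return 0;
}

# The pattern from the question, kept only to show why it never fires:
# it expects "auth_basic:error (?@IP)" without brackets, which the log does not contain.
my $old = qr/^\S+\s+\d+\s+\S+ \S+ auth_basic:error \(\?\@(\d+\.\d+\.\d+\.\d+)\) /;

# Constructed sample lines (documentation addresses, not real clients).
my @lines = (
    '[Thu Nov 02 22:28:28.360334 2023] [auth_basic:error] [pid 3077955:tid 139941203703360] [remote 203.0.113.45:0] AH01618: user test not found: /members/',
    '[Thu Nov 02 22:29:01.000001 2023] [auth_basic:error] [pid 3077955:tid 139941203703360] [remote 198.51.100.7:51514] AH01617: user test: authentication failure for "/members/": Password Mismatch',
    '[Thu Nov 02 22:30:00.000002 2023] [ssl:warn] [pid 3077955:tid 139941203703360] AH01909: example.com:443:0 server certificate does NOT include an ID which matches the server name',
);

for my $l (@lines) {
    my @hit = custom_line($l, $LOG);
    printf "old=%s new=%s\n",
        ($l =~ $old ? "match" : "no match"),
        ($hit[0] ? "block candidate $hit[1]" : "no match");
}
```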