Re: newbie using regex.custom.pm
Posted: 04 Apr 2014, 17:19
sergio - I believe the date string [04/Apr/2014:02:01:45 -0400] cannot be matched with \S+ since it contains semicolons, dashes and spaces, so I used .+ instead.
this seems to be working:
Code:
#50.22.3.226 - - [04/Apr/2014:02:01:45 -0400] "POST /wp-login.php HTTP/1.0" 500 534 "-" "-"
#50.22.3.226 - - [04/Apr/2014:02:01:50 -0400] "POST /wp-login.php HTTP/1.0" 403 214 "-" "-"
# Status is matched with an alternation: a [500,403] character class matches any one of those characters, not the full codes.
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[(.+)\] "POST \/wp-login\.php HTTP\S+" (?:500|403) /)) {
#if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[([\S+,\s])\] "POST \/wp-login\.php HTTP\S+" [500,403]/)) {
#if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[\S+\] "POST \/wp-login\.php \S+" 500/)) {
    # Debug log of each hit; lfd runs as root, so drop this fixed /tmp path once the rule is confirmed.
    if (open(my $logfh, '>>', '/tmp/regex.custom.pm.log')) {
        print $logfh scalar(localtime) . ' - ' . $1 . ' - ' . $2 . "\n";
        close($logfh);
    }
    return ("Failed wp-login.php login from",$1,"wp-login.php","1","80","60");
}
advice to newbies: write this out first to make sure your regex works properly:
Code:
#!/usr/bin/perl
use strict;
use warnings;
#my $line = '50.22.3.226 - - [04/Apr/2014:02:01:45 -0400] "POST /wp-login.php HTTP/1.0" 500 534 "-" "-"';
my $line = '50.22.3.226 - - [04/Apr/2014:02:01:50 -0400] "POST /wp-login.php HTTP/1.0" 403 214 "-" "-"';
if ($line =~ /(\S+) - - \[(.+)\] "POST \/wp-login\.php HTTP\S+" (?:500|403) /) {
    # Print the same fields the rule would return, comma-separated on one line
    print join(',', "Failed wp-login.php login from", $1, "wp-login.php", "1", "80", "60"), "\n";
}
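An added example, not part of the original post: a standalone test that runs a rule of this shape over several access-log lines and compares a `[500,403]` character class with a `(?:500|403)` alternation for the status field. The sample lines, including the 302 and 200 responses and the documentation-range IP addresses, are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines; not taken from a real log.
my @lines = (
    '203.0.113.7 - - [04/Apr/2014:02:01:45 -0400] "POST /wp-login.php HTTP/1.0" 500 534 "-" "-"',
    '203.0.113.7 - - [04/Apr/2014:02:01:50 -0400] "POST /wp-login.php HTTP/1.0" 403 214 "-" "-"',
    # 302 is the redirect WordPress sends after a successful login.
    '198.51.100.9 - - [04/Apr/2014:02:02:10 -0400] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Apr/2014:02:02:30 -0400] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Apr/2014:02:03:00 -0400] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "-"',
);

# Two variants of the status test, identical up to the status field.
my @patterns = (
    # A character class matches ONE character out of 5, 0, comma, 4, 3.
    [ 'character class [500,403]',
      qr/(\S+) - - \[(.+)\] "POST \/wp-login\.php HTTP\S+" [500,403]/ ],
    # An alternation plus trailing space matches the whole status code.
    [ 'alternation (?:500|403)',
      qr/(\S+) - - \[(.+)\] "POST \/wp-login\.php HTTP\S+" (?:500|403) / ],
);

for my $p (@patterns) {
    my ($name, $re) = @$p;
    print "== $name\n";
    for my $line (@lines) {
        # In list context the match returns the two captures, or an empty list.
        if (my ($ip, $when) = $line =~ $re) {
            my ($status) = $line =~ /" (\d{3}) /;
            print "  MATCH  $ip  status $status  [$when]\n";
        }
    }
}
```

With the character class the 302 line is reported as a match alongside the 500 and 403 lines, so a client that just logged in successfully would be counted as a failed login; with the alternation only the 500 and 403 lines match.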