Squid custom regex to filter login failure

Ilia
Junior Member
Posts: 98
Joined: 09 Feb 2013, 08:47

Squid custom regex to filter login failure

Post by Ilia »

Dear guys,

Could you please help me to fix my regex to filter login failure from Squid? Its log line is:

Code:

1392714132.861 0 1.2.3.4 TCP_DENIED/407 3922 CONNECT google.com:443 username HIER_NONE/- text/html

I need to catch the TCP_DENIED/407 part. Here is what I did in my regex.custom.pm, but it fails to catch it:

Code:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] TCP_DENIED\/407/)) {
	return ("Failed Squid authentication from",$1,"SquidAuth","3","3128","604800");
}

What am I doing wrong here?
Please help.
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: Squid custom regex to filter login failure

Post by Sergio »

Where in your error line is the " \[ " ?
The line that you are showing has:
1392714132.861 0 1.2.3.4 TCP_DENIED/407 3922 CONNECT google.com:443 username HIER_NONE/- text/html

So, the regex doesn't need any "\[" nor "\]" that don't exist. The regex should be something like this:
\S+\s+\d+\s+\S+ TCP_DENIED\/407 .*
Try not to use the caret "^".

You can check this regex against a list of errors on http://regexpal.com/

Sergio
Ilia
Junior Member
Posts: 98
Joined: 09 Feb 2013, 08:47

Re: Squid custom regex to filter login failure

Post by Ilia »

Thanks Sergio.

I just tested your example and the one I just made (http://regex101.com/r/jC8aE7). They both match but it's still not working. LFD doesn't trigger the block?

After editing I restarted both: csf -r, lfd -r. Added log 1 to .conf.

Not sure what is wrong.
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: Squid custom regex to filter login failure

Post by Sergio »

Can you paste more lines of the errors that you want to block?

What is the log file where you are searching for these errors?
Ilia
Junior Member
Posts: 98
Joined: 09 Feb 2013, 08:47

Re: Squid custom regex to filter login failure

Post by Ilia »

The log file is:

Code:

CUSTOM1_LOG = "/var/log/squid/access.log"

The custom regex is this (as after update):

Code:

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ TCP_DENIED\/407 .*/)) {
	return ("Failed Squid authentication from",$1,"SquidAuth","3","3128","604800");
}

The log lines are:

Code:

1392714132.861 0 1.2.3.4 TCP_DENIED/407 3922 CONNECT google.com:443 username HIER_NONE/- text/html

1392714132.861 0 1.2.3.4 TCP_DENIED/407 3922 CONNECT www.google.com:80 username HIER_NONE/- text/html

Ilia
Junior Member
Posts: 98
Joined: 09 Feb 2013, 08:47

Re: Squid custom regex to filter login failure

Post by Ilia »

Does it have to just match TCP_DENIED/407 or also match and extract an IP, for example: http://regex101.com/r/qJ5wL4

If so no wonder it doesn't work?
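
Added example, not part of any post in this thread and not CSF's own code: a stand-alone Perl harness for the question above of whether the rule must also extract an IP. It runs the rule as posted and a variant that captures Squid's client-address field against the thread's log lines (plus one constructed non-matching line); the sub names are hypothetical, and it relies on the second return value of a regex.custom.pm rule being the address lfd acts on.

```perl
#!/usr/bin/perl
# Added example: offline check of a regex.custom.pm-style rule (hypothetical harness).
use strict;
use warnings;

# First two lines are the ones posted in the thread; the third is constructed.
my @lines = (
    '1392714132.861 0 1.2.3.4 TCP_DENIED/407 3922 CONNECT google.com:443 username HIER_NONE/- text/html',
    '1392714132.861 0 1.2.3.4 TCP_DENIED/407 3922 CONNECT www.google.com:80 username HIER_NONE/- text/html',
    '1392714140.112 95 1.2.3.4 TCP_MISS/200 5120 GET http://example.com/ username HIER_DIRECT/192.0.2.10 text/html',
);

# Rule as posted: the pattern matches but has no capture group,
# so $1 is undefined and no address is handed back.
sub rule_no_capture {
    my ($line) = @_;
    if ($line =~ /^\S+\s+\d+\s+\S+ TCP_DENIED\/407 .*/) {
        return ("Failed Squid authentication from", $1, "SquidAuth", "3", "3128", "604800");
    }
    return;
}

# Variant: the third field of Squid's native log format (client address)
# is wrapped in parentheses so it becomes $1. \s+ tolerates padded columns.
sub rule_with_capture {
    my ($line) = @_;
    if ($line =~ /^\S+\s+\d+\s+(\S+)\s+TCP_DENIED\/407\s/) {
        return ("Failed Squid authentication from", $1, "SquidAuth", "3", "3128", "604800");
    }
    return;
}

for my $line (@lines) {
    for my $rule ([no_capture => \&rule_no_capture], [with_capture => \&rule_with_capture]) {
        my ($name, $code) = @$rule;
        my @ret = $code->($line);    # empty list means the rule did not match
        my $ip  = @ret ? (defined $ret[1] ? $ret[1] : '(undef)') : '(no match)';
        printf "%-13s ip=%-10s %s\n", $name, $ip, substr($line, 0, 45);
    }
}
```

A regex tester reports a match for both patterns; only the captured variant returns an address.
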
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: Squid custom regex to filter login failure

Post by Sergio »

By the way, it seems that LFD -r doesn't exist, you should use:
/etc/init.d/lfd restart
Ilia
Junior Member
Posts: 98
Joined: 09 Feb 2013, 08:47

Re: Squid custom regex to filter login failure

Post by Ilia »

OHHH, NO!!! You are right!! Thanks!! Whatever you pass to lfd, like lfd -r or lfd -v, it returns nothing!

Now I got it to work!! :) So much time wasted..
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: Squid custom regex to filter login failure

Post by Sergio »

It is not wasted time, I call it learning time :)
Ilia
Junior Member
Posts: 98
Joined: 09 Feb 2013, 08:47

Re: Squid custom regex to filter login failure

Post by Ilia »

Yes, you are right! Thanks again!