Custom regex for filtering Prosody failed logins
Posted: 19 Feb 2014, 17:52
I can't believe that I am writing about this matter again! I don't know if it is a bug or it's me (most likely), but this time it doesn't seem that obvious!
I have to detect failed logins to my XMPP server (Prosody). The log line (with spaces as it is):
Feb 19 15:02:04 domain.ru:log_auth warn Failed authentication attempt (not-authorized) from IP: 1.2.3.4
The regex is:
/^(\S+\s+\d+\s+\S+)\s+\S+\s+\S+\s+(Failed authentication attempt)\s+\S+\s+\S+\ IP: (\S*)/
Fully working: RegEx101 example: http://regex101.com/r/cJ3hK3
csf.conf custom log as this:
CUSTOM2_LOG = "/var/log/prosody/prosody.log"
regex.custom.pm file as this:
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+\s+\d+\s+\S+)\s+\S+\s+\S+\s+(Failed authentication attempt)\s+\S+\s+\S+\ IP: (\S*)/)) {
    return ("Failed Prosody authentication from",$1,"ProsodyAuth","3","5222","604800");
}
I restart csf and lfd all the time after I make a change, like this csf -r && /etc/init.d/lfd restart
What in the world am I doing wrong this time?
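Added example, not part of the original post: a standalone Perl check that runs the posted pattern against the posted log line and reports what ends up in the second return value for each capture group. csf's stock regex.custom.pm documents that second value as the offending IP address; the helper names and the single-group pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Log line and pattern as posted above.
my $line = 'Feb 19 15:02:04 domain.ru:log_auth warn Failed authentication '
         . 'attempt (not-authorized) from IP: 1.2.3.4';
my $posted = qr/^(\S+\s+\d+\s+\S+)\s+\S+\s+\S+\s+(Failed authentication attempt)\s+\S+\s+\S+\ IP: (\S*)/;

# Constructed variant (an assumption, not from the post): one capture group,
# so $1 is the address and the stock "return (..., $1, ...)" form applies.
my $single = qr/^\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+Failed authentication attempt\s+\S+\s+from IP: (\d{1,3}(?:\.\d{1,3}){3})\b/;

# Hypothetical helper: true if the string is a dotted-quad IPv4 address.
sub is_ipv4 {
    my ($s) = @_;
    return 0 unless defined $s
        && $s =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my $bad = grep { $_ > 255 } ($1, $2, $3, $4);
    return $bad ? 0 : 1;
}

# Hypothetical helper: run a rule against the sample line and build the list
# a regex.custom.pm rule returns, taking the address from group number $group.
sub rule_result {
    my ($re, $group) = @_;
    my @cap = $line =~ $re;
    return unless @cap;
    return ("Failed Prosody authentication from", $cap[$group - 1],
            "ProsodyAuth", "3", "5222", "604800");
}

# Compare which capture group yields something lfd can act on as an address.
for my $case (["posted pattern, \$1",       $posted, 1],
              ["posted pattern, \$3",       $posted, 3],
              ["single-group pattern, \$1", $single, 1]) {
    my ($label, $re, $group) = @$case;
    my @ret = rule_result($re, $group);
    if (!@ret) { print "$label: no match\n"; next; }
    printf "%-27s second value = %-19s %s\n", "$label:", "'$ret[1]'",
        is_ipv4($ret[1]) ? "valid IPv4" : "NOT an IP address";
}
```

Running the same check against a few real lines from /var/log/prosody/prosody.log before restarting lfd confirms that the rule both matches and hands back an address rather than a timestamp.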