Regex ProFtpd 530 DA -Solved
Posted: 10 Feb 2015, 15:07
Could someone point me in the right direction because I feel quite lost.
I have tried to search for an example or clue on this forum and Google. But I can't find a working custom regex.
I'm on a Debian server with DirectAdmin
The following is found in /var/log/proftpd/auth.log
ProFTPd [7098] 123.123.123.123 [10/Feb/2015:15:00:05 +0100] "PASS (hidden)" 530
Since this format is not caught by default I have tried to create a custom regex
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^ProFTPd \[\d+\] \d+.\d+.\d+.\d+ \[\d+\/\S+\/\d+:\d+:\d+\:\d+ \+\d+\] \"PASS \(hidden\)\" 530/)) {
return ("Failed FTP login from",$1,"myftpmatch","3","21","1");
}
The regex string catches the log string on various online regex tools. So as far as I understand, it should be OK.
In config file /etc/csf/csf.conf
LP_TRIGGER=0
CUSTOM2_LOG is set to /var/log/proftpd/auth.log
Any ideas?
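An added example, not part of the original post: a stand-alone Perl check that runs the posted pattern and a variant with the address in a capture group against the quoted log line, showing what `$1` holds in each case. The `check` helper and the stricter variant (escaped dots, either timezone sign, end-of-line anchor) are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Log line as quoted in the post (/var/log/proftpd/auth.log).
my $line = 'ProFTPd [7098] 123.123.123.123 [10/Feb/2015:15:00:05 +0100] "PASS (hidden)" 530';

# Pattern from the post: it matches, but contains no capture group,
# so $1 is undefined and the return list carries no IP address.
my $posted = qr/^ProFTPd \[\d+\] \d+.\d+.\d+.\d+ \[\d+\/\S+\/\d+:\d+:\d+\:\d+ \+\d+\] \"PASS \(hidden\)\" 530/;

# Variant (assumption, not from the post): address captured, dots escaped,
# either timezone sign accepted, status code anchored to end of line.
my $captured = qr/^ProFTPd \[\d+\] (\d+\.\d+\.\d+\.\d+) \[\d+\/\w+\/\d+:\d+:\d+:\d+ [+-]\d+\] "PASS \(hidden\)" 530\s*$/;

# Hypothetical helper: returns the list the custom rule would hand back,
# or an empty list when the line does not match.
sub check {
    my ($re, $text) = @_;
    if ($text =~ $re) {
        return ("Failed FTP login from", $1, "myftpmatch", "3", "21", "1");
    }
    return;
}

for my $case (["posted", $posted], ["captured", $captured]) {
    my ($name, $re) = @$case;
    my @hit = check($re, $line);
    my $ip = @hit ? (defined $hit[1] ? $hit[1] : "<undef>") : "<no match>";
    printf "%-9s ip=%s\n", $name, $ip;
}

# Constructed negative case: a successful login (230) must not match.
(my $ok_login = $line) =~ s/ 530$/ 230/;
my @none = check($captured, $ok_login);
printf "%-9s ip=%s\n", "230 line", @none ? $none[1] : "<no match>";
```

Online regex testers report only whether the line matches, which is why the posted pattern looks correct there while the second element of the return list stays empty.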