
Re: logcheck driving me nuts



Pim Bliek wrote:
Hi list

Logcheck is driving me NUTS. I'm not a regular expression guru so
here's my problem:

Every hour I run a script to kick out ssh brute force script kiddies.
This generates the following in syslog:
Apr 2 17:01:01 zenggi2 /USR/SBIN/CRON[29227]: (root) CMD (ruby /root/ autodeny.rb )

Every hour logcheck likes to send me an email with only this line. So I
went to /etc/logcheck/ignore.d.server/cron and put this in:
^[[:alnum:]-]+autodeny[[:alnum:]-]+$

Which does not work.
Can someone please help me with a regexp that just works? I am not such
a wizard with the logcheck regexp format.

I think your rule fails because the "[[:alnum:]-]" expression does not
match the colons, slashes and brackets in your syslog lines, and the
fact that you start the rule with "^" and end it with "$" requires a
match of the entire line. Your rule looks like you want it to match
everything which contains "autodeny" anywhere in the line; you can
achieve this with

^.+autodeny.+$

or, if you want to be a bit more specific, you can write

^.+autodeny\.rb.+$

If you want to follow the general style of the existing rules a bit more
closely, you can use

^\w{3} [ :0-9]{11} zenggi2 /USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(ruby /root/ autodeny\.rb \)$

This reduces the risk of missing some important log message which is
not related to your script but which by coincidence happens to
contain "autodeny".

Regards,
          Florian
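The four rules from this thread can be checked outside logcheck with `grep -E`, which is the extended-regex engine logcheck applies to its rule files (`egrep -f`). The script below is an added example and not part of either mail: it feeds each rule a constructed copy of the cron line, a constructed look-alike from sshd that merely mentions a user called "autodeny", and a copy of the cron line with a single space before the day, which is how it appears in the quoted mail. That last line is the caveat to watch for: syslog pads the day to two characters ("Apr  2"), and the strict rule's `[ :0-9]{11}` counts on that padding, so it will not match a line that has lost the extra space in transit. The hostname `zenggi2`, the PIDs and the 192.0.2.7 address are sample values made up for the test.

```shell
#!/bin/sh
# Added example: exercising logcheck ignore rules with grep -E, the same
# extended-regex engine logcheck applies to its rule files (egrep -f).
# The log lines below are constructed for this example.

# The cron line from the post, with syslog's usual two-character day field
# ("Apr  2"); the strict rule's [ :0-9]{11} relies on that padding.
CRON_LINE='Apr  2 17:01:01 zenggi2 /USR/SBIN/CRON[29227]: (root) CMD (ruby /root/ autodeny.rb )'
# The same line with a single space before the day, as quoted in the mail.
CRON_LINE_NARROW='Apr 2 17:01:01 zenggi2 /USR/SBIN/CRON[29227]: (root) CMD (ruby /root/ autodeny.rb )'
# Constructed unrelated message that happens to contain the word "autodeny".
OTHER_LINE='Apr  2 17:05:12 zenggi2 sshd[29301]: Accepted publickey for autodeny from 192.0.2.7 port 51234 ssh2'

RULE_ORIG='^[[:alnum:]-]+autodeny[[:alnum:]-]+$'    # the poster's rule
RULE_LOOSE='^.+autodeny.+$'
RULE_FILE='^.+autodeny\.rb.+$'
RULE_STRICT='^\w{3} [ :0-9]{11} zenggi2 /USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(ruby /root/ autodeny\.rb \)$'

# matches RULE LINE -> exit status 0 if RULE (an ERE) matches LINE, 1 otherwise
matches() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# report_after_ignore RULEFILE: read log lines on stdin and print the ones
# logcheck would still report, i.e. those no rule in RULEFILE matches.
report_after_ignore() {
    grep -E -v -f "$1"
}

# show RULE: print, for each sample line, whether the rule would ignore it
show() {
    for line in "$CRON_LINE" "$CRON_LINE_NARROW" "$OTHER_LINE"; do
        if matches "$1" "$line"; then verdict=ignored; else verdict=REPORTED; fi
        printf '%-8s %s\n' "$verdict" "$line"
    done
}

for rule in "$RULE_ORIG" "$RULE_LOOSE" "$RULE_FILE" "$RULE_STRICT"; do
    printf '\nrule: %s\n' "$rule"
    show "$rule"
done
```

Running it shows the poster's rule reporting every line (the character class cannot cross the spaces and colons before "autodeny"), the two `.+` rules ignoring the sshd line as well, and the strict rule ignoring only the padded cron line. To try a candidate rule the way logcheck will use it, put it in a file and pipe a sample of `/var/log/syslog` through `report_after_ignore`; whatever comes out is what the hourly mail would still contain.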


