Re: logcheck driving me nuts
Pim Bliek wrote:
Hi list
Logcheck is driving me NUTS. I'm not a regular expression guru so
here's my problem:
Every hour I run a script to kick out ssh brute force script kiddies.
This generates the following in syslog:
Apr  2 17:01:01 zenggi2 /USR/SBIN/CRON[29227]: (root) CMD (ruby /root/autodeny.rb )
Every hour logcheck likes to send me an email with only this line. So I
went to /etc/logcheck/ignore.d.server/cron and put this in:
^[[:alnum:]-]+autodeny[[:alnum:]-]+$
Which does not work.
Can someone please help me with a regexp that just works? I am not such
a wizard with the logcheck regexp format...
I think your rule fails because the "[[:alnum:]-]" expression does not
match the colons, slashes and brackets in your syslog lines, and the
fact that you start the rule with "^" and end it with "$" requires a
match of the entire line. Your rule looks like you want it to match
everything which contains "autodeny" anywhere in the line; you can
achieve this with
^.+autodeny.+$
or, if you want to be a bit more specific, you can write
^.+autodeny\.rb.+$
If you want to follow the general style of the existing rules a bit more
closely, you can use
^\w{3} [ :0-9]{11} zenggi2 /USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(ruby /root/autodeny\.rb \)$
This reduces the risk of missing some important log message which is
not related to your script but which by coincidence happens to
contain "autodeny".
Regards,
Florian
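The three rules from this reply, checked the way logcheck itself applies them (it feeds ignore.d patterns to egrep -v, so grep -E against a single line reproduces its verdict). This is an added example, not code from the thread; the sample log lines are constructed, with the cron line taken from the thread unwrapped and with syslog's two-column day padding ("Apr  2"), which the strict rule's `[ :0-9]{11}` relies on.

```shell
#!/bin/sh
# Added example (not from the thread): show which syslog lines each logcheck
# ignore rule suppresses. logcheck applies ignore.d patterns with egrep -v,
# so grep -E on one line gives the same answer for that line.

# Constructed sample lines. The cron line is the thread's, unwrapped; syslog
# pads the day of month to two columns, hence the double space in "Apr  2".
CRON_LINE='Apr  2 17:01:01 zenggi2 /USR/SBIN/CRON[29227]: (root) CMD (ruby /root/autodeny.rb )'
# An unrelated, constructed line that also contains "autodeny" and that an
# admin would certainly want to see rather than have silently dropped.
OTHER_LINE='Apr  2 17:05:22 zenggi2 sudo: pim : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/rm /root/autodeny.rb'

# The three rules discussed in the thread, unchanged.
NAIVE='^[[:alnum:]-]+autodeny[[:alnum:]-]+$'
BROAD='^.+autodeny.+$'
STRICT='^\w{3} [ :0-9]{11} zenggi2 /USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(ruby /root/autodeny\.rb \)$'

# ignored PATTERN LINE: exit 0 if logcheck would suppress LINE under PATTERN.
ignored() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# Print a verdict for every rule/line pair (the first four syslog fields are
# dropped from the printed line to keep the report readable).
report() {
    for name in NAIVE BROAD STRICT; do
        eval "pat=\$$name"
        for line in "$CRON_LINE" "$OTHER_LINE"; do
            if ignored "$pat" "$line"; then
                verdict=suppressed
            else
                verdict=reported
            fi
            printf '%-6s %-10s %.40s...\n' "$name" "$verdict" "${line#* * * * }"
        done
    done
}

report
```

Expected outcome: NAIVE reports both lines (the spaces, colons and brackets are outside `[[:alnum:]-]`), BROAD suppresses both, and only STRICT suppresses the cron line while still reporting the sudo line.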