
Re: logcheck driving me nuts



Now that works!
Dankjewel Florian ;)  (thanks in dutch for the rest of the list ;))

Pim

On Apr 2, 2006, at 7:07 PM, Florian Kulzer wrote:

Pim Bliek wrote:
Hi list
Logcheck is driving me NUTS. I'm not a regular expression guru so
here's my problem:
Every hour I run a script to kick out ssh brute force script kiddies.
This generates the following in syslog:
Apr 2 17:01:01 zenggi2 /USR/SBIN/CRON[29227]: (root) CMD (ruby /root/autodeny.rb)

Every hour logcheck likes to send me an email with only this line. So I
went to /etc/logcheck/ignore.d.server/cron and put this in:
^[[:alnum:]-]+autodeny[[:alnum:]-]+$
Which does not work.
Can someone please help me with a regexp that just works? I am not such
a wizard with the logcheck regexp format..

I think your rule fails because the "[[:alnum:]-]" expression does not
match the colons, slashes and brackets in your syslog lines, and the
fact that you start the rule with "^" and end it with "$" requires a
match of the entire line. Your rule looks like you want it to match
everything which contains "autodeny" anywhere in the line; you can
achieve this with

^.+autodeny.+$

or, if you want to be a bit more specific, you can write

^.+autodeny\.rb.+$

If you want to follow the general style of the existing rules a bit more
closely, you can use

^\w{3} [ :0-9]{11} zenggi2 /USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(ruby /root/autodeny\.rb\)$

This reduces the risk of missing some important log message which is
not related to your script but which by coincidence happens to
contain "autodeny".

Regards,
          Florian


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


--
---------------------------------------------
PingWings - Making the penguin fly
- - - - - - - - - - - - - - - - - - - - - - -
M:  06-24711729
E:  info@pingwings.nl
I:  www.pingwings.nl
---------------------------------------------
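A small test harness for the three rules discussed above, added here as an example and not part of the thread. logcheck applies the patterns in ignore.d.* with egrep -f, so running each rule through grep -E -v over a couple of sample lines shows exactly which lines would still be mailed. The cron line is the one from the thread (with the day padded to two characters, as syslog writes it and as Florian's [ :0-9]{11} assumes); the second, sshd line is constructed so that the word "autodeny" appears in an unrelated message, which is the case the stricter rule is meant to keep visible.

```shell
#!/bin/sh
# Added example: check logcheck ignore rules against sample syslog lines.
# Not code from the thread or from the logcheck project.

# Constructed sample log: the cron line from the thread plus an unrelated
# sshd line that happens to contain "autodeny" and must NOT be suppressed.
SAMPLE_LOG='Apr  2 17:01:01 zenggi2 /USR/SBIN/CRON[29227]: (root) CMD (ruby /root/autodeny.rb)
Apr  2 17:05:22 zenggi2 sshd[29301]: Accepted password for autodeny from 10.0.0.5 port 4022 ssh2'

# The three rules discussed in the thread.
RULE_ORIGINAL='^[[:alnum:]-]+autodeny[[:alnum:]-]+$'
RULE_LOOSE='^.+autodeny.+$'
RULE_STRICT='^\w{3} [ :0-9]{11} zenggi2 /USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(ruby /root/autodeny\.rb\)$'

# Print the lines of $2 that rule $1 does not suppress. logcheck feeds its
# rules to egrep -f, so grep -E -v with the same pattern mirrors its behaviour.
unsuppressed() {
    rule=$1
    logtext=$2
    printf '%s\n' "$logtext" | grep -E -v -e "$rule"
}

# Count the lines that would still end up in the logcheck mail.
# wc -l is last in the pipeline so a fully suppressed log yields 0, not an error.
count_unsuppressed() {
    n=$(unsuppressed "$1" "$2" | wc -l)
    echo "$n"
}

for rule in "$RULE_ORIGINAL" "$RULE_LOOSE" "$RULE_STRICT"; do
    printf '%s\n  -> %s line(s) still reported\n' \
        "$rule" "$(count_unsuppressed "$rule" "$SAMPLE_LOG")"
done
```

The original rule suppresses nothing, because the character class cannot match the spaces, colons and slashes that sit between the anchors. The loose rule suppresses both lines, which is the over-matching risk Florian points out. The strict rule suppresses only the cron line and lets the sshd line through.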
