Re: logcheck driving me nuts



Pim Bliek wrote:
Hi list

Logcheck is driving me NUTS. I'm not a regular expression guru so
here's my problem:

Every hour I run a script to kick out ssh brute force script kiddies.
This generates the following in syslog:
Apr 2 17:01:01 zenggi2 /USR/SBIN/CRON[29227]: (root) CMD (ruby /root/ autodeny.rb )

Every hour logcheck likes to send me an email with only this line. So I
went to /etc/logcheck/ignore.d.server/cron and put this in:
^[[:alnum:]-]+autodeny[[:alnum:]-]+$

Which does not work.
Can someone please help me with a regexp that just works? I am not such
a wizard with the logcheck regexp format..

I think your rule fails because the "[[:alnum:]-]" expression does not
match the colons, slashes and brackets in your syslog lines, and the
fact that you start the rule with "^" and end it with "$" requires a
match of the entire line. Your rule looks like you want it to match
everything which contains "autodeny" anywhere in the line; you can
achieve this with

^.+autodeny.+$

or, if you want to be a bit more specific, you can write

^.+autodeny\.rb.+$

If you want to follow the general style of the existing rules a bit more
closely, you can use

^\w{3} [ :0-9]{11} zenggi2 /USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(ruby /root/ autodeny\.rb \)$

This reduces the risk of missing some important log message which is
not related to your script but which by coincidence happens to
contain "autodeny".

Regards,
Florian

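To see why the three rules behave differently, here is an added test harness (not Florian's or Pim's code, and not logcheck itself) that runs each rule over the cron line from the thread plus two constructed sshd lines, one of which merely mentions "autodeny". Assumptions: the real syslog line pads the day to two characters ("Apr  2"), which the archive appears to have collapsed to one space; Python's re has no POSIX [[:alnum:]] class, so the original rule is written out as [A-Za-z0-9-].

```python
import re

# Constructed sample syslog lines. The cron line is the one from the thread,
# with the two-space day padding syslog actually writes (assumed here).
CRON_LINE = ("Apr  2 17:01:01 zenggi2 /USR/SBIN/CRON[29227]: "
             "(root) CMD (ruby /root/ autodeny.rb )")
# Unrelated line that happens to contain "autodeny" (constructed decoy).
DECOY_LINE = ("Apr  2 17:05:13 zenggi2 sshd[29310]: Accepted publickey "
              "for autodeny from 192.0.2.10 port 4242 ssh2")
# Ordinary brute-force noise that should always be reported (constructed).
SSH_LINE = ("Apr  2 17:02:44 zenggi2 sshd[29301]: Failed password for "
            "invalid user admin from 192.0.2.10 port 4242 ssh2")

# Python equivalents of the rules discussed in the thread.
RULES = {
    # Pim's rule: [[:alnum:]-] cannot match spaces, colons or slashes.
    "original": r"^[A-Za-z0-9-]+autodeny[A-Za-z0-9-]+$",
    # Florian's loose rule: anything containing "autodeny".
    "loose": r"^.+autodeny.+$",
    # Florian's strict rule in the style of the stock logcheck rules.
    "strict": (r"^\w{3} [ :0-9]{11} zenggi2 /USR/SBIN/CRON\[[0-9]+\]: "
               r"\(root\) CMD \(ruby /root/ autodeny\.rb \)$"),
}


def matches(rule_name, line):
    """True if the named ignore rule would suppress this line."""
    return re.search(RULES[rule_name], line) is not None


def logcheck_filter(lines, rules):
    """Mimic logcheck's ignore pass: drop every line matched by at least
    one rule and return the lines that would still be mailed out."""
    compiled = [re.compile(r) for r in rules]
    return [ln for ln in lines if not any(rx.search(ln) for rx in compiled)]


def report(rule_name):
    """Lines logcheck would still report with only the named rule active."""
    return logcheck_filter([CRON_LINE, DECOY_LINE, SSH_LINE],
                           [RULES[rule_name]])


if __name__ == "__main__":
    for name in RULES:
        print(name, "->", [ln[:40] for ln in report(name)])
```

The strict rule depends on the exact day padding: with a single space after "Apr", [ :0-9]{11} swallows the space before "zenggi2" and the rule no longer matches, which is the first thing to check when a copied rule "does not work".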



