
I am trying to get a regex for an ical service on my host working, without success. This is a part of the logfile:

    Tue Jul 23 13:55:23 2019: ical|T720] [info ] Accepted connection from [::ffff:2.3.4.5]:56450
    Tue Jul 23 13:55:23 2019: [net/[::ffff:5.6|T5234] [error ] HrLogon server "http://localhost:123/" user "Admin": logon failed
    Tue Jul 23 13:55:23 2019: [net/[::ffff:5.6|T5234] [warning] Login failed (0x80040111 logon failed), resending authentication request
    Tue Jul 23 13:55:23 2019: [net/[::ffff:5.6|T5234] [notice ] [::ffff:5.61.48.194]:56450 - Admin [23/Jul/2019:13:55:23 +0200] "GET / HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
    Tue Jul 23 13:55:23 2019: [net/[::ffff:5.6|T5234] [info ] Connection closed

This is the part of the log file, and I have already tried different things to get this into a filter. The important parts are "Login failed" and, in the next line, the part with the IP. But how can I get this working? Any help would be great!!!

Thanks in advance

icey

The actual configs look like this. ical.conf:

    [INCLUDES]
    before = common.conf

    [Definition]
    failregex = ^*Login failed\n^.*\[notice \] \[::ffff:<HOST>\]$
    ignoreregex =

    [Init]
    maxlines = 2

and the jail conf:

    [ical]
    enabled = false
    port = 8443
    filter = kopano-ical
    logpath = /var/log/ical.log
    maxretry = 3
    bantime = 3600
  • Welcome to Server Fault! What are the "different things" you have tried? What did you expect to happen? What happened instead? What does your config look like? Commented Jul 24, 2019 at 8:54
  • Hi Jenny, thanks for your answer. The purpose is that the IP is being banned as in the config: [ical] enabled = false port = 8443 filter = ical logpath = /var/log/ical.log maxretry = 3 bantime = 3600 The filter conf looks like this: [INCLUDES] before = common.conf [Definition] failregex = ^*Login failed\n^.*\[notice \] \[::ffff:<HOST>\]$ ignoreregex = [Init] maxlines = 2 Commented Jul 24, 2019 at 8:55
  • It's very hard to read the config when it's in a comment - please instead click the "edit" link below the question, and add the config there. Then use the {} button to format it as code, so it will be easier to read. Commented Jul 24, 2019 at 8:59
  • Hope it is better now, sorry for the trouble. I tried around with several expression variants, but I am not able to write the expression so that it finds the correct part in the log file. Commented Jul 24, 2019 at 9:12

1 Answer


I believe your regex is not correct. You're missing a dot (.) at the beginning right after ^ and a .* before \n, and since you used $ at the end you need to put .* before $, because ] is not the last character.

    failregex = ^.*Login failed.*\n^.*\[notice \] \[::ffff:<HOST>\].*$
  • Thanks Ergec, it seems to work fine :) Thanks a lot!! Commented Jul 24, 2019 at 19:56
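
Added example, not part of the original question or answer: a simplified Python emulation of matching a two-line window (`maxlines = 2`) against the log excerpt from the question, comparing the original regex, a half-fixed variant and the answer's regex. Assumptions: `HOST` is an IPv4-only stand-in for fail2ban's `<HOST>` tag, timestamps are left in the lines, the window handling is a simplification, and all function names are hypothetical.

```python
import re
from collections import deque

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

BROKEN = r"^*Login failed\n^.*\[notice \] \[::ffff:<HOST>\]$"       # from the question
PARTIAL = r"^.*Login failed\n^.*\[notice \] \[::ffff:<HOST>\]$"     # only "^*" repaired
FIXED = r"^.*Login failed.*\n^.*\[notice \] \[::ffff:<HOST>\].*$"   # from the answer

# Lines copied from the log excerpt in the question.
LOG = """\
Tue Jul 23 13:55:23 2019: ical|T720] [info ] Accepted connection from [::ffff:2.3.4.5]:56450
Tue Jul 23 13:55:23 2019: [net/[::ffff:5.6|T5234] [error ] HrLogon server "http://localhost:123/" user "Admin": logon failed
Tue Jul 23 13:55:23 2019: [net/[::ffff:5.6|T5234] [warning] Login failed (0x80040111 logon failed), resending authentication request
Tue Jul 23 13:55:23 2019: [net/[::ffff:5.6|T5234] [notice ] [::ffff:5.61.48.194]:56450 - Admin [23/Jul/2019:13:55:23 +0200] "GET / HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
Tue Jul 23 13:55:23 2019: [net/[::ffff:5.6|T5234] [info ] Connection closed
""".splitlines()


def find_failures(failregex, lines, maxlines=2):
    """Slide a window of `maxlines` lines over the log; return the hosts matched."""
    # MULTILINE lets the second "^" and the final "$" anchor at line boundaries.
    rx = re.compile(failregex.replace("<HOST>", HOST), re.MULTILINE)
    window = deque(maxlen=maxlines)
    hosts = []
    for line in lines:
        window.append(line)
        match = rx.search("\n".join(window))
        if match:
            hosts.append(match.group("host"))
            window.clear()  # do not count the same pair of lines twice
    return hosts


def explain(failregex, lines):
    """Return the matched hosts, or the compile error for an invalid pattern."""
    try:
        return find_failures(failregex, lines)
    except re.error as exc:
        return f"invalid regex: {exc}"


if __name__ == "__main__":
    for name, rx in (("BROKEN", BROKEN), ("PARTIAL", PARTIAL), ("FIXED", FIXED)):
        print(f"{name:8} -> {explain(rx, LOG)}")
```

On the host itself, `fail2ban-regex` run with the log file and the filter file as arguments tests the real filter against the real log before the jail is enabled.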
