[Logcheck-users] Multi-line rules?
Mark Edwards
mark at antsclimbtree.com
Wed Aug 30 21:03:19 UTC 2006
Is there a way to create multi-line ignore rules?
What I want to do is this -- I have fail2ban in place to block ssh
attack bots, and I don't want to see failed ssh log entries under,
say, 5 failures. Each time an ssh failure occurs there are two
different log lines generated:
Aug 30 04:03:57 mini sshd[19149]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=211.98.88.125 user=root
Aug 30 04:04:00 mini sshd[19149]: Failed password for root from 211.98.88.125 port 43631 ssh2
I want a rule that ignores up to five repeated sets of those two
lines. If somehow the fail2ban mechanism fails and someone logs more
than 5 failures in a row, I want to know about it.
I tried combining two working ignore patterns with a \n newline, but
that didn't work. I was thinking of something like this:
^(\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[.0-9]{7,15} user=root\n\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for root from [.0-9]{7,15} port [0-9]+ ssh2\n){1,5}$
Is this possible in some way?
Thanks!
--
Mark Edwards
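Logcheck hands its ignore files to egrep one log line at a time, so a single rule cannot span the two-line pair. The threshold the poster describes can instead be applied by a small pre-filter; the example below is added here and is not from the original post or from logcheck. It pairs the pam_unix line with the "Failed password" line by sshd pid, drops a source host that produced at most five such records, and reports every line from a host that went past that. The host-name character class, the pid-based pairing and the sample log lines are my assumptions.

```python
import re
from collections import defaultdict

# Python re version of the poster's syslog prefix; re has no [:alnum:] class,
# so the host name is assumed to be word characters, dots and dashes.
_PREFIX = r"^\w{3} [ :0-9]{11} [\w.-]+ sshd\[(?P<pid>[0-9]+)\]: "
PAM_FAIL = re.compile(_PREFIX + r"\(pam_unix\) authentication failure; "
                      r".*rhost=(?P<host>[.0-9]{7,15}) user=root$")
PW_FAIL = re.compile(_PREFIX + r"Failed password for root from "
                     r"(?P<host>[.0-9]{7,15}) port [0-9]+ ssh2$")

def filter_ssh_failures(lines, threshold=5):
    """Return the lines still worth reporting, in log order.
    A record is a pam_unix line followed by a "Failed password" line with the
    same sshd pid and host. Hosts with at most `threshold` records are dropped;
    a host that exceeds it has every line reported. Other lines pass through."""
    pending = {}                 # pid -> (host, index, pam line) awaiting its 2nd line
    records = defaultdict(list)  # host -> [(idx1, line1, idx2, line2), ...]
    report = []                  # (index, line) pairs; index restores log order
    for idx, line in enumerate(lines):
        m = PAM_FAIL.match(line)
        if m:
            if m["pid"] in pending:          # earlier half never completed: report it
                report.append(pending[m["pid"]][1:])
            pending[m["pid"]] = (m["host"], idx, line)
            continue
        m = PW_FAIL.match(line)
        if m and pending.get(m["pid"], (None,))[0] == m["host"]:
            host, idx1, line1 = pending.pop(m["pid"])
            records[host].append((idx1, line1, idx, line))
            continue
        report.append((idx, line))
    report.extend(p[1:] for p in pending.values())   # orphaned first halves
    for host, recs in records.items():
        if len(recs) > threshold:
            for idx1, line1, idx2, line2 in recs:
                report.extend([(idx1, line1), (idx2, line2)])
    return [line for _, line in sorted(report)]

def _record(ts, pid, host, port):
    """Constructed sample pair in the format quoted in the question."""
    return [f"Aug 30 {ts} mini sshd[{pid}]: (pam_unix) authentication failure; "
            f"logname= uid=0 euid=0 tty=ssh ruser= rhost={host} user=root",
            f"Aug 30 {ts} mini sshd[{pid}]: Failed password for root from {host} port {port} ssh2"]

# Constructed log: 3 records from one host, 6 from another, one unrelated line.
SAMPLE_LOG = sum((_record(f"04:03:{s:02d}", 19149 + s, "211.98.88.125", 43631 + s) for s in range(3)), [])
SAMPLE_LOG += sum((_record(f"04:05:{s:02d}", 19200 + s, "198.51.100.9", 40000 + s) for s in range(6)), [])
SAMPLE_LOG.append("Aug 30 04:10:00 mini sshd[19300]: Accepted publickey for mark from 192.0.2.10 port 50000 ssh2")
```

Run it over the hour's log before logcheck sees it, and tune `threshold` to match the fail2ban limit; an orphaned pam_unix line without its second half is reported rather than hidden.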