D'OH!!! Thank you Risto! That works perfectly! :)
**DON'T PUT IN THE QUOTES** :P ;) :) Jim p.s. I'm glad I'm not the only idiot - several other /very/ smart and /very/ good with SEC (IMHO) people replied to me and didn't catch the quotes either! :P Thanks to everyone who tried to help! This list is awesome! :) James E. Prewett [EMAIL PROTECTED] [EMAIL PROTECTED] Systems Team Leader LoGS: http://www.hpc.unm.edu/~download/LoGS/ Designated Security Officer OpenPGP key: pub 1024D/31816D93 HPC Systems Engineer III UNM HPC 505.277.8210 On Tue, 30 Sep 2008, Risto Vaarandi wrote: > hi Jim, > try the same 'write' action with double quotes removed around the filename -- > does it solve the problem? > risto > > > Jim Prewett wrote: > > Hello, > > > > I'm using SEC 2.4.2 and am having problems with the write action. > > > > I'm using the following rule to try to write all invalid ssh users to a log > > file: > > > > type=single > > ptype=RegExp > > pattern=sshd\[\d+\]: Invalid user \S+ from (\S+)$ > > action=write "/tmp/bad-ssh/foo.log" > > desc=bad ssh from $1 > > > > When running SEC, I'm getting a bunch of these error messages: > > > > Writing event 'bad ssh from 125.69.132.103' to file "/tmp/bad-ssh/foo.log" > > Can't open file "/tmp/bad-ssh/foo.log" for writing event 'bad ssh from > > 125.69.132.103'! > > > > I've tried this both under MacOS 10.4 and OpenSuSE 10.3. Both are Perl > > v5.8.8. > > > > Thanks for any help you can provide, > > Jim > > > > James E. Prewett [EMAIL PROTECTED] [EMAIL PROTECTED] > > Systems Team Leader LoGS: http://www.hpc.unm.edu/~download/LoGS/ > > Designated Security Officer OpenPGP key: pub 1024D/31816D93 HPC > > Systems Engineer III UNM HPC 505.277.8210 > > > > ------------------------------------------------------------------------- > > This SF.Net email is sponsored by the Moblin Your Move Developer's challenge > > Build the coolest Linux based applications with Moblin SDK & win great > > prizes > > Grand prize is a trip for two to an Open Source event anywhere in the world > > http://moblin-contest.org/redirect.php?banner_id=100&url=/ > > _______________________________________________ > > Simple-evcorr-users mailing list > > [email protected] > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > > > ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Simple-evcorr-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
