On 03/03/2013 10:10 PM, John P. Rouillard wrote:
> In message <5133f3d4.6050...@gmail.com>,
> Jeffrey Starin writes:
>
>> First off, when a rule is entered as such:
>>
>> pattern=[INFO] (.+)@domain.com is now logged in
>
> If this is a regexp, [INFO] is a character class definition, meaning it
> will match any one character between the []'s. I guess you want [INFO]
> to literally match the word INFO surrounded by brackets.
>
> So you need \[INFO\] not [INFO] in your regexp pattern.
>
>> does sec look for any match within the string or must it match the
>> string perfectly?
>
> If you don't anchor it with ^ and $ (see any perl regexp reference) it
> will match any substring and does not have to match from the beginning
> to the end of the string.
>
>> the reason I'm asking is I have log files that look like this in
>> /var/log/messages:
>>
>> Mar 3 18:36:43 who pure-ftpd: (?@546.45.55.321) [INFO]
>> admin-bac...@domain.com is now logged in
>>
>> Mar 3 18:33:37 who pure-ftpd:
>> (admin-bac...@domain.com@546.45.55.321) [NOTICE]
>> /home/domain/public_html/admin-backup//Client-contacts.xls
>> downloaded (10112 bytes, 116344.81KB/sec)
>>
>> and I want alerts sent to me via email when either 1) someone ftps to
>> the account, or 2) downloads a file via ftp.
>>
>> and I have two separate .cfg files that I want to match on (although I'm
>> struggling to find out how I can have one .cfg file for two separate
>> rules -- haven't figured out how to do that yet).
>
> I am not sure what you mean; a config file can have many rules. Each
> additional rule starts with a type= line.
>
> You just keep adding rules to a .cfg file.
>
>> Anyway, the rules.cfg file has:
>>
>> type=Single
>> ptype=RegExp
>> pattern=(admin-backup)@domain.com is now logged in
>> desc=successful FTP login for account $1
>> action=pipe '$0' /bin/mail -s "$1 logged in! " m...@gmail.com
>>
>> and rules-download.cfg has:
>>
>> type=Single
>> ptype=RegExp
>> pattern=[NOTICE](.) downloaded
>> desc=successful FTP download
>> action=pipe '$0' /bin/mail -s "FTP download!" m...@gmail.com
>>
>> Although these rules do indeed send emails, an email is sent saying
>> someone has logged in when they are downloading, and that is not the
>> intent, despite having [NOTICE] as the pattern in the rules-download.cfg
>> file.
>
> Again, your regular expression patterns don't mean what you think they
> mean. If you are going to capture info (by surrounding them with
> parens: ()) you have to use pattern=RegExp (as you have done) and
> provide a valid regexp.
>
> My guess is things will start working better once you create valid regexps.
>
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.

Again, thanks for this great information. Here is another question from a
newbie:

If I want one config file but two log files, i.e., the rules in the config
file pull from two different log files, what is the syntax for that?

I now have the following two config files and, although I will fix up the
regex, they work. I'm assuming I can just paste them together like so:

type=Single
ptype=RegExp
pattern=(user-9)@domain.com is now logged in
desc=successful FTP login for account $1
action=pipe '$0' /bin/mail -s "$1 logged in!" m...@me.com

type=Single
ptype=RegExp
pattern=sent \/home\/public\_html\/(.*)\/(.*)
desc=successful FTP download for account $1 file: $2
action=pipe '$0' /bin/mail -s "Download by $1!" m...@me.com

but the first config gets input from /var/log/messages and the second one
gets input from /var/log/pureftpd.log. How does one tell sec to get input
from two different log files while making sure they get properly assigned
to the right part of the config file?

Thank you!
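The two regexp points made in the quoted reply (unescaped brackets form a character class, and an unanchored pattern matches any substring) checked against events modelled on the pure-ftpd lines in the thread. This is an added example in Python's `re` (close enough to Perl regexps for these points), not code from the thread or from SEC; the sample events, the full mail address and the corrected patterns are constructed here.

```python
import re

# Constructed sample events, modelled on the pure-ftpd lines quoted in the thread
# (the post abbreviates the address; "admin-backup" is taken from the poster's rule).
LOGIN_LINE = ("Mar  3 18:36:43 who pure-ftpd: (?@546.45.55.321) [INFO] "
              "admin-backup@domain.com is now logged in")
DOWNLOAD_LINE = ("Mar  3 18:33:37 who pure-ftpd: (admin-backup@domain.com@546.45.55.321) "
                 "[NOTICE] /home/domain/public_html/admin-backup//Client-contacts.xls "
                 "downloaded (10112 bytes, 116344.81KB/sec)")

# Patterns as written in the thread: [INFO] and [NOTICE] are character classes here,
# i.e. "one of I, N, F, O" rather than the literal bracketed word.
BROKEN_LOGIN = r"[INFO] (.+)@domain.com is now logged in"
BROKEN_DOWNLOAD = r"[NOTICE](.) downloaded"

# Corrected patterns (constructed): brackets escaped so they match literally, one
# capture group each so that SEC's $1 would carry the account / the file path.
FIXED_LOGIN = r"\[INFO\] (\S+)@domain\.com is now logged in"
FIXED_DOWNLOAD = r"\[NOTICE\] (\S+) downloaded"


def first_group(pattern, event):
    """Return what $1 would be for an unanchored RegExp match, or None when the
    rule would not fire. re.search mirrors SEC: any substring may match."""
    m = re.search(pattern, event)
    return m.group(1) if m else None


def matches(pattern, event):
    """True if the pattern matches somewhere in the event (used to contrast ^-anchoring)."""
    return re.search(pattern, event) is not None


def demo():
    return {
        # [INFO] as a class needs one of I,N,F,O followed by a space: never present here
        "broken_login": first_group(BROKEN_LOGIN, LOGIN_LINE),
        "fixed_login": first_group(FIXED_LOGIN, LOGIN_LINE),
        # " downloaded" is preceded by "ls", and 'l' is not in the class [NOTICE]
        "broken_download": first_group(BROKEN_DOWNLOAD, DOWNLOAD_LINE),
        "fixed_download": first_group(FIXED_DOWNLOAD, DOWNLOAD_LINE),
        # unanchored substring match vs. ^-anchored match on a line that starts with a timestamp
        "substring": matches(r"pure-ftpd", LOGIN_LINE),
        "anchored": matches(r"^pure-ftpd", LOGIN_LINE),
        # the corrected login rule does not fire on the download event
        "login_rule_on_download": first_group(FIXED_LOGIN, DOWNLOAD_LINE),
    }
```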