[syslog-ng][nate@campin.net: Re: Thanks for syslog-ng info]

Dale Amon amon@vnl.com
Fri, 12 Jul 2002 20:44:44 +0100


> On Fri, Jul 12, 2002 at 08:02:30PM +0100, Dale Amon wrote:
> > On Fri, Jul 12, 2002 at 10:56:41AM -0700, Nate Campi wrote:
> > > They work for me, here's one I have:
> > >
> > > filter f_ssh_login_attempt { program("sshd.*") and
> > > match("(Failed|Accepted)") and not match("Accepted (hostbased|publickey)
> > > for root from 63.198.180.27") and not match("Accepted publickey for root
> > > from 12.233.34.75"); };

> > Perhaps I've tickled a bug then. The first two don't work; the third one does.

> > # filter drop1 { not match ( "PAM_unix\[.*\]: \(cron\) session opened for user root|mail by \(uid=0\)"); };
> > # filter drop1 { not match ( "\(cron\) session opened for user root|mail by \(uid=0\)"); };
> > filter drop1 { not match ( " session opened|closed for user root|mail"); };

> > I wonder if the \ escapes of regexp metachars are causing a problem?

Nate suggested I forward to the list.
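The three `drop1` variants above differ in two ways a regex engine cares about: how `\(` and `\[` are treated, and where `|` splits the pattern. The script below is an added illustration, not part of the thread or of syslog-ng; it uses Python's `re` module as a stand-in for syslog-ng's matcher (an assumption: both treat `\(` as a literal paren and give `|` the lowest precedence, as POSIX extended regexps do) and runs each pattern over a handful of constructed log lines to show which ones a `not match(...)` filter would discard.

```python
import re

# Constructed sample log lines (not taken from the original thread).
SAMPLE_LINES = [
    "Jul 12 20:00:01 host PAM_unix[1234]: (cron) session opened for user root by (uid=0)",
    "Jul 12 20:00:02 host PAM_unix[1234]: (cron) session closed for user root",
    "Jul 12 20:00:03 host PAM_unix[1240]: (cron) session opened for user mail by (uid=0)",
    "Jul 12 20:00:04 host sshd[2001]: Failed password for root from 10.0.0.5 port 4022 ssh2",
    "Jul 12 20:00:05 host postfix/smtpd[3001]: connect from mail.example.org[10.0.0.9]",
    "Jul 12 20:00:06 host sshd[2002]: Accepted publickey for root from 10.0.0.7 port 4023 ssh2",
]

# The patterns from the thread, plus two added for comparison
# ("drop1_unescaped" and "drop1_grouped" are hypothetical, not from the thread).
FILTERS = {
    # Thread's first (commented-out) variant: escapes intact, two alternatives.
    "drop1_full": r"PAM_unix\[.*\]: \(cron\) session opened for user root|mail by \(uid=0\)",
    # Thread's second variant.
    "drop1_short": r"\(cron\) session opened for user root|mail by \(uid=0\)",
    # Thread's third variant: works, but `|` splits it into three loose alternatives.
    "drop1_loose": r" session opened|closed for user root|mail",
    # Same pattern with the backslashes removed: "(cron)" becomes a group
    # matching the bare word "cron", so the literal "(cron)" in the log no longer matches.
    "drop1_unescaped": r"(cron) session opened for user root|mail by (uid=0)",
    # Grouped form that expresses what the loose variant presumably intended.
    "drop1_grouped": r" session (opened|closed) for user (root|mail)",
}


def dropped_indices(name, lines=SAMPLE_LINES):
    """Indices of the lines a `not match(pattern)` filter would discard,
    i.e. the lines the regex matches anywhere (search, not full-line match)."""
    rx = re.compile(FILTERS[name])
    return [i for i, line in enumerate(lines) if rx.search(line)]


def alternatives(name):
    """Top-level branches the engine sees once `|` (lowest precedence) is applied.
    Only splits on bare `|`; `|` inside parentheses stays with its group."""
    pattern, depth, buf, parts = FILTERS[name], 0, "", []
    for ch in pattern:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "|" and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return parts


if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name}: drops lines {dropped_indices(name)}; branches = {alternatives(name)}")
```

Run as-is, the output shows that `drop1_loose` also discards the unrelated postfix line (index 4) because its third branch is just `mail`, while the escaped variants discard only the two cron lines they were written for and the unescaped variant discards nothing. Whether syslog-ng's `match()` sees the whole line or only part of it is not settled by this thread, so confirm any drop filter against a test source before relying on it to thin production logs.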