Trying to find out why my regex is not working

Progressed
Junior Member
Posts: 6
Joined: 20 Apr 2020, 22:34


Post by Progressed »

Hi all,

Those regexes, huh ;)

According to several regex testers this should work:

Code:

SSHD_LOG = /var/log/auth.log

The regex:

Code:

   if (($globlogs{SSHD_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ wordpress(\(.*)\).* Authentication failure for (.*) from (.*)/)) {
     $ip = $3; $website = $1; $user = $2;
     return ("Failed WordPress login from",$ip,"WP-BRUTEFORCE","5","80,443","86400");
   }

The log line that should trigger:

Code:

May  8 11:00:49 web01 wordpress(DOMAIN.COM)[19462]: Authentication failure for USER from IPADDRESS

Somehow it's not triggering. Am I that blind?
The reason for the above regex is that I want $website to be added in the return, like "Failed WordPress login at $website from" ....

OK, this is not working... so I took it down a notch. Simple...

Code:

if (($globlogs{SSHD_LOG}{$lgfile}) and ($line =~ /.*Authentication failure for .* from (.*)\n/)) {
  return ("Wordpress admin user from",$1,"WP-BRUTEFORCE","5","80,443","86400");
}

Also... nothing... Can someone shed his/her light on this?

Re: Trying to find out why my regex is not working

Post by Progressed »

ffs... my mistake.

I took a line "Authentication failure" out of the log. Only thing is that I should have used "Authentication attempt".

Isn't an attempt always a failure? I'm going to check with the plugin maker.
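
An added example, not part of the original posts or of CSF's own code: a stand-alone Perl harness for checking a custom rule's pattern against sample log lines before it goes into the firewall's regex file, which shows at a glance which message text the pattern covers. The sample lines are constructed, the layout of the "attempt" line is assumed to match the "failure" line quoted above, and `parse_wp_line` is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines (not real log data). The "attempt" line assumes the
# same layout as the "failure" line quoted in the post, with only that word changed.
my @samples = (
    'May  8 11:00:49 web01 wordpress(example.com)[19462]: Authentication failure for admin from 192.0.2.10',
    'May  8 11:00:50 web01 wordpress(example.com)[19462]: Authentication attempt for admin from 192.0.2.10',
    'May  8 11:00:51 web01 sshd[2211]: Accepted publickey for deploy from 192.0.2.20 port 50022 ssh2',
);

# Same structure as the rule in the post, with three changes:
#   - the capture starts after "(" so the website has no leading parenthesis
#   - "failure" and "attempt" are both accepted
#   - the IP is \S+ anchored at end of line instead of an open-ended .*
my $wp_re = qr/^\S+\s+\d+\s+\S+ \S+ wordpress\(([^)]*)\)\S* Authentication (?:failure|attempt) for (.*) from (\S+)$/;

# Hypothetical helper: returns (website, user, ip) on a match, empty list otherwise.
sub parse_wp_line {
    my ($line) = @_;
    chomp $line;    # tolerate lines that still carry a trailing newline
    return $line =~ $wp_re ? ($1, $2, $3) : ();
}

for my $line (@samples) {
    my ($website, $user, $ip) = parse_wp_line($line);
    if (defined $ip) {
        print "MATCH    site=$website user=$user ip=$ip\n";
    } else {
        print "NO MATCH $line\n";
    }
}
```

Replacing the constructed lines with a few lines copied from the real log file shows immediately whether the rule and the plugin's actual message text agree.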