Regex not working in custom log

abletec
Junior Member
Posts: 5
Joined: 09 Jun 2023, 21:04

Regex not working in custom log

Post by abletec »

So I'm an idiot. What can I say?

I've set my customlog1 as follows:
CUSTOM1_LOG = "/var/log/nginx/access_log"
Yes, that is the correct path.

The format looks like:
118.126.124.10 - - [16/Sep/2023:15:31:48 -0400] "HEAD /manager/html HTTP/1.1" 404 0 "-" "Python/3.6 aiohttp/3.8.3"

I'm looking for 5 404s from the same IP in the specified time period in order to give them the boot. Truthfully, if they're appearing in that log, they're not doing anything useful on the server, i.e., they're not accessing any domains, so 5 is being extraordinarily generous.

My regex, which I tested on regex101.com, looks as follows:
\"\s404\s
does not appear to trigger LFD, but regex101 matches on 404.

My entry in regex.custom.pm is:
# the pattern needs /.../ delimiters, and it has no (...) group, so $1 is empty
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /\"\s404\s/)) {
	return ("NotFound from",$1,"NotFound","5","80,443","1","0");
}

What am I missing? I'm sure I'm being stupid. I'm not all that great w/regex. Still, regex101 indicated my regex was correct, so I'm confused.

Thanks so much for any assistance. I appreciate your time.
abletec

Re: Regex not working in custom log

Post by abletec »

I did some more studying & made some changes. I guess I'll see if what I did worked. My entry in regex.pm now looks as follows:
# $1 is the client IP, $2 the request line; the pattern needs /.../ delimiters
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+)\s+\S+\s\S+\s\S+\s\S+\s"([^"]*)"\s404\s/)) {
	return ("NotFound from",$1,"NotFound","5","80,443","1","0");
}

I also made absolutely sure that /var/log/nginx/access_log was indeed being watched by CSF.
abletec

Re: Regex not working in custom log

Post by abletec »

Well, I made some additional changes, enclosing (400) and (404) in parentheses. regex101 divides the matches by IP, the irrelevant middle, and the return code correctly, but LFD doesn't seem to trigger. Unless I can come up w/something different, I guess I'll have to wait for Sergio :(. I tried. I'm officially sick of regex. I'll get over it.
Sergio
Junior Member
Posts: 1689
Joined: 12 Dec 2006, 14:56

Re: Regex not working in custom log

Post by Sergio »

Write a full log line of what you want to block and I will help you to do the regex.

Sergio
abletec

Re: Regex not working in custom log

Post by abletec »

Sergio, here is a line. Please note, though, that the length of the strings differs widely, as in this one is really long. I'm wanting to act on the return code.

As indicated, it seems from my testing that my regexp should have worked, so I'm eager for an explanation as to why it didn't. Thank you for your work w/the CSF community.

205.210.31.66 - - [25/Sep/2023:15:08:00 -0400] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xC9\xACCp\x94Qc\x14\xAD\xDB\xA8\x14\xAD\xFE,\xE9.\x81)\x85\xC4\xFA/0Ui\xCA\xBB\xEF\xA8lq\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0" 400 150 "-" "-"
Sergio

Re: Regex not working in custom log

Post by Sergio »

OK,
on that log line what are you looking for to be triggered?
Also, on that log line what do you want to receive?
abletec

Re: Regex not working in custom log

Post by abletec »

I want to block the ip after 5 400 return codes. Is that what you're asking?
Sergio

Re: Regex not working in custom log

Post by Sergio »

Yes, I wanted to know exactly what you want to do.

Here is the regex that will help you:

/(\S+)\s\-\s\-\s\[\d+\/\S+\d+\s\-\d+\]\s\"\S+\"\s400\s\d+\s\"\-\"/i
Sergio
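As an added illustration, not code from the thread and not csf's own code, the script below runs the kind of rule discussed above over constructed sample lines modelled on the two log lines posted in the thread. The pattern uses only regex syntax that Perl and Python share, so the text inside the quotes can be pasted unchanged into the /.../ of a regex.custom.pm entry. It matches the request field with "([^"]*)" instead of \S+, so that an ordinary request containing spaces (HEAD /manager/html HTTP/1.1) and the space-free TLS-handshake garbage from the 400 line both match, and it captures the status code so one rule covers 400 and 404. The `offenders` function is a simplified stand-in for lfd's own per-IP hit counting (it ignores the time window), used only to show which IP the rule would trip on; `compare_patterns` shows why the first posted pattern captures nothing for $1 and why a \S+ request field only matches requests without spaces.

```python
import re
from collections import Counter

# Pattern for the nginx "combined" log lines quoted in the thread. Perl- and
# Python-compatible, so it can go straight into the /.../ of regex.custom.pm.
# Group 1 = client IP, group 2 = request line, group 3 = status code.
ACCESS_RE = re.compile(
    r'^(\S+)\s-\s-\s\[[^\]]+\]\s"([^"]*)"\s(400|404)\s\d+\s"[^"]*"\s"[^"]*"$'
)

# The two patterns posted in the thread, kept for comparison.
POSTED_FIRST = re.compile(r'"\s404\s')   # matches, but has no (...) group for $1
POSTED_SERGIO = re.compile(
    r'(\S+)\s\-\s\-\s\[\d+\/\S+\d+\s\-\d+\]\s\"\S+\"\s400\s\d+\s\"\-\"', re.I
)

# Constructed sample input (not real traffic), modelled on the thread's lines:
# five 404s from one scanner, two 400s from a TLS probe, one legitimate 200.
SAMPLE_LINES = [
    '118.126.124.10 - - [16/Sep/2023:15:31:48 -0400] "HEAD /manager/html HTTP/1.1" 404 0 "-" "Python/3.6 aiohttp/3.8.3"',
    '118.126.124.10 - - [16/Sep/2023:15:31:49 -0400] "GET /.env HTTP/1.1" 404 0 "-" "Python/3.6 aiohttp/3.8.3"',
    '118.126.124.10 - - [16/Sep/2023:15:31:49 -0400] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Python/3.6 aiohttp/3.8.3"',
    '118.126.124.10 - - [16/Sep/2023:15:31:50 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "Python/3.6 aiohttp/3.8.3"',
    '118.126.124.10 - - [16/Sep/2023:15:31:50 -0400] "GET /admin/ HTTP/1.1" 404 0 "-" "Python/3.6 aiohttp/3.8.3"',
    r'205.210.31.66 - - [25/Sep/2023:15:08:00 -0400] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03" 400 150 "-" "-"',
    r'205.210.31.66 - - [25/Sep/2023:15:08:01 -0400] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03" 400 150 "-" "-"',
    '203.0.113.7 - - [25/Sep/2023:15:09:12 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]


def match_line(line):
    """Return (ip, status) when the rule fires on this line, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return m.group(1), int(m.group(3))


def offenders(lines, trigger=5):
    """Count matching lines per IP and return those at or above the trigger.

    Simplified stand-in for lfd's per-IP counting (no time window); it only
    shows which IPs a rule with this trigger count would act on.
    """
    hits = Counter()
    for line in lines:
        hit = match_line(line)
        if hit is not None:
            hits[hit[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= trigger}


def compare_patterns(line):
    """Show how the thread's patterns behave on a line next to ACCESS_RE."""
    first = POSTED_FIRST.search(line)
    sergio = POSTED_SERGIO.search(line)
    return {
        "first_matches": first is not None,
        # no capture group, so there is nothing for $1 even when it matches
        "first_captures_ip": bool(first and first.groups()),
        # \S+ for the request field fails on any request that contains a space
        "sergio_matches": sergio is not None,
        "ours_matches": ACCESS_RE.match(line) is not None,
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(match_line(line), compare_patterns(line))
    print(offenders(SAMPLE_LINES))
```

Run it against a real access_log by feeding the file's lines to `offenders`; if the rule fires where it should, the same pattern in the regex.custom.pm entry, with the status code's parentheses kept so that `$1` stays the IP, is what lfd will evaluate.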