Robin Atwood wrote: [snip] > Ok, I understand, by the time the second rule is applied, the proftpd header > has been stripped off. After some experimentation, I ended up with: > > SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|proftpd.* \- )(?P<message>.*) > > USERDEF_FAILED_ENTRY_REGEX=USER (?P<user>.*):.*\[(::ffff:)?(?P<host>\S+)\] > > which seems to work fine. :)
One problem with the above, you changed the sshd part, which will affect the built-in regexes: you stripped the space before the "message". I have not tested but it seems like looking for trouble. SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|proftpd.*:) (?P<message>.*) works fine with your other change. Or using something close to your change: SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|proftpd.* -) (?P<message>.*) i.e. just leave the space before the capture of the message. -- René Berber ------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone _______________________________________________ Denyhosts-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/denyhosts-user
