On Jun 11, 2010, at 3:18 PM, René Berber wrote:

> Try:
>
> SSHD_FORMAT_REGEX=.*( sshd.*:| \[sshd\]|AppleVNCServer.*:) (?P<message>.*)
>
> All in one line, a space precedes the last parenthesized part.
>
>> USERDEF_FAILED_ENTRY_REGEX=Authentication:\ FAILED.*
>> Viewer\ Address:\ (?P<host>\S+)
>
> I would try to get the user name, just in case it is available:
>
> USERDEF_FAILED_ENTRY_REGEX=Authentication: FAILED :: User Name:
> (?P<user>.*) :: Viewer Address: (?P<host>\S+) .*

This still does not appear to be catching failed VNC login attempts. From denyhosts.cfg:

SSHD_FORMAT_REGEX=.*(sshd.*:|\[sshd\]|AppleVNCServer.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=Authentication: FAILED.* :: User Name: (?P<user>.*) :: Viewer Address: (?P<host>\S+)

I also tried the " .*" at the tail end of the USERDEF entry but this didn't catch them either:

USERDEF_FAILED_ENTRY_REGEX=Authentication: FAILED.* :: User Name: (?P<user>.*) :: Viewer Address: (?P<host>\S+) .*

Here's a sample entry from secure.log:

Jul 8 10:43:29 machine /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[123]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 192.168.1.1 :: Type: VNC DES

Any ideas what I'm doing wrong?

Thanks,
-Terry
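An added diagnostic, not part of the original message or of DenyHosts itself: it runs the two patterns from the denyhosts.cfg above against the quoted secure.log entry to show what each stage captures. It assumes DenyHosts matches SSHD_FORMAT_REGEX against the whole line and then searches the `message` group with the failed-entry pattern; the function names and the `FORMAT_BOUNDED` variant are constructed for illustration.

```python
import re

# Sample secure.log entry quoted in the message above.
SAMPLE = ("Jul 8 10:43:29 machine /System/Library/CoreServices/RemoteManagement/"
          "AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[123]: "
          "Authentication: FAILED :: User Name: N/A :: "
          "Viewer Address: 192.168.1.1 :: Type: VNC DES")

# Values copied from the denyhosts.cfg in the message above.
FORMAT_AS_POSTED = r".*(sshd.*:|\[sshd\]|AppleVNCServer.*:) (?P<message>.*)"
FAILED_ENTRY = (r"Authentication: FAILED.* :: User Name: (?P<user>.*)"
                r" :: Viewer Address: (?P<host>\S+)")

# Constructed variant (an assumption, not from the thread): [^:]* cannot run
# past the first colon after the process name, so the prefix stops at "[123]:".
FORMAT_BOUNDED = r".*(sshd.*:|\[sshd\]|AppleVNCServer[^:]*:) (?P<message>.*)"


def extract_message(format_regex, line):
    """Stage 1: return what the format regex hands on as 'message', or None."""
    m = re.match(format_regex, line)
    return m.group("message") if m else None


def parse_failed_entry(format_regex, failed_regex, line):
    """Stage 2: search the extracted message; return (user, host) or None."""
    message = extract_message(format_regex, line)
    if message is None:
        return None
    m = re.search(failed_regex, message)
    return (m.group("user"), m.group("host")) if m else None


if __name__ == "__main__":
    for name, rx in (("as posted", FORMAT_AS_POSTED), ("bounded", FORMAT_BOUNDED)):
        print(name)
        print("  message   :", repr(extract_message(rx, SAMPLE)))
        print("  user, host:", parse_failed_entry(rx, FAILED_ENTRY, SAMPLE))
```

With the pattern as posted, the greedy `AppleVNCServer.*:` runs to the last colon in the line, so the failed-entry pattern never sees the "Authentication: FAILED" text.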
