[EMAIL PROTECTED] wrote:
> type=single
> desc=Illegal User Attempt
> ptype=RegExp
> pattern=\S+\s+\d+\s+\S+\s+([\w\.\-]+)\s+.+(No account present for user for illegal user)
> action=pipe '$0' /bin/mailx -s "***ALERT*** $1 SSH Illegal User" [EMAIL PROTECTED]

The pattern you are trying to use does not match the input you are giving it. Try something like the following (completely untested):

pattern=([A-z0-9._\\-]+) sshd\[[0-9]+\]: .*No account present for user for illegal user

> Mar 10 11:41:38 myhost/myhost sshd[28961]: [ID 800047 auth.error] error:
> PAM: No account present for user for illegal user user1 from host111

I think one of the issues is that your syslog instance is setting the hostname to <sysloghost>/<hostname>, which is not matching [\w\.\-]+

--
-dave
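To check a SEC pattern against a captured log line before it goes into a rule, here is an added Python harness (not from this thread) that runs the original rule's regexp and a candidate replacement against the quoted message. The candidate pattern is my own, written to accept the <sysloghost>/<hostname> form Dave points out and to also capture the rejected username and source host; it is not the pattern Dave suggested.

```python
import re

# Constructed copy of the syslog line quoted in the thread.
LOG_LINE = ("Mar 10 11:41:38 myhost/myhost sshd[28961]: [ID 800047 auth.error] "
            "error: PAM: No account present for user for illegal user user1 from host111")

# Constructed line with a plain hostname, to show the original pattern only
# fails because of the "host/host" form.
PLAIN_LINE = ("Mar 10 11:42:00 otherhost sshd[1234]: error: PAM: "
              "No account present for user for illegal user bob from 10.0.0.5")

# Pattern from the original rule: the host class [\w\.\-] has no '/', so the
# mandatory \s+ after the host field fails on "myhost/myhost".
ORIGINAL = re.compile(
    r"\S+\s+\d+\s+\S+\s+([\w\.\-]+)\s+.+(No account present for user for illegal user)")

# Candidate replacement (hypothetical): allow '/' in the host field, anchor on
# the sshd program tag, and capture the illegal username and source host so the
# alert can name them.
CANDIDATE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+([\w./-]+)\s+sshd\[\d+\]:.*"
    r"No account present for user for illegal user (\S+) from (\S+)")


def match_original(line):
    """Return the host captured by the original rule pattern, or None on no match."""
    m = ORIGINAL.search(line)
    return m.group(1) if m else None


def match_candidate(line):
    """Return (host, illegal_user, source) from the candidate pattern, or None."""
    m = CANDIDATE.search(line)
    return m.groups() if m else None


if __name__ == "__main__":
    for line in (LOG_LINE, PLAIN_LINE):
        print("original :", match_original(line))
        print("candidate:", match_candidate(line))
```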
