I am trying to keep track of users that log onto and off our FTP server
(proftpd). When they do log off I want to notify certain people by email as
to who just used the FTP server.

This would include users that uploaded files then just walked away, so that
the server eventually disconnected them after they finished uploading and
timed out. That makes extended logs unreliable (no QUIT action), so I'm
using SEC to analyze the proftpd system log, using "FTP session closed" as
the trigger. Unfortunately, this type of entry only gives the PID of the
user session not their ID. I therefore need to look back in the logs to
where they logged on (which may have been two minutes or two hours earlier)
then figure out the User ID to include in an email message.

Here's what I've cobbled together so far:

# Rule 1 - write PID and user ID at start of session
type=Single
ptype=RegExp
pattern= .+\sftp\.ourdomain\.com proftpd\[([0-9]+).+USER\s(.+)\: Login successful
desc=$0
action=write SECdata FTP START > %t PID=$1 User=$2

# Rule 2 - write PID at end of session then spawn cat of file for Rule 3
type=Single
ptype=RegExp
pattern=.+\sftp\.ourdomain\.com proftpd\[([0-9]+).+FTP session closed
desc=$0
action=write SECdata FTP END > %t PID=$1 ; assign %f $1 ; spawn /bin/cat SECdata

# Rule 3 - Check output from SECdata and create email
type=Single
ptype=RegExp
pattern=FTP START >.+PID=%f User=(.+)
desc=User $1 has logged off
action=write SECdata %t: %s #### <<< This will become an email message

As you may see, I keep track of users in an external file (SECdata) then
use spawn to read it back into SEC to figure out the USER name of that
particular PID. The problem is that the SEC variable %f is not recognized
in the RegExp pattern.

Can anyone please advise me on this? Is there some way of using SEC
variables within a pattern? Is there a better (simple) way? I'm a complete
SEC newbie... maybe you can tell!

Regards to all,

Mark.
Ottawa, Canada.
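
An added example, not part of the original post: one way to do this lookup inside SEC is to hold the PID-to-user mapping in one context per session instead of an external file, which avoids needing %f in a pattern at all. The two patterns are the ones from the post; the context prefix FTP_, the variable %user, the mail command and the recipient address are assumptions.

```conf
# Added example, not the poster's rules.
# Assumed names: context prefix FTP_, variable %user,
# mailer /usr/bin/mail, recipient ftp-admins@example.com.

# Rule 1 - at login, create a context named after the session PID and
# put the user name into that context's event store.
type=Single
ptype=RegExp
pattern= .+\sftp\.ourdomain\.com proftpd\[([0-9]+).+USER\s(.+)\: Login successful
desc=FTP login pid $1 user $2
action=create FTP_$1; add FTP_$1 $2

# Rule 2 - at session close, match only if a login was recorded for this
# PID (context=FTP_$1). Copy the stored user name into %user, delete the
# context so a reused PID starts clean, then send the notification.
type=Single
ptype=RegExp
pattern=.+\sftp\.ourdomain\.com proftpd\[([0-9]+).+FTP session closed
context=FTP_$1
desc=FTP session closed pid $1
action=copy FTP_$1 %user; delete FTP_$1; pipe '%t: User %user has logged off' /usr/bin/mail -s "FTP logoff" ftp-admins@example.com
```

The user name comes from the log and is chosen by the client, so it is passed to the mailer on standard input through pipe and never placed on the shell command line. Sessions that close without a successful login have no FTP_<pid> context, so Rule 2 does not fire for them.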