hi Mark, you can't use %<alnum> variables in patterns - these variables are accessible only from action lists. However, there is a much simpler solution to the problem you have. Provided that you want to get an e-mail message for 1) a user logout (QUIT message), 2) N seconds have elapsed since the beginning of a session without logout (QUIT), the following rule might help you:
type=PairWithWindow
ptype=RegExp
pattern=.+\sftp\.ourdomain\.com proftpd\[([0-9]+)\].+USER\s(.+)\: Login successful
desc=FTP session without QUIT pid=$1 user=$2
action=pipe '%s' mail [EMAIL PROTECTED]
ptype2=RegExp
pattern2=.+\sftp\.ourdomain\.com proftpd\[$1\].+FTP session closed
desc2=FTP session with QUIT pid=%1 user=%2
action2=pipe '%s' mail [EMAIL PROTECTED]
window=3600

Please note that I have employed the PairWithWindow rule for creating an association between login and logout messages -- this rule executes 'action' if no logout has been observed for a login in a 1-hour window, and executes 'action2' if a logout was observed after the login within the 1-hour window. Also, I have used the %2 variable for fetching the user ID from the login message and using it in 'action2' (%<number> variables are specific to Pair* rules and help to pass data from the first regular expression to the second).

hth,
risto

> I am trying to keep track of users that log onto and off our FTP server
> (proftpd). When they do log off I want to notify certain people by email as
> to who just used the FTP server.
>
> This would include users that uploaded files then just walked away, so that
> the server eventually disconnected them after they finished uploading and
> timed out. That makes extended logs unreliable (no QUIT action), so I'm
> using SEC to analyze the proftpd system log, using "FTP session closed" as
> the trigger. Unfortunately, this type of entry only gives the PID of the
> user session, not their ID. I therefore need to look back in the logs to
> where they logged on (which may have been two minutes or two hours earlier)
> and then figure out the User ID to include in an email message.
> Here's what I've cobbled together so far:
>
> # Rule 1 - write PID and user ID at start of session
> type=Single
> ptype=RegExp
> pattern=.+\sftp\.ourdomain\.com proftpd\[([0-9]+).+USER\s(.+)\: Login successful
> desc=$0
> action=write SECdata FTP START %t PID=$1 User=$2
>
> # Rule 2 - write PID at end of session then spawn cat of file for Rule 3
> type=Single
> ptype=RegExp
> pattern=.+\sftp\.ourdomain\.com proftpd\[([0-9]+).+FTP session closed
> desc=$0
> action=write SECdata FTP END %t PID=$1 ; assign %f $1 ; spawn /bin/cat SECdata
>
> # Rule 3 - Check output from SECdata and create email
> type=Single
> ptype=RegExp
> pattern=FTP START .+PID=%f User=(.+)
> desc=User $1 has logged off
> action=write SECdata %t: %s #### <<< This will become an email message
>
> As you may see, I keep track of users in an external file (SECdata), then
> use spawn to read it back into SEC to figure out the USER name of that
> particular PID. The problem is that the SEC variable %f is not recognized
> in the RegExp pattern.
>
> Can anyone please advise me on this? Is there some way of using SEC
> variables within a pattern? Is there a better (simple) way? I'm a complete
> SEC newbie... maybe you can tell!
>
> Regards to all,
>
> Mark.
> Ottawa, Canada.
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
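The PairWithWindow rule above hinges on two details: pattern2 is keyed on the PID that pattern captured ($1 is substituted into pattern2 before it is matched), and desc2/action2 reach back to the login's match groups through %1/%2. As an added example, not code from this thread or from SEC itself, the following Python replays that correlation over a few constructed proftpd syslog lines. The hostname, PIDs, user names, client address and timestamps are made up, the year is assumed (syslog lines carry none), and the print in main stands in for the rule's 'pipe ... mail' action.

```python
"""Simulate SEC's PairWithWindow correlation for the proftpd login/close rule.

Added example, not code from the thread or from SEC itself. Hostname, PIDs,
user names, client address and timestamps in SAMPLE_LOG are constructed, and
the year is assumed (syslog lines do not carry one).
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# The same regexps as in the PairWithWindow rule: group 1 is the proftpd PID
# ($1, reused in pattern2 to key the pairing), group 2 is the user name ($2).
LOGIN_RE = re.compile(r".+\sftp\.ourdomain\.com proftpd\[([0-9]+)\].+USER\s(.+)\: Login successful")
CLOSE_RE = re.compile(r".+\sftp\.ourdomain\.com proftpd\[([0-9]+)\].+FTP session closed")
WINDOW = 3600  # window=3600 in the rule


def syslog_time(prefix: str) -> datetime:
    """Parse the 15-character syslog timestamp ("Mar 10 10:00:00"); year 2008 is assumed."""
    return datetime.strptime(prefix[:15], "%b %d %H:%M:%S").replace(year=2008)


def correlate(lines: List[str], window: int = WINDOW,
              end_time: Optional[datetime] = None) -> List[Tuple[str, str, str]]:
    """Replay log lines and return the actions SEC would fire, in order.

    ("no_quit", pid, user): 'action'  - window expired with no close for this login
    ("closed",  pid, user): 'action2' - close seen within the window; pid and user
                                        come from the login match, like %1/%2 in desc2
    """
    pending: Dict[str, Tuple[datetime, str]] = {}  # pid -> (deadline, user)
    results: List[Tuple[str, str, str]] = []

    def expire(now: datetime) -> None:
        # SEC expires operations on its own timer; here we do it whenever time advances.
        for pid, (deadline, user) in sorted(pending.items(), key=lambda kv: kv[1][0]):
            if deadline <= now:
                results.append(("no_quit", pid, user))
                del pending[pid]

    for line in lines:
        now = syslog_time(line)
        expire(now)
        m = LOGIN_RE.match(line)
        if m:
            pid, user = m.group(1), m.group(2)
            # pattern matched: start an operation keyed on the PID. While it is
            # active, further events matching pattern for the same key are ignored.
            pending.setdefault(pid, (now + timedelta(seconds=window), user))
            continue
        m = CLOSE_RE.match(line)
        if m and m.group(1) in pending:
            # pattern2 (with $1 already substituted) only fires for a PID whose
            # operation is active; a close for an unknown PID is simply ignored.
            _, user = pending.pop(m.group(1))
            results.append(("closed", m.group(1), user))

    if end_time is not None:
        expire(end_time)  # let the simulated clock run on after the last line
    return results


def _line(ts: str, pid: int, msg: str) -> str:
    # Constructed proftpd syslog line in the shape the patterns expect.
    return f"{ts} ftp.ourdomain.com proftpd[{pid}] ftp.ourdomain.com (client.example.net[192.0.2.10]): {msg}"


SAMPLE_LOG = [
    _line("Mar 10 09:59:00", 999, "FTP session closed."),             # close with no login: ignored
    _line("Mar 10 10:00:00", 1234, "USER alice: Login successful."),
    _line("Mar 10 10:15:00", 1234, "FTP session closed."),            # -> action2 for alice
    _line("Mar 10 10:20:00", 1300, "USER bob: Login successful."),    # never closes; expires at 11:20
    _line("Mar 10 11:30:00", 1400, "USER carol: Login successful."),  # bob's 'action' fires first
    _line("Mar 10 11:45:00", 1400, "FTP session closed."),            # -> action2 for carol
]

if __name__ == "__main__":
    for kind, pid, user in correlate(SAMPLE_LOG):
        # Stand-in for 'pipe %s mail ...': the text SEC would put in the message body
        label = "without" if kind == "no_quit" else "with"
        print(f"FTP session {label} QUIT pid={pid} user={user}")
```

Running it yields one line per session: alice and carol report "with QUIT" because their close arrived inside the hour, bob reports "without QUIT" because his window ran out while the log moved on to carol's login. The `end_time` parameter exists because, unlike SEC, a replay has no timer of its own: without it, a login whose window has not yet elapsed at the last log line stays pending and produces nothing.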