Hello. I am a beginner with SEC and have read lots of the tutorials. I
have a few questions and a sample problem. I hope someone can help.
First off, when a rule is entered as such:
pattern=[INFO] (.+)@domain.com is now logged in
does SEC look for any match within the string or must it match the
string perfectly?
The reason I'm asking is I have log files that look like this in
/var/log/messages:
Mar 3 18:36:43 who pure-ftpd: ([email protected]) [INFO] [email protected] is now logged in
Mar 3 18:33:37 who pure-ftpd: ([email protected]@546.45.55.321) [NOTICE] /home/domain/public_html/admin-backup//Client-contacts.xls downloaded (10112 bytes, 116344.81KB/sec)
and I want alerts sent to me via email when either 1) someone FTPs to the
account, or 2) downloads a file via FTP.
and I have two separate .cfg files that I want to match on (although I'm
struggling to find out how I can have one .cfg file for two separate
rules -- haven't figured out how to do that yet). Anyway, the rules.cfg
file has:
type=Single
ptype=RegExp
pattern=(admin-backup)@domain.com is now logged in
desc=successful FTP login for account $1
action=pipe '$0' /bin/mail -s "$1 logged in! " [email protected]
and rules-download.cfg has:
type=Single
ptype=RegExp
pattern=[NOTICE](.) downloaded
desc=successful FTP download
action=pipe '$0' /bin/mail -s "FTP download!" [email protected]
Although these rules do indeed send emails, an email is sent saying
someone has logged in when they are downloading, and that is not the
intent, despite having [NOTICE] as the pattern in the rules-download.cfg
file.
I can't seem to stop the rules.cfg pattern from triggering the
rules-download.cfg intent.
Any help in understanding much appreciated.
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
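To see what the posted pattern= lines actually match, here is an added Python emulation of SEC's per-line RegExp test (not SEC itself, which is Perl; for these constructs Python's re behaves the same). The two sample lines are constructed after the post's entries, with a made-up user, host and IP, and each pattern as posted is shown beside a version with its regex metacharacters escaped.

```python
import re

# Constructed sample lines modelled on the pure-ftpd entries in the post
# (user name, host and IP address are made up; the post's were redacted).
LOGIN_LINE = ("Mar 3 18:36:43 who pure-ftpd: (?@192.0.2.10) [INFO] "
              "admin-backup@domain.com is now logged in")
DOWNLOAD_LINE = ("Mar 3 18:33:37 who pure-ftpd: (admin-backup@domain.com@192.0.2.10) "
                 "[NOTICE] /home/domain/public_html/admin-backup//Client-contacts.xls "
                 "downloaded (10112 bytes, 116344.81KB/sec)")

# Patterns exactly as written in the post (pattern= lines, ptype=RegExp).
# In a regex, [INFO] is a character class matching ONE of I, N, F or O,
# and an unescaped . matches any single character.
AS_POSTED = {
    "login-info": r"[INFO] (.+)@domain.com is now logged in",
    "login":      r"(admin-backup)@domain.com is now logged in",
    "download":   r"[NOTICE](.) downloaded",
}

# Same intent with the brackets and dots escaped so they match literally;
# \S+ captures the downloaded path instead of a single arbitrary character.
ESCAPED = {
    "login-info": r"\[INFO\] (.+)@domain\.com is now logged in",
    "login":      r"(admin-backup)@domain\.com is now logged in",
    "download":   r"\[NOTICE\] (\S+) downloaded",
}


def match_rules(rules, line):
    """Emulate a Single rule's RegExp test: an unanchored search anywhere in
    the line (like Perl's =~). Returns {rule name: $1} for each rule that fires."""
    fired = {}
    for name, pattern in rules.items():
        m = re.search(pattern, line)
        if m:
            fired[name] = m.group(1) if m.groups() else m.group(0)
    return fired


if __name__ == "__main__":
    for label, line in (("login line", LOGIN_LINE), ("download line", DOWNLOAD_LINE)):
        print(label)
        print("  as posted:", match_rules(AS_POSTED, line))
        print("  escaped:  ", match_rules(ESCAPED, line))
```

The unescaped [INFO] and [NOTICE] patterns never fire on these lines, while the escaped forms fire on exactly the intended line and capture the account or path for $1; since the test is a substring search, a pattern only needs to occur somewhere in the line, not match it whole. Several rules can also live in one .cfg file: SEC separates rule definitions with empty lines.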