
Regex to match authentication failures in /var/log/secure


I'm trying to match strings in /var/log/secure with a regex to find out whether there is an SSH authentication failure.

If there is an authentication failure it will look like this in the log file:

Oct 31 07:52:41 logserver sshd[17041]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost

I tried to do something like this:

"\\<sshd[^:]*: pam_unix(sshd:auth): authentication failure; ./* \\>"

But it doesn't work. I'd appreciate it if someone could help me with the regular expression.

This is on a CentOS 7 machine and the regex is for collectd's plugin tail.


Solution

  • In the collectd .conf you could likely use one of the following:

    <Plugin "tail">
      <File "/var/log/secure">
        ...
        <Match>

    Option 1:

        Regex "authentication failure"

    Option 2:

        Regex "sshd:auth[^:]*: authentication failure;"

    Option 3:

        Regex "authentication failure|authentication|failure"

        </Match>
      </File>
    </Plugin>

    Options 1 and 2 should be the most precise for matching, and option 3 the most general. Option 1 finds the exact phrase "authentication failure", option 2 finds the exact phrase with "(sshd:auth):" preceding it, and option 3 finds the exact phrase or "authentication" or "failure".
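To see how the three suggested patterns differ, and why the regex from the question cannot match, here is an added example (not part of the question or the answer above) that runs each pattern with `grep -E` over a constructed sample of /var/log/secure lines. `grep -E` compiles POSIX extended regular expressions, the same dialect collectd's tail plugin uses, so the match counts carry over to the collectd config. The sample log lines are constructed for this example and are not real log data.

```shell
#!/bin/sh
# Added example; not collectd code and not from the original post.
# Constructed sample of /var/log/secure lines (not real log data):
#   1. sshd PAM failure (the line from the question)
#   2. sshd "Failed password" line, logged by sshd itself rather than pam_unix
#   3. successful sshd login
#   4. sudo PAM failure, same pam_unix wording but not sshd
#   5. sshd PAM error with a capitalised "Authentication"
SAMPLE_LOG='Oct 31 07:52:41 logserver sshd[17041]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Oct 31 07:52:45 logserver sshd[17041]: Failed password for root from 127.0.0.1 port 51234 ssh2
Oct 31 07:53:02 logserver sshd[17050]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2
Oct 31 07:53:10 logserver sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice
Oct 31 07:53:20 logserver sshd[17041]: error: PAM: Authentication failure for root from localhost'

# count_matches REGEX: prints how many sample lines the POSIX ERE matches.
# grep -c still prints 0 on no match but exits 1, hence the "|| true".
count_matches() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Ec -- "$1" || true
}

# The three options from the answer.
OPT1='authentication failure'
OPT2='sshd:auth[^:]*: authentication failure;'
OPT3='authentication failure|authentication|failure'

# The regex from the question. In ERE an unescaped "(" opens a group, so
# "pam_unix(sshd:auth)" matches the text "pam_unixsshd:auth", which never
# appears in the log; the pattern therefore matches nothing.
ASKED='\<sshd[^:]*: pam_unix(sshd:auth): authentication failure; ./* \>'

# Same intent with the brackets and parentheses escaped, so they are literal.
# (Hypothetical pattern added for this example.)
FIXED='sshd\[[0-9]+\]: pam_unix\(sshd:auth\): authentication failure;'

main() {
    for name in OPT1 OPT2 OPT3 ASKED FIXED; do
        eval "pattern=\$$name"
        printf '%-6s matches %s line(s)\n' "$name" "$(count_matches "$pattern")"
    done
}

# Only run the report when executed directly, not when sourced by a test.
case "$0" in
    *sh) ;;
    *) main ;;
esac
```

Expected counts: option 1 matches 2 lines (the sshd failure and the sudo failure, since it is not tied to sshd), option 2 matches only the sshd failure, option 3 matches 3 lines (it also picks up the capitalised "Authentication failure" line through the bare word "failure"), the question's regex matches 0, and the escaped version matches 1. None of the patterns match the sshd "Failed password" line, so a separate Match with a Regex for that text is needed if you want to count failures that do not go through pam_unix. Note also that each `<Match>` in collectd's tail plugin needs a `DSType` and a `Type` (for example `DSType "CounterInc"` and `Type "counter"`) to turn the matches into a metric; the answer's `...` stands in for those.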