Update oracleims.conf to be 'less greedy'

This assumes that the protocol is always a string, which it always is, and that the other four fields in the "tr" are always numeric (which they always are). See port_access documentation at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
2014-06-09 18:44:27 -07:00 · 2014-06-09 18:44:27 -07:00 · 5165d2f6ea
parent c325e88634
commit 5165d2f6ea
1 changed files with 3 additions and 1 deletions
--- a/config/filter.d/oracleims.conf
+++ b/config/filter.d/oracleims.conf
@ -45,12 +45,14 @@ before = common.conf
 # mi="Bad password"
 # us="01ko8hqnoif09qx0np@imap.opus1.com"
 # di="535 5.7.8 Bad username or password (Authentication failed)."/>
+# Format is generally documented in the PORT_ACCESS mapping 
+# at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
 #
 # All that would be on one line.
 # Note that you MUST have LOG_FORMAT=4 for this to work!
 #

-failregex = ^.*tr=".*\|.*\|\d+\|<HOST>\|\d+" .+ Bad username or password.*"/>$
+failregex = ^.*tr="[A-Z]+\|[0-9.]+\|\d+\|<HOST>\|\d+" .+ Bad username or password.*"/>$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.