From ee497ff1cbc4ca555db819285f81892a5d5a0d00 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Tue, 17 Sep 2013 07:57:19 +1000
Subject: [PATCH] ENH: filter mysqld-auth can be a is a syslog based service so anchor it using syslog prefix

---
 ChangeLog | 1 +
 config/filter.d/mysqld-auth.conf | 5 +++--
 testcases/files/logs/mysqld-auth | 5 +++++
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 2001158b..de0d6517 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -68,6 +68,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests and extra failure examples in sample logs * filter.d/apache-auth - added expressions for mod_authz, mod_auth and mod_auth_digest failures. + * filter.d/mysqld-auth.conf - mysql can use syslog Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий * filter.d/exim.conf -- regex hardening and extra failure examples in sample logs
diff --git a/config/filter.d/mysqld-auth.conf b/config/filter.d/mysqld-auth.conf
index 197c8232..64dd16ed 100644
--- a/config/filter.d/mysqld-auth.conf
+++ b/config/filter.d/mysqld-auth.conf
@@ -13,7 +13,7 @@ before = common.conf
 
 [Definition]
 
-#_daemon = mysqld
+_daemon = mysqld
 
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile. The
@@ -22,7 +22,8 @@ before = common.conf
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 # 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
-failregex = Access denied for user '\w+'@'' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
+#
+failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
 
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/testcases/files/logs/mysqld-auth b/testcases/files/logs/mysqld-auth
index 757ecb66..ce35d740 100644
--- a/testcases/files/logs/mysqld-auth
+++ b/testcases/files/logs/mysqld-auth
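Review bot: The user name in the new failregex is still restricted to `'\w+'`, so an access-denied line for an account whose name contains a character outside `\w` (a dot or a dash, for instance) does not match and that failure is never counted, whatever prefix the line carries; replacing `'\w+'` with `'[^']+'` keeps the rest of the pattern intact and covers those names. The optional `(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?` group presumably exists because mysqld's own stamp remains in the line once the date has been taken from the syslog prefix, which the comment block above the line could record, e.g. `# mysqld prints its own 'YYMMDD HH:MM:SS' stamp; it stays in the line when the date comes from the syslog prefix, hence the optional group`. The host tag between the second pair of quotes appears to have been lost in the rendering of this patch and is read here as the usual `<HOST>` placeholder; the point above stands regardless.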
@@ -10,3 +10,8 @@
 130324 19:01:39 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: NO)
 # failJSON: { "time": "2013-03-24T19:01:40", "match": true , "host": "61.147.108.35" }
 130324 19:01:40 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: YES)
+# failJSON: { "time": "2013-09-16T21:30:26", "match": true , "host": "74.207.241.159" }
+Sep 16 21:30:26 catinthehat mysqld: 130916 21:30:26 [Warning] Access denied for user 'hacker'@'74.207.241.159' (using password: YES)
+# failJSON: { "time": "2013-09-16T21:30:32", "match": true , "host": "74.207.241.159" }
+Sep 16 21:30:32 catinthehat mysqld: 130916 21:30:32 [Warning] Access denied for user 'hacker'@'74.207.241.159' (using password: NO)
+
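Review bot: Both added sample lines carry mysqld's own `130916 21:30:26`-style stamp after the syslog prefix, so the branch of the new failregex in which that optional stamp group is empty behind a syslog prefix has no sample in this file. If mysqld can emit syslog lines without the inner stamp (this patch does not say), a constructed sample such as `Sep 16 21:30:40 catinthehat mysqld: [Warning] Access denied for user 'hacker'@'74.207.241.159' (using password: NO)` with a matching `# failJSON:` entry would pin that path; otherwise a one-line comment stating that the inner stamp is always present would document the assumption the regex relies on. The trailing empty line added at the end of the hunk is harmless but easy to drop.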