Having some difficulty getting this to work for successfulloginregex

      <LogFile>

        <Source>FTP</Source>
        <PathAndMask>C:/Program Files/FileZilla Server/Logs/filezilla-server.log</PathAndMask>
        <FailedLoginRegex>
          <![CDATA[
            (?<timestamp>\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d).+<<\s\[FTP\sSession\s.*\s(?<ipaddress>.+)]\s530\sLogin\sincorrect
          ]]>
        </FailedLoginRegex>
        <SuccessfulLoginRegex>
          <![CDATA[
            (?<timestamp>\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d).*\s(?<ipaddress>.+)\s(?<username>.+)]\s230
          ]]>
        </SuccessfulLoginRegex>
        <PlatformRegex>Windows</PlatformRegex>
        <PingInterval>10000</PingInterval>
        <MaxFileSize>0</MaxFileSize>
        <FailedLoginThreshold>0</FailedLoginThreshold>

      </LogFile>

I get this in logs

2022-04-17 00:08:57.1527|INFO|DigitalRuby.IPBanCore.Logger|Parsing as IP failed, checking dns '2022-04-17T04:08:49.329Z >> [FTP Session 39 123.123.123.123] PASS ****'
2022-04-17 00:08:57.1527|INFO|DigitalRuby.IPBanCore.Logger|Parsing as dns failed '2022-04-17T04:08:49.329Z >> [FTP Session 39 123.123.123.123] PASS ****'
2022-04-17T03:31:41.170Z << [FTP Session 38 123.123.123.123] 331 Please, specify the password.
2022-04-17T03:31:41.220Z >> [FTP Session 38 123.123.123.123] PASS ****
2022-04-17T03:31:41.283Z << [FTP Session 38 123.123.123.123 username] 230 Login successful.

Regex101 has highlighted the issue for me: it seems the regex engine used here is matching previous lines and not just single lines… How do I rectify this? I had to add more to the ‘failedloginregex’ to get this issue to go away, but I cannot seem to do anything to resolve this with successfulloginregex. Any input is much appreciated.

Issue Analytics

  • State:closed
  • Created a year ago
  • Comments:8 (5 by maintainers)
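
The cross-line match described in the question can be reproduced outside IPBan; the block below is an added example, not part of the original issue and not the project's recipe. It assumes the pattern is applied to a buffer holding several log lines, and it uses JavaScript because it accepts the same `(?<name>…)` group syntax. `tightenedPattern`, `extractLogin` and `looksLikeIPv4` are hypothetical names.

```javascript
// Constructed log excerpt with the same line shapes as the lines in the post.
const sampleLog = [
  "2022-04-17T03:31:41.170Z << [FTP Session 38 123.123.123.123] 331 Please, specify the password.",
  "2022-04-17T03:31:41.220Z >> [FTP Session 38 123.123.123.123] PASS ****",
  "2022-04-17T03:31:41.283Z << [FTP Session 38 123.123.123.123 username] 230 Login successful.",
].join("\n");

// Pattern from the post, unchanged. "." stops at a newline but "\s" does not,
// so each "\s" can step onto the next line and a ".+" group can hold a whole line.
const postedPattern =
  /(?<timestamp>\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d).*\s(?<ipaddress>.+)\s(?<username>.+)]\s230/;

// Tightened pattern (an assumption for illustration, not the project's recipe):
// literal spaces instead of "\s", and classes that exclude whitespace and "]".
const tightenedPattern =
  /(?<timestamp>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\S* << \[FTP Session \d+ (?<ipaddress>[^\s\]]+) (?<username>[^\]\r\n]+)\] 230 /;

// Run a pattern over text and return the named groups plus the match offset.
function extractLogin(pattern, text) {
  const m = pattern.exec(text);
  if (!m) return null;
  const { timestamp, ipaddress, username } = m.groups;
  return { index: m.index, timestamp, ipaddress, username };
}

// Minimal IPv4 check standing in for the IP parsing step that fails in the post's log.
function looksLikeIPv4(s) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(s) && s.split(".").every((o) => Number(o) <= 255);
}

const lastLine = sampleLog.split("\n")[2];
for (const [label, pattern, text] of [
  ["posted, one line", postedPattern, lastLine],
  ["posted, three lines", postedPattern, sampleLog],
  ["tightened, three lines", tightenedPattern, sampleLog],
]) {
  const hit = extractLogin(pattern, text);
  console.log(label, "->", JSON.stringify(hit.ipaddress), looksLikeIPv4(hit.ipaddress));
}
```

On the three-line buffer the posted pattern starts matching on the 331 line and puts the entire PASS line into `ipaddress`, which has the same shape as the value in the "Parsing as IP failed" messages above.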

Top GitHub Comments

jjxtra commented, Apr 17, 2022 (1 reaction)

I updated the recipe

kimboslice99 commented, Apr 25, 2022 (0 reactions)

@jjxtra Not sure if I should open a new issue, but how can I exclude IIS from event 4625 failed logins?

I have some sites with basic auth on IIS, but I’m using Cloudflare’s proxy, which uses the CF-Connecting-IP header to log the real client IP address… I’ve tried changing the inbound header in IIS (URL rewrite) like so:

<set name="HTTP_X_REAL_IP" value="{HTTP_CF_CONNCTING_IP}" />

I’ve also tried X-Forwarded-For and X-Client-IP, but this doesn’t seem to work here. I suppose what’s being logged in the event logger is before the URL rewrite can get to it, so I’d like to exclude IIS so I can use the log instead.

Edit: would this be the right way to exclude IIS?

[^c:\\Windows\\System32\\inetsrv\\w3wp.exe]