Fail2ban Filter for Dovecot regarding SSL attempt

Discussion in 'Server Operation' started by Jeremy Smith, Mar 26, 2019.

  1. Jeremy Smith

    Jeremy Smith New Member

    Hi there (hope I have put a decent, accurate title on this post),
    Just trying to go back through some old work with regexes really and was almost at the stage of wanting to pull my hair out thinking where to start with this one. I'll get right to it though: I have a lot of entries like this in my CentOS 6 server's maillog file:
    Code:
    pop3-login: Disconnected (no auth attempts): rip=192.168.2.7, lip=192.168.0.6, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
    What I wanted it to do is block, just for argument's sake, 192.168.2.7. I was just considering doing it where I just literally put it all in and then use the following (replacing the two IP addresses with variability):
    Code:
    ^%(__prefix_line)spop3-login: Disconnected (no auth attempts): rip=<HOST>(?:, lip=\S+)?, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
    
    Is there any good way of checking if this actually would work, or any better way of writing this regex?
     
  2. Jeremy Smith

    Jeremy Smith New Member

    Or rather, to correct myself, something like:
    Code:
    (?:pop3|imap)-login: Disconnected (no auth attempts): rip=<HOST>(?:, lip=\S+)?, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
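
One way to check a failregex like the ones posted above before deploying it, as an added example that is not part of the original thread: Python's `re` module (the engine fail2ban itself uses) runs the pattern as posted and a variant with the literal parentheses escaped against the log line from the first post. The `HOST` expansion is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, and the syslog prefix and extra log lines are constructed.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real expansion also covers IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

TAIL = (r"rip=<HOST>(?:, lip=\S+)?, TLS handshaking: SSL_accept{p} failed: "
        r"error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher")

# Pattern from the second post, unchanged: "(" and ")" are regex groups here.
AS_POSTED = (r"(?:pop3|imap)-login: Disconnected (no auth attempts): "
             + TAIL.format(p="()"))

# Same pattern with the parentheses escaped so they match literal characters.
ESCAPED = (r"(?:pop3|imap)-login: Disconnected \(no auth attempts\): "
           + TAIL.format(p=r"\(\)"))

# Constructed sample lines: the log entry from the first post with a typical
# syslog prefix, an imap variant, and a normal login that must not match.
ERR = ("TLS handshaking: SSL_accept() failed: "
       "error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher")
LINES = [
    "Mar 26 10:15:01 mail dovecot: pop3-login: Disconnected "
    "(no auth attempts): rip=192.168.2.7, lip=192.168.0.6, " + ERR,
    "Mar 26 10:15:09 mail dovecot: imap-login: Disconnected "
    "(no auth attempts): rip=203.0.113.9, lip=192.168.0.6, " + ERR,
    "Mar 26 10:16:30 mail dovecot: pop3-login: Login: user=<alice>, "
    "method=PLAIN, rip=192.168.2.7, lip=192.168.0.6, TLS",
]


def find_host(failregex, line):
    """Return the address the pattern would capture, or None on no match."""
    match = re.search(failregex.replace("<HOST>", HOST), line)
    return match.group("host") if match else None


def hosts_matched(failregex, lines=LINES):
    """Run the pattern over every sample line; one result per line."""
    return [find_host(failregex, line) for line in lines]


if __name__ == "__main__":
    for name, rx in (("as posted", AS_POSTED), ("escaped", ESCAPED)):
        print(f"{name:10} -> {hosts_matched(rx)}")
```

On the server itself, fail2ban ships a `fail2ban-regex` tool that runs a filter against a real log file in the same way.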
     
