The trick is in the syntax...
throttle threshold 4:60
Example:
watchfor /.*/ and /$ssh_regex/
    echo
    throttle threshold 4:60
    exec "iptables -I INPUT 1 -s $1 -p tcp --dport 22 -j droplog"
TaO
Kelly Brown wrote:
> Hello all:
>
> I'm trying to set up some swatch alerts that use throttling. I can
> not get it to work.
>
> perlcode my $sa_regex = 'smtp1\.corp.* Service unavailable';
> watchfor /$sa_regex/
>     echo
>     throttle 0:10:00,use=$sa_regex
>
> I've also tried this: throttle threshold=5:120,repeat=no
>
> It also does not work. I get an alert for every message.
>
> I've read in various places that Throttle.pm is broken and in other
> places that it was fixed. I'm running 3.1.1-2 from a debian package.
>
> Does anybody know if this thing is supposed to work? I don't want to
> keep banging my head on it if it's known not to work.
>
> Thx
> -K
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>LogAnalysis mailing list
>LogAnalysis@private
>http://lists.shmoo.com/mailman/listinfo/loganalysis
>
>
This archive was generated by hypermail 2.1.3 : Sat Mar 25 2006 - 19:37:20 PST
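
The 4:60 threshold from the reply above, read here as "act once when one source produces 4 matching lines within 60 seconds" and applied to constructed sshd lines; this is an added example, not code from the thread or from swatch's Throttle.pm. SSH_REGEX, parse_ts, threshold_hits and drop_rule are hypothetical names, the year is assumed because syslog stamps carry none, and the reply's iptables rule is built as an argv list with the captured source validated as an IP address rather than interpolated into a shell string.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines (documentation address ranges), not taken from the thread.
SAMPLE_LOG = """\
Mar 25 19:30:01 gw sshd[101]: Failed password for root from 192.0.2.10 port 4001 ssh2
Mar 25 19:30:02 gw sshd[102]: Failed password for invalid user test from 198.51.100.7 port 5001 ssh2
Mar 25 19:30:05 gw sshd[103]: Failed password for root from 192.0.2.10 port 4002 ssh2
Mar 25 19:30:09 gw sshd[104]: Failed password for root from 192.0.2.10 port 4003 ssh2
Mar 25 19:30:20 gw sshd[105]: Failed password for root from 192.0.2.10 port 4004 ssh2
Mar 25 19:31:30 gw sshd[107]: Failed password for invalid user test from 198.51.100.7 port 5002 ssh2
Mar 25 19:33:00 gw sshd[108]: Failed password for invalid user test from 198.51.100.7 port 5003 ssh2
Mar 25 19:34:10 gw sshd[109]: Failed password for invalid user test from 198.51.100.7 port 5004 ssh2
Mar 25 19:34:30 gw sshd[110]: Accepted password for admin from 192.0.2.10 port 4006 ssh2
""".splitlines()

# Hypothetical stand-in for the reply's $ssh_regex; group 1 is the source field.
SSH_REGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def parse_ts(line, year=2006):
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def threshold_hits(lines, count=4, seconds=60):
    """Return (time, source) each time one source reaches `count` matches
    within `seconds`; the window is cleared after firing so a burst acts once."""
    recent, hits = defaultdict(deque), []
    for line in lines:
        m = SSH_REGEX.search(line)
        if not m:
            continue
        src, ts = m.group(1), parse_ts(line)
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()  # drop matches older than the window
        if len(window) >= count:
            hits.append((ts, src))
            window.clear()
    return hits

def drop_rule(src):
    """Build the reply's iptables rule as an argv list (no shell), refusing
    any captured text that is not a literal IP address."""
    addr = str(ipaddress.ip_address(src))  # raises ValueError otherwise
    return ["iptables", "-I", "INPUT", "1", "-s", addr,
            "-p", "tcp", "--dport", "22", "-j", "droplog"]
```

Only the 192.0.2.10 burst crosses the threshold; the 198.51.100.7 failures are spaced more than 60 seconds apart and never accumulate four matches in one window.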