Hi guys!

I am building a cPanel plugin that allows a customer to define from which country a user can access the following services:

- cPanel / Webmail
- FTP
- SFTP, SSH

I built a daemon that monitors the logs in real time to find the first successful access from a given IP, checks the country, and denies or allows access to the service.

I finished the plugin and it works fine, but I have a problem checking the first successful access from a given IP to cPanel / Webmail.

With FTP and SSH it is really simple: using "grep" on the log I can locate the first access, for example for SSH:

Code:
tail -F /var/log/secure | grep "Accepted"
And I obtain:

Code:
May 21 09:11:04 server sshd[233588]: Accepted password for USER from IP port 4970 ssh2
But this is difficult with cPanel / Webmail access: I cannot filter the first successful access after login. I want to minimize the number of checks to reduce the resource usage of this daemon.

I am using:

Code:
tail -F /usr/local/cpanel/logs/access_log \
  | egrep --line-buffered "HTTP\/1.(1|0)\" 200 0" \
  | egrep -v --line-buffered "127\.0\.0\.1|root" \
  | egrep -v --line-buffered "\.jpg|\.gif|\.css|\.js|\.png|\.ico"
I think this covers all possible access attempts, but I get too many duplicate records for the same IP.

I want to avoid making further checks if the user has already been accepted and passed the first check, but without relying on a database or similar; I'd do the same as for the other services, filtering logs.

Any ideas to reduce the number of records to verify?

P.S.: I hope I explained it well; sorry for my bad English.

Thanks!
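One way to collapse the duplicate records per IP without a database, as an added example that is not the poster's code: keep the same three filters from the pipeline above inside a single awk program and let awk remember which IPs it has already emitted, so only the first matching line per IP reaches the country check. It assumes the client IP is the first space-separated field and the user name the third (a hypothetical access_log layout; the sample lines are constructed, so compare them against a real line before relying on the field numbers).

```shell
#!/bin/sh
# Example added to this thread, not code from the original post or from cPanel.
# Assumptions: field 1 = client IP, field 3 = user (hypothetical log layout).

# Constructed sample of what the tail -F pipeline might see (not real log data).
SAMPLE_LOG='203.0.113.5 - alice [21/05/2019:09:11:04 -0000] "POST /login/?login_only=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-" 2083
203.0.113.5 - alice [21/05/2019:09:11:05 -0000] "GET /cpsess123/frontend/paper_lantern/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-" 2083
203.0.113.5 - alice [21/05/2019:09:11:05 -0000] "GET /cpsess123/styled/basic/favicon.ico HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-" 2083
127.0.0.1 - root [21/05/2019:09:11:06 -0000] "GET /json-api/version HTTP/1.1" 200 0 "-" "curl" "-" "-" 2087
198.51.100.7 - bob [21/05/2019:09:12:00 -0000] "POST /login/?login_only=1 HTTP/1.0" 200 0 "-" "Mozilla/5.0" "-" "-" 2083
198.51.100.7 - bob [21/05/2019:09:12:01 -0000] "GET /cpsess456/frontend/paper_lantern/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-" 2083
203.0.113.5 - alice [21/05/2019:09:15:00 -0000] "GET /cpsess123/frontend/paper_lantern/mail/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-" 2083'

# first_hit_per_ip: reads log lines on stdin and prints only the first line
# that passes the filters for each client IP; every later line from that IP
# is dropped, so the country lookup behind it runs once per IP.
first_hit_per_ip() {
    awk '
        # Same filter as the original pipeline: successful responses with an empty body.
        $0 !~ /HTTP\/1\.[01]" 200 0/ { next }
        # Skip loopback traffic and the root user.
        $1 == "127.0.0.1" || $3 == "root" { next }
        # Skip static assets by extension (must be followed by ?, a quote or a space).
        $0 ~ /\.(jpg|gif|css|js|png|ico)[?" ]/ { next }
        # seen[ip] is 0 the first time an IP appears, so the line is printed;
        # the post-increment makes every later line from that IP evaluate false.
        !seen[$1]++
    '
}

# Helpers used for the self-check below: number of lines emitted for the sample,
# and the comma-separated list of IPs in the order they were first seen.
count_unique_hits() {
    printf '%s\n' "$SAMPLE_LOG" | first_hit_per_ip | wc -l | tr -d ' '
}

first_ips() {
    printf '%s\n' "$SAMPLE_LOG" | first_hit_per_ip | awk 'NR > 1 { printf "," } { printf "%s", $1 }'
}

# Live use (not run here):
#   tail -F /usr/local/cpanel/logs/access_log | first_hit_per_ip | while read -r line; do
#       ip=$(printf '%s\n' "$line" | awk '{ print $1 }')
#       ... look up the country for "$ip" and allow or deny ...
#   done
```

The seen table lives in memory for the lifetime of the awk process, so it starts empty on every daemon restart and grows by one entry per distinct IP. If an IP should be re-checked periodically instead of once forever, key the table on the IP plus the date taken from the timestamp field (for example `seen[$1 SUBSEP substr($4, 2, 10)]++` with the layout assumed above), which bounds the table to one entry per IP per day; keying on IP plus user (`$1 SUBSEP $3`) would instead re-check each account separately.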