When I try to check my regex with fail2ban-regex with the command below :

fail2ban-regex login-error.log "ip:<HOST>,. description:Failed login in Phraseanet.*" --print-all-matched

It works and it’s my goal, for it to return the following text :

Running tests
=============

Use   failregex line : ip:<HOST>,. description:Failed login in Phraseanet.*
Use         log file : /opt/solmani-logs-phraseanet/script/logs/login-error.log
Use         encoding : UTF-8


Results
=======

Failregex: 22 total
|-  #) [# of hits] regular expression
|   1) [22] ip:<HOST>,. description:Failed login in Phraseanet.*
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [22] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 22 lines, 0 ignored, 22 matched, 0 missed
[processed in 0.03 sec]

|- Matched line(s):
|  ip:47.64.104.56, username:[email protected], id:1, created:2022-09-01T14:15:46.000Z, description:Failed login in Phraseanet
|  ip:47.64.104.56, username:[email protected], id:3, created:2022-09-05T06:32:02.000Z, description:Failed login in Phraseanet
|  ip:47.64.104.56, username:[email protected], id:2, created:2022-09-02T09:13:25.000Z, description:Failed login in Phraseanet
|  ip:47.64.104.56, username:user, id:4, created:2022-09-06T07:08:43.000Z, description:Failed login in Phraseanet
|  ip:47.64.104.56, username:user, id:5, created:2022-09-06T07:09:02.000Z, description:Failed login in Phraseanet

But when I put my regex in my config file and try to check it with this command :

fail2ban-regex login-error.log /etc/fail2ban/filter.d/phraseanet.conf --print-all-matched

It doesn't work event tho it is the same regex as on the file. It return this :

Running tests
=============

Use   failregex filter file : phraseanet, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG} : Default Detectors
Use         log file : /opt/solmani-logs-phraseanet/script/logs/login-error.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 22 lines, 0 ignored, 0 matched, 22 missed
[processed in 0.02 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 22 lines

This is my jail.local

##################### my config #####################
[phraseanet]
enabled = true
port = http,https
logpath = /opt/solmani-logs-phraseanet/script/logs/login-error.log
banaction = iptables-multiport-forward
filter = phraseanet

my config file phraseanet.conf

[INCLUDES]
before = common.conf
datepattern =

[Definition]
failregex = "ip:<HOST>.*description:Failed login in Phraseanet.*"
ignoreregex =

and some logs login-error.log

ip:47.64.104.56, username:[email protected], id:1, created:2022-09-01T14:15:46.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:[email protected], id:3, created:2022-09-05T06:32:02.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:[email protected], id:2, created:2022-09-02T09:13:25.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user, id:4, created:2022-09-06T07:08:43.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user, id:5, created:2022-09-06T07:09:02.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user, id:6, created:2022-09-06T07:10:56.000Z, description:Failed login in Phraseanet

I can’t figure out why does it works with my regex but not with my file. I already have a custom config file for another log and it works well, but this one doesn’t.

CodePudding user response：

The quotes are interpreted literally as part of your expression in your current configuration, your file should look like this:

[Definition]
failregex = ip:<HOST>,. description:Failed login in Phraseanet.*
ignoreregex =