When I try to check my regex with fail2ban-regex
with the command below:
fail2ban-regex login-error.log "ip:<HOST>,. description:Failed login in Phraseanet.*" --print-all-matched
It works, and it's my goal for it to return the following text:
Running tests
=============
Use failregex line : ip:<HOST>,. description:Failed login in Phraseanet.*
Use log file : /opt/solmani-logs-phraseanet/script/logs/login-error.log
Use encoding : UTF-8
Results
=======
Failregex: 22 total
|- #) [# of hits] regular expression
| 1) [22] ip:<HOST>,. description:Failed login in Phraseanet.*
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [22] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 22 lines, 0 ignored, 22 matched, 0 missed
[processed in 0.03 sec]
|- Matched line(s):
| ip:47.64.104.56, username:[email protected], id:1, created:2022-09-01T14:15:46.000Z, description:Failed login in Phraseanet
| ip:47.64.104.56, username:[email protected], id:3, created:2022-09-05T06:32:02.000Z, description:Failed login in Phraseanet
| ip:47.64.104.56, username:[email protected], id:2, created:2022-09-02T09:13:25.000Z, description:Failed login in Phraseanet
| ip:47.64.104.56, username:user, id:4, created:2022-09-06T07:08:43.000Z, description:Failed login in Phraseanet
| ip:47.64.104.56, username:user, id:5, created:2022-09-06T07:09:02.000Z, description:Failed login in Phraseanet
But when I put my regex in my config file and try to check it with this command:
fail2ban-regex login-error.log /etc/fail2ban/filter.d/phraseanet.conf --print-all-matched
It doesn't work even though it is the same regex as in the file. It returns this:
Running tests
=============
Use failregex filter file : phraseanet, basedir: /etc/fail2ban
Use datepattern : {^LN-BEG} : Default Detectors
Use log file : /opt/solmani-logs-phraseanet/script/logs/login-error.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 22 lines, 0 ignored, 0 matched, 22 missed
[processed in 0.02 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 22 lines
This is my jail.local:
##################### my config #####################
[phraseanet]
enabled = true
port = http,https
logpath = /opt/solmani-logs-phraseanet/script/logs/login-error.log
banaction = iptables-multiport-forward
filter = phraseanet
My config file phraseanet.conf:
[INCLUDES]
before = common.conf
datepattern =
[Definition]
failregex = "ip:<HOST>.*description:Failed login in Phraseanet.*"
ignoreregex =
And some logs from login-error.log:
ip:47.64.104.56, username:[email protected], id:1, created:2022-09-01T14:15:46.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:[email protected], id:3, created:2022-09-05T06:32:02.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:[email protected], id:2, created:2022-09-02T09:13:25.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user, id:4, created:2022-09-06T07:08:43.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user, id:5, created:2022-09-06T07:09:02.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user, id:6, created:2022-09-06T07:10:56.000Z, description:Failed login in Phraseanet
I can't figure out why it works with my regex but not with my file. I already have a custom config file for another log and it works well, but this one doesn't.
CodePudding user response:
The quotes are interpreted literally as part of your expression in your current configuration. Your file should look like this:
[Definition]
failregex = ip:<HOST>,. description:Failed login in Phraseanet.*
ignoreregex =
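The effect described in the answer can be reproduced offline. The following is an added example, not part of the original question or answer: it parses a copy of the question's filter definition with Python's `configparser` and counts matches with and without the surrounding quotes. The `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, the helper names are hypothetical, and fail2ban's date handling is left out.

```python
import configparser
import re

# Constructed copy of the [Definition] section from the question's phraseanet.conf.
FILTER_CONF = """
[Definition]
failregex = "ip:<HOST>.*description:Failed login in Phraseanet.*"
ignoreregex =
"""

# Sample lines in the login-error.log format shown in the question.
LOG_LINES = [
    "ip:47.64.104.56, username:user, id:4, created:2022-09-06T07:08:43.000Z, description:Failed login in Phraseanet",
    "ip:47.64.104.56, username:user, id:5, created:2022-09-06T07:09:02.000Z, description:Failed login in Phraseanet",
    "ip:47.64.104.56, username:user, id:6, created:2022-09-06T07:10:56.000Z, description:Failed login in Phraseanet",
]

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def load_failregex(conf_text):
    """Return the raw failregex value; INI parsing does not strip quotes."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser["Definition"]["failregex"]


def count_matches(failregex, lines):
    """Count lines the expression finds (date handling is left out here)."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    return sum(1 for line in lines if pattern.search(line))


def is_quoted(failregex):
    """Lint check: value wrapped in shell-style quotes, as in the question."""
    value = failregex.strip()
    return len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"


if __name__ == "__main__":
    raw = load_failregex(FILTER_CONF)
    fixed = raw.strip('"') if is_quoted(raw) else raw
    print("quoted in file:", is_quoted(raw))
    print("matches as written:", count_matches(raw, LOG_LINES))
    print("matches unquoted:  ", count_matches(fixed, LOG_LINES))
```

On the command line the shell removes the quotes before fail2ban-regex sees the expression, which is why the same text behaves differently when pasted into the filter file.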