Hello team!

I'm using Fail2Ban to process Asterisk log files (filter.d/Asterisk). I found some "skipped" activity and I believe the following rule does not match. Any hints on what might be wrong? (I'm not a regex expert by any means, but to me it looks like it should work...)

Log entry:

[2015-05-05 10:39:29] SECURITY[2635] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2015-05-05T10:39:29.396-0500",Severity="Error",Service="SIP",EventVersion="2",AccountID="011972592249482",SessionID="0x7f4b8000a2a8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/195.154.150.102/5070",Challenge="6c8c1b82",ReceivedChallenge="6c8c1b82",ReceivedHash="12143a9e0583447febc67fb28cbdf433"

I saved it into a single 'testlog' file. Now, I believe it should match, but it doesn't (the regex between '' is straight from the filter.d/Asterisk filter, which I believe should work):

[root@localhost fail2ban]# fail2ban-regex testlog '^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$'

Running tests
=============

Use   failregex line : ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Securit...
Use         log file : testlog
Use         encoding : UTF-8

Results
=======

Failregex: 0 total
Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]

|- Missed line(s):
|  [2015-05-05 10:39:29] SECURITY[2635] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2015-05-05T10:39:29.396-0500",Severity="Error",Service="SIP",EventVersion="2",AccountID="011972592249482",SessionID="0x7f4b8000a2a8",LocalAddress="IPV4/UDP/23.114.87.129/5060",RemoteAddress="IPV4/UDP/195.154.150.102/5070",Challenge="6c8c1b82",ReceivedChallenge="6c8c1b82",ReceivedHash="12143a9e0583447febc67fb28cbdf433"
`-

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
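The following is an added check, not part of the post above and not fail2ban's own code. It replays the posted failregex against the posted log line in plain Python and cuts the regex back field by field to show where the match breaks. Two things it assumes and labels as assumptions: the expansions of the %(__prefix_line)s and %(log_prefix)s macros (fail2ban only interpolates these when the regex is read from a filter file; a regex given literally on the fail2ban-regex command line keeps them as literal characters), the <HOST> expansion of fail2ban 0.9, and the fact that fail2ban matches failregex against the line with the detected timestamp cut out, which is what the \[\]\s* alternative in the filter is for. The widened EventTV pattern at the end is my own alternative, written to accept the ISO 8601 stamp in the posted line; it is not quoted from the page.

```python
import re

# Constructed copy of the log line quoted in the post (addresses as posted).
LOG_LINE = (
    '[2015-05-05 10:39:29] SECURITY[2635] res_security_log.c: '
    'SecurityEvent="InvalidPassword",EventTV="2015-05-05T10:39:29.396-0500",'
    'Severity="Error",Service="SIP",EventVersion="2",AccountID="011972592249482",'
    'SessionID="0x7f4b8000a2a8",LocalAddress="IPV4/UDP/1.2.3.4/5060",'
    'RemoteAddress="IPV4/UDP/195.154.150.102/5070",Challenge="6c8c1b82",'
    'ReceivedChallenge="6c8c1b82",ReceivedHash="12143a9e0583447febc67fb28cbdf433"'
)

# The failregex exactly as it was passed to fail2ban-regex in the post.
POSTED_FAILREGEX = (
    r'^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|'
    r'ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",'
    r'Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",'
    r'LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"'
    r'(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$'
)

# Same regex with EventTV widened to also accept the ISO 8601 stamp Asterisk wrote
# in the line above. This alternative is added here, not taken from the page.
FIXED_FAILREGEX = POSTED_FAILREGEX.replace(
    r'EventTV="[\d-]+"', r'EventTV="([\d-]+|%(iso8601)s)"')

# Assumed stand-ins for the filter's config macros. fail2ban interpolates %(name)s
# only for a regex read from a filter file; typed literally on the fail2ban-regex
# command line, "%(__prefix_line)s" stays literal text (see first_failing_part).
MACROS = {
    '__prefix_line': r'\s*',  # assumption: no syslog prefix in a plain Asterisk log file
    'log_prefix': (r'(?:NOTICE|SECURITY|WARNING)(?:\[\d+\]):?(?:\[C-[\da-f]*\])?'
                   r' [^:]+:\d*(?:(?: in)? \w+:)?'),  # assumption: shape of asterisk.conf's log_prefix
    'iso8601': r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}',  # added here for FIXED_FAILREGEX
}
HOST_RE = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'  # assumption: fail2ban 0.9's <HOST> expansion


def strip_date(line):
    # Assumption: fail2ban applies failregex to the line with the detected timestamp
    # removed, so "[2015-05-05 10:39:29] SECURITY..." becomes "[] SECURITY..."
    # (which is why the filter has the \[\]\s* alternative at the start).
    return re.sub(r'^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]', '[]', line, count=1)


def expand(failregex, macros=MACROS):
    """Interpolate %(name)s macros and <HOST> as fail2ban does for a filter-file regex."""
    return (failregex % macros).replace('<HOST>', HOST_RE)


def match_host(failregex, line):
    """Return the <HOST> capture if failregex matches the line, else None."""
    m = re.match(failregex, strip_date(line))
    return m.groupdict().get('host') if m else None


def first_failing_part(failregex, line):
    """Diagnostic: re-run the match with the regex cut just before each ,Field="
    boundary and report the first part whose inclusion breaks the match
    ('log prefix' = everything before SecurityEvent), or None if it all matches."""
    text = strip_date(line)
    cuts = [('log prefix', failregex.index(' SecurityEvent="'))]
    prev = 'SecurityEvent'
    for m in re.finditer(r',(\w+)="', failregex):
        cuts.append((prev, m.start()))
        prev = m.group(1)
    cuts.append((prev, len(failregex)))
    for label, pos in cuts:
        try:
            if re.match(failregex[:pos], text) is None:
                return label
        except re.error:
            continue  # the cut landed inside an optional group; skip this boundary
    return None


if __name__ == '__main__':
    for name, rx in (('as typed', POSTED_FAILREGEX),
                     ('expanded', expand(POSTED_FAILREGEX)),
                     ('expanded+fixed', expand(FIXED_FAILREGEX))):
        print('%-15s host=%-18r first failing part: %s'
              % (name, match_host(rx, LOG_LINE), first_failing_part(rx, LOG_LINE)))
```

Run stand-alone it reports: the regex as typed on the command line dies in the log prefix (the unexpanded macros), the macro-expanded regex dies at EventTV because [\d-]+ cannot match 2015-05-05T10:39:29.396-0500, and only the widened EventTV alternative reaches the end and captures 195.154.150.102 as <HOST>. The practical check for a filter like this is therefore to run fail2ban-regex against the filter file (so the macros expand) rather than against a pasted regex, and then to compare the EventTV format your Asterisk version emits with what the filter expects.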
