Try the line in the filter like this:
x-event:publish c-ip:<HOST>
On Sun, 2015-05-17 at 15:01 +0100, Anthony Griffiths wrote:
> I'm running fail2ban-0.8.14-1.el6. on centos 6.6
>
> hi can some clever bod please help me debug a custom filter?
> the application is red5 media server and what I need is quite
> straightforward but I can't get past some errors.
> There's only one expression in the log file I want to watch for and that's
> this:
> "x-event:publish c-ip:xxx.xxx.xxx.xxx"
> this expression occurs only once in this typical log line:
> ~2015-05-17 13:31:22,096 [RTMPExecutor#U1UJYZQL0ISMR-1] INFO
> o.r.s.adapter.ApplicationAdapter - W3C x-category:stream
> x-event:publish
> c-ip:xxx.xxx.xxx.xxx-sname:44c13ddb-de6e-4e84-90a2-5cab442b573d
> x-name:livestream1~
>
> In jail.local I've added this entry:
>
> [red5]
>
> enabled = true
> filter = red5
> action = iptables[name=red5, port=1935, protocol=tcp]
> logpath = /path/to/red5.log
> maxretry = 1
> ignoreip = 123.456.789.10
>
> I've created a red5.conf file that contains this:
>
> ---------------------
> [INCLUDES]
>
> before =
>
> [Definition]
>
> _daemon = red5
>
> failregex = ^%(__prefix_line)s x-event:publish c-ip:<HOST>*$
>
> ignoreregex =
> ---------------------
>
> however fail2ban won't start and throws errors, I know I must have a
> wrong syntax somewhere in the failregex but I don't know where, I've
> tried several syntaxes but fail2ban still won't start and gives this
> error:
>
> # /etc/init.d/fail2ban start
> Starting fail2ban: ERROR Failed during configuration: Bad value substitution:
> section: [Definition]
> option : failregex
> key : __prefix_line
> rawval : x-event:publish c-ip:<HOST>$:
>
> Thanks for any help.
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
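The "Bad value substitution" error and the suggested line can be reproduced offline with Python's configparser, which resolves `%(name)s` references the same way. This is an added example, not part of the original thread or fail2ban's own code; the function names, the simplified `<HOST>` stand-in pattern and the 203.0.113.7 address are assumptions made for illustration.

```python
import configparser
import re

# The filter as posted: %(__prefix_line)s is referenced, but nothing in the
# file defines it and the empty "before =" pulls in no other file.
POSTED = """
[Definition]
_daemon = red5
failregex = ^%(__prefix_line)s x-event:publish c-ip:<HOST>*$
"""

# The filter using the line suggested in the reply.
SUGGESTED = """
[Definition]
failregex = x-event:publish c-ip:<HOST>
"""

# Constructed sample: the log line from the thread joined onto one line, with
# a documentation-range address in place of the masked one.
LOG_LINE = ("2015-05-17 13:31:22,096 [RTMPExecutor#U1UJYZQL0ISMR-1] INFO "
            "o.r.s.adapter.ApplicationAdapter - W3C x-category:stream "
            "x-event:publish "
            "c-ip:203.0.113.7-sname:44c13ddb-de6e-4e84-90a2-5cab442b573d "
            "x-name:livestream1")

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST_STANDIN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def load_failregex(filter_text):
    """Return (failregex, None), or (None, missing_key) if interpolation fails."""
    parser = configparser.ConfigParser()
    parser.read_string(filter_text)
    try:
        return parser.get("Definition", "failregex"), None
    except configparser.InterpolationMissingOptionError as exc:
        return None, exc.reference


def find_host(failregex, line):
    """Unanchored search for the pattern; return the captured host or None."""
    match = re.search(failregex.replace("<HOST>", HOST_STANDIN), line)
    return match.group("host") if match else None


if __name__ == "__main__":
    print(load_failregex(POSTED))            # interpolation fails
    regex, _ = load_failregex(SUGGESTED)
    print(find_host(regex, LOG_LINE))        # host taken from the sample line
```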