Fail2ban is a great tool on top of good iptables restrictions. Since I run it on some projects I am wondering: is it possible to look for lines that mention " UNREACHABLE! " like this in my VoIP system logs

    [2015-07-14 21:58:16] NOTICE[31870] chan_sip.c: Peer 'o1234_1' is now Reachable. (30ms / 2000ms)
    [2015-07-16 02:58:30] NOTICE[31870] chan_sip.c: Peer 'o1234_10' is now UNREACHABLE! Last qualify: 47
    [2015-07-16 02:58:40] NOTICE[31870] chan_sip.c: Peer 'o1234_10' is now Reachable. (17ms / 2000ms)
    [2015-07-16 03:59:45] NOTICE[31870] chan_sip.c: Peer 'o1234_10' is now UNREACHABLE! Last qualify: 18
    [2015-07-16 03:59:58] NOTICE[31870] chan_sip.c: Peer 'o1234_1' is now UNREACHABLE! Last qualify: 18
    [2015-07-16 04:02:00] NOTICE[31870] chan_sip.c: Peer 'o1234_1' is now Reachable. (30ms / 2000ms)

then email me the unreachable line

    [2015-07-16 03:59:58] NOTICE[31870] chan_sip.c: Peer 'o1234_1' is now UNREACHABLE! Last qualify: 18

and of course not block any IP address. I figure it's running in the background anyway; how would I go about doing this?

I also thought sometimes I get high lag and it does not go unreachable. Would there be a way to do an "if greater than N milliseconds" from the logs also? Example:

    [2015-04-27 23:45:25] NOTICE[20748] chan_sip.c: Peer '2003' is now Lagged. (20020ms / 2000ms)
    [2015-04-28 00:59:08] NOTICE[25115] chan_sip.c: Peer '2003' is now Lagged. (5785ms / 2000ms)
    [2015-04-29 19:58:31] NOTICE[30843] chan_sip.c: Peer '2003' is now Lagged. (20019ms / 2000ms)
    [2015-04-29 20:10:11] NOTICE[30843] chan_sip.c: Peer '2003' is now Lagged. (20023ms / 2000ms)

I guess I could just do a message search for "is now Lagged". Make a filter called asterisklagged or something. I know this will not work, but I figure someone would know, so I attempt below.

    # filter.d/asterisklagged.conf
    [INCLUDES]
    before = common.conf

    [Definition]
    _daemon = asterisk
    __pid_re = (?:\[\d+\])
    # Every Asterisk NOTICE line starts with this prefix
    log_prefix = (?:NOTICE)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
    # Matches "Peer '<name>' is now Lagged. (<rtt>ms / <limit>ms)" as logged above.
    # Note: these lines carry no IP, so there is no <HOST> group, which fail2ban
    # normally requires in a failregex.
    failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Peer '[^']*' is now Lagged\. \(\d+ms / \d+ms\)$
    ignoreregex =

    # jail.local entry
    [asterisk-Lagged]
    enabled = true
    filter = asterisklagged
    action = sendmail-whois[name=ASTERISK, [email protected]]
    logpath = /var/log/asterisk/messages
    maxretry = 99999999

Interested to see what some of your comments are.

-- 
Its going to be ok.

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
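As an added example, not code from the original post or from fail2ban: the line matching and the "greater than N milliseconds" lag check asked about above, done in Python over the quoted log lines. LINE_RE, parse_line, alerts and the 5000 ms default threshold are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches the chan_sip NOTICE lines quoted in the post: timestamp, peer name,
# new state and, for Reachable/Lagged, the measured round trip and the qualify limit.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Peer '(?P<peer>[^']*)' is now (?P<state>Reachable|Lagged|UNREACHABLE)[.!]"
    r"(?: \((?P<rtt>\d+)ms / (?P<limit>\d+)ms\))?"
)

@dataclass
class PeerEvent:
    ts: str
    peer: str
    state: str
    rtt_ms: Optional[int]  # None on UNREACHABLE lines, which carry no timing

def parse_line(line: str) -> Optional[PeerEvent]:
    """Parse one log line; None for lines that are not peer state changes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return PeerEvent(m["ts"], m["peer"], m["state"],
                     int(m["rtt"]) if m["rtt"] else None)

def alerts(lines: Iterable[str], lag_threshold_ms: int = 5000) -> List[PeerEvent]:
    """Every UNREACHABLE event, plus Lagged events whose round trip exceeds
    lag_threshold_ms: the numeric comparison a fail2ban failregex cannot do."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.state == "UNREACHABLE" or (
                ev.state == "Lagged" and ev.rtt_ms is not None
                and ev.rtt_ms > lag_threshold_ms):
            out.append(ev)
    return out

# Constructed sample, copied from the lines quoted in the post.
SAMPLE_LOG = """\
[2015-07-14 21:58:16] NOTICE[31870] chan_sip.c: Peer 'o1234_1' is now Reachable. (30ms / 2000ms)
[2015-07-16 02:58:30] NOTICE[31870] chan_sip.c: Peer 'o1234_10' is now UNREACHABLE! Last qualify: 47
[2015-07-16 03:59:58] NOTICE[31870] chan_sip.c: Peer 'o1234_1' is now UNREACHABLE! Last qualify: 18
[2015-04-27 23:45:25] NOTICE[20748] chan_sip.c: Peer '2003' is now Lagged. (20020ms / 2000ms)
[2015-04-28 00:59:08] NOTICE[25115] chan_sip.c: Peer '2003' is now Lagged. (5785ms / 2000ms)
""".splitlines()
```

Feed the events it returns to whatever mailer you already use; raising the threshold to 6000 ms drops the 5785 ms event while keeping both UNREACHABLE lines.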
