Hi guys,
I'm using Debian stable and can't get fail2ban working properly... :-(
The loglines I want to catch look like this:
> 2016-02-20T16:38:57.744887+00:00 hostname sshd[25454]: Invalid user
> hugo from 2001:123:4567:2c1:fc53:64af:4c60:aa36
So I put the following into common.local to overwrite the two macros in
common.conf:
> [DEFAULT]
> # 2016-02-21T20:37:22.417208+00:00
> __timestamp_re = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+\d{2}:\d{2}
> # 2016-02-21T20:37:22.417208+00:00 hostname sshd[28085]:
> __prefix_line =
> %(__timestamp_re)s\s+%(__hostname)s\s+%(__daemon_combs_re)s:\s+
Still:
> # fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
>
> Running tests
> =============
>
> Use failregex file : /etc/fail2ban/filter.d/sshd.conf
> Use log file : /var/log/auth.log
>
>
> Results
> =======
>
> Failregex: 0 total
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [44538] ISO 8601
> `-
>
> Lines: 44538 lines, 0 ignored, 0 matched, 44538 missed
> Missed line(s): too many to print. Use --print-all-missed to print
> all 44538 lines
Any idea why my regexp is not working?
Thanks in advance for your help.
Kind regards,
Ralf
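An added example (not from the post above or from fail2ban itself) that reproduces in plain Python the part of fail2ban's pipeline that matters here: the date detector cuts the matched timestamp out of the line before any failregex is applied, so a `__prefix_line` that begins with the timestamp pattern has nothing left to match. `HOSTNAME_RE` and `DAEMON_RE` are assumed simplified stand-ins for common.conf's `__hostname` and `__daemon_combs_re`, not the definitions shipped with fail2ban.

```python
import re
from typing import Optional

# Sample line constructed from the one quoted in the post.
SAMPLE = ("2016-02-20T16:38:57.744887+00:00 hostname sshd[25454]: "
          "Invalid user hugo from 2001:123:4567:2c1:fc53:64af:4c60:aa36")

# The ISO 8601 timestamp pattern exactly as written in common.local.
TIMESTAMP_RE = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+\d{2}:\d{2}"

# Assumed, simplified stand-ins for common.conf's __hostname and
# __daemon_combs_re (not the exact definitions fail2ban ships).
HOSTNAME_RE = r"\S+"
DAEMON_RE = r"sshd(?:\[\d+\])?:"

# Prefix as written in the post: timestamp first, then host and daemon.
PREFIX_WITH_TIMESTAMP = rf"{TIMESTAMP_RE}\s+{HOSTNAME_RE}\s+{DAEMON_RE}\s+"
# Prefix without a timestamp, the shape fail2ban's stock __prefix_line has.
PREFIX_NO_TIMESTAMP = rf"\s*(?:{HOSTNAME_RE}\s+)?{DAEMON_RE}\s+"

# Body of sshd.conf's "Invalid user" rule; "host" stands in for <HOST>.
FAILREGEX_BODY = r"Invalid user \S+ from (?P<host>\S+)\s*$"


def strip_date(line: str) -> str:
    """Mimic fail2ban's date detector: the matched timestamp is removed
    from the line before any failregex runs; the rest is left untouched."""
    m = re.search(TIMESTAMP_RE, line)
    if not m:
        return line
    return line[:m.start()] + line[m.end():]


def match_failregex(prefix: str, line: str) -> Optional[str]:
    """Apply ^<prefix><body> to the date-stripped line, as fail2ban does.
    Returns the captured host, or None when the regex does not match."""
    regex = re.compile(r"^" + prefix + FAILREGEX_BODY)
    m = regex.search(strip_date(line))
    return m.group("host") if m else None


if __name__ == "__main__":
    print("line seen by failregex:", repr(strip_date(SAMPLE)))
    print("prefix with timestamp   ->", match_failregex(PREFIX_WITH_TIMESTAMP, SAMPLE))
    print("prefix without timestamp ->", match_failregex(PREFIX_NO_TIMESTAMP, SAMPLE))
```

Running it shows the same 0-match result as `fail2ban-regex` for the timestamp-first prefix, while the prefix that starts at the hostname captures the address.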
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users