Hi Yaroslav, all.

On 2016-02-22 01:08, Yaroslav Halchenko wrote:
> On Sun, 21 Feb 2016, Ralf G. R. Bergs wrote:
>
>> Hi guys,
>> I'm using Debian stable and can't get fail2ban working properly... :-(
>> The loglines I want to catch look like this:
>>> 2016-02-20T16:38:57.744887+00:00 hostname sshd[25454]: Invalid user
>>> hugo from 2001:123:4567:2c1:fc53:64af:4c60:aa36
> There is no IPv6 support yet in Fail2Ban, so nothing would match
>
Good to know (although a bit disappointing that there is no IPv6 support yet...)

But still not even IPv4 addresses are matched...

Here's a copy of my original message:
> The loglines I want to catch look like this:
>> 2016-02-20T16:38:57.744887+00:00 hostname sshd[25454]: Invalid user
>> hugo from 2001:123:4567:2c1:fc53:64af:4c60:aa36
> So I put the following into common.local to overwrite the two macros in
> common.conf:
>> [DEFAULT]
>> # 2016-02-21T20:37:22.417208+00:00
>> __timestamp_re = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+\d{2}:\d{2}
>> # 2016-02-21T20:37:22.417208+00:00 hostname sshd[28085]:
>> __prefix_line = %(__timestamp_re)s\s+%(__hostname)s\s+%(__daemon_combs_re)s:\s+
> Still:
>> # fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
>>
>> Running tests
>> =============
>>
>> Use   failregex file : /etc/fail2ban/filter.d/sshd.conf
>> Use         log file : /var/log/auth.log
>>
>>
>> Results
>> =======
>>
>> Failregex: 0 total
>>
>> Ignoreregex: 0 total
>>
>> Date template hits:
>> |- [# of hits] date format
>> |  [44538] ISO 8601
>> `-
>>
>> Lines: 44538 lines, 0 ignored, 0 matched, 44538 missed
>> Missed line(s): too many to print.  Use --print-all-missed to print
>> all 44538 lines
> Any idea why my regexp is not working?
Can you please help me find out how to get this working? Is my
approach correct (assuming the inheritance as described above)?

Kind regards,

Ralf



