Okay, but how?

That's working (but I get the IP, not the user):

failregex = ^.*\[(?:::f{4,6}:)?(?P<host>\S+)\], sasl.*sasl_username=(?P<USER>\S+)$

That's not working (no match):

failregex = ^.*\[(?:::f{4,6}:)?(?P<user>\S+)\], sasl.*sasl_username=(?P<host>\S+)$

That one does not work either (no match):

failregex = ^.*\[(?:::f{4,6}:)?(?P<user>\S+)\], sasl.*sasl_username=<HOST>$

Example log line:

Apr 13 15:09:27 mailgw postfix/smtpd[13276]: C247D2B: client=exchange1.fhstp.local[10.0.1.5], sasl_method=LOGIN, sasl_username=exchangemailer

-----Original Message-----
From: Y. [mailto:f2b...@yalis.fr]
Sent: Thursday, 20 April 2017 15:53
To: Hochreiter Martin <martin.hochrei...@fhstp.ac.at>; fail2ban-users@lists.sourceforge.net
Subject: Re: [Fail2ban-users] Configure fail2ban to count usernames

You can't. Fail2ban can only use <HOST>.
However, you can make <HOST> match the user ;-)
But it's one or the other, because you only have 1 variable to play with.

On 20/04/2017 at 15:44, Hochreiter Martin wrote:
> I try it with a separate post:
>
> I built a filter to extract <HOST> and <USER> out of the postfix SASL
> logs. How can I configure fail2ban to count the USER logins (not the IP)?
>
> Regards
>
> Martin
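
Counting per sasl_username instead of per client IP can also be done outside fail2ban. The Python script below is an added example, not part of the original thread and not fail2ban code: it applies the first failregex from the message to syslog lines and reports each user seen at least maxretry times within findtime seconds. The function name, the thresholds (named by analogy with fail2ban's options), the assumed year and every sample line except the first are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# First failregex from the post, unchanged: host = client IP, USER = SASL login name.
FAILREGEX = re.compile(
    r"^.*\[(?:::f{4,6}:)?(?P<host>\S+)\], sasl.*sasl_username=(?P<USER>\S+)$"
)

# First entry is the example log line from the post; all others are constructed samples.
PREFIX = "mailgw postfix/smtpd[13301]: A1B2C3D: client=unknown"
SAMPLE = [
    "Apr 13 15:09:27 mailgw postfix/smtpd[13276]: C247D2B: "
    "client=exchange1.fhstp.local[10.0.1.5], sasl_method=LOGIN, sasl_username=exchangemailer",
    f"Apr 13 15:10:01 {PREFIX}[192.0.2.10], sasl_method=LOGIN, sasl_username=jdoe",
    f"Apr 13 15:11:40 {PREFIX}[198.51.100.7], sasl_method=LOGIN, sasl_username=jdoe",
    "Apr 13 15:12:05 mailgw postfix/smtpd[13310]: connect from unknown[203.0.113.9]",
    f"Apr 13 15:13:12 {PREFIX}[203.0.113.9], sasl_method=LOGIN, sasl_username=jdoe",
    f"Apr 13 15:40:00 {PREFIX}[10.0.1.5], sasl_method=LOGIN, sasl_username=exchangemailer",
    f"Apr 13 16:10:00 {PREFIX}[10.0.1.5], sasl_method=LOGIN, sasl_username=exchangemailer",
]


def users_over_limit(lines, maxretry=3, findtime=600, year=2017):
    """Return {username: sorted client IPs} for users seen at least
    maxretry times within any findtime-second window."""
    recent = defaultdict(deque)   # username -> (timestamp, ip) pairs inside the window
    flagged = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue              # not a SASL line (e.g. plain "connect from")
        # Syslog timestamps carry no year, so an assumed one is prepended.
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        user, window = m.group("USER"), recent[m.group("USER")]
        window.append((ts, m.group("host")))
        # Drop entries that have aged out of the sliding window.
        while ts - window[0][0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry and user not in flagged:
            flagged[user] = sorted({ip for _, ip in window})
    return flagged


if __name__ == "__main__":
    for user, ips in users_over_limit(SAMPLE).items():
        print(f"{user}: {len(ips)} source IP(s) -> {', '.join(ips)}")
```

With the default 600-second window only the constructed user jdoe is reported; exchangemailer has three entries but they are spread over an hour.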