Oh yeah definitely reduce the log level back down haha :-)
It can be useful sometimes, but yeah it logs a massive amount. Newer
versions of f2b have slightly better options - debug and heavydebug, I
think.
This is a bit puzzling. I'm fairly sure 0.8 used to log "found" lines
properly. But that might just be my memory being bad as usual.
I actually manually installed 0.10 cos it's quite a bit better, but I'm
sure I remember 0.8 doing this.
Hmm can I ask you to grep for "INFO" in fail2ban.log, so we can see if it's
actually logging f2b's info messages?
If there are no "INFO" messages logged, it might be worth looking at your
syslog config files, in case there's a fail2ban.info config line sending
info stuff to another log file.
As an aside, fail2ban logging is buggy even in 0.10. Sometimes it
completely stops logging but it tells you it's logging just fine - so I
have a cron job that sets logging to syslog then back to file, cos that's
the ONLY way to restart logging when it stops.
I'm hoping someone can step in and tell both of us whether 0.8 does or
doesn't log this detail. I might be completely wrong about f2b somehow
finding "duplicate" entries that aren't duplicates, I just know that's what
happened to me before. So all this work is about finding out what f2b is
"seeing".
It might well be that your issue is a true bug in f2b 0.8.
I hate to advise people to do this, but are you the sort of person who
enjoys playing around with Linux? F2b 0.10 is much better and more stable,
with slightly better options (and the DB purging works better - no one ever
spotted, but in version 0.8 the DB was never ever purged, because there
wasn't actually any code written to do it!) - but depending upon what
repos you use to install packages, you might have to manually install it.
You clearly know exactly what you're doing, which is the reason I'm
mentioning this - it's worth upgrading cos it might simply solve this
problem and run better. But because it doesn't seem to be included in any
packages, you won't be able to update it automatically. It can cause
problems, because you'll have to remove every file, cleanly run the
install, then put your config files back and debug them.
As well as running a grep for "INFO", you could check the actual live
config to see if it did what you expected it to do. I should've mentioned
this first - sometimes, odd things happen when it reads the config file but
because it's still ok, f2b doesn't tell you:
fail2ban-client -d | grep dovecot-long
This will give you the full failregex, ignoreregex, logpath etc, but it
will also give you the full text of your action emails, so you might get a
lot of info.
Sorry for making you go through all this. It might be a complete waste of
time, but I won't be embarrassed if someone comes along and tells you that
all you needed to do was change one "." in a file somewhere :-)
So, we've got:
1) grep for "INFO" in fail2ban.log (and zgrep for the older ones just to see if things have changed),
2) grep the live config for 'dovecot-long' and
3) if there are no "INFO" lines in fail2ban.log, check syslog/rsyslog conf files just in case there's a line there directing fail2ban.filter/fail2ban.info to /var/log/messages or somewhere else.
4) Actually you could always grep --exclude='fail2ban.log*' fail2ban.filter /var/log/* and see if there's any sign of the INFO/fail2ban.filter stuff.
Tony Collins
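The log, config and syslog checks listed above, packaged as shell functions so they can be tried on a constructed sample before being pointed at the live paths. This is an added example, not code from the thread or from the fail2ban project; it assumes the usual /var/log/fail2ban.log and /etc/fail2ban layout, and the sample at the end mirrors the loglevel lines from the quoted grep output (the fail2ban-client -d check needs a running daemon and is left to the command given in the text).

```shell
#!/bin/sh
# Added example, not code from the thread: the checks listed above as small
# POSIX sh functions. They take file paths as arguments, so they can be tried
# on a constructed sample first and then pointed at the live /var/log and
# /etc/fail2ban. The fail2ban-client -d check needs a running daemon and is
# left to the command given in the text.

# Count lines matching PATTERN across plain and rotated (.gz) log files,
# e.g. f2b_count_matches ']: INFO ' /var/log/fail2ban.log*
f2b_count_matches() {
    pattern=$1; shift
    for f in "$@"; do
        case $f in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done | grep -c -- "$pattern" || true   # grep -c exits 1 on zero hits
}

# Effective loglevel as fail2ban reads it: fail2ban.local overrides
# fail2ban.conf, commented lines and editor backups such as fail2ban.conf~
# are ignored, and the last uncommented assignment in a file wins.
f2b_effective_loglevel() {   # usage: f2b_effective_loglevel CONFDIR
    dir=$1; value=
    for f in "$dir/fail2ban.conf" "$dir/fail2ban.local"; do
        [ -r "$f" ] || continue
        v=$(sed -n \
            's/^[[:space:]]*loglevel[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
            "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
}

# Uncommented syslog/rsyslog config lines that mention fail2ban, i.e. the
# candidates for sending its messages somewhere other than fail2ban.log.
syslog_mentions_fail2ban() {   # usage: syslog_mentions_fail2ban CONFFILE...
    grep -H -i 'fail2ban' "$@" 2>/dev/null | grep -v ':[[:space:]]*#' || true
}

# Constructed sample mirroring the quoted grep output: loglevel = 3 live in
# fail2ban.conf, a stale loglevel = 4 only in the fail2ban.conf~ backup.
tmp=$(mktemp -d)
printf '%s\n' '# loglevel = 4' 'loglevel = 3' > "$tmp/fail2ban.conf"
printf '%s\n' 'loglevel = 4' > "$tmp/fail2ban.conf~"
echo "effective loglevel: $(f2b_effective_loglevel "$tmp")"   # prints 3
rm -rf "$tmp"
```

On a live box, call the functions with /etc/fail2ban, /var/log/fail2ban.log* and /etc/rsyslog.conf /etc/rsyslog.d/*.conf in place of the sample paths.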
On 4 September 2017 at 10:13, chaouche yacine via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:
> On Monday, September 4, 2017 9:34 AM, Tony Collins <t...@evilplan.org.uk>
> wrote:
>
> > Hi - ah, I think Fail2Ban isn't logging enough information [...]
> > You can check by running fail2ban-client get loglevel[...]
>
>
> root@messagerie[10.10.10.19] ~ # fail2ban-client get loglevel
> Current logging level is INFO
> root@messagerie[10.10.10.19] ~ # zgrep -i found /var/log/fail2ban.log*
> root@messagerie[10.10.10.19] ~ #
>
> Let's see if the setting is overridden somewhere?
>
> root@messagerie[10.10.10.19] ~ # grep loglevel -r /etc/fail2ban/
> /etc/fail2ban/fail2ban.conf:# loglevel = 4
> /etc/fail2ban/fail2ban.conf:# Option: loglevel
> /etc/fail2ban/fail2ban.conf:# loglevel = 3 changé à 4
> /etc/fail2ban/fail2ban.conf:# loglevel remis à 4.
> /etc/fail2ban/fail2ban.conf:loglevel = 3
> /etc/fail2ban/filter.d/freeswitch.conf:# -- this requires a high enough
> loglevel on your logs to save these messages.
> /etc/fail2ban/jail.conf:# Make sure that your loglevel specified in
> fail2ban.conf/.local
> /etc/fail2ban/fail2ban.conf~:# loglevel = 4
> /etc/fail2ban/fail2ban.conf~:# Option: loglevel
> /etc/fail2ban/fail2ban.conf~:# loglevel = 3 changé à 4
> /etc/fail2ban/fail2ban.conf~:loglevel = 4
> /etc/fail2ban/jail.conf~:# Make sure that your loglevel specified in
> fail2ban.conf/.local
> root@messagerie[10.10.10.19] ~ #
>
> There's only one entry that isn't commented, and that's loglevel = 3.
> Besides, changing the loglevel in jail.local seems to get ignored.
>
> Maybe the version of f2b I'm using is too old ?
>
> root@messagerie[10.10.10.19] ~ # fail2ban-client --version
> Fail2Ban v0.8.13
> [...]
> root@messagerie[10.10.10.19] ~ #
>
> In any case, I decided to increment the loglevel to 4 and see if that
> helps, but I don't think this was a good idea :
>
> 2017-09-04 10:06:54,887 fail2ban.filter.datedetector[10631]: DEBUG
> Matched time template MONTH Day Hour:Minute:Second
> 2017-09-04 10:06:54,887 fail2ban.filter.datedetector[10631]: DEBUG Got
> time using template MONTH Day Hour:Minute:Second
> 2017-09-04 10:06:54,888 fail2ban.filter.datedetector[10631]: DEBUG Got
> time using template MONTH Day Hour:Minute:Second
> 2017-09-04 10:06:54,888 fail2ban.filter.datedetector[10631]: DEBUG Got
> time using template MONTH Day Hour:Minute:Second
> 2017-09-04 10:06:54,889 fail2ban.filter.datedetector[10631]: DEBUG
> Matched time template MONTH Day Hour:Minute:Second
> 2017-09-04 10:06:54,889 fail2ban.filter.datedetector[10631]: DEBUG
> Matched time template MONTH Day Hour:Minute:Second
> 2017-09-04 10:06:54,889 fail2ban.filter.datedetector[10631]: DEBUG
> Matched time template MONTH Day Hour:Minute:Second
> 2017-09-04 10:06:54,890 fail2ban.filter.datedetector[10631]: DEBUG Got
> time using template MONTH Day Hour:Minute:Second
> 2017-09-04 10:06:54,890 fail2ban.filter.datedetector[10631]: DEBUG Got
> time using template MONTH Day Hour:Minute:Second
> 2017-09-04 10:06:54,890 fail2ban.filter.datedetector[10631]: DEBUG Got
> time using template MONTH Day Hour:Minute:Second
> 2017-09-04 10:06:54,891 fail2ban.filter.datedetector[10631]: DEBUG
> Matched time template MONTH Day Hour:Minute:Second
>
> Look at the timestamps :) I would need 10 billion terabytes of disk space
> to log every millisecond of activity.
>
> > I'm not sure if I'm sending this to the right address - I got two copies
> of your reply[...]
>
> I made a reply to all, which sent a mail to your personal address plus a
> copy to the mailing list.
>
> Yassine.
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users