On Sun, Sep 17, 2017 at 08:00:22PM +0100, Stroller wrote:


> Date template hits:
> |- [# of hits] date format
> |  [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
> `-
>
>
> What does this mean, please?
>
> The number of hits in square brackets makes sense, I guess, but I can't relate the date
> part to the dates in the logs, which are in the format "Sep 17 15:28:03 hostname
> sshd[4768]: Invalid user test3 from 92.222.84.103 port 60987"

The "date format" looks like it uses regex-like syntax. The blocks wrapped in (?:....)? are optional non-capturing groups (the second question-mark means "zero or one instances of the previous block", while the question-mark-colon at the start of the block says "this is a group, but don't save the contents to a variable").

So the date format can be read as "Optional (day-name and space), month, space, day-of-the-month, space, 24-hour-format-hours, colon, minutes, colon, seconds, optional (decimal-point and microseconds), optional (space and year)".

This matches the first part of your log line. The optional leading day-name is not there, then everything matches up to the seconds. There are no microseconds and, while there is a trailing space, the "year" matcher is probably numbers-only so won't match " hostname".


> Thanks in advance for any help,
>
> Stroller.


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--
For more information, please reread.

Attachment: signature.asc
Description: PGP signature
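
The reading given in the reply above, as an added Python example that is not part of the original thread and is not fail2ban's own code. The pattern chosen for each placeholder (DAY, MON, Day and so on) is an assumption made for illustration; the second sample line is constructed.

```python
import re

# The template string exactly as fail2ban printed it in the thread.
TEMPLATE = r"(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?"

# Assumed expansion for each placeholder (illustrative, not fail2ban's own patterns).
TOKENS = {
    "DAY": r"(?P<dayname>Mon|Tue|Wed|Thu|Fri|Sat|Sun)",
    "MON": r"(?P<month>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "Day": r"(?P<day>[ 0-3]?\d)",    # syslog pads single-digit days with a space
    "24hour": r"(?P<hour>[01]\d|2[0-3])",
    "Minute": r"(?P<minute>[0-5]\d)",
    "Second": r"(?P<second>[0-5]\d)",
    "Microseconds": r"(?P<usec>\d{1,6})",
    "Year": r"(?P<year>\d{4})",      # digits only, so " hostname" cannot match
}


def compile_template(template):
    """Swap each placeholder for its pattern in one pass.

    A single pass means text inside an inserted pattern is never re-scanned
    for placeholder names; the (?:...)? groups are left exactly as written.
    """
    placeholder = re.compile("|".join(re.escape(name) for name in TOKENS))
    return re.compile(placeholder.sub(lambda m: TOKENS[m.group()], template))


DATE_RE = compile_template(TEMPLATE)


def explain(line):
    """Return (matched parts, unparsed remainder), or None if no leading date."""
    m = DATE_RE.match(line)
    return (m.groupdict(), line[m.end():]) if m else None


# Log line quoted in the thread, then a constructed line using every optional group.
THREAD_LINE = ("Sep 17 15:28:03 hostname sshd[4768]: "
               "Invalid user test3 from 92.222.84.103 port 60987")
FULL_LINE = "Sun Sep 17 15:28:03.123456 2017 hostname sshd[4768]: constructed sample"

if __name__ == "__main__":
    for sample in (THREAD_LINE, FULL_LINE):
        parts, rest = explain(sample)
        print(parts, "| rest:", repr(rest))
```

Optional groups that did not take part in the match come back as None, which is what happens to the day-name, microseconds and year on the line from the thread.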
