Dear David,

Please try this regex:

^HORDE: \[(horde|imp)\] FAILED LOGIN for \S+ to horde \(<HOST>\) \[.*\]$

You can test it like this:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/horde.local --print-all-missed > /home/<your_username>/missed.txt

or even like this:

fail2ban-regex /var/log/auth.log '^HORDE: \[(horde|imp)\] FAILED LOGIN for \S+ to horde \(<HOST>\) \[.*\]$' --print-all-missed > /home/<your_username>/missed.txt

Here you will find more info on how to test your regex with fail2ban-regex:
http://manpages.ubuntu.com/manpages/bionic/man1/fail2ban-regex.1.html

Hope this helps.

Regards,
Denis Rasulev

> On 10 Jun 2019, at 18:28, David Wells - Alfavinil S.A. <dwe...@alfavinil.com> wrote:
>
> Good afternoon.
>
> I recently upgraded Horde webmail edition to 5.2.22 and the fail2ban
> regex isn't matching the log line even though I'm testing the regex with
> debbuex.com and it says it should match. I'm not very knowledgeable in
> regular expressions and was hoping someone here could lend me a hand.
>
> The regex I came up with is "^ HORDE: \[(horde|imp)\] FAILED LOGIN for
> \S+ to (horde|{[^}]+}) \(<HOST>\) (.*)$"
>
> A sample line to match is as follows " HORDE: [horde] FAILED LOGIN for
> username to horde (127.0.0.1) [pid 2096 on line 199 of
> "/var/www/horde/login.php"]"
>
> I replaced the real IP address with 127.0.0.1 for security purposes but
> in the log file I have a real valid IP address.
>
> Thank you very much in advance,
> David Wells.
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
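Added example, not part of either message: generic regex testers do not know fail2ban's <HOST> tag, so this Python sketch substitutes a simplified IPv4-only stand-in (an assumption, not fail2ban's real expansion) and runs both regexes from the thread against the quoted sample line, with and without its leading space. The helper names are hypothetical; fail2ban-regex on the real log remains the authoritative test.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real
# expansion is broader and also accepts IPv6 addresses and hostnames).
HOST_STANDIN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex strings quoted in the thread.
ORIGINAL = (r"^ HORDE: \[(horde|imp)\] FAILED LOGIN for \S+ to "
            r"(horde|{[^}]+}) \(<HOST>\) (.*)$")
SUGGESTED = (r"^HORDE: \[(horde|imp)\] FAILED LOGIN for \S+ to horde "
             r"\(<HOST>\) \[.*\]$")

# Sample message from the thread as quoted: leading space, no timestamp.
SAMPLE = (' HORDE: [horde] FAILED LOGIN for username to horde (127.0.0.1) '
          '[pid 2096 on line 199 of "/var/www/horde/login.php"]')


def compile_failregex(failregex):
    """Expand the <HOST> tag so the pattern can be used with Python's re."""
    return re.compile(failregex.replace("<HOST>", HOST_STANDIN))


def matched_host(failregex, line):
    """Return the captured host if the line matches, otherwise None."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


def report(failregex, line):
    """Try the line as given and with leading whitespace removed."""
    return {
        "as quoted": matched_host(failregex, line),
        "leading whitespace removed": matched_host(failregex, line.lstrip()),
    }


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, report(rx, SAMPLE))
```

Each regex is anchored with ^, so whether it matches depends on exactly what precedes "HORDE:" in the text the pattern is applied to; the --print-all-missed output shows the lines that did not match.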