I use:
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O %I \"%{Referer}i\" \"%{User-agent}i\""

Wayne Sallee
wa...@waynesallee.com

-------- Original Message --------
*Subject: *  Re: [Fail2ban-users] Custom date filter
*From: *     Nick Howitt <n...@howitts.co.uk>
*To: *         Fail2ban-users <fail2ban-users@lists.sourceforge.net>
*CC: *        
*Date: *      2019-8-15  08:44 AM
I am making some progress, reading the strptime manual. I can do:
datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z

It passes the test on the strptime man page so there is hope!

On 15/08/2019 12:23, Nick Howitt wrote:
Bump. Anyone, please?

On 13/08/2019 14:24, Nick Howitt wrote:
I am just upgrading from 0.9.7 to 0.10.4 and my apache access log filters are no longer working. I can fix by deleting the datepattern entry from /etc/fail2ban/filter.d/common.conf and /etc/fail2ban/filter.d/apache-common.conf but that seems to be the wrong way to go about it. If I delete the two entries I get on a sample log:

   [root@server ~]# fail2ban-regex /root/apache.log /etc/fail2ban/filter.d/apache-404.conf -vvv

   Running tests
   =============

   Use   failregex filter file : apache-404, basedir: /etc/fail2ban
   Use         log file : /root/apache.log
   Use         encoding : UTF-8


   Results
   =======

   Failregex: 1 total
   |-  #) [# of hits] regular expression
   |   1) [1] ^(?=[0-9\.]* - .* \[.*\] ".*" 40[0458] )<HOST>
   |      77.247.109.232  Tue Aug 13 02:48:22 2019
   `-

   Ignoreregex: 0 total
   |-  #) [# of hits] regular expression
   |   1) [0] audbs5afkoj4y4bnkavz7pqatgnv3miu
   |   2) [0] \/clearos\/
   `-

   Date template hits:
   |- [# of hits] date format
   |  [1] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
   |  [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|
   ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
   <snip>
   `-

   Lines: 1 lines, 0 ignored, 1 matched, 0 missed
   [processed in 0.03 sec]


The line being tested is:

   77.247.109.232 - - [13/Aug/2019:02:48:22 +0100] "GET //yealink/WebItemsLevel.cfg HTTP/1.1" 404 223 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"


Based on this I've tried adding to my apache-404 filter:

   datepattern = Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?


This is not working. I also tried simplifying the regex to:

   Day\/MON\/ExYear:24hour:Minute:Second \+[0-9]+


But this does not work either. I suspect I am doing something wrong. Can anyone help, please?



_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
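
The strptime-style datepattern from the thread, checked against the quoted sample line; this is an added example, not part of the original messages and not fail2ban's own code. It assumes Python's `datetime.strptime` plus a small hypothetical directive table as a stand-in for fail2ban's date detector, and the vhost-prefixed line (matching the `%v:%p` LogFormat above) is constructed.

```python
import re
from datetime import datetime

# datepattern as written in the filter file; %% is the ini escape for a literal %.
CONFIG_DATEPATTERN = "%%d/%%b/%%Y:%%H:%%M:%%S %%z"

# Sample access-log line quoted in the thread.
SAMPLE_LINE = (
    '77.247.109.232 - - [13/Aug/2019:02:48:22 +0100] '
    '"GET //yealink/WebItemsLevel.cfg HTTP/1.1" 404 223 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) '
    'Gecko/20100101 Firefox/56.0"'
)
# Constructed line for a LogFormat that starts with %v:%p (hostname is made up).
VHOST_LINE = "www.example.com:443 " + SAMPLE_LINE

# Hypothetical helper table: regex fragment per strptime directive used here.
DIRECTIVE_RE = {
    "d": r"\d{2}", "b": r"[A-Za-z]{3}", "Y": r"\d{4}",
    "H": r"\d{2}", "M": r"\d{2}", "S": r"\d{2}", "z": r"[+-]\d{4}",
}

def unescape(config_value):
    """Undo ini interpolation escaping: %% -> %."""
    return config_value.replace("%%", "%")

def pattern_to_regex(fmt):
    """Turn a strptime format into a regex that locates the date inside a line."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt):
            out.append(DIRECTIVE_RE[fmt[i + 1]])  # KeyError: unsupported directive
            i += 2
        else:
            out.append(re.escape(fmt[i]))
            i += 1
    return re.compile("".join(out))

def extract_timestamp(line, config_datepattern=CONFIG_DATEPATTERN):
    """Return the timezone-aware datetime found in line, or None if none matches."""
    fmt = unescape(config_datepattern)
    m = pattern_to_regex(fmt).search(line)
    if m is None:
        return None
    return datetime.strptime(m.group(0), fmt)

if __name__ == "__main__":
    for sample in (SAMPLE_LINE, VHOST_LINE, "line without a date"):
        print(extract_timestamp(sample))
```

Because the date regex is not anchored to the start of the line, the same pattern finds the timestamp whether or not the line begins with a `vhost:port` prefix.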



