Re: [Fail2ban-users] Custom date filter

[Wayne Sallee]

I use: LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O %I \"%{Referer}i\" \"%{User-agent}i\"" Wayne Sallee wa...@waynesallee.com -------- Original Message -------- *Subject: *  Re: [Fail2ban-users] Custom date filter *From: *     Nick Howitt <n...@howitts.co.uk> *To: *         Fail2ban-users <fail2ban-users@lists.sourceforge.net> *CC: *         *Date: *      2019-8-15  08:44 AM I am making some progress, reading the strptime manual. I can do: datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z It passes the test on the strptime man page so there is hope! On 15/08/2019 12:23, Nick Howitt wrote: Bump. Anyone, please? On 13/08/2019 14:24, Nick Howitt wrote: I am just upgrading from 0.9.7 to 0.10.4 and my apache access log filters are no longer working. I can fix by deleting the datepattern entry from /etc/fail2ban/filter.d/common.conf and /etc/fail2ban/filter.d/apache-common.conf but that seems to be the wrong way to go about it. If I delete the two entries I get on a sample log:    [root@server ~]# fail2ban-regex /root/apache.log    /etc/fail2ban/filter.d/apache-404.conf -vvv    Running tests    =============    Use   failregex filter file : apache-404, basedir: /etc/fail2ban    Use         log file : /root/apache.log    Use         encoding : UTF-8    Results    =======    Failregex: 1 total    |-  #) [# of hits] regular _expression_    |   1) [1] ^(?=[0-9\.]* - .* \[.*\] ".*" 40[0458] )<HOST>    |      77.247.109.232  Tue Aug 13 02:48:22 2019    `-    Ignoreregex: 0 total    |-  #) [# of hits] regular _expression_    |   1) [0] audbs5afkoj4y4bnkavz7pqatgnv3miu    |   2) [0] \/clearos\/    `-    Date template hits:    |- [# of hits] date format    |  [1] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[    :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?    |  [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|    ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?    <snip>    `-    Lines: 1 lines, 0 ignored, 1 matched, 0 missed    [processed in 0.03 sec] The line being tested is:    77.247.109.232 - - [13/Aug/2019:02:48:22 +0100] "GET    //yealink/WebItemsLevel.cfg HTTP/1.1" 404 223 "-" "Mozilla/5.0    (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" Based on this I've tried adding to my apache-404 filter:    datepattern = Day(?P<_sep>[-/])MON(?P=_sep)ExYear[    :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? This is not working. I also tried simplifying the regex to:    Day\/MON\/ExYear:24hour:Minute:Second \+[0-9]+ But this does not work either. I suspect I am doing something wrong. Can anyone help, please? _______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users _______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users _______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users