On Sun, 11 Oct 2020 at 21:10, Dan Egli <[email protected]> wrote:
>
> On 10/9/2020 6:56 AM, J. Smith wrote:
>
> Is there a way to limit the log listings in the email notifications to the
> last “n” number of entries in the log? The “sendmail-whois-lines.conf” file
> uses “grep -m” to limit the number of entries but it does so starting from
> the beginning of the log. As a result you may receive lines from a past
> brute force attack and not the current lines that created the present ban.
>
>
> Can you use tail? i.e. grep -m <regex> | tail -n <# of returns>
Is OP using an old version of fail2ban? v0.10.2 allows you to show
only the last n lines from the log by specifying grepmax:
# sed -n '30,35p' /etc/fail2ban/action.d/sendmail-whois-lines.conf
Here is more information about <ip> :\n
`/usr/bin/whois <ip> || echo missing whois program`\n\n
Lines containing failures of <ip>\n";
%(_grep_logs)s;
printf %%b "\n
Regards,\n
# grep -hEr "^_?grep(limit|_logs).*=" /etc/fail2ban
_grep_logs = logpath="<logpath>"; grep <grepopts> -E
%(_grep_logs_args)s $logpath | <greplimit>
_grep_logs_args = "(^|[^0-9a-fA-F:])$(echo '<ip>' | sed
's/\./\\./g')([^0-9a-fA-F:]|$)"
greplimit = tail -n <grepmax>
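
Added example (not part of the original message and not fail2ban's own code): the difference between limiting with grep -m and limiting with the tail-based greplimit shown above, run over a constructed log. The function names, log lines and addresses are made up for illustration; the pattern follows the _grep_logs_args line quoted above.

```shell
#!/bin/sh
# Constructed sample log: an old attack (Oct 01) and the current one (Oct 11)
# from 192.0.2.1, plus a look-alike address 192.0.2.10 that must not match.
sample_log() {
cat <<'EOF'
Oct 01 03:00:01 host sshd[101]: Failed password for root from 192.0.2.1 port 4001
Oct 01 03:00:02 host sshd[101]: Failed password for root from 192.0.2.1 port 4002
Oct 01 03:00:03 host sshd[101]: Failed password for root from 192.0.2.1 port 4003
Oct 11 20:59:01 host sshd[202]: Failed password for admin from 192.0.2.10 port 5001
Oct 11 21:00:01 host sshd[303]: Failed password for admin from 192.0.2.1 port 6001
Oct 11 21:00:02 host sshd[303]: Failed password for admin from 192.0.2.1 port 6002
EOF
}

# Same pattern shape as _grep_logs_args: escape the dots and require a
# non-address character (or a line boundary) on both sides of the IP.
ip_regex() {
    printf '(^|[^0-9a-fA-F:])%s([^0-9a-fA-F:]|$)' "$(echo "$1" | sed 's/\./\\./g')"
}

# grep -m N stops after the first N matches, i.e. the oldest lines in the log.
first_n() { sample_log | grep -m "$2" -E "$(ip_regex "$1")"; }

# greplimit style: collect every match, then keep only the last N (newest) lines.
last_n() { sample_log | grep -E "$(ip_regex "$1")" | tail -n "$2"; }

echo "grep -m 2 (oldest matches):"
first_n 192.0.2.1 2
echo "grep | tail -n 2 (newest matches):"
last_n 192.0.2.1 2
```

The first listing shows only the Oct 01 lines from the earlier attack; the second shows the Oct 11 lines that belong to the current ban, and neither includes the 192.0.2.10 entry.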