Log is 500 lines of messages like this:

    07-May-2021 19:16:03.867 security: info: client @0x7fc7b804cd38 192.169.102.84#12001 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied

So I start with a VERY basic pattern that I would not want to use in production but is good for illustrating the point: .*<HOST>#.*
So, I run it on the command line:

    # fail2ban-regex test.log ".*<HOST>#.*"

    Running tests
    =============

    Use failregex line : .*<HOST>#.*
    Use log file : test.log
    Use encoding : UTF-8

    Results
    =======

    Failregex: 500 total
    |- #) [# of hits] regular expression
    | 1) [500] .*<HOST>#.*
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    | [500] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
    `-

    Lines: 500 lines, 0 ignored, 500 matched, 0 missed
    [processed in 0.06 sec]

Okay. So now let's throw it into an EXTREMELY SIMPLE config file:

    [Definition]
    failrexex = ".*<HOST>#.*"
    ignoreregex =

Result:

    # fail2ban-regex test.log $PWD/test.conf

    Running tests
    =============

    Use failregex file : /root/test.conf
    Use log file : test.log
    Use encoding : UTF-8

    Results
    =======

    Failregex: 0 total

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    | [500] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
    `-

    Lines: 500 lines, 0 ignored, 0 matched, 500 missed
    [processed in 0.03 sec]
    Missed line(s): too many to print. Use --print-all-missed to print all 500 lines
So, WHAT IS GOING ON?? I also tried without the quotes, and with the # escaped by a \, no effect on any variant. Misses all 500 lines when the test comes from a file vs. straight off the command line. Help?!
--
Dan Egli
From my Test Server
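
Added example, not part of the original post and not fail2ban's own code: a small Python check of the filter file quoted above that flags [Definition] option names that look like misspellings of the ones fail2ban filters use, flags values wrapped in quotes, and then counts matches against the sample log line. The IPv4-only HOST pattern, the absence of date stripping, and the names lint_filter and count_hits are assumptions made for illustration.

```python
import configparser
import difflib
import re

# Option names fail2ban filters use in [Definition] (not exhaustive;
# custom variables are also legal there, so only near-misses are flagged).
KNOWN = ["failregex", "ignoreregex", "prefregex", "maxlines", "datepattern", "journalmatch"]

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed inputs: the filter file and log line quoted in the post above.
FILTER = '[Definition]\nfailrexex = ".*<HOST>#.*"\nignoreregex =\n'
LINE = ("07-May-2021 19:16:03.867 security: info: client @0x7fc7b804cd38 "
        "192.169.102.84#12001 (pizzaseo.com): query (cache) "
        "'pizzaseo.com/RRSIG/IN' denied")


def lint_filter(text):
    """Return (warnings, failregex list) for a filter definition."""
    cp = configparser.RawConfigParser()  # keys are lower-cased, no interpolation
    cp.read_string(text)
    opts = dict(cp.items("Definition")) if cp.has_section("Definition") else {}
    warnings = []
    for key, value in opts.items():
        near = difflib.get_close_matches(key, KNOWN, n=1)
        if key not in KNOWN and near:
            warnings.append(f"'{key}' looks like a misspelling of '{near[0]}'")
        if len(value) > 1 and value[0] == value[-1] and value[0] in "\"'":
            warnings.append(f"'{key}' is wrapped in quotes; they become part of the value")
    regexes = [r for r in opts.get("failregex", "").splitlines() if r.strip()]
    if not regexes:
        warnings.append("no failregex defined; nothing can match")
    return warnings, regexes


def count_hits(regexes, lines):
    """Count lines matched by any failregex after substituting <HOST>."""
    compiled = [re.compile(r.replace("<HOST>", HOST)) for r in regexes]
    return sum(1 for ln in lines if any(c.search(ln) for c in compiled))


if __name__ == "__main__":
    fixed = "[Definition]\nfailregex = .*<HOST>#.*\nignoreregex =\n"
    for text in (FILTER, fixed):
        warns, regs = lint_filter(text)
        print(warns, "hits:", count_hits(regs, [LINE]))
```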
_______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users