On 08/05/2021 02:44, Dan Egli wrote:
Okay, I'm ready to scream here. No matter what pattern I try, if it's in
a file for fail2ban, the regex is missed. BUT if I take the EXACT SAME
REGEX and use it on the command line, it matches every time!! What's the
deal? Here's an example.
Log is 500 lines of messages like this:
07-May-2021 19:16:03.867 security: info: client @0x7fc7b804cd38 192.169.102.84#12001 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
So I start with a VERY basic pattern that I would not want to use in
production but is good for illustrating the point: .*<HOST>#.*
So, I run it on the command line:
# fail2ban-regex test.log ".*<HOST>#.*"
Running tests
=============
Use failregex line : .*<HOST>#.*
Use log file : test.log
Use encoding : UTF-8
Results
=======
Failregex: 500 total
|- #) [# of hits] regular expression
| 1) [500] .*<HOST>#.*
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [500] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 500 lines, 0 ignored, 500 matched, 0 missed
[processed in 0.06 sec]
Okay. So now let's throw it into an EXTREMELY SIMPLE config file:
[Definition]
failrexex = ".*<HOST>#.*"
ignoreregex =
Result: # fail2ban-regex test.log $PWD/test.conf
Running tests
=============
Use failregex file : /root/test.conf
Use log file : test.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [500] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 500 lines, 0 ignored, 0 matched, 500 missed
[processed in 0.03 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 500 lines
So, WHAT IS GOING ON?? I also tried without the quotes, and with the #
escaped by a \, no effect on any variant. Misses all 500 lines when the
test comes from a file vs. straight off the command line. Help?!
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
Looking at the output, I think you've quoted the regex in your
/root/test.conf as the "failrexex =" line is different in your two
tests. Remove the quoting.
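
A lint-style check for the filter file discussed in this thread, added here as an example (not code from either poster or from the fail2ban project). It assumes filter files are INI files read with Python's configparser, which keeps quote characters as part of the value, and it uses a simplified IPv4 pattern in place of <HOST>; lint_filter, HOST_GROUP and KNOWN_KEYS are names made up for the illustration.

```python
import configparser
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
KNOWN_KEYS = {"failregex", "ignoreregex"}  # the two options seen in the thread

# Log line from the thread, joined back onto one line.
SAMPLE_LINE = ("07-May-2021 19:16:03.867 security: info: client @0x7fc7b804cd38 "
               "192.169.102.84#12001 (pizzaseo.com): query (cache) "
               "'pizzaseo.com/RRSIG/IN' denied")


def lint_filter(conf_text, sample_line=SAMPLE_LINE):
    """Return (findings, hits) for the [Definition] section of a filter file."""
    parser = configparser.RawConfigParser()  # no % interpolation, no unquoting
    parser.read_string(conf_text)
    if not parser.has_section("Definition"):
        return ["no [Definition] section"], 0
    findings, hits = [], 0
    options = dict(parser.items("Definition"))
    for key, value in options.items():
        if key not in KNOWN_KEYS:
            findings.append(f"unknown option '{key}'")
            continue
        # One pattern per line; empty values (e.g. "ignoreregex =") yield none.
        for pattern in filter(None, (p.strip() for p in value.splitlines())):
            if len(pattern) > 1 and pattern[0] == pattern[-1] and pattern[0] in "\"'":
                findings.append(f"{key}: quotes are part of the pattern: {pattern}")
            if key == "failregex":
                rx = re.compile(pattern.replace("<HOST>", HOST_GROUP))
                hits += bool(rx.search(sample_line))
    if "failregex" not in options:
        findings.append("no failregex option defined")
    return findings, hits


if __name__ == "__main__":
    as_posted = '[Definition]\nfailrexex = ".*<HOST>#.*"\nignoreregex =\n'
    print(lint_filter(as_posted))
```
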