Hello Tim. Multiline is what I need. I've managed to put together a failregex line that seems to match all three lines. I only need the first and the third line. The second line holds no useful information, but I need a regex that matches that block of text to be able to capture the IP address and the error message stating that a non-SoftEther protocol was detected.
I'm trying, but not sure if this will work . . .

IP address: <HOST>.*\n.*\n.*A client which is non-SoftEther VPN software has connected to the port\..*\n

. . . with multiline=3 being used. I opted not to try to match the (Code 5) text.

On Thu, 26 Aug 2021 at 20:46, Tim Boneko via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:

> Hello Myron, hello list!
>
> On Thursday, 26.08.2021 at 19:24 +0100, Myron wrote:
> >
> > 2021-08-26 01:28:41.847 Connection "CID-584" terminated by the cause
> > "A client which is non-SoftEther VPN software has connected to the
> > port." (code 5).
> > 2021-08-26 01:28:41.857 Connection "CID-584" has been terminated.
> >
>
> Matching against that (code 5) string would be the easy part; () would
> have to be escaped with \ like this: \(code 5\)
>
> The trickier part is the missing IP address in the affected line. The
> log looks pretty verbose to me. Is it possible to configure the
> logging?
> If not, I'm lost for ideas right now. I guess you aren't the first to
> block hosts based on more than 1 log line. I guess "multiline" is what
> you are looking for.
> Cheers,
>
> tim
>
> > _______________________________________________
> > Fail2ban-users mailing list
> > Fail2ban-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
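Added example, not part of the original message and not fail2ban's own code: a Python check of the failregex posted above against a three-line block, modelling the multi-line buffer as a simple sliding window. The IPv4-only stand-in for <HOST>, the function name and the first two log lines of the block (which the thread does not show) are assumptions constructed for illustration; the second call shows that one unrelated line landing inside the block makes the fixed three-line pattern miss it.

```python
import re

# Failregex exactly as posted in the message; <HOST> is fail2ban's placeholder.
FAILREGEX = (r"IP address: <HOST>.*\n.*\n.*A client which is non-SoftEther VPN "
             r"software has connected to the port\..*\n")
# Assumption: IPv4-only stand-in for <HOST>, used for this example only.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

# These two lines are the ones quoted in the thread.
CAUSE = ('2021-08-26 01:28:41.847 Connection "CID-584" terminated by the cause '
         '"A client which is non-SoftEther VPN software has connected to the '
         'port." (code 5).')
DONE = '2021-08-26 01:28:41.857 Connection "CID-584" has been terminated.'
# Constructed lines: the thread does not show the first two lines of the block.
IP_LINE = ('2021-08-26 01:28:41.827 Connection "CID-584": '
           'IP address: 203.0.113.7 (constructed)')
FILLER = '2021-08-26 01:28:41.837 Connection "CID-584": filler (constructed)'
OTHER = '2021-08-26 01:28:41.840 Connection "CID-585": unrelated (constructed)'


def offenders(lines, window=3):
    """Slide a `window`-line buffer over the log and collect matched hosts."""
    hits = []
    for i in range(len(lines) - window + 1):
        # Re-attach the newline each log line ends with, as the regex expects.
        chunk = "".join(line + "\n" for line in lines[i:i + window])
        match = PATTERN.search(chunk)
        if match:
            hits.append(match.group("host"))
    return hits


if __name__ == "__main__":
    # Contiguous block: the host on line 1 is captured.
    print(offenders([IP_LINE, FILLER, CAUSE, DONE]))
    # Another connection's line interleaved: the block is no longer matched.
    print(offenders([IP_LINE, FILLER, OTHER, CAUSE, DONE]))
```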