You need to specify <host> somewhere in your regex, but make sure it
does not pick up your internal IP. Perhaps something like:
.*\[<HOST>\]:\d+ \[.*EXIMSPAMASSASSINEXCESSIVEFAIL2BAN
On 02/12/2021 13:56, Steve Charmer wrote:
Hello,
I am running Fail2Ban Version 0.9.3 on Ubuntu 16.04.5 LTS (LOL)
In EXIM, I have an ACL write a string into exim's mainlog when an email
has an excessively high spam score.
I want to write a failregex to find the host info of a log line like this:
2021-12-01 16:01:00 [19572] 1msWip-00055g-03 H=(mta.emails.nationalgridus.com) [13.111.106.205]:42333 I=[10.10.10.0]:25 Warning: EXIMSPAMASSASSINEXCESSIVEFAIL2BAN
I tried this failregex, but testing it does not get any hits
failregex = ^%(pid)s \w+ %(host_info)sEXIMSPAMASSASSINEXCESSIVEFAIL2BAN$
Which, to me, reads as:
find the processid and a single space
then any word (for the "H=(mta.emails..." string )
then the host_info and a single space
then the text string written by EXIM4's ACL at the end of the line (no
space after that in my text editor)
I also tried this website to generate a regex
https://regex-generator.olafneumann.org/?sampleText=Warning%3A%20EXIMSPAMASSASSINEXCESSIVEFAIL2BAN
but I cannot figure it out :(
I appreciate any tips, suggestions, corrections, thank you.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
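
An added example, not part of the original thread: a small Python check that reports which address each candidate failregex captures from the sample log line, so a pattern that grabs the internal I=[...] interface address is caught before it bans the wrong host. The IPv4-only HOST expansion, the timestamp stripping and the names loose and interface_anchored are assumptions made for this sketch; fail2ban's own <HOST> expansion is broader.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the
# real expansion also accepts hostnames and IPv6 addresses).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
MARKER = "EXIMSPAMASSASSINEXCESSIVEFAIL2BAN"

# Sample line from the thread, rejoined onto one line.
SAMPLE = (
    "2021-12-01 16:01:00 [19572] 1msWip-00055g-03 "
    "H=(mta.emails.nationalgridus.com) [13.111.106.205]:42333 "
    "I=[10.10.10.0]:25 Warning: EXIMSPAMASSASSINEXCESSIVEFAIL2BAN"
)

CANDIDATES = {
    # Greedy leading .* backtracks from the end of the line, so the last
    # "[ip]:port " wins: this captures the internal interface address.
    "loose": r".*\[<HOST>\]:\d+ .*" + MARKER,
    # The pattern as posted in the reply: it expects "[" right after the
    # port, but the sample line has "I=[" there.
    "as_posted": r".*\[<HOST>\]:\d+ \[.*" + MARKER,
    # Hypothetical variant: requiring the "I=[" that follows the remote
    # host pins <HOST> to the sending address.
    "interface_anchored": r"\[<HOST>\]:\d+ I=\[.*" + MARKER,
}


def strip_timestamp(line):
    """Drop the leading date, as fail2ban does before applying a failregex."""
    return re.sub(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d", "", line, count=1)


def captured_host(failregex, line):
    """Return the address <HOST> captures, or None if the line does not match."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    match = pattern.search(strip_timestamp(line))
    return match.group("host") if match else None


def evaluate(line=SAMPLE):
    """Map each candidate name to the host it would hand to fail2ban."""
    return {name: captured_host(rx, line) for name, rx in CANDIDATES.items()}


if __name__ == "__main__":
    for name, host in evaluate().items():
        print(f"{name:20} -> {host}")
```

Whatever pattern passes this check should still be run through fail2ban-regex against the real exim mainlog before it goes into a filter.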