On Apr 9, 2022, at 11:47 PM, Warren Young <fail2ban2...@tangentsoft.com> wrote:
>
> I’m in the process of writing an article about this, which gives more context
> on the problem:
>
> https://tangentsoft.com/mikrotik/wiki?name=Using%20fail2ban%20with%20Remote%20syslog

I managed to solve the problem with multiple hosts without hard-coding anything or multiple jails on my own. There turned out to be several layers to the problem:

1. I assumed fail2ban would remove the sender’s hostname and the syslog tags from the log line, as it does with the timestamp, but no, it is in fact available to the failregex.

2. I couldn’t find any documentation on how to pass a captured piece of the regex from the filter to the action. Only with a lot of web searching did I come up with the <F-VAR>regex</F-VAR> syntax. Shouldn’t that be in the manual?

3. I had a fair bit of trouble pinning the regex to the start of the log line since fail2ban includes the space between the timestamp and the sender’s host name. I had to put ^\s? at the beginning to pin the regex and then eat the space.

Regardless, it’s now working as intended, both on macOS and on CentOS.

> The article currently talks about macOS and Homebrew, but due to a problem I
> found getting fail2ban to run there

Just FYI, this problem was solved by the Homebrew package maintainer. There was an incompatibility with Python 3.10.

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
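
The three points in the message above, as an added Python sketch that is not from the post, the linked article, or fail2ban's own code: it imitates the timestamp removal, expands <F-NAME>…</F-NAME> into a named group, and fills the capture into an action command. The log line, the F-ROUTER tag name, the simplified <HOST> and timestamp patterns, and the `notify-router` command are all assumptions made up for illustration.

```python
import re

# Simplified stand-ins (assumptions): fail2ban's real <HOST> pattern and
# date detection are far more general than these two.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d")

# Constructed remote-syslog line: timestamp, sender hostname, tags, message.
SAMPLE = ("Apr  9 23:47:01 router1 system,error,critical "
          "login failure for user admin from 203.0.113.7 via ssh")

# The capture ends up in a command line, so it is limited to hostname
# characters instead of \S+.
FILTER = (r"^\s?<F-ROUTER>[A-Za-z0-9.-]+</F-ROUTER> \S+ "
          r"login failure for user \S+ from <HOST> via \S+$")
UNPINNED = FILTER.replace(r"^\s?", "^", 1)   # same filter without the \s?

# Hypothetical action command; "notify-router" is not a real tool.
ACTION = "notify-router --router <F-ROUTER> --block <ip>"


def expand(failregex):
    """Turn <F-NAME>...</F-NAME> and <HOST> into Python named groups."""
    out = re.sub(r"<F-([A-Z]+)>(.*?)</F-\1>",
                 lambda m: "(?P<%s>%s)" % (m.group(1).lower(), m.group(2)),
                 failregex)
    return out.replace("<HOST>", HOST_RE)


def match_line(failregex, line):
    """Cut the timestamp out, as the post describes, then apply the regex."""
    rest = TIMESTAMP_RE.sub("", line, count=1)   # the leading space remains
    m = re.search(expand(failregex), rest)
    return m.groupdict() if m else None


def render_action(template, captures):
    """Fill <F-NAME> and <ip> tags in an action command from the captures."""
    cmd = re.sub(r"<F-([A-Z]+)>",
                 lambda m: captures[m.group(1).lower()], template)
    return cmd.replace("<ip>", captures["host"])


if __name__ == "__main__":
    found = match_line(FILTER, SAMPLE)
    print(found)
    print(render_action(ACTION, found))
    print(match_line(UNPINNED, SAMPLE))   # None: '^' lands on the space
```

Restricting the captured hostname to `[A-Za-z0-9.-]+` means a sender that reports a name containing shell metacharacters simply fails to match instead of reaching the action command.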