Hello, I've been using fail2ban for years now, and recently did a Debian update. It's been a while ago, but today I noticed that mail filters don't work anymore.
I tried many different things, and in the end I noticed that the `%(__prefix_line)s` syntax caused my filters to not catch anything - but without that line I'm missing date and time information. So I did a manual test for the log line with `fail2ban-regex "Apr 10 22:36:36 hostname" "<HOST>"` and it worked. But my filters didn't even report a date match at all. So my file looked like

```
[INCLUDES]
before = common.conf

[Definition]
_daemon = ...
failregex = ^%(__prefix_line)s....$
ignoreregex = ...
```

The ignore regex worked all the time, but that didn't include prefix_lines. So I was wondering why that happened and checked the `common.conf`. I found different sections, and with some testing I found that the definitions under the [lt_file] section were working for me. I copied the datepattern and __prefix_line values into my filter.conf and it worked! So I removed it again and tested with "logtype = file" in different sections of filter.conf and jail.local, but nothing worked.

I currently have

```
__prefix_line = <__date_ambit>?\s*(?:<__bsd_syslog_verbose>\s+)?(?:<__hostname>\s+)?(?:<__kernel_prefix>\s+)?(?:<__vserver>\s+)?(?:<__daemon_combs_re>\s+)?(?:<__daemon_extra_re>\s+)?
datepattern = {^LN-BEG}
```

in my common.local and all my filters are working again. I sadly don't know what I have missed, that my common.conf doesn't work as expected. The common.conf is in the filters.d folder, same with common.local. I compared my jail.conf with the jail.conf.dist but didn't notice any difference. I grabbed a fresh common.conf from GitHub, without effect.

My fail2ban version is 0.10.2, using Debian 10.

Any idea what I've been missing?

Regards