Hi,

I just figured it out while reading a message on this list :) I had color coding enabled in Asterisk. This added extra characters in the actual log line. I figured this out using:

fail2ban-regex -lHEAVYDEBUG systemd-journal[journalflags=1] asterisk[logtype=journal]

Kind regards,
Pieter Hensen


On 2/17/26 13:40, Pieter Hensen wrote:
Hi,

I've been trying this for HOURS and just can't figure out what is going wrong... I am running Asterisk (in a Docker container) and it is logging to journald. Fail2ban is running on the host machine but this does not really matter for the problem I am having.

I am able to match a single log line (that I just copy/paste from journalctl) using fail2ban-regex -vv but not using journald directly. But if I take the Prefregex line that is output by fail2ban-regex, paste it in regex101.com (https://regex101.com/r/XuydiL/1) and also include some log lines, they do match!

So this gives a match:

fail2ban-regex -vv "Feb 17 11:28:49 s1 asterisk[584]: [Feb 17 11:28:49] NOTICE[169]: res_pjsip/pjsip_distributor.c:673 log_failed_request: Request 'REGISTER' from '<sip:[email protected]>' failed for '94.23.150.225:51825' (callid: 1052582086-1967824972-593464062) - Failed to authenticate" asterisk[logtype=journal]

This does not work:

fail2ban-regex systemd-journal[journalflags=1] asterisk

Running tests
=============

Use   failregex filter file : asterisk, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG} : Default Detectors
Use         systemd journal
Use         encoding : UTF-8
Use    journal match : CONTAINER_NAME=asterisk


Results
=======

Prefregex: 0 total
|  ^\s*(?:\S+\s+)?(?:asterisk(?:\s*\[\d+\])?:?\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:\[[^\]]+\]\s+)?(?:NOTICE|SECURITY|WARNING)(?:\s*\[\d+\]):?(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? [^:]+:)? (?P<content>.+)$
`-

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 7655 lines, 0 ignored, 0 matched, 7655 missed


I've attached some more lines from my journal.



_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
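
Added example, not part of the original thread: a small Python check that applies the Prefregex printed above to a journal message with and without ANSI colour escape sequences, showing why a line that looks identical when copy/pasted can still fail to match. The sample lines are constructed (documentation IP addresses, made-up call ID), and the placement of the escape sequences around the log level is an assumption about how a coloured line might look.

```python
import re

# Prefregex exactly as printed by fail2ban-regex in the thread.
PREFREGEX = re.compile(
    r"^\s*(?:\S+\s+)?(?:asterisk(?:\s*\[\d+\])?:?\s+)?"
    r"(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:\[[^\]]+\]\s+)?"
    r"(?:NOTICE|SECURITY|WARNING)(?:\s*\[\d+\]):?(?:\[C-[\da-f]*\])?:? "
    r"[^:]+:\d*(?:(?: in)? [^:]+:)? (?P<content>.+)$"
)

# ANSI CSI sequence: ESC [ parameter bytes, intermediate bytes, final byte.
# Colour codes such as ESC[1;33m and ESC[0m are covered by this.
ANSI_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")


def strip_ansi(line):
    """Remove ANSI CSI escape sequences from a log line."""
    return ANSI_CSI.sub("", line)


def diagnose(line):
    """Return (matches_raw, matches_after_strip, contains_escape)."""
    return (
        PREFREGEX.search(line) is not None,
        PREFREGEX.search(strip_ansi(line)) is not None,
        "\x1b" in line,
    )


# Constructed samples modelled on the line in the thread, with the leading
# syslog timestamp dropped. Addresses and call ID are placeholders.
TAIL = (
    "res_pjsip/pjsip_distributor.c:673 log_failed_request: Request 'REGISTER' "
    "from '<sip:100@192.0.2.1>' failed for '198.51.100.7:51825' "
    "(callid: 1-2-3) - Failed to authenticate"
)
PLAIN = "s1 asterisk[584]: [Feb 17 11:28:49] NOTICE[169]: " + TAIL
# Assumed colour placement: escape sequences wrapped around the log level.
COLORED = "s1 asterisk[584]: [Feb 17 11:28:49] \x1b[1;33mNOTICE\x1b[0m[169]: " + TAIL

if __name__ == "__main__":
    for name, line in (("plain", PLAIN), ("colored", COLORED)):
        raw, stripped, esc = diagnose(line)
        print(f"{name:8} escape={esc} raw_match={raw} stripped_match={stripped}")
        # repr() makes the otherwise invisible escape bytes visible.
        print("         ", repr(line[:60]))
```

Printing a missed line with repr() is a quick way to see whether invisible bytes are what keeps the filter from matching.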
