Re: [Fail2ban-users] Custom date filter
I use:

    LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O %I \"%{Referer}i\" \"%{User-agent}i\""

Wayne Sallee
wa...@waynesallee.com

---- Original Message ----
Subject: Re: [Fail2ban-users] Custom date filter
From: Nick Howitt
To: Fail2ban-users
CC:
Date: 2019-8-15 08:44 AM

I am making some progress, reading the strptime manual. I can do:

    datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z

It passes the test on the strptime man page so there is hope!

On 15/08/2019 12:23, Nick Howitt wrote:

Bump. Anyone, please?

On 13/08/2019 14:24, Nick Howitt wrote:

I am just upgrading from 0.9.7 to 0.10.4 and my apache access log filters are no longer working. I can fix by deleting the datepattern entry from /etc/fail2ban/filter.d/common.conf and /etc/fail2ban/filter.d/apache-common.conf but that seems to be the wrong way to go about it. If I delete the two entries I get on a sample log:

    [root@server ~]# fail2ban-regex /root/apache.log /etc/fail2ban/filter.d/apache-404.conf -vvv

    Running tests
    =============

    Use failregex filter file : apache-404, basedir: /etc/fail2ban
    Use log file : /root/apache.log
    Use encoding : UTF-8

    Results
    =======

    Failregex: 1 total
    |- #) [# of hits] regular expression
    | 1) [1] ^(?=[0-9\.]* - .* \[.*\] ".*" 40[0458] )
    | 77.247.109.232 Tue Aug 13 02:48:22 2019
    `-

    Ignoreregex: 0 total
    |- #) [# of hits] regular expression
    | 1) [0] audbs5afkoj4y4bnkavz7pqatgnv3miu
    | 2) [0] \/clearos\/
    `-

    Date template hits:
    |- [# of hits] date format
    | [1] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
    | [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
    `-

    Lines: 1 lines, 0 ignored, 1 matched, 0 missed
    [processed in 0.03 sec]

The line being tested is:

    77.247.109.232 - - [13/Aug/2019:02:48:22 +0100] "GET //yealink/WebItemsLevel.cfg HTTP/1.1" 404 223 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"

Based on this I've tried adding to my apache-404 filter:

    datepattern = Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?

This is not working. I also tried simplifying the regex to:

    Day\/MON\/ExYear:24hour:Minute:Second \+[0-9]+

But this does not work either. I suspect I am doing something wrong. Can anyone help, please?

___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
Re: [Fail2ban-users] Custom date filter
I am making some progress, reading the strptime manual. I can do:

    datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z

It passes the test on the strptime man page so there is hope!

On 15/08/2019 12:23, Nick Howitt wrote:

Bump. Anyone, please?

On 13/08/2019 14:24, Nick Howitt wrote:

I am just upgrading from 0.9.7 to 0.10.4 and my apache access log filters are no longer working. I can fix by deleting the datepattern entry from /etc/fail2ban/filter.d/common.conf and /etc/fail2ban/filter.d/apache-common.conf but that seems to be the wrong way to go about it. If I delete the two entries I get on a sample log:

    [root@server ~]# fail2ban-regex /root/apache.log /etc/fail2ban/filter.d/apache-404.conf -vvv

    Running tests
    =============

    Use failregex filter file : apache-404, basedir: /etc/fail2ban
    Use log file : /root/apache.log
    Use encoding : UTF-8

    Results
    =======

    Failregex: 1 total
    |- #) [# of hits] regular expression
    | 1) [1] ^(?=[0-9\.]* - .* \[.*\] ".*" 40[0458] )
    | 77.247.109.232 Tue Aug 13 02:48:22 2019
    `-

    Ignoreregex: 0 total
    |- #) [# of hits] regular expression
    | 1) [0] audbs5afkoj4y4bnkavz7pqatgnv3miu
    | 2) [0] \/clearos\/
    `-

    Date template hits:
    |- [# of hits] date format
    | [1] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
    | [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
    `-

    Lines: 1 lines, 0 ignored, 1 matched, 0 missed
    [processed in 0.03 sec]

The line being tested is:

    77.247.109.232 - - [13/Aug/2019:02:48:22 +0100] "GET //yealink/WebItemsLevel.cfg HTTP/1.1" 404 223 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"

Based on this I've tried adding to my apache-404 filter:

    datepattern = Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?

This is not working. I also tried simplifying the regex to:

    Day\/MON\/ExYear:24hour:Minute:Second \+[0-9]+

But this does not work either. I suspect I am doing something wrong. Can anyone help, please?
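Why the directives in the datepattern above are doubled, as an added example that is not part of the original messages or of fail2ban's own code. It assumes Python's standard configparser behaves like fail2ban's filter-file reader with respect to `%` (a lone `%` starts an interpolation, `%%` is a literal `%`); the helper names and the two filter fragments are constructed for illustration.

```python
import configparser
from datetime import datetime, timezone
import re

# Log line quoted in the thread.
SAMPLE_LINE = (
    '77.247.109.232 - - [13/Aug/2019:02:48:22 +0100] '
    '"GET //yealink/WebItemsLevel.cfg HTTP/1.1" 404 223 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) '
    'Gecko/20100101 Firefox/56.0"'
)

# Constructed filter fragments: the doubled form from the thread, and the
# same pattern written with single '%' as it appears in the strptime manual.
DOUBLED = "[Definition]\ndatepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z\n"
SINGLE = "[Definition]\ndatepattern = %d/%b/%Y:%H:%M:%S %z\n"


def load_datepattern(conf_text):
    """Return datepattern after interpolation, or None if it is rejected."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    try:
        return parser.get("Definition", "datepattern")
    except configparser.InterpolationError:
        return None  # a lone '%' is not valid interpolation syntax


def parse_log_time(line, fmt):
    """Parse the bracketed Apache timestamp with fmt; None if it does not fit."""
    stamp = re.search(r"\[([^\]]+)\]", line)
    if fmt is None or stamp is None:
        return None
    try:
        # %b is locale dependent; "Aug" assumes an English/C locale.
        return datetime.strptime(stamp.group(1), fmt)
    except ValueError:
        return None


def check(conf_text, line=SAMPLE_LINE):
    """Return (strptime format seen after config parsing, event time in UTC)."""
    fmt = load_datepattern(conf_text)
    when = parse_log_time(line, fmt)
    return fmt, (when.astimezone(timezone.utc) if when else None)


if __name__ == "__main__":
    for name, conf in (("doubled", DOUBLED), ("single", SINGLE)):
        print(name, check(conf))
```

Because `%z` consumes the `+0100` offset, the parsed time is timezone-aware, which is what keeps the event time correct when it is compared against the current time for ban decisions. `fail2ban-regex` on a real log remains the check that exercises fail2ban's own matcher.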
Re: [Fail2ban-users] Custom date filter
Bump. Anyone, please?

On 13/08/2019 14:24, Nick Howitt wrote:

I am just upgrading from 0.9.7 to 0.10.4 and my apache access log filters are no longer working. I can fix by deleting the datepattern entry from /etc/fail2ban/filter.d/common.conf and /etc/fail2ban/filter.d/apache-common.conf but that seems to be the wrong way to go about it. If I delete the two entries I get on a sample log:

    [root@server ~]# fail2ban-regex /root/apache.log /etc/fail2ban/filter.d/apache-404.conf -vvv

    Running tests
    =============

    Use failregex filter file : apache-404, basedir: /etc/fail2ban
    Use log file : /root/apache.log
    Use encoding : UTF-8

    Results
    =======

    Failregex: 1 total
    |- #) [# of hits] regular expression
    | 1) [1] ^(?=[0-9\.]* - .* \[.*\] ".*" 40[0458] )
    | 77.247.109.232 Tue Aug 13 02:48:22 2019
    `-

    Ignoreregex: 0 total
    |- #) [# of hits] regular expression
    | 1) [0] audbs5afkoj4y4bnkavz7pqatgnv3miu
    | 2) [0] \/clearos\/
    `-

    Date template hits:
    |- [# of hits] date format
    | [1] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
    | [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
    `-

    Lines: 1 lines, 0 ignored, 1 matched, 0 missed
    [processed in 0.03 sec]

The line being tested is:

    77.247.109.232 - - [13/Aug/2019:02:48:22 +0100] "GET //yealink/WebItemsLevel.cfg HTTP/1.1" 404 223 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"

Based on this I've tried adding to my apache-404 filter:

    datepattern = Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?

This is not working. I also tried simplifying the regex to:

    Day\/MON\/ExYear:24hour:Minute:Second \+[0-9]+

But this does not work either. I suspect I am doing something wrong. Can anyone help, please?