Re: [Fail2ban-users] Custom date filter

2019-08-15 Thread Wayne Sallee

  
  
I use:
  LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O %I \"%{Referer}i\" \"%{User-agent}i\""
  
  Wayne Sallee
  wa...@waynesallee.com


-------- Original Message --------
*Subject: * Re: [Fail2ban-users] Custom date filter
*From: * Nick Howitt
*To: * Fail2ban-users
*CC: *
*Date: * 2019-8-15 08:44 AM

I am making some progress, reading the strptime manual. I can do:

datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z

It passes the test on the strptime man page so there is hope!

On 15/08/2019 12:23, Nick Howitt wrote:

Bump. Anyone, please?

On 13/08/2019 14:24, Nick Howitt wrote:

I am just upgrading from 0.9.7 to 0.10.4 and my apache access log
filters are no longer working. I can fix by deleting the datepattern
entry from /etc/fail2ban/filter.d/common.conf and
/etc/fail2ban/filter.d/apache-common.conf but that seems to be the
wrong way to go about it. If I delete the two entries I get on a
sample log:


   [root@server ~]# fail2ban-regex /root/apache.log
   /etc/fail2ban/filter.d/apache-404.conf -vvv

   Running tests
   =

   Use   failregex filter file : apache-404, basedir: /etc/fail2ban
   Use log file : /root/apache.log
   Use encoding : UTF-8


   Results
   ===

   Failregex: 1 total
   |-  #) [# of hits] regular expression
   |   1) [1] ^(?=[0-9\.]* - .* \[.*\] ".*" 40[0458] )
   |  77.247.109.232  Tue Aug 13 02:48:22 2019
   `-

   Ignoreregex: 0 total
   |-  #) [# of hits] regular expression
   |   1) [0] audbs5afkoj4y4bnkavz7pqatgnv3miu
   |   2) [0] \/clearos\/
   `-

   Date template hits:
   |- [# of hits] date format
   |  [1] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[
   :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
   |  [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|
   ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?

   `-

   Lines: 1 lines, 0 ignored, 1 matched, 0 missed
   [processed in 0.03 sec]


The line being tested is:

   77.247.109.232 - - [13/Aug/2019:02:48:22 +0100] "GET
   //yealink/WebItemsLevel.cfg HTTP/1.1" 404 223 "-" "Mozilla/5.0
   (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"


Based on this I've tried adding to my apache-404 filter:

   datepattern = Day(?P<_sep>[-/])MON(?P=_sep)ExYear[
   :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?


This is not working. I also tried simplifying the regex to:

   Day\/MON\/ExYear:24hour:Minute:Second \+[0-9]+


But this does not work either. I suspect I am doing something wrong.
Can anyone help, please?
  
  
  
  
___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


Re: [Fail2ban-users] Custom date filter

2019-08-15 Thread Nick Howitt

I am making some progress, reading the strptime manual. I can do:
datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z

It passes the test on the strptime man page so there is hope!

On 15/08/2019 12:23, Nick Howitt wrote:

Bump. Anyone, please?

On 13/08/2019 14:24, Nick Howitt wrote:
I am just upgrading from 0.9.7 to 0.10.4 and my apache access log 
filters are no longer working. I can fix by deleting the datepattern 
entry from /etc/fail2ban/filter.d/common.conf and 
/etc/fail2ban/filter.d/apache-common.conf but that seems to be the 
wrong way to go about it. If I delete the two entries I get on a 
sample log:


   [root@server ~]# fail2ban-regex /root/apache.log
   /etc/fail2ban/filter.d/apache-404.conf -vvv

   Running tests
   =

   Use   failregex filter file : apache-404, basedir: /etc/fail2ban
   Use log file : /root/apache.log
   Use encoding : UTF-8


   Results
   ===

   Failregex: 1 total
   |-  #) [# of hits] regular expression
   |   1) [1] ^(?=[0-9\.]* - .* \[.*\] ".*" 40[0458] )
   |  77.247.109.232  Tue Aug 13 02:48:22 2019
   `-

   Ignoreregex: 0 total
   |-  #) [# of hits] regular expression
   |   1) [0] audbs5afkoj4y4bnkavz7pqatgnv3miu
   |   2) [0] \/clearos\/
   `-

   Date template hits:
   |- [# of hits] date format
   |  [1] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[
   :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
   |  [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|
   ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
   
   `-

   Lines: 1 lines, 0 ignored, 1 matched, 0 missed
   [processed in 0.03 sec]


The line being tested is:

   77.247.109.232 - - [13/Aug/2019:02:48:22 +0100] "GET
   //yealink/WebItemsLevel.cfg HTTP/1.1" 404 223 "-" "Mozilla/5.0
   (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"


Based on this I've tried adding to my apache-404 filter:

   datepattern = Day(?P<_sep>[-/])MON(?P=_sep)ExYear[
   :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?


This is not working. I also tried simplifying the regex to:

   Day\/MON\/ExYear:24hour:Minute:Second \+[0-9]+


But this does not work either. I suspect I am doing something wrong. 
Can anyone help, please?




Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
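
Added example, not part of the original thread and not fail2ban's own code: a quick offline check that the strptime-style `datepattern` posted above parses the timestamp in the sample log line, and why it is written with `%%` in the filter file. It assumes Python's stock `configparser` as a stand-in for fail2ban's config reader and uses `datetime.strptime` on the bracketed field rather than fail2ban's date detector; the vhost-prefixed line and `www.example.com` are constructed to match the `LogFormat` quoted in the reply above.

```python
import configparser
import re
from datetime import datetime

# Constructed filter fragment carrying the datepattern from the thread.
FILTER_CONF = """
[Definition]
datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z
"""

# Sample line from the thread (user agent shortened), plus a constructed
# line in the vhost-prefixed LogFormat (%v:%p first, %O %I byte counts).
PLAIN = ('77.247.109.232 - - [13/Aug/2019:02:48:22 +0100] "GET '
         '//yealink/WebItemsLevel.cfg HTTP/1.1" 404 223 "-" "Mozilla/5.0"')
VHOST = ('www.example.com:80 77.247.109.232 - - [13/Aug/2019:02:48:22 +0100] '
         '"GET //yealink/WebItemsLevel.cfg HTTP/1.1" 404 223 310 "-" "Mozilla/5.0"')


def load_datepattern(conf_text):
    """Return the pattern after interpolation has turned %% into %."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("Definition", "datepattern")


def parse_timestamp(line, pattern):
    """Parse the bracketed Apache timestamp; None if absent or malformed."""
    m = re.search(r"\[([^\]]+)\]", line)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), pattern)
    except ValueError:
        return None


def single_percent_is_rejected():
    """A pattern written with single % is rejected when the option is fetched."""
    cp = configparser.ConfigParser()
    cp.read_string("[Definition]\ndatepattern = %d/%b/%Y:%H:%M:%S %z\n")
    try:
        cp.get("Definition", "datepattern")
    except configparser.InterpolationSyntaxError:
        return True
    return False


if __name__ == "__main__":
    pat = load_datepattern(FILTER_CONF)
    for line in (PLAIN, VHOST, "no timestamp here"):
        print(pat, "->", parse_timestamp(line, pat))
```

On a host with fail2ban installed, the authoritative check remains `fail2ban-regex` against the real log and filter, as in the original post.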


Re: [Fail2ban-users] Custom date filter

2019-08-15 Thread Nick Howitt

Bump. Anyone, please?

On 13/08/2019 14:24, Nick Howitt wrote:
I am just upgrading from 0.9.7 to 0.10.4 and my apache access log 
filters are no longer working. I can fix by deleting the datepattern 
entry from /etc/fail2ban/filter.d/common.conf and 
/etc/fail2ban/filter.d/apache-common.conf but that seems to be the 
wrong way to go about it. If I delete the two entries I get on a 
sample log:


   [root@server ~]# fail2ban-regex /root/apache.log
   /etc/fail2ban/filter.d/apache-404.conf -vvv

   Running tests
   =

   Use   failregex filter file : apache-404, basedir: /etc/fail2ban
   Use log file : /root/apache.log
   Use encoding : UTF-8


   Results
   ===

   Failregex: 1 total
   |-  #) [# of hits] regular expression
   |   1) [1] ^(?=[0-9\.]* - .* \[.*\] ".*" 40[0458] )
   |  77.247.109.232  Tue Aug 13 02:48:22 2019
   `-

   Ignoreregex: 0 total
   |-  #) [# of hits] regular expression
   |   1) [0] audbs5afkoj4y4bnkavz7pqatgnv3miu
   |   2) [0] \/clearos\/
   `-

   Date template hits:
   |- [# of hits] date format
   |  [1] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[
   :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
   |  [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|
   ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
   
   `-

   Lines: 1 lines, 0 ignored, 1 matched, 0 missed
   [processed in 0.03 sec]


The line being tested is:

   77.247.109.232 - - [13/Aug/2019:02:48:22 +0100] "GET
   //yealink/WebItemsLevel.cfg HTTP/1.1" 404 223 "-" "Mozilla/5.0
   (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"


Based on this I've tried adding to my apache-404 filter:

   datepattern = Day(?P<_sep>[-/])MON(?P=_sep)ExYear[
   :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?


This is not working. I also tried simplifying the regex to:

   Day\/MON\/ExYear:24hour:Minute:Second \+[0-9]+


But this does not work either. I suspect I am doing something wrong. 
Can anyone help, please?



