Date pattern addition in filter file #2150
Comments
Your pattern could be for example `'^[%d-%b-%Y_%H:%M:%S,%f]'`. Note, in the config-files, you should specify it with dual percent-character, like:

```
datepattern = ^\[%%d-%%b-%%Y_%%H:%%M:%%S,%%f\]
```

PoC:

```
$ fail2ban-regex -v -d '^\[%d-%b-%Y_%H:%M:%S,%f\]' "$str" 'from ip : <HOST>'

Running tests
=============

Use datepattern : ^\[Day-MON-Year_24hour:Minute:Second,Microseconds\]
Use failregex line : from ip : <HOST>
Use single line : [06-Jun-2018_17:07:42,500] [INFO] [mithi.mcs.auth....

Results
=======

Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] from ip : <HOST>
| 192.168.0.124 Wed Jun 06 17:07:42 2018
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [1] ^\[Day-MON-Year_24hour:Minute:Second,Microseconds\]
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]
```

Also note that fail2ban cuts out the date-time matching datepattern from the string before searching for the failregex match.

Bonus answer - read the manual, for example start with Regular Expression Syntax :: Python documentation.
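To make the two points of that comment concrete (the doubled `%%` in the config file and the fact that the date is cut out of the line before failregex runs), here is an added Python example that is not fail2ban's own code. It reads a constructed `[Init]` section with `configparser` (which collapses `%%` to `%`), turns the strftime-style datepattern into a regex with a small hypothetical directive table, cuts the matched date out of a constructed log line, and only then applies the failregex. The `<HOST>` expansion is a deliberate simplification; fail2ban's real one is much stricter.

```python
import configparser
import re
from datetime import datetime

# Constructed [Init] section (not the thread's filter file): the doubled %% is
# collapsed to a single % by ConfigParser interpolation when the value is read.
INIT_SECTION = r"""
[Init]
datepattern = ^\[%%d-%%b-%%Y_%%H:%%M:%%S,%%f\]
"""

# Constructed log line modelled on the single line in the fail2ban-regex run above.
SAMPLE_LINE = "[06-Jun-2018_17:07:42,500] [INFO] [mithi.mcs.auth] - from ip : 192.168.0.124 failed"

# Hypothetical strftime-directive -> regex table covering only the directives used
# in the datepattern above; fail2ban keeps its own, much larger table.
TOKENS = {
    "%d": r"\d{2}",        # day of month
    "%b": r"[A-Za-z]{3}",  # abbreviated month name
    "%Y": r"\d{4}",        # four-digit year
    "%H": r"\d{2}",        # hour
    "%M": r"\d{2}",        # minute
    "%S": r"\d{2}",        # second
    "%f": r"\d{1,6}",      # fraction of a second
}


def load_datepattern(ini_text: str) -> str:
    """Read datepattern from [Init]; every %% in the file arrives here as %."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp.get("Init", "datepattern")


def datepattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Replace each strftime directive with a regex fragment; anchors, escaped
    brackets and separators are passed through unchanged."""
    parts = []
    i = 0
    while i < len(pattern):
        token = pattern[i:i + 2]
        if token in TOKENS:
            parts.append(TOKENS[token])
            i += 2
        else:
            parts.append(pattern[i])
            i += 1
    return re.compile("".join(parts))


def extract(line: str, ini_text: str = INIT_SECTION, failregex: str = "from ip : <HOST>"):
    """Mimic fail2ban's order of work: find the date, cut it out of the line,
    then run failregex on the remainder. Returns (timestamp, remainder, host) or None."""
    pattern = load_datepattern(ini_text)
    m = datepattern_to_regex(pattern).search(line)
    if m is None:
        return None
    # strptime understands the same directives once the regex-only characters are dropped
    when = datetime.strptime(m.group(0), pattern.lstrip("^").replace("\\", ""))
    remainder = (line[:m.start()] + line[m.end():]).strip()
    # Simplified <HOST> expansion (assumption): any run of non-whitespace
    host_re = re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))
    fm = host_re.search(remainder)
    return when, remainder, (fm.group("host") if fm else None)


if __name__ == "__main__":
    print(extract(SAMPLE_LINE))
```

The remainder handed to failregex starts at `[INFO]`, which is why a failregex that begins with `^\[\S+\]` should be written against the line with the timestamp already removed, not against the raw log line.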
That worked well, thank you Sir
Something like this. So you should just use a more precise pattern:

```
>>> import re
>>> cr = re.compile(r"\S+\. Return Code : (?!114)\d+\.")
>>> print(bool(cr.match("something. Return Code : 108.")))
True
>>> print(bool(cr.match("something. Return Code : 114.")))
False
```

And last but not least, don't use catch-alls and try to anchor the regex (at least from one side, e.g. from the beginning).
How do I implement it in failregex? I have provided a working regex for all numbers in my previous comment; I want to implement one which ignores 114 in the failregex itself. Thanks for your time and help :)

Sorry, no time ATM to make your regex fully correct. And I do not make fast and dirty solutions on principle.
Here you are:

```
^\s*\[\S+\]\s+\[[^\]]+\]\s+-\s+<Authentication for user : \S+[^:]* for service : \S+ from ip : <HOST> finished with status : Failure\.\s+(?:[^.]+\.)* Return Code : (?!114)\d+\.
```

But a more precise filter could look like this:

```ini
[Definition]
# services (smtp,imap,etc,...):
_services = (?:\S+)
# all errors (not-precise):
#_errors = (?:[^.]+\.)*
# only expected errors (more precise), example:
#_errors = (?:unknown status|authenication error|something else)\.
_errors = (?:unknown status)\.
# return-codes (any excepting 114):
_ret_codes = (?!114)\d+
failregex = ^\s*\[\S+\]\s+\[[^\]]+\]\s+-\s+<Authentication for user : \S+[^:]* for service : %(_services)s from ip : <HOST> finished with status : Failure\.\s+%(_errors)s Return Code : %(_ret_codes)s\.

[Init]
datepattern = ^\[%%d-%%b-%%Y_%%H:%%M:%%S,%%f\]
```

You have 3 additional interpolation variables (starting with underscore) to control what exactly should be banned.
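The following added Python example (not fail2ban's own code) exercises the filter from the comment above together with the negative-lookahead idea from the earlier `(?!114)` comment. It embeds the `[Definition]` section as constructed text, lets `configparser` resolve the `%(_services)s`, `%(_errors)s` and `%(_ret_codes)s` references, strips the timestamp with a hand-written regex equivalent of the datepattern, and runs the result over constructed log lines (the real catalina.out lines are not in the thread). The `<HOST>` expansion is again a simplification. One caveat it also demonstrates: `(?!114)\d+` rejects any code that merely starts with 114, so a four-digit code such as 1140 is ignored too; anchoring the lookahead on the trailing dot, `(?!114\.)\d+`, excludes exactly 114.

```python
import configparser
import re

# The [Definition] and [Init] from the comment above, embedded as constructed
# filter text so the example runs without a fail2ban installation.
FILTER_INI = r"""
[Definition]
_services = (?:\S+)
_errors = (?:unknown status)\.
_ret_codes = (?!114)\d+
failregex = ^\s*\[\S+\]\s+\[[^\]]+\]\s+-\s+<Authentication for user : \S+[^:]* for service : %(_services)s from ip : <HOST> finished with status : Failure\.\s+%(_errors)s Return Code : %(_ret_codes)s\.

[Init]
datepattern = ^\[%%d-%%b-%%Y_%%H:%%M:%%S,%%f\]
"""

# Hand-written regex equivalent of that datepattern (assumption), used to cut the
# timestamp off each line before failregex is applied, as fail2ban does.
DATE_RE = re.compile(r"^\[\d{2}-[A-Za-z]{3}-\d{4}_\d{2}:\d{2}:\d{2},\d{1,6}\]\s*")

# Simplified <HOST> expansion (assumption; fail2ban's own is far stricter).
HOST_RE = r"(?P<host>\S+)"


def make_line(user, service, ip, error, code):
    """Build a constructed log line in the shape the failregex expects."""
    return ("[06-Jun-2018_17:07:42,500] [INFO] [mithi.mcs.auth.Auth] - "
            f"<Authentication for user : {user} for service : {service} from ip : {ip} "
            f"finished with status : Failure. {error}. Return Code : {code}.")


# Constructed sample lines: one to ban, one with code 114, one with code 1140,
# and one whose error text is not in _errors.
SAMPLE_LINES = [
    make_line("alice@example.com", "smtp", "192.168.0.124", "unknown status", 108),
    make_line("bob@example.com", "imap", "192.168.0.125", "unknown status", 114),
    make_line("carol@example.com", "pop3", "192.168.0.126", "unknown status", 1140),
    make_line("dave@example.com", "smtp", "192.168.0.127", "authentication error", 108),
]


def compile_failregex(ini_text: str, ret_codes: "str | None" = None) -> "re.Pattern[str]":
    """Expand the %(...)s variables and the <HOST> tag; ret_codes optionally
    overrides _ret_codes so alternative lookaheads can be compared."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if ret_codes is not None:
        cp.set("Definition", "_ret_codes", ret_codes)
    expanded = cp.get("Definition", "failregex")
    return re.compile(expanded.replace("<HOST>", HOST_RE))


def matched_host(line: str, failregex: "re.Pattern[str]") -> "str | None":
    """Strip the timestamp first, then search, mirroring fail2ban's order."""
    rest = DATE_RE.sub("", line, count=1)
    m = failregex.search(rest)
    return m.group("host") if m else None


def hosts_to_ban(lines, ini_text: str = FILTER_INI, ret_codes: "str | None" = None):
    failregex = compile_failregex(ini_text, ret_codes)
    return [h for h in (matched_host(line, failregex) for line in lines) if h]


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LINES))                            # only the 108 line
    print(hosts_to_ban(SAMPLE_LINES, ret_codes=r"(?!114\.)\d+"))  # 1140 now banned as well
```

With the filter as written only 192.168.0.124 is returned: 114 is rejected by the lookahead, 1140 is rejected by the same lookahead as a side effect, and the "authentication error" line fails on `_errors`. Passing `(?!114\.)\d+` for `_ret_codes` keeps the 114 exclusion while letting the 1140 line through.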
The failregex is now able to do the work of ignoreregex within itself !!
The issue:

The datepattern for a tomcat log is not according to the standard of any dates. Hence, the filter catches the required string from the log but is unable to look for the date time.

The date pattern mentioned in the tomcat logs is: (/var/log/tomcat2/catalina.out)

Steps to reproduce

Filter created to capture the above log:
Configuration, dump and other helpful excerpts

Any customizations done to /etc/fail2ban/ configuration: Added jail in jail.local
Relevant lines from monitored log files in question:

The log lines that I am working on are: (lines that need to be captured)

The main focus of this question is how do I parse the date pattern?

Bonus question would be how do I capture all the above logs in one single filter (something that I am currently working on (ports : smtp,pop3,imap)).