Help needed with fail2ban-regex guacamole docker logs #2879

Closed
1 of 3 tasks
4Syno opened this issue Nov 24, 2020 · 6 comments
4Syno commented Nov 24, 2020

General Information:
Distribution: Ubuntu 18.04
Fail2Ban v0.10.2

Environment:

Fill out and check ([x]) the boxes which apply. If your Fail2Ban version is outdated,
and you can't verify that the issue persists in the recent release, better seek support
from the distribution you obtained Fail2Ban from

  • Fail2Ban version (including any possible distribution suffixes):
  • OS, including release name/version:
  • Fail2Ban installed via OS/distribution mechanisms
  • You have not applied any additional foreign patches to the codebase
  • Some customizations were done to the configuration (provide details below if so)

my problem:

Dear sebres,
I learned a lot in the last 3 days about shell scripting :)
But regex syntax is really strange stuff; I don't understand how it works.

There are a few limitations now with this WAF product and I need to activate my good old guacamole containers.
This is what the log looks like:

{"log":"12:59:14.168 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user \"admin\" failed.\n","stream":"stdout","time":"2020-11-22T11:59:14.168982605Z"}
{"log":"12:59:15.477 [http-nio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user \"admin\" failed.\n","stream":"stdout","time":"2020-11-22T11:59:15.477692225Z"}

Step 1: Starting simple. Helpful: #2645 (comment)

Works!

fail2ban-regex -v \
'19:48:16.995 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user "dfg" failed.' \
'\b[Aa]uthentication attempt from \[<HOST>(?:,[^\]]*)?\] (?:for user (?:"[^"]*" )?)?failed\.\s*$' 

Step 2: Add datepattern. Helpful: #2592 (comment)

Failed :(

fail2ban-regex -v \
--datepattern='^\{"log":"%%H:%%M:%%S\.%%f+\s+' \
'"log":"19:48:16.995 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user "dfg" failed."' \
'\b[Aa]uthentication attempt from \[<HOST>(?:,[^\]]*)?\] (?:for user (?:"[^"]*" )?)?failed\.\s*$' 

And using the full log string incl. „n","stream":"stdout","time":"2020-11-22T11:59:15.477692225Z"“, Step 1 also returns NULL matches.
Could you please help me here a second time?

@sebres sebres added the how-to label Nov 24, 2020
@sebres
Copy link
Contributor

sebres commented Nov 24, 2020

You have to escape % as %% in config files only (e.g. in filter or jail); on the command line it must still be a single character, so

-fail2ban-regex -v --datepattern='^\{"log":"%%H:%%M:%%S\.%%f+\s+' ...
+fail2ban-regex -v --datepattern='^\{"log":"%H:%M:%S\.%f+\s+' ...

As for the RE, your (second) variant would not work (even with the correct datepattern), because your message does not end with failed. (due to the end-anchor $ in failed\.\s*$), so the regex can be applied to the content of the value in "log":"value" but not to the whole message, which looks JSON-like and contains more data, enclosed in some structure and escaped differently (e.g. note the backslash in for user \"...).

I would do something like this:

$ msg='{"log":"12:59:14.168 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user \"admin\" failed.\n","stream":"stdout","time":"2020-11-22T11:59:14.168982605Z"}'
$ dp=',"time"\s*:\s*"%Y-%m-%dT%H:%M:%S\.%f\d*%z"\}$'
$ re='^\{"log"\s*:\s*"\S+\s+\[[^\]]+\]\s+WARN\s+\S+\s+-\s+[Aa]uthentication attempt from \[<ADDR>(?:,[^\]]*)?\] (?:for user (?:\\"<F-USER>[^"]*</F-USER>\\" )?)?failed\.'

$ fail2ban-regex -v --datepattern="$dp" "$msg" "$re"
...
Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^\{"log"\s*:\s*"\S+\s+\[[^\]]+\]\s+WARN\s+\S+\s+-\s+[Aa]uthentication attempt from \[<ADDR>(?:,[^\]]*)?\] (?:for user (?:\\"<F-USER>[^"]*</F-USER>\\" )?)?failed\.
|      192.168.8.5  Sun Nov 22 12:59:14 2020
`-
...
Date template hits:
|- [# of hits] date format
|  [1] ,"time"\s*:\s*"Year-Month-DayT24hour:Minute:Second\.Microseconds\d*Zone offset"\}$
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed

# newer version can output found failure data (rows):
$ fail2ban-regex -o row --datepattern="$dp" "$msg" "$re"
['192.168.8.5', 1606046354,   {'ip6': None, 'user': 'admin', 'ip4': '192.168.8.5'}],

This is more distinctive, anchored from the start, and uses the datepattern for a more precise timestamp with date (in UTC, at the end of the log line).
Also note that fail2ban cuts the part of the message matching the datepattern out before the search for the failregex starts.
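An added example, not part of the thread and not fail2ban's own code: a small Python stand-in that mimics the order described above (find the timestamp with the datepattern, cut that span out, then run the failregex on the rest) over the two lines from the issue, and shows why the end-anchored pattern from the question misses them. The plain-regex version of the datepattern and the substitution of the <ADDR>/<HOST> and <F-USER> tags are assumptions of this example, simpler than what fail2ban really does.

```python
import re
from datetime import datetime

# Two Docker json-file lines as quoted in the issue; raw strings keep the literal \" and \n escapes.
SAMPLE_LINES = [
    r'{"log":"12:59:14.168 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user \"admin\" failed.\n","stream":"stdout","time":"2020-11-22T11:59:14.168982605Z"}',
    r'{"log":"12:59:15.477 [http-nio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user \"admin\" failed.\n","stream":"stdout","time":"2020-11-22T11:59:15.477692225Z"}',
]

# Assumed plain-regex stand-in for the datepattern ,"time"\s*:\s*"%Y-%m-%dT%H:%M:%S\.%f\d*%z"\}$
DATE_RE = re.compile(
    r',"time"\s*:\s*"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})'
    r'\.(?P<frac>\d+)(?P<tz>Z|[+-]\d{2}:\d{2})"\}$')

# The failregex from the answer, verbatim, still carrying fail2ban's tags.
FAILREGEX = (r'^\{"log"\s*:\s*"\S+\s+\[[^\]]+\]\s+WARN\s+\S+\s+-\s+'
             r'[Aa]uthentication attempt from \[<ADDR>(?:,[^\]]*)?\] '
             r'(?:for user (?:\\"<F-USER>[^"]*</F-USER>\\" )?)?failed\.')

# The end-anchored pattern from the question (step 1/2), kept for comparison.
ANCHORED_RE = (r'\b[Aa]uthentication attempt from \[<HOST>(?:,[^\]]*)?\] '
               r'(?:for user (?:"[^"]*" )?)?failed\.\s*$')


def to_python_regex(failregex):
    """Assumed, simplified tag substitution: <ADDR>/<HOST> become an IP-looking
    token, <F-USER>...</F-USER> a named group (fail2ban's real one is richer)."""
    addr = r'(?P<addr>[0-9a-fA-F.:]+)'
    return re.compile(failregex.replace('<ADDR>', addr).replace('<HOST>', addr)
                      .replace('<F-USER>', '(?P<user>').replace('</F-USER>', ')'))


def match_line(line, failregex=FAILREGEX):
    """Find the timestamp, cut that span out, run the failregex on the rest.
    Returns (ip, epoch_seconds, user) like `fail2ban-regex -o row`, or None."""
    m = DATE_RE.search(line)
    if not m:
        return None
    tz = '+00:00' if m['tz'] == 'Z' else m['tz']       # %z accepts the Z suffix
    ts = datetime.fromisoformat(f"{m['ts']}.{m['frac'][:6]}{tz}")
    remainder = line[:m.start()] + line[m.end():]      # what the failregex sees
    f = to_python_regex(failregex).search(remainder)
    if not f:
        return None
    return f['addr'], int(ts.timestamp()), f.groupdict().get('user')


def scan(lines, failregex=FAILREGEX):
    """Returns (hits, missed) like the matched/missed summary of fail2ban-regex."""
    hits = [r for r in (match_line(ln, failregex) for ln in lines) if r]
    return hits, len(lines) - len(hits)
```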

@sebres sebres closed this as completed Nov 24, 2020
@sebres
Copy link
Contributor

sebres commented Nov 24, 2020

A slight error had crept in above (I updated the message): to recognize Z (the sign for GMT), one should use the zone offset token (%z) instead of the zone name token (%Z):

-dp=',"time"\s*:\s*"%Y-%m-%dT%H:%M:%S\.%f\d*%Z"\}$'
+dp=',"time"\s*:\s*"%Y-%m-%dT%H:%M:%S\.%f\d*%z"\}$'
...
-|      192.168.8.5  Sun Nov 22 11:59:14 2020
+|      192.168.8.5  Sun Nov 22 12:59:14 2020
...
-|  [1] ,"time"\s*:\s*"Year-Month-DayT24hour:Minute:Second\.Microseconds\d*Zone name"\}$
+|  [1] ,"time"\s*:\s*"Year-Month-DayT24hour:Minute:Second\.Microseconds\d*Zone offset"\}$

@4Syno
Copy link
Author

4Syno commented Nov 24, 2020

Thank you!
Got it up and running with your help, really awesome!

Added your advice:
fail2ban.datedetector [20911]: INFO date pattern ',"time"\\s*:\\s*"%Y-%m-%dT%H:%M:%S\\.%f\\d*%z"\\}$': ,"time"\s*:\s*"Year-Month-DayT24hour:Minute:Second\.Microseconds\d*Zone offset"\}$

One last question: I want to reduce the coming workload for fail2ban.filter :)
I thought it's a good idea to define the logpath as best I can. (Container update (id changes etc.) is not the case here.)

From logpath = /media/data/docker/containers/*/*-json.log to
logpath = /media/data/docker/containers/5e2543bbe77a52ff310073fdfb4183fa3fda6a3dd98294b48a081517baa20eb4/5e2543bbe77a52ff310073fdfb4183fa3fda6a3dd98294b48a081517baa20eb4-json.log \

This runs into an error:
[15943]: ERROR NOK: ("File option must be 'head' or 'tail'",)

Something I can do?

@sebres
Copy link
Contributor

sebres commented Nov 24, 2020

I want to reduce the coming workload for fail2ban.filter
I thought it's a good idea to define the logpath as best I can.

Not really, because currently fail2ban does the glob interpolation and search only once at start-up (there is an issue #1379 and a lot of experimental branches which are not yet merged into core).
So your attempt changes nothing.

Something I can do?

Yes, remove the trailing backslash \ after .log :)
The (optional) second parameter on every logpath can be either head or tail.

@4Syno
Copy link
Author

4Syno commented Nov 24, 2020

Once again: Thank you!
The beer is on me!

@sebres
Copy link
Contributor

sebres commented Nov 24, 2020

Thank you!!! Appreciated!
(If it should be the beer, I'll enjoy it... but I'm afraid, given the situation, it will more likely be some book, or rather two ;)
Thanks again!
