Option not exposed for systemd namespaces #2910
Comments
incorrect (missed the point), saved for the record...
Well, this is not a parameter of systemd backend (see #1523 for possible options), but rather of its filter. To add it in filter you have to do it like described in #2793 (comment) or even try this (without overwriting it completely, but rather to extend current parameter):

    [sshd]
    filter = sshd[journalmatch="<known/journalmatch> + _NAMESPACE=auth"]

or you could rewrite/extend it in

    [Definition]
    journalmatch = <known/journalmatch> + _NAMESPACE=auth

so you don't really need your
I know it's not a parameter to the backend, my point is rather that it needs to be. The underlying The obvious (and extremely simple) way to get this done is to add a couple of lines to the
Sorry, misunderstood you.
Sure, and since the implementation will be backwards compatible, it is simple enough...
Should be fixed in 164105f now for 0.10 branch.
That was super-fast. Thanks! (Will let you know if there are issues, but it's such a simple fix I can't imagine how.)
@sebres, actually just thought of things you might want to add (but I leave it totally up to you):
In any case, could you correct the label on this issue? It might make it easier to locate. (I know I would personally be more likely to skip over any issues tagged Thanks again!
Well, I would be careful with flags like that, especially by default (too often seen issues like "too many open files" errors, so for instance #2444 did it even more strict (I'm still not in mode to loosen that). As for the docu, it must be extended yet, sure...
Environment:
HEAD and confirmed issue not resolved.
python3-systemd package and the HEAD from its git repo.

The issue:
This is an extension of #2793, but I am unable to use systemd namespaces as suggested in that issue. Namely, adding _NAMESPACE=whatever to the filter does not work.

Steps to reproduce
Best I can tell, this is an issue with systemd-python. In narrowing down the issue after appending to journalmatch didn't work, I ran the following:
It produced no output, whereas I definitely have hundreds of messages.
Apparently, this feature has only been available for a few months in a recent change to the systemd-python package.
Installing that latest code and then running:
I can see it works perfectly.
Looking into this further, it seems the solution should be as simple as to add backend = systemd[namespace="auth"] to the config.
The only thing preventing that, however, seems to be that the current FilterSystemd._getJournalArgs method does not recognize/extract this argument. If it did so, in theory, everything would work.

Expected behavior
fail2ban would construct journal.Reader here with the namespace parameter passed on in the jrnlargs dict.

Observed behavior
namespace parameter was not extracted by FilterSystemd._getJournalArgs and thus not passed to the constructor for journal.Reader. Instead it was passed onto the superclass' (JournalFilter) constructor, generating the error:

Configuration, dump and another helpful excerpts
Any customizations done to /etc/fail2ban/ configuration
In filters.d/sshd-custom.conf:
In jails.d/ssh.conf:
Relevant parts of /var/log/fail2ban.log file:
See above
Relevant lines from monitored log files in question:
N/A
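
The expected and observed behaviour described in this issue, modelled as an added Python example that is not fail2ban's or systemd-python's own code: a reader-only option such as namespace has to be pulled out of the backend arguments before the rest reach the filter superclass, and only when the installed reader accepts it. OldReader, NewReader, JournalFilterBase, READER_OPTIONS, split_backend_args and open_filter are hypothetical names; the two reader classes are constructed stand-ins so the block runs without systemd-python.

```python
import inspect

# Constructed stand-ins for journal.Reader: one predating the namespace
# option, one that accepts it (assumption: keyword is named "namespace").
class OldReader:
    def __init__(self, flags=None, path=None, files=None):
        self.opened = {"flags": flags, "path": path, "files": files}

class NewReader:
    def __init__(self, flags=None, path=None, files=None, namespace=None):
        self.opened = {"flags": flags, "path": path, "files": files,
                       "namespace": namespace}

class JournalFilterBase:
    """Hypothetical superclass that knows nothing about reader options."""
    def __init__(self, jail, usedns="warn"):
        self.jail, self.usedns = jail, usedns

# Hypothetical mapping: backend option name -> reader keyword.
READER_OPTIONS = {"namespace": "namespace"}

def split_backend_args(kwargs, reader_cls):
    """Return (reader_args, rest) without mutating the caller's dict."""
    accepted = inspect.signature(reader_cls.__init__).parameters
    reader_args, rest = {}, dict(kwargs)
    for option, keyword in READER_OPTIONS.items():
        if option not in rest:
            continue
        if keyword not in accepted:
            # Fail loudly: silently dropping the option would leave the
            # jail reading the wrong journal and matching nothing.
            raise ValueError(
                "backend option %r needs a journal reader that accepts %r"
                % (option, keyword))
        reader_args[keyword] = rest.pop(option)
    return reader_args, rest

def open_filter(jail, reader_cls, **kwargs):
    """Build the reader and the filter from one set of backend options."""
    reader_args, rest = split_backend_args(kwargs, reader_cls)
    return reader_cls(**reader_args), JournalFilterBase(jail, **rest)

if __name__ == "__main__":
    reader, flt = open_filter("sshd", NewReader, namespace="auth")
    print(reader.opened, flt.usedns)
```
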