backend systemd sets logtype to journal automatically;

sshd-journal: new test covering sshd journal logging format (matches short prefix-line simulating output of formatJournalEntry); samplestestcase-factory extended with new option `fileOptions` to set common filter/test options for whole test-file
fail2ban · Mar 29, 2019 · ec681a3 · ec681a3
1 parent e268bf9
commit ec681a3
Show file tree

Hide file tree

Showing 5 changed files with 381 additions and 13 deletions.
diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf
@@ -36,7 +36,7 @@ __daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_r
 
 # Some messages have a kernel prefix with a timestamp
 # EXAMPLES: kernel: [769570.846956]
-__kernel_prefix = kernel: \[ *\d+\.\d+\]
+__kernel_prefix = kernel:\s?\[ *\d+\.\d+\]:?
 
 __hostname = \S+
 
@@ -63,7 +63,8 @@ __prefix_line = <__prefix_line_<logtype>>
 __prefix_line_file = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)?
 
 # Common (short) line prefix for logtype "journal" (corresponds output of formatJournalEntry):
-__prefix_line_journal = \s*(?:%(__hostname)s\s+)?(?:%(_daemon)s%(__pid_re)s?:?\s+)?(?:%(__kernel_prefix)s\s+)?
+__prefix_line_short = \s*(?:%(__hostname)s\s+)?(?:%(_daemon)s%(__pid_re)s?:?\s+)?(?:%(__kernel_prefix)s\s+)?
+__prefix_line_journal = %(__prefix_line_short)s
 
 # PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss,
 # pam_ldap

diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py
@@ -88,6 +88,7 @@ def _glob(path):
 
 	def getOptions(self):
 		opts1st = [["bool", "enabled", False],
+				["string", "backend", "auto"],
 				["string", "filter", ""]]
 		opts = [["bool", "enabled", False],
 				["string", "backend", "auto"],
@@ -128,6 +129,9 @@ def getOptions(self):
 				filterName, filterOpt = extractOptions(flt)
 				if not filterName:
 					raise JailDefError("Invalid filter definition %r" % flt)
+				if not filterOpt.get('logtype'):
+					filterOpt['logtype'] = ['file','journal'][
+						int(self.__opts.get('backend', '').startswith("systemd"))]
 				self.__filter = FilterReader(
 					filterName, self.__name, filterOpt, 
 					share_config=self.share_config, basedir=self.getBaseDir())
@@ -223,7 +227,7 @@ def convert(self, allow_no_files=False):
 			stream.extend(self.__filter.convert())
 		for opt, value in self.__opts.iteritems():
 			if opt == "logpath":
-				if self.__opts.get('backend', None).startswith("systemd"): continue
+				if self.__opts.get('backend', '').startswith("systemd"): continue
 				found_files = 0
 				for path in value.split("\n"):
 					path = path.rsplit(" ", 1)

diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
@@ -344,3 +344,5 @@ Nov 26 13:03:39 srv sshd[14738]: fatal: Unable to negotiate with 192.0.2.5 port
 
 # failJSON: { "time": "2004-11-26T16:47:51", "match": true , "host": "192.0.2.6", "desc": "Disconnected during preauth phase (in extra/aggressive mode)" }
 Nov 26 16:47:51 srv sshd[19320]: Disconnected from authenticating user root 192.0.2.6 port 33553 [preauth]
+
+# addFILE: "sshd-journal"