Getting a regex pattern to work with fail2ban

[ruirigel]

Having trouble getting a regex pattern to work with fail2ban. I'm trying to ban ip address from failed authentications on realvncserver and I'm not getting it to work. Some help would be welcome. Thank you.

the current filter:

[Definition]
failregex = AuthFailure
ignoreregex =

Log
2021-05-31T17:34:27.479Z servery vncserver-x11[340]: Connections: disconnected: 93.121.117.121::49826 (TCP) ([AuthFailure] The username was not recognized, or the password is incorrect)

[sebres]

You don't need filter for such simple stuff (can write failregex directly in jail):

[vncserver]
failregex = ^\s*\S+\s+\S+\[\d+\]: Connections: disconnected: <ADDR>::\d+ \(\S+\) \(\[AuthFailure\]
enabled = true

(this will work for fail2ban versions >= 0.10, for versions smaller than 0.10, replace <ADDR> with <HOST> and set usedns = no in jail, but I have no idea whether default datepattern of v.0.9 would find timestamp 2021-05-31T17:34:27.479Z, if not - specify custom datepattern in init section of filter).