Failregex Syntax Question: Timestamp after IP address in Log #3036
Replies: 1 comment
Structured (JSON?) log-format is not yet supported natively by fail2ban (work in progress), however it is possible to write a filter for such simple structure, see #2932 (comment) for example.

```diff
- {"name":"SERVICE", "hostname":"COMPUTER","pid":2232,"nodeId":1,"sessionId":9UoY61oMQo9",
+ {"name":"SERVICE", "hostname":"COMPUTER","pid":2232,"nodeId":1,"sessionId":"9UoY61oMQo9",
```

If so (for the corrected message) your filter may look like this:

```ini
[Definition]
datepattern = "time":"%%Y-%%m-%%dT%%H:%%M:%%S\.%%f%%z"(?:\s*[,}]\s*)?
_groupre = (?:"(?!(?:ip|reason|username)\b)\w+":(?:"[^"]+"|\w+)\s*[,\}]\s*)
failregex = ^\{\s*(?:%(_groupre)s*(?:"ip":"<ADDR>"|"reason":"Bad login attempt\b[^"]*"|"username":"<F-USER>[^"]*</F-USER>")\s*,\s*){3}
```

If this (misleading) sessionId is not an error, you have to correct the group-matching regex (to match/bypass such "incorrect" unpaired quote):

```diff
- _groupre = (?:"(?!(?:ip|reason|username)\b)\w+":(?:"[^"]+"|\w+)\s*[,\}]\s*)
+ _groupre = (?:"(?!(?:ip|reason|username)\b)\w+":(?:"[^"]+"|[^,}]+)\s*[,\}]\s*)
```

but it would be a bit "vulnerable" regex, let alone the RE-matching is not really suitable for structured log-format (like JSON).

That all is valid for fail2ban >= 0.10 and may deviate for older versions.
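Review bot: the `-` line of the first diff is not valid JSON (the `sessionId` value has only a closing quote), so before building the filter on the `+` form it is worth confirming what the service really writes; a filter tuned to the corrected form matches nothing if production lines keep the bare form, and that failure is silent (no ban, no error), so check it with `fail2ban-regex` against a real log sample.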
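Review bot: `[^,}]+` in the `+` line of the second diff accepts spaces, colons and quotes, so any non-key value that happens to contain `":"` can be swallowed as part of the previous pair and shift which `ip`/`username` the filter reports; limiting the relaxation to the one key known to be malformed (for example a separate alternative for `"sessionId":[^,}]+`) keeps every other value under the strict `"[^"]+"|\w+` rule and narrows the exposure the comment already flags as "vulnerable".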
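To see how the filter above behaves on a line where the timestamp follows the IP, here is an added Python check (my own code, not fail2ban's and not from the answer): it expands the three filter lines roughly the way fail2ban does (ConfigParser `%%` and `%(_groupre)s`, the `<ADDR>` and `<F-USER>` tags, strptime tokens in `datepattern`), cuts the matched timestamp out of the line before applying `failregex`, and runs both the original and the relaxed `_groupre` against constructed sample lines. The date-token table, the `<ADDR>` character class and the sample lines are simplifying assumptions, not fail2ban's real expansions.

```python
import re

# Filter lines exactly as given in the answer above (raw strings keep the backslashes)
FILTER = {
    "datepattern": r'"time":"%%Y-%%m-%%dT%%H:%%M:%%S\.%%f%%z"(?:\s*[,}]\s*)?',
    "_groupre": r'(?:"(?!(?:ip|reason|username)\b)\w+":(?:"[^"]+"|\w+)\s*[,\}]\s*)',
    "failregex": r'^\{\s*(?:%(_groupre)s*(?:"ip":"<ADDR>"|"reason":"Bad login attempt\b[^"]*"'
                 r'|"username":"<F-USER>[^"]*</F-USER>")\s*,\s*){3}',
}
# The relaxed _groupre from the answer's second diff (tolerates the unpaired quote)
GROUPRE_FIXED = r'(?:"(?!(?:ip|reason|username)\b)\w+":(?:"[^"]+"|[^,}]+)\s*[,\}]\s*)'

# Assumption: simplified stand-ins for fail2ban's strptime tokens (fail2ban's own %z also
# accepts "Z" and "+hh:mm", and its real <ADDR> is far more elaborate than the class below)
STRF = {"Y": r"\d{4}", "m": r"\d{2}", "d": r"\d{2}", "H": r"\d{2}",
        "M": r"\d{2}", "S": r"\d{2}", "f": r"\d{1,6}", "z": r"[+-]\d{4}"}

def compile_filter(groupre):
    # "%%" is ConfigParser's escaped percent, "%(_groupre)s" is ConfigParser interpolation
    date_re = re.sub(r"%([YmdHMSfz])", lambda m: STRF[m.group(1)],
                     FILTER["datepattern"].replace("%%", "%"))
    fail = FILTER["failregex"] % {"_groupre": groupre}
    fail = fail.replace("<ADDR>", r"(?P<ip>[0-9a-fA-F.:]+)")        # fail2ban tag -> 'ip' group
    fail = re.sub(r"<F-USER>(.*?)</F-USER>", r"(?P<user>\1)", fail)  # F-USER tag -> 'user' group
    return re.compile(date_re), re.compile(fail)

def match_line(line, groupre=FILTER["_groupre"]):
    """Like fail2ban: find the timestamp, cut it out of the line, then run failregex."""
    date_re, fail_re = compile_filter(groupre)
    d = date_re.search(line)
    if not d:
        return None
    rest = line[:d.start()] + line[d.end():]   # the trailing [,}] in datepattern goes too
    m = fail_re.search(rest)
    return m.groupdict() if m else None

# Constructed sample lines modelled on the fragment quoted in the answer
GOOD = ('{"name":"SERVICE", "hostname":"COMPUTER","pid":2232,"nodeId":1,'
        '"sessionId":"9UoY61oMQo9","ip":"192.0.2.10",'
        '"time":"2021-05-31T12:34:56.789+0000",'          # timestamp after the IP
        '"reason":"Bad login attempt","username":"alice","level":30}')
BROKEN = GOOD.replace('"sessionId":"9UoY61oMQo9"', '"sessionId":9UoY61oMQo9"')  # unpaired quote
OK_LOGIN = GOOD.replace("Bad login attempt", "Login succeeded")

if __name__ == "__main__":
    print(match_line(GOOD))                   # {'ip': '192.0.2.10', 'user': 'alice'}
    print(match_line(BROKEN))                 # None: original _groupre stops at the stray quote
    print(match_line(BROKEN, GROUPRE_FIXED))  # {'ip': '192.0.2.10', 'user': 'alice'}
    print(match_line(OK_LOGIN))               # None: not a failed login
```

For the real filter, run `fail2ban-regex` with the log file and the filter file; this script only approximates fail2ban's tag and date expansion.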
Hello! I am a first-time fail2ban user and cannot find a failregex example online that matches the log entry I am keying in on in my filter. Any help writing the failregex line is appreciated. Below is the log entry I need to scan, as well as my unsuccessful attempt at a filter.
LOG:
FILTER ATTEMPT: