Trying to figure out why <HOST> doesn't match any host. #3137
Hello, I am sure this is user incompetence, but while trying to get fail2ban to work with a log file I'm finding that it's failing to match anything at all. This is what I'm finding at the moment, I've cut down the log to just the time and host to remove any complications:
fail2ban-regex works without any problem and picks up the matching lines from the logs but when it's live it fails to make any matches. I'd appreciate being told what I've screwed up here!
You don't... Your log contains a timestamp enclosed in square brackets followed by space and IP address.
But your regex is searching for exact match of IP address only (anchored from both sides due to `^` and `$`).

Fail2ban would cut out the part with datetime that matched the datepattern before it'd apply `failregex`, so it's attempting to match `[] 1.2.3.4` with `^<HOST>$`, which would not find anything.

For this "cutted down" log format the anchored RE would be something like `^\[\]\s+<HOST>$`.

One could use `^(?:\[\])?\s*<HOST>$` to be compatible with journals with different timestamp formats (w…
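
The matching behaviour described in the reply above, as an added example that is not part of the original discussion or of fail2ban's own code: a simplified Python model in which the date match is cut out of the line before the failregex is applied. The IPv4-only `<HOST>` stand-in, the timestamp format and the sample lines are assumptions constructed for illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only, assumption);
# the real expansion also covers IPv6 addresses and hostnames.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Assumed timestamp format for the constructed sample lines below.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def strip_date(line):
    """Cut the first date match out of the line, keeping what surrounds it."""
    m = DATE_RE.search(line)
    return line if m is None else line[:m.start()] + line[m.end():]


def find_host(failregex, line):
    """Return the host matched by failregex after date removal, or None."""
    pattern = failregex.replace("<HOST>", HOST_RE)
    m = re.search(pattern, strip_date(line))
    return m.group("host") if m else None


# Constructed sample lines (documentation address range).
BRACKETED = "[2021-10-20 12:34:56] 192.0.2.10"
BARE = "2021-10-20 12:34:56 192.0.2.10"

CANDIDATES = [
    r"^<HOST>$",               # regex from the question
    r"^\[\]\s+<HOST>$",        # anchored form for the bracketed format
    r"^(?:\[\])?\s*<HOST>$",   # tolerant form, brackets optional
]

if __name__ == "__main__":
    for line in (BRACKETED, BARE):
        print(f"{line!r} -> failregex sees {strip_date(line)!r}")
        for rx in CANDIDATES:
            print(f"  {rx:24} {find_host(rx, line)}")
```

Before deploying a filter, the same check can be made against the real log with `fail2ban-regex`, using the jail's actual datepattern.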