Trying to figure out why <HOST> doesn't match any host.

[chrisinametalcan]

Hello, I am sure this is user incompetence, but while trying to get fail2ban to work with a log file I'm finding that it's failing to match anything at all. This is what I'm finding at the moment, I've cut down the log to just the time and host to remove any complications:

failregex = ^<HOST>$

2021-10-25 20:10:57,201 fail2ban.filter [19479]: TRACE Working on line '[25/Oct/2021:20:10:57 +0800] 1.2.3.4\n'
2021-10-25 20:10:57,201 fail2ban.datedetector [19479]: HEAVY try to match time for line: [25/Oct/2021:20:10:57 +0800] 1.2.3.4
2021-10-25 20:10:57,201 fail2ban.datedetector [19479]: HEAVY try to match last anchored template #00 ...
2021-10-25 20:10:57,201 fail2ban.datedetector [19479]: #06-Lev. matched last time template #00
2021-10-25 20:10:57,202 fail2ban.datedetector [19479]: #06-Lev. got time 1635163857.000000 for '25/Oct/2021:20:10:57 +0800' using template {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2021-10-25 20:10:57,202 fail2ban.filter [19479]: HEAVY Looking for match of [('[', '25/Oct/2021:20:10:57 +0800', '] 1.2.3.4')]
2021-10-25 20:10:57,202 fail2ban.filter [19479]: HEAVY Looking for failregex 0 - '^(?:\\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\\]?|(?P<dns>[\\w\\-.^_]*\\w))$'

fail2ban-regex works without any problem and picks up the matching lines from the logs but when it's live it fails to make any matches.

I'd appreciate being told what I've screwed up here!

[sebres]

I've cut down the log to just the time and host to remove any complications
[25/Oct/2021:20:10:57 +0800] 1.2.3.4

You don't... Your log contains a timestamp enclosed in square brackets followed by space and IP address.
But your regex is searching for exact match of IP address only (anchored from both sides due to ^ and $).
Fail2ban would cut out the part with datetime matched the datepattern before it'd apply failregex, so it's attempting to match [] 1.2.3.4 with ^<HOST>$ what would not find anything.
For this "cutted down" log format the anchored RE would be something like ^\[\]\s+<HOST>$.
One could use ^(?:\[\])?\s*<HOST>$ to be compatible to jornals with different timestamp formats (without brackets) or even without timestamp at all.

[chrisinametalcan]

Thank you, I knew this was down to my understanding somehow! I was assuming that the timestamp prefilter was removing the brackets around the timestamp and the trailing space too.