I am Struggling with setting-up a ban rule for use with SoftEtherVPN

[Myron-S]

fail2ban 0.11.2

I think an example will help explain what I'm trying, and failing, to do.

2022-01-22 03:33:42.527 On the TCP Listener (Port 443), a Client (IP address 34.223.110.145, Host name "ec2-34-223-110-145.us-west-2.compute.amazonaws.com", Port number 33236) has connected.
2022-01-22 03:33:42.527 For the client (IP address: 34.223.110.145, host name: "ec2-34-223-110-145.us-west-2.compute.amazonaws.com", port number: 33236), connection "CID-24" has been created.
2022-01-22 03:33:43.154 SSL communication for connection "CID-24" has been started. The encryption algorithm name is "TLS_AES_256_GCM_SHA384".
2022-01-22 03:33:53.608 Connection "CID-24" terminated by the cause "A client which is non-SoftEther VPN software has connected to the port." (code 5)
2022-01-22 03:33:53.608 Connection "CID-24" has been terminated.

In the example the SoftEther VPN server assigns CID-24 to the session and the lines may not appear in as shown in the example.

I am absolutely stuck on how to create a filter to do the following . . . .

When the error at 2022-01-22 03:33:53.608 is encountered, I wish to ban IP 34.223.110.145.
Where I'm stuck at is the line with the termination cause does not have the IP address, but has the session ID.

So how can I create a filter what will remember CID-24 has been assigned to a connection initiated by 34.223.110.145 and at 2022-01-22 03:33:53.608 ban 34.223.110.145?

I've been trying to learn how to do this for the best part of two months now and finally have admitted defeat. :-(

Can anyone help me with this?

[sebres]

Hmm... Such a wordy log, but logging of IP by the failure seems to be seemingly too much...

Anyway, this is a filter example that will cache CID-24 as ID for the IP and match terminated by the cause as a failure:

[Definition]

failregex = ^\s*For the client \(IP address: <ADDR>, host name: "[^"]*", port number: \d+\), connection "<F-MLFID>[^"]+</F-MLFID>" has been <F-NOFAIL>create$
            ^\s*Connection "<F-MLFID>[^"]+</F-MLFID>" terminated by the cause
            ^\s*Connection "<F-MLFID>[^"]+</F-MLFID>" has been <F-MLFFORGET><F-NOFAIL>terminated</F-NOFAIL></F-MLFFORGET>

[Myron-S]

Thanks for the information. I am struggling to find the documentation to learn how to do this for myself. Can you signpost me to the documentation? I have no clue how to cache stuff and use it later, or even how this caching works.

[sebres]

Can you signpost me to the documentation?

Man pages?
Although they may be a bit wretched, so examples in other filters may provide a clue.

I have no clue how to cache stuff and use it later, or even how this caching works

The cache of multi-line ID? It was introduced in #1698 and a part of documentation (I still have to sync with man or wiki) provided here - #2519 (comment)

[Myron-S]

Right. I didn't know jail.conf has it's own man page and thank-you for pointing me as well to the bits that has still got to be put into the official man page