Can I parse the date not in the very beginning but in the middle of syslog? #2201
We will be very grateful, if your problem was described as completely as possible,
Fill out and check (
The application outputs the log to /var/log/syslog, so the log would have %(__prefix_path), followed by the application log with another time stamp. Is there a way I can use the application time stamp rather than the syslog timestamp? Or just skip the __prefix_path (Aug 14 20:23:28 hostname application: )?
Steps to reproduce
Any additional information
Configuration, dump and another helpful excerpts
Any customizations done to /etc/fail2ban/ configuration
Relevant parts of /var/log/fail2ban.log file:
preferably obtained while running fail2ban with
Relevant lines from monitored log files in question:
Yes you can...
Still don't know why you want to do that (both dates look equal).
syslog doesn't contain year
I see, so that is how fail2ban works.
so for this case, I would use
You are welcome.
The current year is used in this case if the date is past; otherwise (date in the future, so impossible) the last year is used (fail2ban assumes the date is past).
this does not make sense -
-failregex = ^.+%(__prefix_line)sERROR\s+can not parse header when handling connection from <HOST>:\d+$ +failregex = ^\w+\s+\d+ \d+:\d+:\d+\s+%(__prefix_line)sERROR\s+can not parse header when handling connection from <HOST>:\d+$ datepattern = %%Y-%%m-%%d %%H:%%M:%%S
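Review bot: the added `datepattern = %%Y-%%m-%%d %%H:%%M:%%S` has no comment saying that it selects the second (application) timestamp, while the new failregex prefix `^\w+\s+\d+ \d+:\d+:\d+\s+` is there only to step over the syslog one. A one-line comment above each would keep a later edit from dropping one half of the pair. The prefix could also be tightened to `^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\s+` so that it accepts only a syslog-shaped stamp.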
Or back to default pattern (so ignores second date via optional match of
-failregex = ^.+%(__prefix_line)sERROR\s+can not parse header when handling connection from <HOST>:\d+$ +failregex = ^\s*%(__prefix_line)s(?:\s*\d+-\d+-\d+ \d+:\d+:\d+\s+)?ERROR\s+can not parse header when handling connection from <HOST>:\d+$
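Review bot: in the new failregex the optional group `(?:\s*\d+-\d+-\d+ \d+:\d+:\d+\s+)?` uses open-ended `\d+` runs, so it accepts any digit sequences in that position rather than a timestamp; `\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}` would state the intent. This variant has no datepattern line, so the skipped application date is never parsed, which deserves a comment beside the regex.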
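The year rule stated in the thread (current year if the resulting date is past, otherwise the last year), applied to a constructed line of the shape the issue describes and compared with the application timestamp that carries its own year. This is an added example, not fail2ban's code; the sample line, `syslog_time` and `app_time` are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample line: syslog prefix, then the application's own timestamp.
LINE = ("Aug 14 20:23:28 hostname application: 2018-08-14 20:23:28 ERROR "
        "can not parse header when handling connection from 192.0.2.10:51234")

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
SYSLOG_TS = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2})\b")
APP_TS = re.compile(r"\b(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\b")


def syslog_time(line, now):
    """Resolve the year-less syslog stamp: current year if that lies in the
    past relative to `now`, otherwise the previous year."""
    m = SYSLOG_TS.match(line)
    if not m or m.group(1) not in MONTHS:
        return None
    mon, day, hh, mm, ss = m.groups()
    for year in (now.year, now.year - 1):
        try:
            ts = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
        except ValueError:  # e.g. Feb 29 in a non-leap year
            continue
        if ts <= now:
            return ts
    return None


def app_time(line):
    """Parse the application timestamp, which carries its own year."""
    m = APP_TS.search(line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None


if __name__ == "__main__":
    # Live processing, processing after New Year, and a replay a year later.
    for now in (datetime(2018, 8, 14, 20, 24), datetime(2019, 1, 5, 9, 0),
                datetime(2019, 9, 1, 9, 0)):
        print(now, "syslog:", syslog_time(LINE, now), "app:", app_time(LINE))
```

The two stamps agree while the log is processed within a year of being written; on the replay dated September 2019 the syslog stamp resolves to 2019 while the application stamp stays in 2018.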