-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fail2ban v0.10.5 does not interact well with rsyslog (centos) #2704
Comments
Hmm... I don't see what exactly can cause this... possibly excepting f3dbc9d, but fail2ban main (server) thread was called Where the process can obtain name I would like to know how fail2ban-server is started (e. g. service, unit- or init-script) and how the start parameters for logging do look. |
service file is vanilla from centos 7 /etc/systemd/system/multi-user.target.wants/fail2ban.service
This is our local fail2ban logging configuration /etc/fail2ban/fail2ban.local
edit : sorry for multiples edits... |
One thing around SYSLOG that was changed is 1bf6636 (see #1980), and I'm not sure it'd really affect that... and this was released already in 0.10.2. I see also ` character at end of Since python 3.3 sysloghandler got an attribute (ident) to specify the program logging identifier (which we current still don't use if I remember correctly). Without this it is normally argv[0], so I'd rather expect |
` character at end of ExecStart is indeed an edit artifact. sorry about that. Previous "working" version of fail2ban was fail2ban-0.9.7-1.el7.noarch Not sure if it helps, but this is the kind of log that we have now : where before, when it was working it was : |
OK. Anyway I cannot reproduce it on my debians. Here are several possibilities you could try:
[Service]
SyslogIdentifier=fail2ban
Could you please check what would happen using this setting: logtarget = SYSLOG[facility=user]
# logtarget = SYSLOG[format="%(name)s[%(process)d]: %(levelname)s %(message)s"]
logtarget = SYSLOG[format="fail2ban %(name)s[%(process)d]: %(levelname)s %(message)s"]
hdlr = logging.handlers.SysLogHandler(
self.__syslogSocket, facility=facility)
+ hdlr.ident = 'fail2ban' I don't think it'd help (related to python source code it would be similar to variant 3), but... |
Before change this is the content from 'journalctl' :
After change this is the content from 'journalctl' :
In both cases, the 2 last lines containing fail2ban.actions will be logged on /var/log/messages with 'f2b/server' tag replaced by 'journal':
These are my conclusions, fell free to correct me if I'm wrong :
My supposition : is this plausible? |
Yes, because fail2ban-client & fail2ban-server are the caller inside systemd unit, so the output of them is logged from systemd in journal with the process name.
It looks like SyslogIdentifier would affect the stdout/stderr only.
I don't know, looks indeed strange (at least I did not find that in journal docu's). Since the fix 3f48907, it is reverted to Also I don't know how your supposition is plausible, because I cannot reproduce it at all (and don't have centos ready to hand to test that there). |
So I assume it is solved (looks anyway as 3rd party issue to me). |
Hello,
centos : 7.7.1908
fail2ban : v0.10.5
rsyslogd : 8.24.0-41.el7_7.2
We use SYSLOG to manage logs (send to distant log server and then write to locally to /var/log/fail2ban.log)
Since updating fail2ban, rsyslog is not able to parse fail2ban logs (this is true with dozens of differents installations)
Upon close investigation, we found that the rsyslog expression
if $programname contains 'fail2ban' then /var/log/fail2ban.log
is not working anymore. Where rsyslog should read 'fail2ban', instead the value in log is 'journal' .
This is weird...
If we use the following rsyslog configuration
if $programname contains 'journal' then /var/log/fail2ban.log
everything works as expected, but I'm guessing that 'journal' is not (and should not be) fail2ban programname.
Is this a bug, or am I missing something?
The text was updated successfully, but these errors were encountered: