[FR]: GitLab, application_json.log, application.log (deprecated) #3566

Open
SDuesterhaupt opened this issue Aug 25, 2023 · 2 comments

@SDuesterhaupt

SDuesterhaupt commented Aug 25, 2023

GitLab marked the application.log as deprecated in GitLab 15.10 and introduced the application_json.log.

Please, I need support to update the filter regular expression. That's definitely my weak side in Linux.

Thank you. I appreciate your work. :)

Environment:

  • Fail2Ban version : 1.0.2-7.el9
  • OS, including release name/version : Rocky Linux 9.2 (Blue Onyx)

Service, project or product which log or journal should be monitored

  • Name of filter or jail in Fail2Ban (if already exists) : gitlab
  • Service, project or product name, including release name/version : gitlab

Log or journal information

  • Log file name(s) : application_json.log

Any additional information

Relevant lines from monitored log files:

failures in sense of fail2ban filter (fail2ban must match):

{"severity":"INFO","time":"2023-08-25T11:25:19.979Z","correlation_id":"01H8P721YTW1YH5Q7YCSJPVJ5T","meta.caller_id":"SessionsController#new","meta.remote_ip":"x.x.x.x","meta.feature_category":"system_access","meta.client_id":"ip/x.x.x.x","message":"Failed Login: username=**** ip=x.x.x.x"}

legitimate messages (fail2ban should not consider as failures):

{"severity":"INFO","time":"2023-08-25T11:55:10.525Z","correlation_id":"01H8P8RPMVW53W0KWEN2H2DNF4","meta.caller_id":"SessionsController#create","meta.remote_ip":"x.x.x.x","meta.feature_category":"system_access","meta.user":"****","meta.user_id":2,"meta.client_id":"user/2","message":"Successful Login: username=**** ip=x.x.x.x method=standard admin=true"}

@sebres
Contributor

sebres commented Aug 25, 2023

At the moment we don't have real JSON parsing in fail2ban (see #3526)...
However, writing a more or less good filter is possible; it just implies some restrictions (few tags before time that are not remote_ip or message, the order of tags is important, etc.):

[Definition]

# one "key":value pair (followed by , or }) whose key is none of time, meta.remote_ip, message
_groupre = (?:"(?!(?:time|meta\.remote_ip|message)\b)\w[^"]+":(?:"[^"]+"|\w+)\s*[,\}]\s*)
# the date is the "time" value; anything before it must be matched by _groupre
datepattern = ^\{%(_groupre)s*"time":"%%Y-%%m-%%dT%%H:%%M:%%S\.%%f%%z"\s*,\s*
# after the date is cut out: skip tags up to meta.remote_ip, then up to message
failregex = ^%(_groupre)s*"meta\.remote_ip":"<ADDR>"\s*,\s*%(_groupre)s*"message":"Failed Login: username=<F-USER>(?:\S*|[^"]*?)(?= ip=)</F-USER>
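
The following is an added example, not part of the issue thread or of fail2ban itself: it emulates the two-stage matching fail2ban applies with the filter above (datepattern first, then failregex on the remainder of the line) in plain Python, with `%(_groupre)s`, `<ADDR>` and `<F-USER>` expanded by hand. The sample lines are constructed from the issue's examples with `x.x.x.x` replaced by 192.0.2.10 and the masked user replaced by `alice`; `<ADDR>` is narrowed to an IP literal (an assumption; fail2ban's own `<ADDR>` also accepts host names). The third sample shows the ordering restriction sebres mentions: a line with `message` before `meta.remote_ip` is not matched.

```python
import re
from datetime import datetime

# _groupre: one "key":value pair (ending in , or }) whose key is none of
# time / meta.remote_ip / message
GROUP_RE = r'(?:"(?!(?:time|meta\.remote_ip|message)\b)\w[^"]+":(?:"[^"]+"|\w+)\s*[,\}]\s*)'

# datepattern: the strptime directives replaced by a named capture, parsed separately
DATE_RE = re.compile(r'^\{' + GROUP_RE + r'*"time":"(?P<time>[^"]+)"\s*,\s*')
DATE_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"

# failregex: <ADDR> narrowed to an IPv4/IPv6 literal (assumption), <F-USER> as group "user"
FAIL_RE = re.compile(
    r'^' + GROUP_RE + r'*"meta\.remote_ip":"(?P<addr>[0-9A-Fa-f.:]+)"\s*,\s*'
    + GROUP_RE + r'*"message":"Failed Login: username=(?P<user>(?:\S*|[^"]*?))(?= ip=)'
)

# constructed sample lines (values changed from the issue's masked originals)
FAILED = ('{"severity":"INFO","time":"2023-08-25T11:25:19.979Z",'
          '"correlation_id":"01H8P721YTW1YH5Q7YCSJPVJ5T",'
          '"meta.caller_id":"SessionsController#new","meta.remote_ip":"192.0.2.10",'
          '"meta.feature_category":"system_access","meta.client_id":"ip/192.0.2.10",'
          '"message":"Failed Login: username=alice ip=192.0.2.10"}')
SUCCESS = ('{"severity":"INFO","time":"2023-08-25T11:55:10.525Z",'
           '"correlation_id":"01H8P8RPMVW53W0KWEN2H2DNF4",'
           '"meta.caller_id":"SessionsController#create","meta.remote_ip":"192.0.2.10",'
           '"meta.feature_category":"system_access","meta.user":"alice","meta.user_id":2,'
           '"meta.client_id":"user/2",'
           '"message":"Successful Login: username=alice ip=192.0.2.10 method=standard admin=true"}')
# constructed: same failure, but "message" comes before "meta.remote_ip"
REORDERED = ('{"severity":"INFO","time":"2023-08-25T11:25:19.979Z",'
             '"message":"Failed Login: username=alice ip=192.0.2.10",'
             '"meta.remote_ip":"192.0.2.10"}')


def parse_time(line):
    """Stage 1: return (timestamp, remainder) if the datepattern matches, else None.
    Like fail2ban, the matched date text is cut out before failregex is tried."""
    m = DATE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("time"), DATE_FMT), line[m.end():]


def match_failed_login(line):
    """Stage 2: return (timestamp, addr, user) for a failed login, None otherwise."""
    parsed = parse_time(line)
    if parsed is None:
        return None
    ts, rest = parsed
    f = FAIL_RE.match(rest)
    if not f:
        return None
    return ts, f.group("addr"), f.group("user")


def scan(lines):
    """Run the filter over a sequence of log lines; keep only the failures."""
    return [r for r in map(match_failed_login, lines) if r is not None]


if __name__ == "__main__":
    for hit in scan([FAILED, SUCCESS, REORDERED]):
        print("failed login at %s from %s (user %s)" % hit)
```

The date still parses on the legitimate line (only the failregex stage rejects it), which mirrors how fail2ban would count the line as seen but not as a failure; the reordered line is the case the filter cannot handle without real JSON parsing.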

@SDuesterhaupt
Author

SDuesterhaupt commented Aug 26, 2023

Excellent. The filter works as expected.

Thank you very much. From my point of view, this issue can be closed.
