When I try to check my regex with fail2ban-regex
with the command below :
fail2ban-regex login-error.log "ip:<HOST>,.+description:Failed login in Phraseanet.*" --print-all-matched
It works, and my goal is for it to return the following text:
Running tests
=============
Use failregex line : ip:<HOST>,.+description:Failed login in Phraseanet.*
Use log file : /opt/solmani-logs-phraseanet/script/logs/login-error.log
Use encoding : UTF-8
Results
=======
Failregex: 22 total
|- #) [# of hits] regular expression
| 1) [22] ip:<HOST>,.+description:Failed login in Phraseanet.*
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [22] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 22 lines, 0 ignored, 22 matched, 0 missed
[processed in 0.03 sec]
|- Matched line(s):
| ip:47.64.104.56, username:admin@admin.fr, id:1, created:2022-09-01T14:15:46.000Z, description:Failed login in Phraseanet
| ip:47.64.104.56, username:user@domain.ch, id:3, created:2022-09-05T06:32:02.000Z, description:Failed login in Phraseanet
| ip:47.64.104.56, username:user@domain.ch, id:2, created:2022-09-02T09:13:25.000Z, description:Failed login in Phraseanet
| ip:47.64.104.56, username:user, id:4, created:2022-09-06T07:08:43.000Z, description:Failed login in Phraseanet
| ip:47.64.104.56, username:user, id:5, created:2022-09-06T07:09:02.000Z, description:Failed login in Phraseanet
But when I put my regex in my config file and try to check it with this command :
fail2ban-regex login-error.log /etc/fail2ban/filter.d/phraseanet.conf --print-all-matched
It doesn't work even though it is the same regex as in the file. It returns this:
Running tests
=============
Use failregex filter file : phraseanet, basedir: /etc/fail2ban
Use datepattern : {^LN-BEG} : Default Detectors
Use log file : /opt/solmani-logs-phraseanet/script/logs/login-error.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 22 lines, 0 ignored, 0 matched, 22 missed
[processed in 0.02 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 22 lines
This is my jail.local
##################### my config #####################
[phraseanet]
enabled = true
port = http,https
logpath = /opt/solmani-logs-phraseanet/script/logs/login-error.log
banaction = iptables-multiport-forward
filter = phraseanet
my config file phraseanet.conf
[INCLUDES]
before = common.conf
datepattern =
[Definition]
failregex = "ip:<HOST>.*description:Failed login in Phraseanet.*"
ignoreregex =
and some logs login-error.log
ip:47.64.104.56, username:admin@admin.fr, id:1, created:2022-09-01T14:15:46.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user@domain.ch, id:3, created:2022-09-05T06:32:02.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user@domain.ch, id:2, created:2022-09-02T09:13:25.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user, id:4, created:2022-09-06T07:08:43.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user, id:5, created:2022-09-06T07:09:02.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user, id:6, created:2022-09-06T07:10:56.000Z, description:Failed login in Phraseanet
I can’t figure out why it works with my regex but not with my file. I already have a custom config file for another log and it works well, but this one doesn’t.
The quotes are interpreted literally as part of your expression in your current configuration. Your file should look like this:
[Definition]
failregex = ip:<HOST>,.+description:Failed login in Phraseanet.*
ignoreregex =
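An added example, not part of the original post or of fail2ban's code: on the command line the shell strips the double quotes before fail2ban-regex sees the pattern, while an INI parser such as Python's configparser (which fail2ban's config reader builds on) keeps them in the value. The sketch reads both forms of the filter and tries them against one log line from the question; `HOST_GROUP` is a simplified IPv4-only stand-in for `<HOST>`, and fail2ban's date handling is not modelled.

```python
import configparser
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real expansion also covers IPv6 and hostnames).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed filter files: the quoted form from the question and the
# unquoted form from the answer.
QUOTED = ('[Definition]\n'
          'failregex = "ip:<HOST>.*description:Failed login in Phraseanet.*"\n'
          'ignoreregex =\n')
UNQUOTED = ('[Definition]\n'
            'failregex = ip:<HOST>,.+description:Failed login in Phraseanet.*\n'
            'ignoreregex =\n')

# Log line taken from the sample log on this page.
LINE = ("ip:47.64.104.56, username:user, id:4, "
        "created:2022-09-06T07:08:43.000Z, description:Failed login in Phraseanet")


def read_failregex(filter_text):
    """Return the failregex value exactly as the INI parser sees it."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(filter_text)
    return parser.get("Definition", "failregex")


def is_quoted(value):
    """Lint check: the value is wrapped in a matching pair of quotes."""
    return len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"


def matched_host(filter_text, line):
    """Return the captured host if the filter's failregex matches, else None."""
    pattern = read_failregex(filter_text).replace("<HOST>", HOST_GROUP)
    m = re.search(pattern, line)
    return m.group("host") if m else None


if __name__ == "__main__":
    for name, text in (("quoted", QUOTED), ("unquoted", UNQUOTED)):
        value = read_failregex(text)
        print(name, repr(value), "quoted:", is_quoted(value),
              "host:", matched_host(text, LINE))
```

The quoted form can only match a log line that itself contains a `"` before `ip:`, which is why every line is reported as missed.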