regex fail2ban

Fail2ban regex match but not my file config


When I try to check my regex with fail2ban-regex with the command below :

fail2ban-regex login-error.log "ip:<HOST>,.+description:Failed login in Phraseanet.*" --print-all-matched

It works, which is my goal, and it returns the following text:

Running tests
=============

Use   failregex line : ip:<HOST>,.+description:Failed login in Phraseanet.*
Use         log file : /opt/solmani-logs-phraseanet/script/logs/login-error.log
Use         encoding : UTF-8


Results
=======

Failregex: 22 total
|-  #) [# of hits] regular expression
|   1) [22] ip:<HOST>,.+description:Failed login in Phraseanet.*
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [22] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 22 lines, 0 ignored, 22 matched, 0 missed
[processed in 0.03 sec]

|- Matched line(s):
|  ip:47.64.104.56, username:admin@admin.fr, id:1, created:2022-09-01T14:15:46.000Z, description:Failed login in Phraseanet
|  ip:47.64.104.56, username:user@domain.ch, id:3, created:2022-09-05T06:32:02.000Z, description:Failed login in Phraseanet
|  ip:47.64.104.56, username:user@domain.ch, id:2, created:2022-09-02T09:13:25.000Z, description:Failed login in Phraseanet
|  ip:47.64.104.56, username:user, id:4, created:2022-09-06T07:08:43.000Z, description:Failed login in Phraseanet
|  ip:47.64.104.56, username:user, id:5, created:2022-09-06T07:09:02.000Z, description:Failed login in Phraseanet

But when I put my regex in my config file and try to check it with this command :

fail2ban-regex login-error.log /etc/fail2ban/filter.d/phraseanet.conf --print-all-matched

It doesn't work even though it is the same regex as in the file. It returns this:

Running tests
=============

Use   failregex filter file : phraseanet, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG} : Default Detectors
Use         log file : /opt/solmani-logs-phraseanet/script/logs/login-error.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 22 lines, 0 ignored, 0 matched, 22 missed
[processed in 0.02 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 22 lines

This is my jail.local

##################### my config #####################
[phraseanet]
enabled = true
port = http,https
logpath = /opt/solmani-logs-phraseanet/script/logs/login-error.log
banaction = iptables-multiport-forward
filter = phraseanet

my config file phraseanet.conf

[INCLUDES]
before = common.conf
datepattern =

[Definition]
failregex = "ip:<HOST>.*description:Failed login in Phraseanet.*"
ignoreregex =

and some logs login-error.log

ip:47.64.104.56, username:admin@admin.fr, id:1, created:2022-09-01T14:15:46.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user@domain.ch, id:3, created:2022-09-05T06:32:02.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user@domain.ch, id:2, created:2022-09-02T09:13:25.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user, id:4, created:2022-09-06T07:08:43.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user, id:5, created:2022-09-06T07:09:02.000Z, description:Failed login in Phraseanet
ip:47.64.104.56, username:user, id:6, created:2022-09-06T07:10:56.000Z, description:Failed login in Phraseanet

I can’t figure out why it works with my regex but not with my file. I already have a custom config file for another log and it works well, but this one doesn’t.


Solution

  • The quotes are interpreted literally as part of your expression in your current configuration. Your file should look like this:

    [Definition]
    failregex = ip:<HOST>,.+description:Failed login in Phraseanet.*
    ignoreregex =
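
The quoting behaviour described in the answer can be reproduced offline; this is an added example, not part of the original answer and not fail2ban's own code. It reads both filter variants with Python's standard configparser and tests them against two log lines from the question. Assumptions: HOST_RE is a simplified IPv4-only stand-in for fail2ban's <HOST> expansion, date handling is left out, and the function names are hypothetical.

```python
import configparser
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> expansion.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The [Definition] section as posted in the question (quoted) and as corrected.
QUOTED_CONF = (
    "[Definition]\n"
    'failregex = "ip:<HOST>.*description:Failed login in Phraseanet.*"\n'
    "ignoreregex =\n"
)
FIXED_CONF = (
    "[Definition]\n"
    "failregex = ip:<HOST>,.+description:Failed login in Phraseanet.*\n"
    "ignoreregex =\n"
)

# Two lines taken from the login-error.log sample in the question.
SAMPLE_LINES = [
    "ip:47.64.104.56, username:admin@admin.fr, id:1, "
    "created:2022-09-01T14:15:46.000Z, description:Failed login in Phraseanet",
    "ip:47.64.104.56, username:user, id:4, "
    "created:2022-09-06T07:08:43.000Z, description:Failed login in Phraseanet",
]

def load_failregex(conf_text):
    """Return failregex exactly as an INI parser stores it (quotes are kept)."""
    parser = configparser.RawConfigParser()
    parser.read_string(conf_text)
    return parser.get("Definition", "failregex")

def has_wrapping_quotes(value):
    """Lint check: value is wrapped in quotes that will be matched literally."""
    return len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"

def matched_hosts(conf_text, lines):
    """Expand <HOST>, then return the host captured from each matching line."""
    pattern = re.compile(load_failregex(conf_text).replace("<HOST>", HOST_RE))
    return [m.group("host") for line in lines if (m := pattern.search(line))]

if __name__ == "__main__":
    for name, conf in (("quoted", QUOTED_CONF), ("fixed", FIXED_CONF)):
        value = load_failregex(conf)
        print(name, "| wrapped in quotes:", has_wrapping_quotes(value),
              "| hosts:", matched_hosts(conf, SAMPLE_LINES))
```

On the command line the shell removes the quotes before fail2ban-regex sees the pattern, which is why the same text matched there but not when read from the filter file.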