[Check_mk (english)] logwatch expression

Just noticed that fail2ban appears to be writing its logfile a bit differently and it broke the logwatch pattern.

I get notices about failed login attempts from /var/log/secure, fail2ban does its thing and adds an iptables rule to block the offending IP. But I don't get a matching log hit from /var/log/fail2ban.log.

In the log I get entries like this:
2014-10-09 06:43:45,410 fail2ban.actions[7661]: WARNING [ssh-iptables] Ban 192.168.1.134
2014-10-10 06:43:45,410 fail2ban.actions[7661]: WARNING [ssh-iptables] Unban 192.168.1.134

They used to look like this:
2014-07-27 00:24:48,418 fail2ban.actions: WARNING [ssh-iptables] Ban 116.10.191.239
2014-07-28 00:24:48,866 fail2ban.actions: WARNING [ssh-iptables] Unban 116.10.191.239

Fail2ban is now including the PID of its process in the log file.

Here's what I've tried to do in logwatch.cfg, but it still doesn't throw a warning on new ban or unban entries. How do I tweak this to get a match?

# Fail2ban log
/var/log/fail2ban.log
W fail2ban\.actions\[*\]\: WARNING \[ssh\-iptables\] Ban
W fail2ban\.actions\[*\]\: WARNING \[ssh\-iptables\] Unban

IIRC, logwatch expressions are regexps, not glob patterns.

Hence you would need something like:

        W fail2ban\.actions\[[0-9]+\]\: WARNING \[ssh\-iptables\] Ban
        W fail2ban\.actions\[[0-9]+\]\: WARNING \[ssh\-iptables\] Unban

You can probably make the [pid] part optional so as to match both
old-style and new-style logs:

        W fail2ban\.actions(\[[0-9]+\])?\: WARNING \[ssh\-iptables\] Ban
        W fail2ban\.actions(\[[0-9]+\])?\: WARNING \[ssh\-iptables\] Unban

Kind regards,
Riccardo

···

On 10 October 2014 12:53, <sberg@mississippi.com> wrote:


--
Riccardo Murri
http://www.s3it.uzh.ch/about/team/

S3IT: Services and Support for Science IT
University of Zurich
Winterthurerstrasse 190, CH-8057 Zürich (Switzerland)
Tel: +41 44 635 4222
Fax: +41 44 635 6888

Hi Steve,

you need real regex on Unix systems, so '.*' instead of just '*'.

HTH,
Marcel

···

2014-10-10 12:53 GMT+02:00 <sberg@mississippi.com>:


_______________________________________________
checkmk-en mailing list
checkmk-en@lists.mathias-kettner.de
http://lists.mathias-kettner.de/mailman/listinfo/checkmk-en

Just an additional question...

Why not just match 'WARNING.*(Ban|Unban)$' or even 'WARNING'?

Regards,
Marcel

···

2014-10-10 13:42 GMT+02:00 Marcel Schulte <schulte.marcel@gmail.com>:


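As an added example (not code from this thread or from Check_mk itself), the Python script below runs the patterns proposed in the thread against constructed copies of the two fail2ban line formats. It assumes regex search semantics (re.search, i.e. the pattern may hit anywhere in the line), which is taken here to mirror how the logwatch agent scans each line, and it also shows why an end-anchored pattern misses lines that end with an IP address.

```python
import re

# Constructed sample lines reproducing the two formats shown in the thread:
# new style (with the PID in brackets) and old style (without it).
NEW_STYLE = ("2014-10-09 06:43:45,410 fail2ban.actions[7661]: "
             "WARNING [ssh-iptables] Ban 192.168.1.134")
OLD_STYLE = ("2014-07-27 00:24:48,418 fail2ban.actions: "
             "WARNING [ssh-iptables] Ban 116.10.191.239")

# Candidate patterns from the thread, with the leading "W " level stripped.
PATTERNS = {
    # "\[*" is not a glob: it means "zero or more literal '[' characters",
    # so the PID digits that follow can never be consumed.
    "glob_style":   r"fail2ban\.actions\[*\]\: WARNING \[ssh\-iptables\] Ban",
    # Requires a bracketed PID, so it only hits the new format.
    "pid_required": r"fail2ban\.actions\[[0-9]+\]\: WARNING \[ssh\-iptables\] Ban",
    # Makes the PID group optional, so both formats match.
    "pid_optional": r"fail2ban\.actions(\[[0-9]+\])?\: WARNING \[ssh\-iptables\] Ban",
    # "$" anchors to end of line, but these lines end with the banned IP,
    # so neither format matches.
    "end_anchored": r"WARNING.*(Ban|Unban)$",
    # Matches every WARNING line, including any unrelated ones.
    "warning_only": r"WARNING",
}


def matches(pattern, line):
    """True if the pattern hits anywhere in the line (search semantics,
    assumed to be what the logwatch agent applies per line)."""
    return re.search(pattern, line) is not None


def evaluate(patterns=PATTERNS):
    """Map each pattern name to (matches_new_style, matches_old_style)."""
    return {name: (matches(p, NEW_STYLE), matches(p, OLD_STYLE))
            for name, p in patterns.items()}


if __name__ == "__main__":
    for name, (new, old) in evaluate().items():
        print(f"{name:13s} new-style={new!s:5s} old-style={old}")
```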