Home / server / Questions / 746339
Accepted
Felix Jen
Asked: 2016-01-02 22:34:49 +0800 CST

Fail2Ban regex to match these lines?

  • 772

I've been trying to get fail2ban to work with the Xeams email spam filter. But, I can't figure out what possible regex I should use to match the logs. The logs are in this format.

61.240.144.65   1451702136946   5
185.130.5.240   1451702444872   5
192.237.159.38  1451705774912   5
185.130.5.240   1451712868825   5

Each section of the log is separated by a Tab (I think), with the first part being the host IP. I have no idea what the other sections do.

I've tried the following regex but it doesn't work according to fail2ban-regex.

<HOST>      1451.*  .*

As well as:

<HOST>      .*  .*

I honestly have no idea what to do to match these logs.

regex

1 Answers

  1. Best Answer

    The problem you are having is that fail2ban expects the line to contain a valid timestamp and your log lines do not meet that criteria as they start with a <HOST>.

    In order for a log line to match your failregex, it actually has to match in two parts: the beginning of the line has to match a timestamp pattern or regex, and the remainder of the line has to match your failregex. If the failregex is anchored with a leading ^, then the anchor refers to the start of the remainder of the line, after the timestamp and intervening whitespace

    You will need to provide fail2ban with a log file that meets it's input requirements.

    • 2