I have fail2ban running on a CentOS 6.8 server; all's well. I've written a simple filter to watch for script kiddies, such as:
[Definition]
failregex = <HOST> .*GET \/admin\/config\.php
            <HOST> .*GET \/blog\/
            <HOST> .*GET \/backup\.sql\.gz
            <HOST> .*GET \/backup\.sql\.bz2
            ...
This works fine, and produces messages in /var/log/fail2ban.log like:
2017-04-19 11:12:40,333 fail2ban.filter [7181]: INFO [poison-attempts] Found 156.205.xxx.xxx
2017-04-19 11:12:40,900 fail2ban.actions [7181]: NOTICE [poison-attempts] Ban 156.205.xxx.xxx
So: Is it possible to change those log messages so that they include the pattern that caused the rule to fire? Perhaps something like:
2017-04-19 11:12:40,333 fail2ban.filter [7181]: INFO [poison-attempts] Found 156.205.xxx.xxx requesting /backup.sql.gz
or something similar? Not a big deal, but it'd be kinda nice. Thanks!
0 Answers
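As an added example (not part of the question and not fail2ban's own code), the following Python mirrors what fail2ban's filter does with the failregex lines above: it expands the <HOST> tag into a named group, tries each pattern against an access-log line, and reports the host together with the pattern and path that fired. The <HOST> expansion is the one used by fail2ban 0.9 and is assumed here; the access-log lines are constructed.

```python
import re

# fail2ban replaces the <HOST> tag with this named group before compiling
# (assumed from the 0.9 branch; simplified, no date prefix handling).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex entries from the question, one pattern per list item.
FAILREGEX = [
    r"<HOST> .*GET \/admin\/config\.php",
    r"<HOST> .*GET \/blog\/",
    r"<HOST> .*GET \/backup\.sql\.gz",
    r"<HOST> .*GET \/backup\.sql\.bz2",
]

def compile_failregex(patterns):
    """Expand <HOST> and compile each pattern, keeping the original text
    so the pattern that fired can be reported next to the host."""
    return [(p, re.compile(p.replace("<HOST>", HOST_RE))) for p in patterns]

def match_line(line, compiled):
    """Return (host, failregex_text, requested_path) for the first pattern
    that matches the line, or None when nothing fires."""
    for text, rx in compiled:
        m = rx.search(line)
        if m:
            path = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
            return m.group("host"), text, (path.group(1) if path else None)
    return None

# Constructed sample lines in Apache combined log format.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Apr/2017:11:12:40 +0000] "GET /backup.sql.gz HTTP/1.1" 404 209 "-" "curl/7.29.0"',
    '198.51.100.2 - - [19/Apr/2017:11:12:41 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Apr/2017:11:12:42 +0000] "GET /admin/config.php HTTP/1.1" 404 209 "-" "curl/7.29.0"',
]

def report(lines, patterns=FAILREGEX):
    """Produce fail2ban-style 'Found' messages that also name the path
    and the failregex responsible, which is what the question asks for."""
    compiled = compile_failregex(patterns)
    hits = []
    for line in lines:
        hit = match_line(line, compiled)
        if hit:
            host, text, path = hit
            hits.append(f"Found {host} requesting {path} (failregex: {text})")
    return hits

if __name__ == "__main__":
    for msg in report(SAMPLE_LOG):
        print(msg)
```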