
Using the regex filter below:

[Definition]
failregex = ^<HOST>.*Priority: 0
ignoreregex =

Fail2Ban does not detect any of these log entries below.

Mon Apr  1 21:11:29 2024 [**] [1:1000002:1] SSH attempt [**] [Priority: 0] {TCP} 192.x.x.x:58867 -> 192.168.x.x:22
Mon Apr  1 21:11:29 2024 [**] [1:1000002:1] SSH attempt [**] [Priority: 0] {TCP} 192.x.x.x:58914 -> 192.168.x.x:22 

But this same regex filter above accurately detects the log lines below in Fail2Ban, and the only difference in the log entries is the date format.

03/26-10:57:44.146011  [**] [1:1000002:1] SSH attempt [**] [Priority: 0] {TCP} 192.x.x.x:58867 -> 192.168.x.x:22
03/26-11:23:52.317989  [**] [1:1000002:1] SSH attempt [**] [Priority: 0] {TCP} 192.x.x.x:58914 -> 192.168.x.x:22

Please, I need urgent help in getting this regex filter to work, as it is for my project work and my timeline is so limited.

  • <HOST> is after Priority: 0 in your log file, regex should be Priority: 0.*<HOST>
    – Toto
    Commented Apr 2 at 8:06
  • Thank you. This has resolved it! Priority: 0.*<HOST>
    – nexdev
    Commented Apr 2 at 10:52

1 Answer

<HOST> is some predefined regex that should match a domain/IP.

Your regex attempts to match a domain then some characters then, literally, Priority: 0.

Your log file displays <HOST> after the message Priority: 0, so you have to put the <HOST> part after Priority: 0 in the regex.

It becomes:

Priority: 0.*<HOST>
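The script below is an added example, not code from the question, the comments or the answer, and not Fail2Ban's own code. It runs three candidate failregex patterns over two constructed log lines modelled on the ones in the question (with 192.0.2.10 and 192.168.1.5 standing in for the redacted addresses) and reports which source address each pattern captures. Assumptions: `HOST_RE` is a simplified IPv4-only stand-in for Fail2Ban's `<HOST>` expansion (the real one also covers IPv6 and hostnames, and Fail2Ban's timestamp handling is not modelled here), and the `ANCHORED` pattern is my own suggestion, not something the answer gives. The authoritative check for a real filter remains `fail2ban-regex <logfile> <filter>`.

```python
import re

# Simplified stand-in for Fail2Ban's <HOST> placeholder (assumption: the real
# expansion is more elaborate and also covers IPv6 and hostnames; an IPv4-only
# form is enough to show how placement and anchoring change the match).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def expand(failregex: str) -> str:
    """Substitute the <HOST> placeholder the way a filter is expanded before use."""
    return failregex.replace("<HOST>", HOST_RE)


def match_host(failregex: str, line: str):
    """Return the host captured by the expanded failregex, or None if it does not match."""
    m = re.search(expand(failregex), line)
    return m.group("host") if m else None


# Constructed sample lines modelled on the question (documentation addresses, not real hosts).
LINES = [
    "Mon Apr  1 21:11:29 2024 [**] [1:1000002:1] SSH attempt [**] [Priority: 0] {TCP} 192.0.2.10:58867 -> 192.168.1.5:22",
    "03/26-10:57:44.146011  [**] [1:1000002:1] SSH attempt [**] [Priority: 0] {TCP} 192.0.2.10:58914 -> 192.168.1.5:22",
]

# From the question: expects the host at the very start of the line, where the timestamp is.
ORIGINAL = r"^<HOST>.*Priority: 0"
# From the answer: host placed after the priority field, reached through a greedy ".*".
REORDERED = r"Priority: 0.*<HOST>"
# Assumption (my own variant): anchor on the literal context around the source address,
# so the engine cannot backtrack into the middle of the destination address.
ANCHORED = r"Priority: 0\] \{TCP\} <HOST>:\d+ -> "


def evaluate(lines=LINES):
    """Run each candidate failregex over the sample lines; return {name: [host or None, ...]}."""
    return {
        "original": [match_host(ORIGINAL, line) for line in lines],
        "reordered": [match_host(REORDERED, line) for line in lines],
        "anchored": [match_host(ANCHORED, line) for line in lines],
    }


if __name__ == "__main__":
    for name, hosts in evaluate().items():
        print(f"{name:9s} -> {hosts}")
```

With this stand-in, `original` matches neither line (nothing that looks like an address sits at column 0), `reordered` matches both but the greedy `.*` backtracks from the end of the line and captures `2.168.1.5`, a fragment of the destination address, while `anchored` captures the intended source address `192.0.2.10` on both lines. The general lesson is to give `<HOST>` fixed literal context on the side the engine reaches it from, and to verify the captured address with `fail2ban-regex` before letting a jail ban on it.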
