#63 kernel timestamps defeat common prefix regexps

open
nobody
None
5
2011-09-25
2011-09-25
Adam Spiers
No

On Fedora 15, some of my syslog messages contain kernel timestamps, such as:

Sep 25 12:51:01 myhost kernel: [773577.436184] sshd[25551]: Invalid user pgsql from 91.203.223.206
Sep 25 13:01:01 myhost kernel: [774178.096112] run-parts(/etc/cron.hourly)[26252]: finished mcelog.cron

The definition of __prefix_line in filter.d/common.conf fails to recognise these. Here is a patch:

https://github.com/aspiers/Fail2Ban/commit/bdbb36434647a7c34b084ff7bf4f8ab31f846d3e
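The effect described in this report, as an added example that is not part of the original ticket and is not the linked patch. The patterns are simplified stand-ins rather than Fail2Ban's actual __prefix_line, and the names PREFIX_STRICT, PREFIX_TOLERANT, KERNEL_TS and find_host are hypothetical; the second and third sample lines are constructed.

```python
import re

# Simplified stand-ins for a syslog prefix; NOT the real __prefix_line
# from filter.d/common.conf. All names here are hypothetical.
SYSLOG_HEAD = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ "
DAEMON = r"sshd\[\d+\]: "

# Strict form: the daemon tag must directly follow the hostname.
PREFIX_STRICT = SYSLOG_HEAD + DAEMON

# Tolerant form: allow an optional "kernel: [secs.usecs] " tag first.
# \s* covers the space padding the kernel uses for small uptimes.
KERNEL_TS = r"(?:kernel: \[\s*\d+\.\d+\] )?"
PREFIX_TOLERANT = SYSLOG_HEAD + KERNEL_TS + DAEMON

FAILURE = r"Invalid user \S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3})$"

SAMPLES = [
    # Line quoted in the report.
    "Sep 25 12:51:01 myhost kernel: [773577.436184] sshd[25551]: "
    "Invalid user pgsql from 91.203.223.206",
    # Constructed: the same event without the kernel timestamp.
    "Sep 25 12:51:01 myhost sshd[25551]: "
    "Invalid user pgsql from 192.0.2.10",
    # Constructed: space-padded timestamp shortly after boot.
    "Sep 25 12:51:01 myhost kernel: [    5.123456] sshd[812]: "
    "Invalid user pgsql from 192.0.2.11",
]


def find_host(prefix, line):
    """Return the offending host if prefix + FAILURE matches, else None."""
    m = re.search(prefix + FAILURE, line)
    return m.group("host") if m else None


def compare(lines):
    """Return (strict_result, tolerant_result) for each line."""
    return [(find_host(PREFIX_STRICT, l), find_host(PREFIX_TOLERANT, l))
            for l in lines]


if __name__ == "__main__":
    for line, (strict, tolerant) in zip(SAMPLES, compare(SAMPLES)):
        print("strict=%-16s tolerant=%-16s %s" % (strict, tolerant, line))
```

Lines for which the strict column shows None are failures a filter built on that prefix would never count toward a ban.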
