I'm running debian testing (lenny/sid) and after the mod I reloaded the daemon.
I also tried to rebuild the pycs (thanks to your tip), but nothing changed.

I think that the problem is in the setPattern section: the regex is going fine but data acquisition isn't.

template.setRegex("\d{4}-\S{2}-\d{2}T\d{2}:\d{2}:\d{2}")
template.setPattern("%Y-%m-%dT%H:%M:%S")

Maybe I should explain to the program that 'day' and 'hour' are merged together by a 'T' char that works as a separator, but I have no idea how to fix it!

Thanks again for your time..

Luca


Yaroslav Halchenko wrote:
since -regex worked fine, it seems you created proper regex. and I guess
you restarted fail2ban after that modification, right? I am not sure how
it could fail... maybe .pyc's should be rebuilt? are you running Debian
based OS? then do
sudo pycentral bcremove fail2ban
sudo pycentral bccompile fail2ban

On Sat, 26 Apr 2008, kLe wrote:

  
Hi everybody,
    

  
I recently moved from syslog to rsyslog and now fail2ban seems to be
unable to recognize correct date.
This is an example of the date format:
    

  
2008-04-25T04:15:21.356588+02:00
    

  
I tried adding this to datedetector.py:
    

  
# RFC 3339
template = DateStrptime()
template.setName("RFC 3339")
template.setRegex("\d{4}-\S{2}-\d{2}T\d{2}:\d{2}:\d{2}")
template.setPattern("%Y-%m-%dT%H:%M:%S")
self.__templates.append(template)
    

  
but it doesn't work.
However the regex is successful:
    

  
fail2ban-regex /var/log/sshd.log /etc/fail2ban/filter.d/sshd.conf
    

  
gives
    

  
Date template hits:
865 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
6399 hit(s): RFC 3339
0 hit(s): TAI64N
0 hit(s): Epoch
    

  
But only the addresses matched by the old-style timestamp are reported:
    

  
Addresses found:
[1]
[2]
    218.28.8.210 (Mon Apr 21 06:25:18 2008)
    218.28.8.210 (Mon Apr 21 06:25:23 2008)
    66.114.252.200 (Mon Apr 21 15:57:48 2008)
    66.114.252.200 (Mon Apr 21 15:57:52 2008)
    192.168.0.140 (Mon Apr 21 16:30:30 2008)
    75.126.234.107 (Mon Apr 21 17:41:25 2008)
    75.126.234.107 (Mon Apr 21 17:41:30 2008)
    193.220.92.114 (Mon Apr 21 17:41:36 2008)
    193.220.92.114 (Mon Apr 21 17:42:09 2008)
    199.232.78.179 (Tue Apr 22 10:38:26 2008)
    199.232.78.179 (Tue Apr 22 10:38:30 2008)
    192.168.0.140 (Tue Apr 22 17:16:45 2008)
    192.168.0.140 (Tue Apr 22 17:17:01 2008)
    192.168.0.140 (Tue Apr 22 17:17:24 2008)
    196.12.44.213 (Tue Apr 22 22:48:41 2008)
    196.12.44.213 (Tue Apr 22 22:48:45 2008)
    161.142.92.16 (Wed Apr 23 01:32:37 2008)
    161.142.92.16 (Wed Apr 23 01:32:42 2008)
[3]
[4]
    218.28.8.210 (Mon Apr 21 06:25:16 2008)
    218.28.8.210 (Mon Apr 21 06:25:21 2008)
    66.114.252.200 (Mon Apr 21 15:57:46 2008)
    75.126.234.107 (Mon Apr 21 17:41:24 2008)
    193.220.92.114 (Mon Apr 21 17:42:07 2008)
    199.232.78.179 (Tue Apr 22 10:38:24 2008)
    199.232.78.179 (Tue Apr 22 10:38:27 2008)
    196.12.44.213 (Tue Apr 22 22:48:43 2008)
    161.142.92.16 (Wed Apr 23 01:32:35 2008)
    161.142.92.16 (Wed Apr 23 01:32:40 2008)
[5]
[6]
[7]
[8]
[9]
    

  
What am I doing wrong?
    

  
Thanks for your patience! ;)
    

  
Luca
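
An added example, not part of the thread and not fail2ban's own code: a stand-alone Python 3 sketch that runs the regex and strptime pattern posted above against an rsyslog-style line and shows which parts of the timestamp they leave unparsed (the fractional seconds and the `+02:00` offset). `FULL_REGEX`, the function names and the sample log line are assumptions made for illustration; only the timestamp value comes from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Regex and strptime pattern exactly as posted in the thread.
THREAD_REGEX = re.compile(r"\d{4}-\S{2}-\d{2}T\d{2}:\d{2}:\d{2}")
THREAD_PATTERN = "%Y-%m-%dT%H:%M:%S"

# Hypothetical fuller regex: also captures the fraction and the UTC offset.
FULL_REGEX = re.compile(
    r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})")


def parse_thread_style(line):
    """Use only the thread's regex/pattern: naive datetime, offset dropped."""
    m = THREAD_REGEX.search(line)
    if not m:
        return None
    return datetime.strptime(m.group(), THREAD_PATTERN)


def parse_full(line):
    """Parse the whole RFC 3339 stamp into a timezone-aware UTC datetime."""
    m = FULL_REGEX.search(line)
    if not m:
        return None
    base, frac, off = m.groups()
    dt = datetime.strptime(base, THREAD_PATTERN)
    if frac:
        # Keep at most microsecond precision, padding short fractions.
        dt = dt.replace(microsecond=int(frac[1:7].ljust(6, "0")))
    if off == "Z":
        delta = timedelta(0)
    else:
        sign = 1 if off[0] == "+" else -1
        delta = sign * timedelta(hours=int(off[1:3]), minutes=int(off[4:6]))
    return dt.replace(tzinfo=timezone(delta)).astimezone(timezone.utc)


# Constructed sample line; only the timestamp is taken from the thread.
SAMPLE = ("2008-04-25T04:15:21.356588+02:00 host sshd[1234]: "
          "Failed password for root from 192.0.2.10 port 4242 ssh2")

if __name__ == "__main__":
    print("thread regex + pattern:", parse_thread_style(SAMPLE))
    print("full RFC 3339 as UTC  :", parse_full(SAMPLE))
```

The naive result is wall-clock time at the logging host, so any comparison against the current time is only correct when the parser runs in the same timezone as the host that wrote the log.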