I notice on some of my fail2ban installations that logwatch will report on lines such as this:

2012-02-04 07:37:06,580 fail2ban.jail   : INFO   Jail 'ssh-tcpwrapper' uses Gamin

... show up in the “**Unmatched Entries**” section.

In /etc/logwatch/scripts/services/fail2ban I see this at around line 60:

while (defined(my $ThisLine = <STDIN>)) {
    if ( $Debug >= 5 ) {
        print STDERR "DEBUG($DebugCounter): $ThisLine";
        $DebugCounter++;
    }
    chomp($ThisLine);
    if ( ($ThisLine =~ /..,... DEBUG: /) or
         ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban
         ($ThisLine =~ /..,... INFO: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or
         ($ThisLine =~ /INFO\s+Log rotation detected for/) or
>>       ($ThisLine =~ /INFO\s+Jail.+(?:stopped|started|uses poller)/) or     <<
         ($ThisLine =~ /INFO\s+Changed logging target to/) or
         ($ThisLine =~ /INFO\s+Creating new jail/) or
>>       ($ThisLine =~ /..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/) or # syntax of 0.7.? fail2ban    <<
         ($ThisLine =~ /..,... WARNING: Verbose level is /) or
         ($ThisLine =~ /..,... WARNING: Restoring firewall rules/)
       )
    {
        if ( $Debug >= 6 ) {
            print STDERR "DEBUG($DebugCounter): line ignored\n";

Since the second >> bolded << line above expects Gamin to appear after the word INFO with only whitespace in between, it’s clearly not the place to try to match and ignore a line saying that “Jail ‘<name>’ uses Gamin”.

The first >> bolded << line, however, might be the right place. I’m trying this – change that line from:

   ($ThisLine =~ /INFO\s+Jail.+(?:stopped|started|uses poller)/) or

to:

   ($ThisLine =~ /INFO\s+Jail.+(?:stopped|started|uses poller|uses Gamin)/) or

If I’ve got this right, could I please propose that this be added to the next release?

Speaking of releases... I’m really confused about something.

I’ve installed fail2ban, always from RPMs, always from EPEL, on some RHEL 4 systems, some RHEL 5 systems, and several CentOS 5 systems.

RHEL5: package fail2ban-0.8.4-23.el5
RHEL4: package fail2ban-0.8.4-23.el4
CentOS5: package fail2ban-0.8.4-23.el5

On one of the RHEL4 systems, the fail2ban package installation added these files:

/usr/share/logwatch/scripts/services/fail2ban
/usr/share/logwatch/default.conf/logfiles/fail2ban.conf
/usr/share/logwatch/default.conf/services/fail2ban.con

However, on the RHEL5 systems and on the CentOS5 systems nothing was added to logwatch to allow it to report on fail2ban.

What is the *right* way to get logwatch config files added to a system to allow logwatch to report on fail2ban?

Are the logwatch config files included anywhere in the fail2ban source distributions?

Thanks,

Jay
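As an added example that is not part of the post above and not code from either the logwatch or fail2ban projects, the Python below transcribes the ignore patterns quoted from the Perl script and runs them, before and after the proposed one-word change, over a few constructed 0.8.x-style log lines (assumed format, not captured from a real host). The patterns use only `.`, `\s`, `\S`, `+`, `*`, `|` and `(?:...)`, which Python's `re` treats exactly as Perl does, so the result reflects what the Perl `if` branch would do. The later branches of the real script (ban/unban reporting) are not modelled; the function only shows what the ignore branch lets through.

```python
import re

# Ignore patterns transcribed from the logwatch fail2ban filter quoted in the
# post (the Perl 'if ( ... or ... )' block).  Only ., \s, \S, +, *, | and
# (?:...) are used, which Python's re handles exactly as Perl does.
JAIL_STATUS_ORIGINAL = r"INFO\s+Jail.+(?:stopped|started|uses poller)"
JAIL_STATUS_PATCHED = r"INFO\s+Jail.+(?:stopped|started|uses poller|uses Gamin)"
INFO_KEYWORDS = r"..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)"

OTHER_IGNORES = (
    r"..,... DEBUG: ",
    r"..,... \S*\s*: DEBUG ",
    r"..,... INFO: (Fail2Ban v.* is running|Exiting|Enabled sections:)",
    r"INFO\s+Log rotation detected for",
    r"INFO\s+Changed logging target to",
    r"INFO\s+Creating new jail",
    r"..,... WARNING: Verbose level is ",
    r"..,... WARNING: Restoring firewall rules",
)

IGNORE_PATTERNS_ORIGINAL = OTHER_IGNORES + (JAIL_STATUS_ORIGINAL, INFO_KEYWORDS)
IGNORE_PATTERNS_PATCHED = OTHER_IGNORES + (JAIL_STATUS_PATCHED, INFO_KEYWORDS)

# Constructed sample in the fail2ban 0.8.x log format shown in the post;
# these lines were written for this example, not captured from a real host.
SAMPLE_LOG = """\
2012-02-04 07:37:06,580 fail2ban.jail   : INFO   Jail 'ssh-tcpwrapper' uses Gamin
2012-02-04 07:37:06,581 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses poller
2012-02-04 07:37:06,590 fail2ban.filter : INFO   Set maxRetry = 5
2012-02-04 07:37:06,700 fail2ban.jail   : INFO   Jail 'ssh-tcpwrapper' started
"""


def ignored(line, patterns):
    """True if any ignore pattern matches.  Perl's =~ /re/ is an unanchored
    search, so re.search (not re.match) is the faithful equivalent."""
    return any(re.search(p, line) for p in patterns)


def fall_through(log_text, patterns):
    """Lines the ignore branch does not swallow.  In the real script these go
    on to the ban/unban reporting rules; whatever no later rule handles is
    what logwatch prints under "Unmatched Entries"."""
    return [line for line in log_text.splitlines() if not ignored(line, patterns)]


def gamin_line_matches(line):
    """Which candidate pattern matches a "Jail '<name>' uses Gamin" line.
    The INFO-keyword pattern needs 'Gamin' right after 'INFO' plus whitespace,
    so it cannot match when the jail name sits in between."""
    return {
        "jail_status_original": bool(re.search(JAIL_STATUS_ORIGINAL, line)),
        "jail_status_patched": bool(re.search(JAIL_STATUS_PATCHED, line)),
        "info_keywords": bool(re.search(INFO_KEYWORDS, line)),
    }


if __name__ == "__main__":
    for label, patterns in (("original", IGNORE_PATTERNS_ORIGINAL),
                            ("patched", IGNORE_PATTERNS_PATCHED)):
        print(f"{label}: falls through = {fall_through(SAMPLE_LOG, patterns)}")
    print(gamin_line_matches(SAMPLE_LOG.splitlines()[0]))
```

With the original pattern list only the "uses Gamin" line falls through the ignore branch; with the patched jail-status pattern nothing does, and the INFO-keyword pattern never matches that line, which is the point the post makes about why the second bolded line is the wrong place for the fix.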