I notice on some of my fail2ban installations that logwatch will report on lines such as this:


2012-02-04 07:37:06,580 fail2ban.jail   : INFO   Jail 'ssh-tcpwrapper' uses Gamin


.. show up in the “**Unmatched Entries**” section.


In /etc/logwatch/scripts/services/fail2ban I see this at around line 60..:


while (defined(my $ThisLine = <STDIN>)) {
    if ( $Debug >= 5 ) {
        print STDERR "DEBUG($DebugCounter): $ThisLine";
    }
    if ( ($ThisLine =~ /..,... DEBUG: /) or
         ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban
         ($ThisLine =~ /..,... INFO: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or
         ($ThisLine =~ /INFO\s+Log rotation detected for/) or
>>       ($ThisLine =~ /INFO\s+Jail.+(?:stopped|started|uses poller)/) or     <<
         ($ThisLine =~ /INFO\s+Changed logging target to/) or
         ($ThisLine =~ /INFO\s+Creating new jail/) or
>>       ($ThisLine =~ /..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/) or # syntax of 0.7.? fail2ban    <<
         ($ThisLine =~ /..,... WARNING: Verbose level is /) or
         ($ThisLine =~ /..,... WARNING: Restoring firewall rules/)
       ) {
        if ( $Debug >= 6 ) {
            print STDERR "DEBUG($DebugCounter): line ignored\n";
        }


Since the second >> bolded << line above expects the line to have Gamin appear after only whitespace after the word INFO, it’s clearly not the place to try to match and ignore a line saying that “Jail ‘<name>’ uses Gamin”.

The first >> bolded << line, however, might be the right place. I’m trying this – change that line from:


   ($ThisLine =~ /INFO\s+Jail.+(?:stopped|started|uses poller)/) or

to:

   ($ThisLine =~ /INFO\s+Jail.+(?:stopped|started|uses poller|uses Gamin)/) or



If I’ve got this right, could I please propose that this be added to the next release?



Speaking of releases…. I’m really confused about something.


I’ve installed fail2ban, always from RPMs, always from EPEL, on some RHEL 4 systems, some RHEL 5 systems, and several CentOS 5 systems.

RHEL5: package fail2ban-0.8.4-23.el5

RHEL4: package fail2ban-0.8.4-23.el4

CentOS5: package fail2ban-0.8.4-23.el5


On one of the RHEL4 systems, the fail2ban package installation added these files:





However on the RHEL5 systems and on the CentOS5 systems nothing was added to logwatch to allow it to report on fail2ban.



What is the *right* way to get logwatch config files added to a system to allow logwatch to report on fail2ban?

Are the logwatch config files included anywhere in the fail2ban source distributions?
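
A quick way to check the proposed change outside logwatch (an added example, not part of the original post or of the logwatch script): it runs the two marked patterns and the proposed replacement over a few log lines and shows which pattern would cause each line to be ignored. The first sample line is the one quoted in the post; the others are constructed, including a ban line that must stay unmatched so it is not silently dropped from the report.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The two ">> <<" patterns from the post, plus the proposed replacement.
my %patterns = (
    'jail (original)' => qr/INFO\s+Jail.+(?:stopped|started|uses poller)/,
    'jail (proposed)' => qr/INFO\s+Jail.+(?:stopped|started|uses poller|uses Gamin)/,
    'keyword list'    => qr/..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/,
);

# First line is from the post; the remaining lines are constructed samples.
my @lines = (
    "2012-02-04 07:37:06,580 fail2ban.jail   : INFO   Jail 'ssh-tcpwrapper' uses Gamin",
    "2012-02-04 07:37:06,581 fail2ban.jail   : INFO   Jail 'ssh-tcpwrapper' uses poller",
    "2012-02-04 07:37:06,590 fail2ban.jail   : INFO   Jail 'ssh-tcpwrapper' started",
    "2012-02-04 07:37:06,585 fail2ban.filter : INFO   Added logfile = /var/log/secure",
    "2012-02-04 07:40:12,101 fail2ban.actions: WARNING [ssh-tcpwrapper] Ban 192.0.2.10",
);

# Return the names of every ignore pattern that matches the given line.
sub matching {
    my ($line) = @_;
    return grep { $line =~ $patterns{$_} } sort keys %patterns;
}

for my $line (@lines) {
    my @hits = matching($line);
    # Show only the level and message part to keep the output readable.
    my ($msg) = $line =~ /:\s+((?:INFO|WARNING).*)$/;
    printf "%-45s => %s\n", $msg, @hits ? join(', ', @hits) : 'no match';
}
```

The "uses Gamin" line is matched only by the proposed pattern, the "uses poller" and "started" lines by both jail patterns, and the ban line by none of the three.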