From: Yaroslav H. <li...@on...> - 2008-04-28 16:10:40

since -regex worked fine, it seems you created proper regex. and I guess you
restarted fail2ban after that modification, right?

I am not sure how it could fail... maybe .pyc's should be rebuilt? are you
running Debian based OS? then do

    sudo pycentral bcremove fail2ban
    sudo pycentral bccompile fail2ban

On Sat, 26 Apr 2008, kLe wrote:

> Hi everybody,
> I recently moved from syslog to rsyslog and now fail2ban seems to be
> unable to recognize correct date.
> This is an example of the date format:
> 2008-04-25T04:15:21.356588+02:00
> I tried adding this to datedetector.py:
>     # RFC 3339
>     template = DateStrptime()
>     template.setName("RFC 3339")
>     template.setRegex("\d{4}-\S{2}-\d{2}T\d{2}:\d{2}:\d{2}")
>     template.setPattern("%Y-%m-%dT%H:%M:%S")
>     self.__templates.append(template)
> but it doesn't work.
> However the regex is successful:
>     fail2ban-regex /var/log/sshd.log /etc/fail2ban/filter.d/sshd.conf
> gives
> Date template hits:
> 865 hit(s): Month Day Hour:Minute:Second
> 0 hit(s): Weekday Month Day Hour:Minute:Second Year
> 0 hit(s): Weekday Month Day Hour:Minute:Second
> 0 hit(s): Year/Month/Day Hour:Minute:Second
> 0 hit(s): Day/Month/Year:Hour:Minute:Second
> 0 hit(s): Year-Month-Day Hour:Minute:Second
> 0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
> 6399 hit(s): RFC 3339
> 0 hit(s): TAI64N
> 0 hit(s): Epoch
> But only the addresses matched by old-style timestamp are reported:
> Addresses found:
> [1]
> [2]
> 218.28.8.210 (Mon Apr 21 06:25:18 2008)
> 218.28.8.210 (Mon Apr 21 06:25:23 2008)
> 66.114.252.200 (Mon Apr 21 15:57:48 2008)
> 66.114.252.200 (Mon Apr 21 15:57:52 2008)
> 192.168.0.140 (Mon Apr 21 16:30:30 2008)
> 75.126.234.107 (Mon Apr 21 17:41:25 2008)
> 75.126.234.107 (Mon Apr 21 17:41:30 2008)
> 193.220.92.114 (Mon Apr 21 17:41:36 2008)
> 193.220.92.114 (Mon Apr 21 17:42:09 2008)
> 199.232.78.179 (Tue Apr 22 10:38:26 2008)
> 199.232.78.179 (Tue Apr 22 10:38:30 2008)
> 192.168.0.140 (Tue Apr 22 17:16:45 2008)
> 192.168.0.140 (Tue Apr 22 17:17:01 2008)
> 192.168.0.140 (Tue Apr 22 17:17:24 2008)
> 196.12.44.213 (Tue Apr 22 22:48:41 2008)
> 196.12.44.213 (Tue Apr 22 22:48:45 2008)
> 161.142.92.16 (Wed Apr 23 01:32:37 2008)
> 161.142.92.16 (Wed Apr 23 01:32:42 2008)
> [3]
> [4]
> 218.28.8.210 (Mon Apr 21 06:25:16 2008)
> 218.28.8.210 (Mon Apr 21 06:25:21 2008)
> 66.114.252.200 (Mon Apr 21 15:57:46 2008)
> 75.126.234.107 (Mon Apr 21 17:41:24 2008)
> 193.220.92.114 (Mon Apr 21 17:42:07 2008)
> 199.232.78.179 (Tue Apr 22 10:38:24 2008)
> 199.232.78.179 (Tue Apr 22 10:38:27 2008)
> 196.12.44.213 (Tue Apr 22 22:48:43 2008)
> 161.142.92.16 (Wed Apr 23 01:32:35 2008)
> 161.142.92.16 (Wed Apr 23 01:32:40 2008)
> [5]
> [6]
> [7]
> [8]
> [9]
> What am I doing wrong?
> Thanks for your patience! ;)
> Luca
> (I've already tried to write a message to this list.. But I fear it got
> lost.. :( )

--
Keep in touch                              (yoh@|www.)onerussian.com
Yaroslav Halchenko
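Added example, not part of the original thread and not fail2ban's own code: a standalone Python sketch of the regex-then-strptime approach discussed above, extended (an assumption beyond the posted template) to keep the fractional seconds and UTC offset of the rsyslog timestamp instead of discarding them. The names RFC3339, parse_rfc3339, epoch and SAMPLES are hypothetical, and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Same shape as the template in the post, extended (assumption) to capture
# the optional fractional seconds and the UTC offset as well.
RFC3339 = re.compile(
    r"(?P<base>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d+))?"
    r"(?P<tz>Z|[+-]\d{2}:\d{2})"
)

def parse_rfc3339(line):
    """Return the first RFC 3339 timestamp in line as an aware datetime, or None."""
    m = RFC3339.search(line)
    if m is None:
        return None
    # The date/time part uses the same strptime pattern as the post.
    dt = datetime.strptime(m.group("base"), "%Y-%m-%dT%H:%M:%S")
    if m.group("frac"):
        # Pad or truncate the fraction to microsecond precision (6 digits).
        dt = dt.replace(microsecond=int(m.group("frac")[:6].ljust(6, "0")))
    tz = m.group("tz")
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = -1 if tz[0] == "-" else 1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return dt.replace(tzinfo=timezone(offset))

def epoch(line):
    """Seconds since the Unix epoch for the timestamp in line, or None."""
    dt = parse_rfc3339(line)
    return None if dt is None else dt.timestamp()

# Constructed sample lines (not taken from the poster's log).
SAMPLES = [
    "2008-04-25T04:15:21.356588+02:00 host sshd[123]: "
    "Failed password for root from 192.0.2.10 port 4242 ssh2",
    "Apr 21 06:25:18 host sshd[456]: "
    "Failed password for root from 192.0.2.10 port 4243 ssh2",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_rfc3339(s), epoch(s))
```

Parsing only the "%Y-%m-%dT%H:%M:%S" prefix yields the local wall-clock time with no zone attached, so whatever consumes it has to assume one; keeping the offset makes the resulting epoch value unambiguous.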