From: Ben J. <be...@in...> - 2013-10-01 21:04:25
On 9/28/2013 10:27 PM, Yaroslav Halchenko wrote:
> ok -- as a workaround we could indeed simply not add dangling links.
> Here is the PR: https://github.com/fail2ban/fail2ban/pull/369
>
>
> On Fri, 27 Sep 2013, Ben Johnson wrote:
>
>> Hi, everyone!
>
>> Recently, I noticed that fail2ban stopped banning IP addresses (this was
>> after a system reboot).
>
>> I examined the log at /var/log/fail2ban.log and find:
>
>> fail2ban.comm : WARNING Command ['set', 'apache-badbots',
>> 'addlogpath', '/var/log/ispconfig/httpd/example.com/access.log'] has
>> failed. Received IOError(2, 'No such file or directory')
>
>> I know why the log file doesn't exist (there's a "dangling" symlink that
>> points to a file that doesn't exist, which is actually expected in this
>> case), and that's not my concern.
>
>> I'm just wondering if this type of error is "fatal"? It doesn't seem so,
>> because the fail2ban daemon does "start" and continues to run in the
>> background, but I see no evidence that fail2ban does any banning. And
>> the contents of the fail2ban log do not grow after the above error.
>
>> I created an empty file so that the above-mentioned symlink points to a
>> real (though empty) log file, and the error disappears. Then I see the
>> fail2ban log filling-up, and everything is back to normal.
>
>> If this error does actually cause fail2ban not to function at all, then
>> might I suggest skipping non-existing log files that are added via
>> "globbing" (using an asterisk (*) in the log path within the jail
>> definition) when the files don't exist?
>
>> If this type of skipping already happens, then is it possible that the
>> "dangling" symlink pointing to a non-existent file is a different
>> situation that requires different handling?
>
>> Thanks for any help here,
>
>> -Ben

Yaroslav and oldbrad,

Yaroslav, thanks for implementing the workaround so quickly. I really
appreciate it.

oldbrad, I also appreciate your reply and assistance. But rather than
bore you with a lengthy explanation for the dangling symlink, I will say
only that it "happens for a good reason" and is expected in my
particular use-case. Ultimately, dangling symlinks in the logpath
directive are an occurrence for which fail2ban should account,
regardless of how they came to be. (The authors/maintainers agree, given
that the behavior has been addressed.)

Thanks again, to both of you!

-Ben
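
Added example, not part of the original message and not fail2ban's own code: a pre-flight check that expands a globbed logpath and separates readable log files from dangling symlinks, so the latter can be skipped or reported before a jail is started. The directory layout is constructed in a temporary directory, and the names split_logpath and demo are hypothetical.

```python
import glob
import os
import tempfile


def split_logpath(pattern):
    """Expand a logpath glob; return (usable, dangling) sorted lists."""
    usable, dangling = [], []
    # glob.glob() matches directory entries by name, so a symlink whose
    # target is missing is still returned and must be filtered here.
    for path in sorted(glob.glob(pattern)):
        # islink() inspects the link itself, exists() follows it: a
        # dangling symlink is a link for which exists() is False.
        if os.path.islink(path) and not os.path.exists(path):
            dangling.append(path)
        elif os.path.isfile(path):
            usable.append(path)
    return usable, dangling


def demo():
    """Constructed layout: one real access.log and one dangling symlink."""
    root = tempfile.mkdtemp(prefix="logpath-demo-")
    for site in ("example.com", "example.org"):
        os.makedirs(os.path.join(root, site))
    real = os.path.join(root, "example.org", "access.log")
    with open(real, "w") as fh:
        fh.write("")  # empty but present, like the file Ben created
    broken = os.path.join(root, "example.com", "access.log")
    # Symlink target is never created, so the link dangles.
    os.symlink(os.path.join(root, "missing", "access.log"), broken)
    usable, dangling = split_logpath(os.path.join(root, "*", "access.log"))
    return real, broken, usable, dangling


if __name__ == "__main__":
    real, broken, usable, dangling = demo()
    for path in usable:
        print("monitor:", path)
    for path in dangling:
        print("skip (dangling symlink):", path)
```

Run against a real jail's logpath pattern, a non-empty dangling list identifies the paths that would trigger the IOError(2, 'No such file or directory') warning quoted above.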