Fail2ban regex matching on testing sites, but not fail2ban itself

fail2ban regex

Hi, so I'm trying to match the following log line:

E/Sun, 04 Mar 2018 21:40:32 +0100: Error logging in from RemoteIP: 1.2.3.4

And after many hours I've finally got a regex that works on debuggerex, regextester, etc. But I cannot for the life of me get fail2ban to match it.

My regex in fail2ban is as follows:

^E\/(Mon|Tue|Wed|Thu|Fri|Sat|Sun), ([0-1][0-9]) (\w\w\w) (\d\d\d\d) (00|[0-9]|1[0-9]|2[0-3]):([0-9]|[0-5][0-9]):([0-9]|[0-5][0-9]) (\+[0-9][0-9][0-9][0-9]): Error logging in from RemoteIP: <HOST>$

Am I missing something basic here or what?

Best Answer

Because I cannot spot your problem, here is the general method of fixing a fail2ban match regex.

  1. Verify you have a file that does contain the desired match, e.g. /var/log/foo.log
  2. Call fail2ban-regex /var/log/foo.log 'substring of regex'
  3. If it does not match, remove a few words from your regex and go to 2.
  4. If it does match, append a few words of your original regex and go to 2, or:
  5. If from 3. and 4. you have pinpointed which word is wrong, fix it.
  6. If after the fix, the full regex still does not match, repeat the whole process with the fixed regex.