New Zoneminder filter not working
johnnny1337 opened this issue · 1 comment
johnnny1337 commented
Hi,
I am trying to use a new filter for Zoneminder and have done it like this:
[zoneminder]
enabled = true
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
# Modified for php based logins
port = http,https,30001,30002,30003,30004,30005,30006,30007,30008,30009,30010,30011,30012,30013,30014,30015,30016,30017,30018,30019
logpath = /var/log/zm/web_php.log
#%(apache_error_log)s
filter =
failregex = ^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[(?:Could not retrieve user|Login denied for user) \S+
datepattern = ^%%m/%%d/%%y %%H:%%M:%%S(?:\.%%f)
When I test the filter I get this:
docker exec -t fail2ban fail2ban-regex -v /var/log/zm/web_php.log zoneminder --print-all-matched
Running tests
=============
Use failregex filter file : zoneminder, basedir: /etc/fail2ban
Use datepattern : ^Month/Day/Year2 24hour:Minute:Second(?:\.Microseconds)
Use log file : /var/log/zm/web_php.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
|- #) [# of hits] regular expression
| 1) [0] ^\s*web_php\[\d+\]\.ERR\[<HOST>\] \[(?:Could not retrieve user|Login denied for user) \S+
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [3749] ^Month/Day/Year2 24hour:Minute:Second(?:\.Microseconds)
`-
Lines: 3749 lines, 0 ignored, 0 matched, 3749 missed
[processed in 0.19 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 3749 lines
And when running this it seems to work:
docker exec -t fail2ban fail2ban-regex -vv -d '^%m/%d/%y %H:%M:%S(?:\.%f)' '02/26/20 11:00:10.720338 web_php[1698].ERR [192.168.0.100] [Could not retrieve user testuser details] at includes/auth.php line 278' '^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[(?:Could not retrieve user|Login denied for user) \S+'
Running tests
=============
Use datepattern : ^Month/Day/Year2 24hour:Minute:Second(?:\.Microseconds)
Use failregex line : ^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[(?:Could not ...
Use single line : 02/26/20 11:00:10.720338 web_php[1698].ERR [192.16...
Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] ^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[(?:Could not retrieve user|Login denied for user) \S+
| 192.168.0.100 Wed Feb 26 11:00:10 2020
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] ^Month/Day/Year2 24hour:Minute:Second(?:\.Microseconds)
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]
It seems to work for others not running in Docker; see here:
fail2ban/fail2ban#2643
Am I missing something obvious?
Thank you!
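As an added example (not the issue author's code and not fail2ban's own implementation), the Python below mimics what fail2ban-regex does with this jail: it strips the timestamp according to the datepattern, then applies the failregex to the rest of the line, once with the regex as written in the jail and once with the regex as fail2ban-regex printed it back in the first run, where the space before `\[<HOST>\]` is missing. The HOST_RE expansion, the constructed sample log lines and the simplified date handling are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the web_php.log format quoted in the issue
# (addresses and user names are made up).
SAMPLE_LOG = """\
02/26/20 11:00:10.720338 web_php[1698].ERR [192.168.0.100] [Could not retrieve user testuser details] at includes/auth.php line 278
02/26/20 11:00:12.000001 web_php[1698].ERR [192.168.0.100] [Login denied for user "testuser"] at includes/auth.php line 290
02/26/20 11:00:15.123456 web_php[1702].INF [192.168.0.7] [Login successful for user "admin"] at includes/auth.php line 300
02/26/20 11:01:00.000000 web_php[1702].ERR [192.168.0.7] [Unrelated error message] at includes/functions.php line 10
"""

# fail2ban substitutes <HOST> with its own host pattern; this simplified
# IPv4-or-hostname stand-in is an assumption, not fail2ban's exact expansion.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[\w.-]+)"

# The failregex exactly as written in the jail, and the variant that
# fail2ban-regex printed back in the first run (no space before "\[<HOST>\]").
FAILREGEX_JAIL = r"^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[(?:Could not retrieve user|Login denied for user) \S+"
FAILREGEX_AS_LOADED = r"^\s*web_php\[\d+\]\.ERR\[<HOST>\] \[(?:Could not retrieve user|Login denied for user) \S+"

# Timestamp prefix corresponding to the jail's datepattern %m/%d/%y %H:%M:%S(?:.%f)
DATE_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\s*")


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the <HOST> tag before compiling, as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def scan(log_text: str, failregex: str) -> list[tuple[str, datetime]]:
    """Return (host, timestamp) for every line the failregex matches once the date is removed."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        date_match = DATE_RE.match(line)
        if not date_match:
            continue  # fail2ban would count this line as missed as well
        ts_raw = date_match.group("ts")
        fmt = "%m/%d/%y %H:%M:%S.%f" if "." in ts_raw else "%m/%d/%y %H:%M:%S"
        ts = datetime.strptime(ts_raw, fmt)
        rest = line[date_match.end():]  # the part the failregex is applied to
        m = pattern.match(rest)
        if m:
            hits.append((m.group("host"), ts))
    return hits


if __name__ == "__main__":
    print("jail regex:     ", len(scan(SAMPLE_LOG, FAILREGEX_JAIL)), "hits")
    print("as-loaded regex:", len(scan(SAMPLE_LOG, FAILREGEX_AS_LOADED)), "hits")
```

Run stand-alone it reports 2 hits for the regex as written in the jail and 0 for the variant without the space, which is the difference between the two fail2ban-regex runs quoted above.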
crazy-max commented
@jonrub I need a proper bug report to help you. Thanks.