CentOS EPEL fail2ban cannot process Tomcat's systemd journal
I have installed fail2ban 0.10.5-2.el7 from EPEL on CentOS 7.8. I am trying to get it to process the Tomcat logs through systemd (Tomcat is also a systemd service). In the jail I added:
[guacamole]
enabled = true
port = http,https
backend = systemd
In filter.d/guacamole.conf:
[Definition]
failregex = Authentication attempt from <HOST> for user "[^"]*" failed\.$
ignoreregex =
journalmatch = _SYSTEMD_UNIT=tomcat.service + _COMM=java
If I redirect journalctl -u tomcat.service to a log file and process that with fail2ban-regex, it works the way I want and finds all the lines it should:
% fail2ban-regex /tmp/j9 /etc/fail2ban/filter.d/guacamole.conf
Running tests
=============
Use failregex filter file : guacamole, basedir: /etc/fail2ban
Use log file : /tmp/j9
Use encoding : UTF-8
Results
=======
Failregex: 47 total
|- #) [# of hits] regular expression
| 1) [47] Authentication attempt from <HOST> for user "[^"]*" failed\.$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
| [570] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 571 lines, 0 ignored, 47 matched, 524 missed
[processed in 0.12 sec]
It comes straight back, having processed 0 lines:
Running tests
=============
Use failregex filter file : guacamole, basedir: /etc/fail2ban
Use systemd journal
Use encoding : UTF-8
Use journal match : _SYSTEMD_UNIT=tomcat.service + _COMM=java
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Lines: 0 lines, 0 ignored, 0 matched, 0 missed
[processed in 0.00 sec]
I tried removing _COMM=java. That made no difference.
If I leave out the journalmatch line entirely, it at least processes all the lines in the journal, but finds no matches (even though, as I said, it does find them in a dump of the log file):
Either this is a bug, or I am missing some small detail.
Thanks for any help.

To make sure the filter definition is initialized properly, it is better to include the common definitions. Your filter definition (/etc/fail2ban/filter.d/guacamole.conf) would then look like this:
[INCLUDES]
before = common.conf
[Definition]
journalmatch = _SYSTEMD_UNIT='tomcat.service'
failregex = Authentication attempt from <HOST> for user "[^"]*" failed\.$
ignoreregex =
Remember to restart the fail2ban service after making this change.
Running tests
=============
Use failregex filter file : guacamole, basedir: /etc/fail2ban
Use systemd journal
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Lines: 202271 lines, 0 ignored, 0 matched, 202271 missed
[processed in 34.54 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 202271 lines
[guacamole]
enabled = true
port = http,https
maxretry = 3
findtime = 1h
bantime = 1d
# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
backend = systemd
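The question and the answer above turn on two separate steps that fail2ban performs with a systemd-backend filter: first journalmatch selects journal entries by field (the `+` joins conditions with AND, and `_COMM=java` is an extra condition on top of the unit), and only then is failregex run against each selected entry's MESSAGE field. The following script is an added example, not fail2ban's own code and not from the question or answer; it reproduces those two steps over a handful of constructed journal entries so you can see how narrowing journalmatch changes the line count, and how the `$` anchor in the failregex misses a message that carries trailing whitespace. The `<HOST>` expansion used here is a simplified stand-in (the real 0.10 pattern has separate ip4/ip6/dns groups).

```python
"""Toy reproduction of what fail2ban-regex does with a systemd-backend filter:
apply journalmatch to journal entries, then run failregex on MESSAGE.
Added example, not fail2ban code; all journal entries below are constructed."""
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# 0.10 pattern is more elaborate, with separate ip4/ip6/dns groups).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the guacamole filter on this page.
FAILREGEX = r'Authentication attempt from <HOST> for user "[^"]*" failed\.$'

# Constructed journal entries, shaped like the fields the systemd python
# library returns (only the fields this example needs are present).
JOURNAL = [
    {"_SYSTEMD_UNIT": "tomcat.service", "_COMM": "java",
     "MESSAGE": 'Authentication attempt from 203.0.113.7 for user "admin" failed.'},
    {"_SYSTEMD_UNIT": "tomcat.service", "_COMM": "java",
     "MESSAGE": 'Authentication attempt from 203.0.113.7 for user "guacadmin" failed.'},
    {"_SYSTEMD_UNIT": "tomcat.service", "_COMM": "java",
     "MESSAGE": "Server startup in 4200 ms"},
    # Trailing space: the anchored failregex ("failed\.$") does not match this one.
    {"_SYSTEMD_UNIT": "tomcat.service", "_COMM": "java",
     "MESSAGE": 'Authentication attempt from 192.0.2.5 for user "bob" failed. '},
    # Same unit, but a different _COMM: excluded when journalmatch requires _COMM=java.
    {"_SYSTEMD_UNIT": "tomcat.service", "_COMM": "catalina.sh",
     "MESSAGE": 'Authentication attempt from 198.51.100.9 for user "root" failed.'},
    # Unrelated unit: only seen when journalmatch is empty.
    {"_SYSTEMD_UNIT": "sshd.service", "_COMM": "sshd",
     "MESSAGE": "Failed password for invalid user test from 198.51.100.9 port 22 ssh2"},
]


def compile_failregex(pattern):
    """Expand <HOST> and compile the failregex the way fail2ban-regex would."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def parse_journalmatch(spec):
    """Turn "_SYSTEMD_UNIT=tomcat.service + _COMM=java" into (field, value)
    pairs that must all hold; quotes around a value are stripped, so
    _SYSTEMD_UNIT='tomcat.service' and _SYSTEMD_UNIT=tomcat.service agree."""
    if not spec.strip():
        return []
    pairs = []
    for term in spec.split("+"):
        field, _, value = term.strip().partition("=")
        pairs.append((field.strip(), value.strip().strip("'\"")))
    return pairs


def select_entries(entries, journalmatch):
    """Step 1: keep only the entries whose fields satisfy every condition."""
    conds = parse_journalmatch(journalmatch)
    return [e for e in entries if all(e.get(f) == v for f, v in conds)]


def run_filter(entries, journalmatch, failregex=FAILREGEX):
    """Step 2: run failregex on MESSAGE of each selected entry and report
    counts in the same spirit as fail2ban-regex's 'Lines: N lines, M matched'."""
    rx = compile_failregex(failregex)
    selected = select_entries(entries, journalmatch)
    hosts = []
    missed = []
    for e in selected:
        m = rx.search(e["MESSAGE"])
        if m:
            hosts.append(m.group("host"))
        else:
            missed.append(e["MESSAGE"])
    return {"lines": len(selected), "matched": len(hosts),
            "missed": len(missed), "hosts": hosts}


if __name__ == "__main__":
    for spec in ("_SYSTEMD_UNIT=tomcat.service + _COMM=java",
                 "_SYSTEMD_UNIT='tomcat.service'",
                 ""):
        r = run_filter(JOURNAL, spec)
        print(f"journalmatch={spec!r}: {r['lines']} lines, "
              f"{r['matched']} matched, {r['missed']} missed, hosts={r['hosts']}")
```

Running it shows the two knobs separately: tightening journalmatch with `_COMM=java` drops the catalina.sh entry before the regex ever sees it, the unit-only match from the answer keeps it, and an empty journalmatch lets every unit through (the large "0 matched" line count in the question is the shape you get when the selection step is wide open). The entry with a trailing space is always counted as missed, which is the kind of detail to check with `--print-all-missed` when a regex that works on a file dump finds nothing against the live journal.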