fail2ban from CentOS EPEL cannot process Tomcat's systemd journal


I have installed fail2ban 0.10.5-2.el7 from EPEL on CentOS 7.8. I am trying to get it to process the Tomcat logs via systemd (Tomcat also runs under systemd).

In the jail, I added:

```ini
[guacamole]
enabled = true
port    = http,https
backend = systemd
```

In filter.d/guacamole.conf:

```ini
[Definition]
failregex = Authentication attempt from <HOST> for user "[^"]*" failed\.$
ignoreregex =
journalmatch = _SYSTEMD_UNIT=tomcat.service + _COMM=java
```

If I redirect `journalctl -u tomcat.service` to a log file and process that with fail2ban-regex, it works the way I want and finds all the lines it should:

```text
% fail2ban-regex /tmp/j9 /etc/fail2ban/filter.d/guacamole.conf

Running tests
=============

Use   failregex filter file : guacamole, basedir: /etc/fail2ban
Use         log file : /tmp/j9
Use         encoding : UTF-8


Results
=======

Failregex: 47 total
|-  #) [# of hits] regular expression
|   1) [47] Authentication attempt from <HOST> for user "[^"]*" failed\.$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
|  [570] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 571 lines, 0 ignored, 47 matched, 524 missed
[processed in 0.12 sec]
```


Against the systemd journal it returns immediately, having processed 0 lines:

```text
Running tests
=============

Use   failregex filter file : guacamole, basedir: /etc/fail2ban
Use         systemd journal
Use         encoding : UTF-8
Use    journal match : _SYSTEMD_UNIT=tomcat.service + _COMM=java


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Lines: 0 lines, 0 ignored, 0 matched, 0 missed
[processed in 0.00 sec]
```
I tried removing `_COMM=java`. That made no difference.

If I leave out the journalmatch line entirely, it at least processes every line in the journal, but it does not find any matches (although, as I said, it does find them when processing a dump of the journal to a file):

Either this is a bug, or I am missing some small detail.

Thanks for any help.

To make sure the filter definition is initialized correctly, it is best to include the common definitions. Your filter definition (/etc/fail2ban/filter.d/guacamole.conf) would then look like this:

```ini
[INCLUDES]

before = common.conf

[Definition]

journalmatch = _SYSTEMD_UNIT='tomcat.service'

failregex = Authentication attempt from <HOST> for user "[^"]*" failed\.$

ignoreregex =
```

Remember to restart the fail2ban service after making such changes.


```text
Running tests
=============

Use   failregex filter file : guacamole, basedir: /etc/fail2ban
Use         systemd journal
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Lines: 202271 lines, 0 ignored, 0 matched, 202271 missed
[processed in 34.54 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 202271 lines
```
```ini
[guacamole]
enabled  = true
port     = http,https
maxretry = 3
findtime = 1h
bantime  = 1d

# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
backend = systemd
```
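The following is an added example, not code from the question, the answer or the fail2ban project. It shows how the page's `failregex` and the jail's `maxretry = 3` / `findtime = 1h` combine into a ban decision, so that a filter can be sanity-checked offline before pointing it at the journal. The `<HOST>` expansion is a simplified stand-in for fail2ban's real host group (an assumption), and the sample lines are constructed in the format that `journalctl -u tomcat.service` prints; one of them carries text after `failed.`, which the `$` anchor in the page's regex deliberately rejects.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex exactly as written in the filter on this page.
FAILREGEX = r'Authentication attempt from <HOST> for user "[^"]*" failed\.$'

# Simplified stand-in for fail2ban's <HOST> group (assumption): an optional
# IPv4-mapped IPv6 prefix followed by an IPv4/IPv6 literal.
HOST_RE = r'(?:::f{4,6}:)?(?P<host>[0-9a-fA-F:.]+)'

# Constructed sample lines (not from the page), in journalctl's default format.
SAMPLE_LINES = """\
Apr 12 10:00:01 web01 server[1234]: Authentication attempt from 203.0.113.7 for user "admin" failed.
Apr 12 10:00:05 web01 server[1234]: Authentication attempt from 203.0.113.7 for user "root" failed.
Apr 12 10:00:09 web01 server[1234]: Authentication attempt from 203.0.113.7 for user "test" failed.
Apr 12 10:01:00 web01 server[1234]: Authentication attempt from 198.51.100.4 for user "alice" failed.
Apr 12 10:01:30 web01 server[1234]: Authentication attempt from 198.51.100.4 for user "alice" failed. (from cache)
Apr 12 12:30:00 web01 server[1234]: Authentication attempt from 198.51.100.4 for user "alice" failed.
Apr 12 12:31:00 web01 server[1234]: User "alice" successfully authenticated from 198.51.100.4
"""

TIMESTAMP_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")


def compile_failregex(pattern: str = FAILREGEX) -> re.Pattern:
    """Expand <HOST> into a named group, as fail2ban does, and compile."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def match_failures(text: str, pattern: str = FAILREGEX) -> list:
    """Return (timestamp, host) for every line the failregex matches.

    Like fail2ban, the regex is searched (not anchored at the start), so the
    syslog-style prefix in front of the message does not matter.
    """
    regex = compile_failregex(pattern)
    failures = []
    for line in text.splitlines():
        hit = regex.search(line)
        if not hit:
            continue
        ts = TIMESTAMP_RE.match(line)
        when = datetime.strptime(ts.group(1), "%b %d %H:%M:%S") if ts else datetime.min
        failures.append((when, hit.group("host")))
    return failures


def failregex_summary(text: str, pattern: str = FAILREGEX) -> dict:
    """Counts in the shape of the 'Lines:' line that fail2ban-regex prints."""
    total = len(text.splitlines())
    matched = len(match_failures(text, pattern))
    return {"total": total, "matched": matched, "missed": total - matched}


def hosts_to_ban(failures: list, maxretry: int = 3,
                 findtime: timedelta = timedelta(hours=1)) -> set:
    """Apply the jail's sliding-window rule: a host is banned once it has
    maxretry failures within findtime (maxretry=3, findtime=1h on this page)."""
    banned = set()
    recent = defaultdict(list)
    for when, host in sorted(failures):
        window = [t for t in recent[host] if when - t <= findtime]
        window.append(when)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print(failregex_summary(SAMPLE_LINES))
    print("would ban:", hosts_to_ban(match_failures(SAMPLE_LINES)))
```

On the constructed input, 203.0.113.7 hits the threshold within seconds, while 198.51.100.4 does not: its second attempt is rejected by the `$` anchor because of the trailing text, and its third attempt falls outside the one-hour window. That is the kind of near-miss worth checking with `fail2ban-regex` whenever the match count looks lower than expected.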