Hi Luc,

Thanks for trying 0.9.x out. Indeed, journalmatch is still missing for the majority of the filters and your contributions would be very welcome -- I am myself yet to deploy any systemd box/virtualbox for testing/using systemd -- so I do not even have any sample log files to adjust configuration.

Would you be so kind as to send a PR with the necessary changes at https://github.com/fail2ban/fail2ban/pulls

On Mon, 11 Aug 2014, Luc Maisonobe wrote:

> Running tests
> =============
> Use failregex file : /etc/fail2ban/filter.d/postfix.conf
> Use journal match : _SYSTEMD_UNIT=postfix.service
> Results
> =======
> Failregex: 24 total
> |- #) [# of hits] regular expression
> | 1) [24] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\]
> )?(?:@vserver_\S+
> )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID
> \d+ \S+\])?\s*NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
> `-
> Ignoreregex: 0 total
> Lines: 1529 lines, 0 ignored, 24 matched, 1505 missed
> Missed line(s): too many to print. Use --print-all-missed to print all 1505
> lines

> However, fail2ban-client reports 0 failed and it also does refer to
> /var/log/mail.warn.

>...

> This leads me to think that the regular postfix jail also does not really
> check
> the systemd journal (only a manual check with fail2ban-regex with explicit
> setting
> of systemd-journal does) and in fact still relies on the now-frozen mail.warn
> file.

Since systemd is not default, you would need to adjust jail.conf yourself (via customizations dumped into e.g. jail.d/systemd.conf) to set backend=systemd for those jails.

--
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Research Scientist, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
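
An added example (not part of the original message and not fail2ban's own code): a small Python check, run over constructed sample configs, that lists the enabled jails still reading a log file instead of the journal, before and after a jail.d/systemd.conf drop-in like the one suggested above. The jail names, log paths and the simplified "later text overrides earlier text" merge are assumptions for illustration.

```python
import configparser

# Constructed sample configs (not from the thread): a stock-style jail.conf
# and the jail.d/systemd.conf drop-in suggested in the reply.
JAIL_CONF = """
[DEFAULT]
backend = auto
enabled = false

[postfix]
enabled = true
filter = postfix
logpath = /var/log/mail.warn

[sshd]
enabled = true
filter = sshd
logpath = /var/log/auth.log
"""

SYSTEMD_DROPIN = """
[postfix]
backend = systemd
"""

def load(*texts):
    """Merge config texts in order; later ones override earlier ones (assumed model)."""
    cp = configparser.RawConfigParser()
    for text in texts:
        cp.read_string(text)
    return cp

def file_backed_jails(cp):
    """Return {jail: logpath} for enabled jails whose backend is not systemd."""
    stale = {}
    for jail in cp.sections():  # [DEFAULT] is applied as a fallback, not listed
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        backend = cp.get(jail, "backend", fallback="auto").strip().lower()
        if backend != "systemd":
            stale[jail] = cp.get(jail, "logpath", fallback="")
    return stale

if __name__ == "__main__":
    print("before drop-in:", file_backed_jails(load(JAIL_CONF)))
    print("after drop-in: ", file_backed_jails(load(JAIL_CONF, SYSTEMD_DROPIN)))
```

A jail that still appears in the result is watching a file, which matches the symptom in the quoted report: fail2ban-regex with a journal match finds hits while the running jail counts none.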

