On 11/08/2014 19:16, Yaroslav Halchenko wrote:
> Hi Luc,

Hi Yaroslav,

> Thanks for trying 0.9.x out. Indeed, journalmatch is still missing for
> the majority of the filters and your contributions would be very welcome
> -- I am myself yet to deploy any systemd box/virtualbox for
> testing/using systemd -- so I do not even have any sample log files to
> adjust configuration. Would you be kind to send a PR with necessary
> changes at
> https://github.com/fail2ban/fail2ban/pulls

I have sent a very small pull request as you suggested. It is a small one as it only adds the journalmatch declaration to postfix-sasl.conf. With this fix, running fail2ban-regex with the systemd-journal option doesn't trigger an error anymore, and it does report some old matches. Perhaps the fail2ban-regex program should report a more explicit error if used with systemd-journal for a jail not configured to use systemd?

> On Mon, 11 Aug 2014, Luc Maisonobe wrote:
>> Running tests
>> =============
>>
>> Use failregex file : /etc/fail2ban/filter.d/postfix.conf
>> Use journal match  : _SYSTEMD_UNIT=postfix.service
>>
>> Results
>> =======
>>
>> Failregex: 24 total
>> |-  #) [# of hits] regular expression
>> |   1) [24] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
>> `-
>>
>> Ignoreregex: 0 total
>>
>> Lines: 1529 lines, 0 ignored, 24 matched, 1505 missed
>> Missed line(s): too many to print.  Use --print-all-missed to print all 1505 lines
>>
>> However, fail2ban-client reports 0 failed and it also does refer to /var/log/mail.warn.
>> ...
>> This leads me to think that the regular postfix jail also does not really check
>> the systemd journal (only a manual check with fail2ban-regex with explicit setting
>> of systemd-journal does) and in fact still relies on the now frozen mail.warn file.
>
> since systemd is not default, you would need to adjust yourself
> jail.conf (via customizations dumped into e.g. jail.d/systemd.conf) to
> set backend=systemd for those jails

Thanks, I thought not specifying resulted in the auto choice which would loop and finally try systemd. Now I have explicitly added it to my jail.d/jail.local file for dovecot, postfix and postfix-sasl as you suggested. Indeed, this solved the fail2ban-client report.

One or two hours after having made both changes (adding journalmatch and adding backend), here is what fail2ban-client reports:

root@b3:~# fail2ban-client status postfix
Status for the jail: postfix
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     3
|  `- Journal matches:  _SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
root@b3:~# fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
root@b3:~#

So both jails now know they should look into the systemd journal, and in fact the postfix jail already matched some errors. I am now waiting for the first bans, I guess they would come soon.

best regards,
Luc
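As an added illustration of what the fail2ban-regex run quoted in the thread is measuring (this is example code written for this page, not code from the thread or from the fail2ban project): the script below applies the postfix failregex printed in the results to a few constructed journal-style lines, expanding `<HOST>` into the named group fail2ban 0.9 uses for that tag, and reports which lines match and which host each match extracts. The hostname "b3", process ids, addresses and the line texts are constructed, and the lines are written as the filter sees them once the leading timestamp has been stripped.

```python
import re

# The failregex that fail2ban-regex printed in the thread (filter.d/postfix.conf, fail2ban 0.9),
# split across lines only for readability; the pieces concatenate to the original pattern.
FAILREGEX = (
    r"^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?"
    r"(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?"
    r"|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*"
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$"
)

# Named group that fail2ban 0.9 substitutes for the <HOST> tag before compiling a failregex.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample lines (hostname "b3", RFC 5737 documentation addresses), in the shape the
# filter sees once the timestamp is stripped: two 554 rejects and two unrelated smtpd lines.
SAMPLE_LINES = [
    "b3 postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 "
    "Service unavailable; Client host [192.0.2.10] blocked; from=<a@example.com> to=<b@example.net>",
    "b3 postfix/smtpd[4242]: connect from unknown[192.0.2.10]",
    "b3 postfix/smtpd[4243]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 554 5.7.1 "
    "<b@example.net>: Relay access denied; from=<x@example.org> to=<b@example.net>",
    "b3 postfix/smtpd[4243]: disconnect from mail.example.org[198.51.100.7]",
]


def compile_failregex(failregex):
    """Expand the <HOST> tag the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def run_tests(lines, failregex=FAILREGEX):
    """Return (hosts extracted from matching lines, lines that matched nothing)."""
    rx = compile_failregex(failregex)
    hosts, missed = [], []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
        else:
            missed.append(line)
    return hosts, missed


if __name__ == "__main__":
    hosts, missed = run_tests(SAMPLE_LINES)
    # Same summary shape as the "Results" section of fail2ban-regex.
    print("Failregex: %d total" % len(hosts))
    print("Lines: %d lines, 0 ignored, %d matched, %d missed"
          % (len(SAMPLE_LINES), len(hosts), len(missed)))
    for line in missed:
        print("Missed: " + line)
```

Feeding it real journal lines (for example from `journalctl -u postfix.service -o short`, with the timestamp removed) shows quickly whether a miss is due to the regex or to the line never reaching the filter, which is the distinction the thread is chasing.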

