I suspect the problem is a "ghost in the machine" because:

Fail2ban logwatch is working fine under some circumstances, i.e.
it can be made to report when detail is set to Medium or High.

The perl script /usr/share/logwatch/scripts/services/fail2ban, the code
that filters logs according to detail level, has not changed since 2013.

Therefore it is more or less obvious that something has changed in the
log report format, or somewhere, which now breaks that script in the
case of detail level set to Low. Perhaps the fact that I am not using
SYSLOG also has a bearing.

Under other circumstances my next move would be to have a go at
debugging that script. Unfortunately perl is not the easiest stuff to
debug and I'm getting a little old for deep and obscure debugging.

Did somebody change the log file format?

Would a perl literate like to advise me how to go about debugging the
script? I might be old and slow now, but I used to be quite good at it.


On Mon, 2015-10-12 at 08:46 -0500, Harrison Johnson wrote:
> Charles,
> I forget stuff all the time. I seem to remember a discussion about log
> rotation that is nearly what you describe; you might want to look in
> the archives. It may also have been on the Postgres forums, I don't
> remember which. For me it was an update in Fedora 21 that just
> uninstalled rsyslog for some unknown reason, but I do remember a
> discussion about either Fail2ban or Postgres on using syslog needing
> to be restarted after log rotation to use the new file.
> 
> 
> On Mon, 2015-10-12 at 14:15 +0100, Charles Bradshaw wrote: 
> > Good question. My fail2ban messages are configured to go
> > to /var/log/fail2ban.log
> > 
> > I suspect your previous reply about modifications
> > to /usr/share/logwatch/default.conf/services/fail2ban.conf etc.
> > are not correct under my circumstances!
> > 
> > I should have said I have a modified /var/fail2ban/fail2ban.conf, as
> > follows:
> > # logtarget = SYSLOG 
> > logtarget = /var/log/fail2ban.log
> > 
> > Also I have the file /etc/logrotate.d/fail2ban containing:
> > /var/log/fail2ban.log {
> >     missingok
> >     notifempty
> >     size 30k
> >     create 0600 root root
> >     postrotate
> >         /usr/bin/fail2ban-client set logtarget /var/log/fail2ban.log 2> /dev/null || true
> >     endscript
> > }
> > 
> > The original contained:
> >     postrotate
> >         /usr/bin/fail2ban-client set logtarget SYSLOG 2> /dev/null || true
> > 
> > Perhaps I should have said I'm also receiving email from Anacron
> > containing this cryptic message:
> > /etc/cron.daily/logrotate:
> > 
> > Current logging target is:
> > `- /var/log/fail2ban.log
> > 
> > This is new and I presume it is from the fail2ban-client set logtarget
> > during log rotation. Although I don't think the message is sent every
> > day. Perhaps only when fail2ban.log exceeds 30K. 
> > 
> > Thanks for your help. You will excuse an old man for forgetting what I
> > have done in the past to tweak f2b.
> > 
> > On Fri, 2015-10-09 at 10:02 -0500, Harrison Johnson wrote:
> > > Are you sending fail2ban messages to a fail2ban logfile in
> > > the /var/log? Or are the messages going into the journal?
> > > On Thu, 2015-10-08 at 12:59 +0100, Charles Bradshaw wrote: 
> > > > Hi All,
> > > > 
> > > > I'm running a regularly updated version of CentOS and fail2ban as below.
> > > > 
> > > > # cat /etc/redhat-release
> > > > CentOS release 6.7 (Final)
> > > > 
> > > > # fail2ban-server -V
> > > > Fail2Ban v0.9.2
> > > > ...
> > > > 
> > > > Following a recent update I no longer see any fail2ban logwatch reports.
> > > > I used to get daily summary reports of the number of bans for each jail.
> > > > 
> > > > My logwatch detail is set to low and if I run from the command line:
> > > > # logwatch --print --detail Low --service fail2ban --range today
> > > > nothing reported.
> > > > 
> > > > detail Medium and High produce similar verbose reports:
> > > > # logwatch --print --detail Medium --service fail2ban --range today
> > > > 
> > > >  ################### Logwatch 7.3.6 (05/19/07) #################### 
> > > >         Processing Initiated: Thu Oct  8 12:56:11 2015
> > > >         Date Range Processed: today
> > > >                               ( 2015-Oct-08 )
> > > >                               Period is day.
> > > >       Detail Level of Output: 5
> > > >               Type of Output: unformatted
> > > >            Logfiles for Host: dell2600-1.bradcan.homelinux.com
> > > >   ################################################################## 
> > > >  
> > > >  --------------------- fail2ban-messages Begin ------------------------ 
> > > > 
> > > >  **Unmatched Entries**
> > > >  2015-10-08 00:05:52,019 fail2ban.filter         [3890]: INFO [forum-noregister] Found 219.132.8.150
> > > > ... and lots more
> > > > 
> > > > 
> > > > Obviously fail2ban is still running fine and I see root emails for those
> > > > jails for which detail reports are enabled. Some of my jails result in
> > > > hundreds of bans per day, these don't email and I would like to
> > > > re-instate the logwatch reports.
> > > > 
> > > > Does anybody know what changed, and perhaps more importantly, how to fix
> > > > the reports?
> > > > 
> > > > Thanks in advance. 
> > > > 
> > > > ------------------------------------------------------------------------------
> > > > _______________________________________________
> > > > Fail2ban-users mailing list
> > > > [email protected]
> > > > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> > > 
> 
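Added example (not part of the original thread, and not the logwatch perl script): a small stand-alone tally of bans per jail that also lists lines it cannot parse, the same way logwatch reports "Unmatched Entries". The sample log is constructed: the first line is the "Found" entry quoted in the thread, the Ban/Unban lines are modelled on it, and the last line deliberately uses a different layout to show how a format change ends up unmatched.

```python
import re
from collections import Counter, defaultdict

# Layout seen in the thread:
# <date> <time>,<ms> fail2ban.<module> [<pid>]: <LEVEL> [<jail>] <Action> <ip>
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\s+"
    r"fail2ban\.(?P<module>\w+)\s*\[\d+\]:\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<action>Found|Ban|Unban)\s+(?P<ip>\S+)\s*$"
)

# Constructed sample input (addresses after the first line are documentation ranges).
SAMPLE_LOG = """\
2015-10-08 00:05:52,019 fail2ban.filter         [3890]: INFO    [forum-noregister] Found 219.132.8.150
2015-10-08 00:05:53,101 fail2ban.actions        [3890]: NOTICE  [forum-noregister] Ban 192.0.2.10
2015-10-08 00:15:53,240 fail2ban.actions        [3890]: NOTICE  [forum-noregister] Unban 192.0.2.10
2015-10-08 01:02:11,554 fail2ban.actions        [3890]: NOTICE  [sshd] Ban 198.51.100.7
2015-10-08 01:02:40,003 fail2ban.actions        [3890]: NOTICE  [sshd] Ban 198.51.100.8
2015-10-08 01:03:00,000 fail2ban.actions: WARNING [sshd] Ban 203.0.113.5
"""

def summarise(text):
    """Return ({jail: Counter(action -> count)}, [lines that did not match])."""
    per_jail = defaultdict(Counter)
    unmatched = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            per_jail[m["jail"]][m["action"]] += 1
        else:
            # A layout change (here: no [pid] field) lands in this list.
            unmatched.append(line)
    return per_jail, unmatched

def report(text):
    """Format a per-jail summary followed by any unmatched lines."""
    per_jail, unmatched = summarise(text)
    out = []
    for jail in sorted(per_jail):
        c = per_jail[jail]
        out.append(f"{jail}: {c['Ban']} ban(s), {c['Unban']} unban(s), {c['Found']} found")
    if unmatched:
        out.append("**Unmatched Entries**")
        out.extend(" " + u for u in unmatched)
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

To use it on a real log, pass the contents of /var/log/fail2ban.log to report() instead of SAMPLE_LOG.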
