
RFE: fail2ban-regex systemd-journal seek to cursor/datetime #2529

Open
PAStheLoD opened this issue Sep 16, 2019 · 3 comments

Comments

@PAStheLoD

Hello,

I'm currently using fail2ban 0.10.2 on Ubuntu Eoan, trying to set up a Recidive jail, and while testing/debugging the regex due to a rather large journal I tried to see if there was any way to get fail2ban-regex to start the journal reader from a fixed date or at least a journal cursor entry.

So this is a request for enhancement to provide such functionality. The systemd Python API has the required method(s):

https://www.freedesktop.org/software/systemd/python-systemd/journal.html#systemd.journal.Reader.seek_realtime

https://www.freedesktop.org/software/systemd/python-systemd/journal.html#systemd.journal.Reader.seek_cursor

Getting the cursor for a log entry via journalctl is easy, it's just `journalctl -o json <plus any filters>`, but of course just adding the ability to use a datetime would be even easier.

Thanks for considering!

@sebres
Contributor

sebres commented Sep 19, 2019

Since fail2ban-regex already accepts certain journal parameters, it could indeed be extended relatively simply, something like:

```
# scan journal from yesterday:
fail2ban-regex 'systemd-journal[from=1d]' sshd
```

@PAStheLoD
Author

Oh! That looks much better than hard-coding a log-backend specific argument.

So the backend argument parsing has to change a bit somewhere around here .. probably best to simply pluck the from= / to= (or since= / until= if we want to use systemd/journald terminology) kwargs, so they won't interfere when passed to journal.Reader (as that class doesn't support them), and then simply apply the filters after self.__journal got initialized.
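The split described in the two comments above, as an added example that is not fail2ban's own code: the window keys (`from`/`to`, or `since`/`until`) are plucked out of the backend spec before the remaining kwargs would reach `journal.Reader`, and the start of the window is applied afterwards with `seek_realtime`. The names `parse_backend`, `resolve_time` and `apply_window` are hypothetical; the relative-duration syntax (`1d`, `2h`) and the UTC default for naive timestamps are assumptions.

```python
import re
import time
from datetime import datetime, timezone

# Keys handled here instead of being passed to systemd.journal.Reader
# (names follow the proposal in this thread; Reader does not accept them).
_WINDOW_KEYS = ("from", "to", "since", "until")
_REL = re.compile(r"^(\d+)([smhdw])$")          # assumed syntax: 1d, 2h, 30m
_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_backend(spec):
    """Split 'systemd-journal[from=1d,path=/var/log/journal]' into
    (backend, reader_kwargs, window_kwargs)."""
    m = re.fullmatch(r"([\w-]+)(?:\[(.*)\])?", spec.strip())
    if not m:
        raise ValueError("bad backend spec: %r" % spec)
    backend, body = m.group(1), m.group(2) or ""
    reader_kwargs, window = {}, {}
    for item in filter(None, (p.strip() for p in body.split(","))):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("expected key=value, got %r" % item)
        (window if key in _WINDOW_KEYS else reader_kwargs)[key] = value
    return backend, reader_kwargs, window

def resolve_time(value, now=None):
    """Return a POSIX timestamp (float seconds) for a relative duration
    ('1d' = one day before now), a raw epoch number, or an ISO-8601
    date/datetime such as '2019-09-16T10:00:00+00:00'."""
    now = time.time() if now is None else now
    m = _REL.match(value)
    if m:
        return now - int(m.group(1)) * _UNIT[m.group(2)]
    if re.fullmatch(r"\d+(\.\d+)?", value):
        return float(value)
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive input is UTC
    return dt.timestamp()

def apply_window(reader, window, now=None):
    """Seek an already-initialised reader to the window start and return the
    (start, end) epoch pair so the caller can stop once entries pass 'end'.
    systemd.journal.Reader.seek_realtime accepts float seconds since the epoch."""
    start = window.get("from", window.get("since"))
    end = window.get("to", window.get("until"))
    start_ts = resolve_time(start, now) if start else None
    end_ts = resolve_time(end, now) if end else None
    if start_ts is not None:
        reader.seek_realtime(start_ts)
    return start_ts, end_ts
```

With a real reader the call order is `journal.Reader(**reader_kwargs)` first, then `apply_window(reader, window)`, and the scan loop stops at the first entry whose realtime timestamp exceeds the returned end value.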

@sebres
Contributor

sebres commented Sep 19, 2019

exactly... the additional issue is - test & coverage :)
