Zoneminder recently released a new version 1.34 and the method for authentication changed and is now logged differently.

Well I'm not sure... perhaps it simply depends on deployment (or selected authentication) backend.
Anyway it can be still the same for other distributions (or php? procedures).
Duno.

The current zoneminder.conf no longer works.
fail2ban-regex "02/26/20 11:00:10.720338 1.2.3.4" "<HOST>"

It looks now, that the log-entry has also different format of timestamp (that fail2ban doesn't provide as standard datepattern at the moment), so it will never match without it.

This would be correct datepattern and failregex:

$ fail2ban-regex -vv -d '^%m/%d/%y %H:%M:%S(?:\.%f)' \
  '02/26/20 11:00:10.720338 web_php[1698].ERR [192.168.0.100] [Could not retrieve user testuser details] at includes/auth.php line 278' \
  '^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[Could not retrieve user \S+ details\]'
...
Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[Could not retrieve user \S+ details\]
|      192.168.0.100  Wed Feb 26 11:00:10 2020
`-
...
Date template hits:
|- [# of hits] date format
|  [1] ^Month/Day/Year2 24hour:Minute:Second(?:\.Microseconds)
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed

For your 0.9th version the filter may look like:

[Definition]
failregex = ^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[Could not retrieve user \S+ details\]
[Init]
datepattern = ^%%m/%%d/%%y %%H:%%M:%%S(?:\.%%f)

Newer versions can specify both directly in jail.local:

[zoneminder]
filter =
failregex = ^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[Could not retrieve user \S+ details\]
datepattern = ^%%m/%%d/%%y %%H:%%M:%%S(?:\.%%f)

Just the message Could not retrieve user ... looks like only one possible message (where user is simply not available), so I guess for failed logins of legitimate users it looks differently, something like Login denied for user ... or similar.
In this case use OR-combined RE like this - (?:Could not retrieve user|Login denied for user).

Ah, great point. I would need to count as a failure the not found user and:
02/27/20 09:14:33.603985 web_php[1864].ERR [192.168.0.100] [Login denied for user "admin"] at includes/auth.php line 278
Two separate failregx's?

No, I don't think so, it is enough to anchor it to begin only:

failregex = ^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[(?:Could not retrieve user|Login denied for user) \S+
datepattern = ^%%m/%%d/%%y %%H:%%M:%%S(?:\.%%f)

Well I'm not sure...

ZM has gone from http auth to bcrypt.
The new log to watch is /var/log/zm/web_php.log

No, I don't think so, it is enough to anchor it to begin only:

stand by; reading again.... missed the -or- :/
That seems to work well. I'll test in the RW.

Newer versions can specify both directly in jail.local:

So your say'n I can remove the old zoneminder.conf and just put it in the jail.local for 0.10.2, right?
Or, does setting filter= not load the zoneminder.conf?

So your say'n I can remove the old zoneminder.conf and just put it in the jail.local for 0.10.2, right?

You don't need to remove something. And yes you can put it directly in jail (since 0.10 the datepattern is available as parameter of jail too).

Or, does setting filter= not load the zoneminder.conf?

Exactly, it will cause that jail doesn't have filter.

Works great with:

sudo fail2ban-regex -v /var/log/zm/web_php.log /etc/fail2ban/filter.d/zoneminder.conf 

Running tests
=============

Use   failregex filter file : zoneminder, basedir: /etc/fail2ban
Use      datepattern : ^Month/Day/Year2 24hour:Minute:Second(?:\.Microseconds)
Use         log file : /var/log/zm/web_php.log
Use         encoding : UTF-8


Results
=======

Failregex: 24 total
|-  #) [# of hits] regular expression
|   1) [24] ^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[(?:Could not retrieve user|Login denied for user) \S+
|      192.168.0.100  Wed Feb 26 11:00:10 2020
|      192.168.0.100  Thu Feb 27 09:14:33 2020
|      192.168.0.100  Thu Feb 27 09:59:00 2020
|      192.168.0.100  Thu Feb 27 09:59:10 2020
|      192.168.0.100  Thu Feb 27 09:59:20 2020
|      192.168.0.100  Thu Feb 27 09:59:25 2020
|      192.168.0.100  Thu Feb 27 09:59:32 2020
|      192.168.0.100  Thu Feb 27 09:59:55 2020
|      192.168.0.100  Thu Feb 27 10:06:21 2020
|      192.168.0.100  Thu Feb 27 10:06:26 2020
|      192.168.0.100  Thu Feb 27 10:06:34 2020
|      192.168.0.100  Thu Feb 27 10:06:39 2020
|      192.168.0.100  Thu Feb 27 10:06:44 2020
|      192.168.0.100  Thu Feb 27 10:06:51 2020
|      192.168.0.100  Thu Feb 27 10:11:13 2020
|      192.168.0.100  Thu Feb 27 10:11:22 2020
|      192.168.0.100  Thu Feb 27 10:11:26 2020
|      192.168.0.100  Thu Feb 27 10:11:32 2020
|      192.168.0.100  Thu Feb 27 10:11:38 2020
|      192.168.0.100  Thu Feb 27 10:11:42 2020
|      192.168.0.100  Thu Feb 27 10:11:46 2020
|      192.168.0.100  Thu Feb 27 10:12:11 2020
|      192.168.0.100  Thu Feb 27 10:12:16 2020
|      192.168.0.100  Thu Feb 27 10:12:19 2020
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [25] ^Month/Day/Year2 24hour:Minute:Second(?:\.Microseconds)
`-

Lines: 25 lines, 0 ignored, 24 matched, 1 missed
[processed in 0.00 sec]

|- Missed line(s):
|  02/27/20 10:11:51.464819 web_php[1867].ERR [192.168.0.100] [ZoneMinder is not configured properly: php's date.timezone -0800 does not match the system timezone +0000! Please check Options->System->Timezone.] at includes/functions.php line 2399
`-

However after forcing failed attempts:

sudo fail2ban-client -v status zoneminder
 Loading configs for fail2ban under /etc/fail2ban 
   Loading files: ['/etc/fail2ban/fail2ban.conf']
   Loading files: ['/etc/fail2ban/fail2ban.conf']
 Using socket file /var/run/fail2ban/fail2ban.sock
 Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
Status for the jail: zoneminder
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/zm/web_php.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	

In jail.local
findtime = 10m maxretry = 3
I tried with the the setting in both the jail.local and the .conf file. These are the results of the .conf file configuration.
What am I missing?

However after forcing failed attempts

What is your point?
You may why you don't see new attempts?
If so, I don't know - it said in both tries 25 lines, so it looks like your "forced attempts" don't logged (or logged elsewhere but not in file you're trying to parse).

In jail.local
I tried with the the setting in both the jail.local and the .conf file.

Unfortunately fail2ban-regex can work with filter only (it does not consider jail parameters at all), you have to specify failregex and datepattern manually).

My bad, pasted wrong content :/ edited post.

I don't know you timezone, but times you see in output of fail2ban-regex look obsolete to me.

And may be the missed line said exactly what you miss:
02/27/20 10:11:51.464819 web_php[1867].ERR [192.168.0.100] [ZoneMinder is not configured properly: php's date.timezone -0800 does not match the system timezone +0000! Please check Options->System->Timezone.] at includes/functions.php line 2399
This wrong timezone can cause that fail2ban ignores the messages as too old.
See our wiki or #2557 (comment) for similar issue.

Better try to correct the zone (either in service or in your system) - so you've same time in log and fail2ban (system) at end.

Yeah, caught that. fixed. Starting new tests.

Quick side question, are the ports definitions read from the /etc/services file?

are the ports definitions read from the /etc/services file?

It depends on which banaction is used (fail2ban supply it to the action as it is specified without internal modifications). Most of default actions (like iptables, nftables etc) will check that against etc/services so it will work as is. Otherwise you'll catch an error 💥 (and a lot of already banned messages) in fail2ban.log.

I'm just using default actions. getting closer....
Found this in the fail2ban.log:
2020-02-27 13:28:51,212 fail2ban.actions [3840]: ERROR Failed to start jail 'zoneminder' action 'iptables-multiport': Error starting action Jail('zoneminder')/iptables-multiport

I've used /etc/services to define all the ports used by zoneminder for it's multi-port feature.

zmweb           30001/tcp
zmweb           30001/udp
zmweb           30002/tcp
zmweb           30002/udp
zmweb           30003/tcp
zmweb           30003/udp
zmweb           30004/tcp
zmweb           30004/udp
zmweb           30005/tcp
zmweb           30005/udp
zmweb           30006/tcp
zmweb           30006/udp
zmweb           30007/tcp
zmweb           30007/udp
zmweb           30008/tcp
zmweb           30008/udp
zmweb           30009/tcp
zmweb           30009/udp

And in jail.conf

[zoneminder]
enabled = true
port    = http,https,zmweb
logpath = /var/log/zm/web_php.log

Is this even gonna work?

Found this in the fail2ban.log:
2020-02-27 13:28:51,212 fail2ban.actions [3840]: ERROR Failed to start jail 'zoneminder' action 'iptables-multiport': Error starting action Jail('zoneminder')/iptables-multiport

This is just a first message, which shall be followed by command line (that could explain what is wrong there, as well as an output of command execution (failed message, that could point what exactly is wrong).

For example if multiport does not supported by your kernel, no matter how you supply the ports via aliases or numeric - it will fail, so you have to use other action (like iptables-allports) in this case.

Welp, that's the limit of my understanding. I'm using a stock UB18.04.4 LTS server. I'm not the guy who modifies his kernel. Now my Chevy is another story ;)
That said, what I pasted was the end of the log (while tail'ing) after running fail2ban in the forground and requesting a fail2ban-client reload in another terminal. I don't know if that eliminates any failure points.

f2b-screen-out.txt

That's the full screen out.

I started out trying to have f2b read the new zoneminder logs, but now I'm not sure what's up.

I'm going to try the obvious and just list each port individually... linear, I know, but trouble shooting.

Well, this is embarrassing....

bantime = 1hr doesn't work

multiport works fine. spec'ing ports in /.../services works fine. new zoneminder filter works fine.
Thanks for your time and patients.

f2b-screen-out.txt
That's the full screen out.

No, it is not. As I requested more information, I was still speaking about fail2ban.log.
Also if you starting fail2ban in foreground more it will log into fail2ban.log yet (default), you have to specify --logtarget STDOUT to see messages in console.

bantime = 1hr doesn't work

Sure it does not. See man page JAIL.CONF(5) for TIME ABBREVIATION FORMAT.
There are following abbreviation tokens allowed for hour: h, ho, hou, hour, hours and hh.
BTW, hr is totally unknown abbreviation to me.

multiport works fine. spec'ing ports in /.../services works fine. new zoneminder filter works fine.

Ok, so it's time to make a PR for new filter zoneminder-bcrypt.conf (or zoneminder-php.conf)... :)

Thanks @sebres ! zoneminder-php.conf seems to make more sense since we're looking at the php log.

I am having some trouble to get this working. I should say that I am runnung Fail2ban in Crazymax docker but there seems to be a regex problem for me?

Just realized my problem only was occuring in docker container. It is working when Fail2ban is installed on the server itself.

This PR may resolve this issue #2984

Starting with ZM 1.36.20 the time stamp within the logs reflects the time zone as set within ZM and so can have many different variations.

To solve this with a Regex is beyond my knowledge, can someone here help resolve this?

Example of the new log time stamp from 1.36.20

7/17/22, 3:01:03 PM GMT+1.400029 web_php[281296].ERR [192.168.0.3] [Could not retrieve user test details] at /usr/share/zoneminder/www/includes/auth.php line 312

Example of the log time stamp from 1.36.19

07/02/22 13:14:52.114080 web_php[3628].ERR [192.168.0.3] [Could not retrieve user test details] at /usr/share/zoneminder/www/includes/auth.php line 312

if the TZ (GMT+1) is your system time zone (note the sommer saving time) you don't need to parse it at all, it is enough to specify the datepattern matching new date-format:

datepattern = ^%%m/%%d/%%y, %%I:%%M:%%S %%p \S+\.%%f
              ^%%m/%%d/%%y %%H:%%M:%%S\.%%f

(it'd parse both formats)

$ fail2ban-regex -v -d '^%m/%d/%y, %H:%M:%S %p \S+' '7/17/22, 3:01:03 PM GMT+1.400029 web_php[281296].ERR [192.168.0.3] [Could not retrieve user test details] at /usr/share/zoneminder/www/includes/auth.php line 312' '^\s*web_php\[\d+\]\.ERR \[<ADDR>\] \[Could not retrieve user\b'

Running tests
=============

Use      datepattern : ^%m/%d/%y, %H:%M:%S %p \S+ : ^Month/Day/Year2, 24hour:Minute:Second AMPM \S+
Use   failregex line : ^\s*web_php\[\d+\]\.ERR \[<ADDR>\] \[Could not ret...
Use      single line : 7/17/22, 3:01:03 PM GMT+1.400029 web_php[281296].E...


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^\s*web_php\[\d+\]\.ERR \[<ADDR>\] \[Could not retrieve user\b
|      192.168.0.3  Sun Jul 17 03:01:03 2022
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] ^Month/Day/Year2, 24hour:Minute:Second AMPM \S+
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]

Thank you,

So for my understanding Fail2ban is using the Python strftime() function?

I was getting a little confused with the missing leading zero in the month "7" instead of "07" and passing the string %%-m as this is the function to ignore the leading zero, so I assume this isnt a requirement.

Also I noted you have passed the %p Locale’s AM or PM,
I had tried this with no luck but you have also passed /S+ so I assume this is just ignoring the time zone and Summer time saving and jumping direct to the .%%f value?

So for my understanding Fail2ban is using the Python strftime() function?

fail2ban uses its own processing (a bit modified strftime.TimeRE with more optimal patterns), where pattern will be converted to regex firstly.

I was getting a little confused with the missing leading zero in the month "7" instead of "07" and passing the string %%-m as this is the function to ignore the leading zero, so I assume this isnt a requirement.

It can recognize both 7 and 07 if it is not ambiguous (clearly isolated with some separator like here /, so a regex would surely capture the group matching month), otherwise you can surely use %Exm (where 0 will be mandatory).

But also python's %m can match both:

$ python -c 'from datetime import datetime; print(datetime.strptime("7/19/22", "%m/%d/%y").isoformat())'
2022-07-19T00:00:00

You can try fail2ban-regex --VD to see the resulting RE which would match the datepattern.

But possibly it would be better to use %I instead of %H for the first pattern (with %p)... I fixed it in comment above.

I had tried this with no luck

It is impossible to say what was wrong without to known what exactly you were trying.

but you have also passed /S+ so I assume this is just ignoring the time zone and Summer time saving and jumping direct to the .%%f value?

Yes, but both are not really mandatory (just if they are missing in pattern, it would match to PM only and you would need to match them in failregex, because fail2ban only cut the part of line matching the datepattern out).

Ah the ever changing zoneminder....
Did you get a date pattern that work?

I'm not getting matches with the above formats. My fail2ban log is as follows:

2023-01-02 17:43:34,839 fail2ban.server         [2022509]: INFO    --------------------------------------------------
2023-01-02 17:43:34,839 fail2ban.server         [2022509]: INFO    Starting Fail2ban v0.11.2
2023-01-02 17:43:34,840 fail2ban.observer       [2022509]: INFO    Observer start...
2023-01-02 17:43:34,843 fail2ban.database       [2022509]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-01-02 17:43:34,844 fail2ban.jail           [2022509]: INFO    Creating new jail 'sshd'
2023-01-02 17:43:34,854 fail2ban.jail           [2022509]: INFO    Jail 'sshd' uses pyinotify {}
2023-01-02 17:43:34,856 fail2ban.jail           [2022509]: INFO    Initiated 'pyinotify' backend
2023-01-02 17:43:34,858 fail2ban.filter         [2022509]: INFO      maxLines: 1
2023-01-02 17:43:34,874 fail2ban.filter         [2022509]: INFO      maxRetry: 5
2023-01-02 17:43:34,874 fail2ban.filter         [2022509]: INFO      findtime: 600
2023-01-02 17:43:34,874 fail2ban.actions        [2022509]: INFO      banTime: 600
2023-01-02 17:43:34,874 fail2ban.jail           [2022509]: INFO    Set banTime.increment = True
2023-01-02 17:43:34,874 fail2ban.filter         [2022509]: INFO      encoding: UTF-8
2023-01-02 17:43:34,874 fail2ban.filter         [2022509]: INFO    Added logfile: '/var/log/auth.log' (pos = 461161, hash = 5e1a57ddf453c7bfbeceac5bd592b0210bb4d206)
2023-01-02 17:43:34,875 fail2ban.jail           [2022509]: INFO    Creating new jail 'zoneminder'
2023-01-02 17:43:34,875 fail2ban.jail           [2022509]: INFO    Jail 'zoneminder' uses pyinotify {}
2023-01-02 17:43:34,876 fail2ban.jail           [2022509]: INFO    Initiated 'pyinotify' backend
2023-01-02 17:43:34,877 fail2ban.datedetector   [2022509]: INFO      date pattern `'^%m/%d/%y, %I:%M:%S %p \\S+\\.%f'`: `^Month/Day/Year2, 12hour:Minute:Second AMPM \S+\.Microseconds`
2023-01-02 17:43:34,877 fail2ban.datedetector   [2022509]: INFO      date pattern `'^%m/%d/%y %H:%M:%S\\.%f'`: `^Month/Day/Year2 24hour:Minute:Second\.Microseconds`
2023-01-02 17:43:34,877 fail2ban.filter         [2022509]: INFO      maxRetry: 5
2023-01-02 17:43:34,877 fail2ban.filter         [2022509]: INFO      findtime: 600
2023-01-02 17:43:34,877 fail2ban.actions        [2022509]: INFO      banTime: 600
2023-01-02 17:43:34,877 fail2ban.jail           [2022509]: INFO    Set banTime.increment = True
2023-01-02 17:43:34,877 fail2ban.filter         [2022509]: INFO      encoding: UTF-8
2023-01-02 17:43:34,877 fail2ban.filter         [2022509]: INFO    Added logfile: '/var/log/zm/web_php.log' (pos = 43696, hash = 2ed4bc9ad77912dacae9a4e1ab4cae80c65c64cd)
2023-01-02 17:43:34,880 fail2ban.jail           [2022509]: INFO    Jail 'sshd' started
2023-01-02 17:43:34,880 fail2ban.jail           [2022509]: INFO    Jail 'zoneminder' started

A failed login in web_php.log looks like this
1/2/23, 5:15:02 PM PST.675811 web_php[2019673].ERR [50.53.24.51] [Could not retrieve user pickle details] at includes/auth.php line 322

And a regx test looks like this

sudo fail2ban-regex -vv -d '^%%m/%%d/%%y, %%I:%%M:%%S %%p \S+\.%%f' '1/2/23, 5:15:02 PM PST.675811 web_php[2019673].ERR [50.53.24.51] [Could not retrieve user pickle details] at includes/auth.php line 322
'  '^\s*web_php\[\d+\]\.ERR \[<HOST>\]\s*includes\/auth\.php'

Running tests
=============

Use      datepattern : ^%%m/%%d/%%y, %%I:%%M:%%S %%p \S+\.%%f : ^%m/%d/%y, %I:%M:%S %p \S+\.%f
Use   failregex line : ^\s*web_php\[\d+\]\.ERR \[<HOST>\]\s*includes\/aut...
Use      multi line : 2 line(s)
|  1: 1/2/23, 5:15:02 PM PST.675811 web_php[2019673].ERR...
|  2: 
`-


Results
=======

Failregex: 0 total
|-  #) [# of hits] regular expression
|   1) [0] ^\s*web_php\[\d+\]\.ERR \[<HOST>\]\s*includes\/auth\.php
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [0] ^%m/%d/%y, %I:%M:%S %p \S+\.%f
`-

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]

|- Missed line(s):
|  1/2/23, 5:15:02 PM PST.675811 web_php[2019673].ERR [50.53.24.51] [Could not retrieve user pickle details] at includes/auth.php line 322
`-`

After running the regex test the fail2ban log complains of a timezone error in jail (jail.local I presume)

2023-01-02 18:02:29,514 fail2ban.filter         [2023175]: WARNING [sshd] Simulate NOW in operation since found time has too large deviation 1672740149.0 ~ 1672711349.5142846 +/- 60
2023-01-02 18:02:29,515 fail2ban.filter         [2023175]: WARNING [sshd] Please check jail has possibly a timezone issue. Line with odd timestamp: Jan  3 02:02:29 zm sudo:  zmadmin : TTY=pts/0 ; PWD=/home/zmadmin ; USER=root ; COMMAND=/usr/bin/fail2ban-regex -vv -d ^%%m/%%d/%%y, %%I:%%M:%%S %%p \S+\.%%f /var/log/zm/web_php.log ^\s*web_php\[\d+\]\.ERR \[<HOST>\]\s*includes\/auth\.php

I'm running php 8.1; date.timezone = America/Los_Angeles
System timezone is the same.

What am I missing?

What am I missing?

fail2ban-regex doesn't expect escape of % as dual percent %% like in config files, thus use something like:

# with failregex:
fail2ban-regex -d '^%m/%d/%y, %I:%M:%S %p %Z\.%f' "$log_or_msg" '^\s*web_php\[\d+\]\.ERR \[<ADDR>\] \[(?:Could not retrieve user|Login denied for user) \S+'
# with filter and modified prefregex:
fail2ban-regex -d '^%m/%d/%y, %I:%M:%S %p %Z\.%f' "$log_or_msg" 'zoneminder[prefregex="^\s*web_php\[\d+\]\.(?:ERR|WAR) \[<ADDR>\] <F-CONTENT>\[(?:Login denied|Could not retrieve).*</F-CONTENT>$"]'

As for filter or jail, I'd use something like this:

[zoneminder]
...
datepattern = ^%%m/%%d/%%y, %%I:%%M:%%S %%p %%Z\.%%f
# failregex = ^\s*web_php\[\d+\]\.ERR \[<ADDR>\] \[(?:Could not retrieve user|Login denied for user) \S+
prefregex = ^\s*web_php\[\d+\]\.(?:ERR|WAR) \[<ADDR>\] <F-CONTENT>\[(?:Login denied|Could not retrieve).*</F-CONTENT>$

WARNING [sshd] Simulate NOW in operation since found ...

This has nothing to do with the subject - as one can guess this is something about wrong timezone logged by zmadmin (for sudo ...), and captured by sshd filter - the logged time in auth.log is Jan 3 02:02:29, although fail2ban shows 2023-01-02 18:02:29 in fail2ban.log as time the message was found.
And since by default fail2ban always assumes system TZ by date time conversion, both deviate by exactly 8 hours, what looks like a pretty TZ issue to me:

To "fix" that, either correct the time zone of logging service (e. g. restart syslog after TZ change) or of related whatever service made log entry with wrong time or system time zone fail2ban is running.
Alternatively set something like logtimezone = UTC for sshd jail (bad idea if several services write to auth.log, monitoring by sshd jail).
Or configure logging to always write TZ within timestamp in log (so fail2ban can detect it with some default datepattern). Just I don't think it is good idea to write timestamps into same logfile with different timezones.

@sebres I found the matching date pattern finally....

datepattern = ^%%m/%%d/%%y, %%I:%%M:%%S %%p.%%Z\.%%f

I guess the dot-token in %%p.%%Z is misleading - in RE it matches ANY single char, thus:

• either escape it with backslash as %%p\.%%Z to match the dot character
• or if it is for example a space, replace it with space as %%p %%Z