Running tests
=============
Use failregex filter file : nginx-http-auth-journald, basedir: /etc/fail2ban
Use systemd journal
Use encoding : UTF-8
Use journal match : _SYSTEMD_UNIT=nginx.service + _COMM=nginx
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.01 sec]
|- Missed line(s):
| 2024-02-25T19:10:12.440842+01:00 localhost nginx[10528]: 2024/02/25 19:10:12 [alert] 10528#10528: detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
`-
vs.
journalctl -fu nginx.service
Feb 25 19:10:12 localhost systemd[1]: Starting A high performance web server and a reverse proxy server...
Feb 25 19:10:12 localhost nginx[10528]: 2024/02/25 19:10:12 [alert] 10528#10528: detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
Feb 25 19:10:12 localhost systemd[1]: Started A high performance web server and a reverse proxy server.
Feb 25 19:10:21 localhost nginx[10533]: localhost nginx: 37.48.9.235 - - [25/Feb/2024:19:10:21 +0100] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/122.2 Mobile/15E148 Safari/605.1.15"
Feb 25 19:10:26 localhost nginx[10533]: rker process: pam_unix(nginx:auth): check pass; user unknown
Feb 25 19:10:26 localhost nginx[10533]: rker process: pam_unix(nginx:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost=37.48.9.235
Feb 25 19:10:29 localhost nginx[10533]: localhost nginx: 37.48.9.235 - \xF0\x9F\x90\xAE\xF0\x9F\x90\xBC\xF0\x9F\x90\xBC [25/Feb/2024:19:10:26 +0100] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/122.2 Mobile/15E148 Safari/605.1.15"
Feb 25 19:10:47 localhost nginx[10533]: rker process: pam_unix(nginx:auth): check pass; user unknown
Feb 25 19:10:47 localhost nginx[10533]: rker process: pam_unix(nginx:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost=37.48.9.235
Feb 25 19:10:49 localhost nginx[10533]: 2024/02/25 19:10:47 [error] 10533#10533: *3 PAM: user '🐮🐼🐼' - not authenticated: User not known to the underlying authentication module, client: 37.48.9.235, server: localhost, request: "GET / HTTP/1.1", host: "localhost"
Feb 25 19:10:49 localhost nginx[10533]: localhost nginx: 37.48.9.235 - \xF0\x9F\x90\xAE\xF0\x9F\x90\xBC\xF0\x9F\x90\xBC [25/Feb/2024:19:10:47 +0100] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/122.2 Mobile/15E148 Safari/605.1.15"
Feb 25 19:11:05 localhost nginx[10533]: rker process: pam_unix(nginx:auth): check pass; user unknown
Feb 25 19:11:05 localhost nginx[10533]: rker process: pam_unix(nginx:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost=37.48.9.235
Feb 25 19:11:06 localhost nginx[10533]: 2024/02/25 19:11:05 [error] 10533#10533: *4 PAM: user '🐮🐼🐼' - not authenticated: User not known to the underlying authentication module, client: 37.48.9.235, server: localhost, request: "GET / HTTP/1.1", host: "localhost"
Feb 25 19:11:06 localhost nginx[10533]: localhost nginx: 37.48.9.235 - \xF0\x9F\x90\xAE\xF0\x9F\x90\xBC\xF0\x9F\x90\xBC [25/Feb/2024:19:11:05 +0100] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/122.2 Mobile/15E148 Safari/605.1.15"
Feb 25 19:11:06 localhost nginx[10533]: localhost nginx: 37.48.9.235 - - [25/Feb/2024:19:11:06 +0100] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/122.2 Mobile/15E148 Safari/605.1.15"
and then see which lines it would find in journal (and match the filter).
After all set proper journalflags (or journalpath or journalfiles) to backend in jail:
Why systemd-journald (with d at end)? As the man pages and fail2ban-regex --help say, correct would be systemd-journal (without d).
Probably a copy-paste mistake, sorry. The command ran. But thank you for the guidance. I will have a look at it. I suspected that there is some attribute which I am missing, but I wasn't able to discover it.
Hello,
Maybe I am stupid, but I have already burned 5 hours debugging this. Let's take nginx as an example.
fail2ban-regex --print-all-missed --print-all-ignored --print-all-matched --journalmatch='_SYSTEMD_UNIT=nginx.service + _COMM=nginx' systemd-journald nginx-http-auth-journald
vs.
journalctl -fu nginx.service
Configuration details
/etc/nginx/nginx.conf
/usr/lib/systemd/system/nginx.service