Be aware that I am using the linuxserver docker image, but since the filter is the same and probably pulled from here, I decided to open the issue here.
Apr 28 13:11:39 localhost auth.info sshd[27366]: Failed password for REDACTED_USER from REDACTED_IP port 38066 ssh2
The reason for that is the unexpected prefix: auth.info between the hostname and the service name (localhost auth.info sshd) is normally not present in the log.
Either you'd change the format of syslog or whatever, so it would not generate that (no idea where one can change it)...
Or you adjust the prefix-line (e.g. rewrite the default hostname of the common prefix-line), either in jail.local for the sshd jail only:

jail.local:
[sshd]
filter = %(known/filter)s[__hostname="\S+(?: [a-z]+\.[a-z]+)?"]

Or in filter.d/common.local for all jails based on the common include:

filter.d/common.local:
[DEFAULT]
__hostname = \S+(?: [a-z]+\.[a-z]+)?
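To make the reasoning above concrete, here is an added example (not fail2ban's own code and not part of this thread) that rebuilds a simplified version of the sshd prefix-line plus "Failed password" failregex in Python's re module, which fail2ban also uses, and runs it over the log line from this issue with the default __hostname and with the suggested override. The SYSLOG_DATE, FAILED_PASSWORD and prefix patterns, the function names build_failregex and match_lines, and the second sample log line are all assumptions made for this illustration; the real filter.d/common.conf and filter.d/sshd.conf patterns have more optional parts and use <HOST>/<F-USER> tags instead of named groups.

```python
import re

# Simplified stand-in for the timestamp part of fail2ban's __prefix_line
# (assumption: the real prefix-line also allows bsd verbose, kernel and other
# optional prefixes; only the hostname slot before the daemon name matters here).
SYSLOG_DATE = r"\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"

# fail2ban's default __hostname (filter.d/common.conf): one whitespace-free token.
DEFAULT_HOSTNAME = r"\S+"
# The override suggested in the reply above: optionally allow a
# "facility.severity" token (e.g. auth.info) after the hostname.
PATCHED_HOSTNAME = r"\S+(?: [a-z]+\.[a-z]+)?"

# Simplified sshd "Failed password" failregex (assumption: the real
# filter.d/sshd.conf pattern is more elaborate).
FAILED_PASSWORD = (
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+)(?: port \d+)?(?: ssh\d*)?$"
)


def build_failregex(hostname_re: str) -> re.Pattern:
    """Assemble prefix-line + failregex for a given __hostname pattern.

    The hostname slot sits between the timestamp and 'sshd[pid]:', exactly
    where the unexpected 'auth.info' token appears in the reported log line.
    """
    prefix = rf"^\s*{SYSLOG_DATE}\s+(?:{hostname_re} )?sshd(?:\[\d+\])?:\s+"
    return re.compile(prefix + FAILED_PASSWORD)


def match_lines(lines, hostname_re: str):
    """Return (host, user) for every line the filter matches, else None."""
    rx = build_failregex(hostname_re)
    results = []
    for line in lines:
        m = rx.search(line)
        results.append((m.group("host"), m.group("user")) if m else None)
    return results


# Constructed sample input: the line from this issue (with the extra
# 'auth.info' token) plus an ordinary syslog line without it.
SAMPLE_LINES = [
    "Apr 28 13:11:39 localhost auth.info sshd[27366]: Failed password for "
    "REDACTED_USER from REDACTED_IP port 38066 ssh2",
    "Apr 28 13:11:40 myhost sshd[27367]: Failed password for root from "
    "203.0.113.5 port 51234 ssh2",
]

if __name__ == "__main__":
    for label, hostname_re in (("default", DEFAULT_HOSTNAME),
                               ("patched", PATCHED_HOSTNAME)):
        print(label, match_lines(SAMPLE_LINES, hostname_re))
```

With the default pattern the first line yields None (the ban never fires) while the ordinary line matches; with the override both lines match, and the ordinary line is unaffected because the optional group only consumes a lowercase "word.word" token. The override therefore only covers lowercase facility.severity tokens such as auth.info or authpriv.notice; after changing jail.local or filter.d/common.local, confirm against the real filter with fail2ban-regex <logfile> sshd rather than against this simplified reconstruction.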
Hey!
I used your first method and it worked flawlessly, thank you so much.
For me this is fixed so I am going to close the issue.
Environment:
NAME="Alpine Linux" VERSION_ID=3.19.1