Is it possible to have fail2ban work on a log that has no timestamp?
I have read in the documentation and it doesn't seem to be possible, but I
was wondering if it's possible to set some workaround (maybe on the ignore
or fail regex).
Here is my example: I am trying to monitor the MySQL slow.log, yet this log
does not produce a timestamp. Example of an entry in the slow log:
# Time: 130323 8:41:20
# User@Host: username[username] @ database-1234.prod.hosting.acquia.com [127.0.0.1]
# Thread_id: 738333 Schema: databasename Last_errno: 0 Killed: 0
# Query_time: 1.459942 Lock_time: 0.000000 Rows_sent: 0 Rows_examined: 0 Rows_affected: 1 Rows_read: 0
# Bytes_sent: 11 Tmp_tables: 0 Tmp_disk_tables: 0 Tmp_table_sizes: 0
# InnoDB_trx_id: 14AE3A4
use databasename;
SET timestamp=1364028080;
INSERT INTO semaphore (name, value, expire) VALUES ('variable_init', '2082304334514d6aaf7a92c8.53638468', '1364028080.4921');
Testing with fail2ban-regex (this test has nothing to do with the entry
above)
With date it matches:
fail2ban-regex -v '2016-05-31 07:08:33,628 SELECT * FROM table WHERE ip = '5.5.5.5' AND port = '5071';' 'SELECT \* FROM table WHERE ip = '\<HOST\>' AND port = '.*';'
Running tests
=============
Use failregex line : SELECT \* FROM table WHERE ip = <HOST> AND port = .*;
Use single line : 2016-05-31 07:08:33,628 SELECT * FROM table WHERE ...
Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] SELECT \* FROM table WHERE ip = <HOST> AND port = .*;
| 5.5.5.5 Tue May 31 07:08:33 2016
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] Year-Month-Day Hour:Minute:Second[,subsecond]
| [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
| [0] WEEKDAY MONTH Day Hour:Minute:Second Year
| [0] WEEKDAY MONTH Day Hour:Minute:Second
| [0] MONTH Day Hour:Minute:Second
| [0] Year/Month/Day Hour:Minute:Second
| [0] Day/Month/Year Hour:Minute:Second
| [0] Day/Month/Year2 Hour:Minute:Second
| [0] Day/MONTH/Year:Hour:Minute:Second
| [0] Month/Day/Year:Hour:Minute:Second
| [0] Year-Month-Day Hour:Minute:Second
| [0] Year.Month.Day Hour:Minute:Second
| [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
| [0] Day-Month-Year Hour:Minute:Second
| [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
| [0] TAI64N
| [0] Epoch
| [0] ISO 8601
| [0] Hour:Minute:Second
| [0] <Month/Day/Year@Hour:Minute:Second>
| [0] YearMonthDay Hour:Minute:Second
| [0] Month-Day-Year Hour:Minute:Second
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
Without date it fails:
fail2ban-regex -v 'SELECT * FROM table WHERE ip = '5.5.5.5' AND port = '5071';' 'SELECT \* FROM table WHERE ip = '\<HOST\>' AND port = '.*';'
Running tests
=============
Use failregex line : SELECT \* FROM table WHERE ip = <HOST> AND port = .*;
Use single line : SELECT * FROM table WHERE ip = 5.5.5.5 AND port = ...
Results
=======
Failregex: 0 total
|- #) [# of hits] regular expression
| 1) [0] SELECT \* FROM table WHERE ip = <HOST> AND port = .*;
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
| [0] WEEKDAY MONTH Day Hour:Minute:Second Year
| [0] WEEKDAY MONTH Day Hour:Minute:Second
| [0] MONTH Day Hour:Minute:Second
| [0] Year/Month/Day Hour:Minute:Second
| [0] Day/Month/Year Hour:Minute:Second
| [0] Day/Month/Year2 Hour:Minute:Second
| [0] Day/MONTH/Year:Hour:Minute:Second
| [0] Month/Day/Year:Hour:Minute:Second
| [0] Year-Month-Day Hour:Minute:Second[,subsecond]
| [0] Year-Month-Day Hour:Minute:Second
| [0] Year.Month.Day Hour:Minute:Second
| [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
| [0] Day-Month-Year Hour:Minute:Second
| [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
| [0] TAI64N
| [0] Epoch
| [0] ISO 8601
| [0] Hour:Minute:Second
| [0] <Month/Day/Year@Hour:Minute:Second>
| [0] YearMonthDay Hour:Minute:Second
| [0] Month-Day-Year Hour:Minute:Second
`-
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
|- Missed line(s):
| SELECT * FROM table WHERE ip = 5.5.5.5 AND port = 5071;
Any ideas?
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
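The two fail2ban-regex runs in the post above show the same failregex matching once a date is present and being reported as missed without one. The Python script below is an added example, not fail2ban's code and not part of the original message. It models the two-step line test (find a date with one of the templates, cut it out of the line, then apply the failregex with <HOST> expanded) and then shows why the date matters: the failure count that drives a ban is the number of matches that fall inside findtime, and that window cannot be evaluated for a line that carries no time. The two date regexes and the IPv4-only <HOST> pattern are this example's own simplifications of fail2ban's templates, the sample log lines are constructed, and timestamps without a zone are assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Two simplified date templates, standing in for the
# "Year-Month-Day Hour:Minute:Second[,subsecond]" and "Epoch" entries that
# fail2ban-regex lists. These regexes are this example's own, not fail2ban's.
DATE_TEMPLATES = (
    ("ymd", re.compile(
        r"(?P<y>\d{4})-(?P<mo>\d{2})-(?P<d>\d{2}) "
        r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2})(?:,\d+)?")),
    ("epoch", re.compile(r"(?<![\d.])(?P<epoch>\d{10})(?!\d)")),
)

# fail2ban replaces <HOST> with a named group; this IPv4-only pattern is the
# example's simplification of it.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def find_date(line):
    """Return (epoch_seconds, span) for the first template that matches, else None.
    Zone-less timestamps are treated as UTC (an assumption of this example)."""
    for kind, rx in DATE_TEMPLATES:
        m = rx.search(line)
        if not m:
            continue
        if kind == "ymd":
            ts = datetime(int(m.group("y")), int(m.group("mo")), int(m.group("d")),
                          int(m.group("h")), int(m.group("mi")), int(m.group("s")),
                          tzinfo=timezone.utc).timestamp()
        else:
            ts = float(m.group("epoch"))
        return ts, m.span()
    return None


def match_line(line, failregex):
    """Mimic one fail2ban-regex line test.

    Returns ("matched", host, ts) when a date and the failregex are both found,
    ("missed", host, None) when the failregex matched but no date was found,
    and None when the failregex did not match at all.
    """
    found = find_date(line)
    if found:
        ts, (start, end) = found
        body = line[:start] + line[end:]   # the date is cut out before the failregex runs
    else:
        ts, body = None, line
    m = re.search(failregex.replace("<HOST>", HOST_PATTERN), body)
    if not m:
        return None
    if ts is None:
        return ("missed", m.group("host"), None)
    return ("matched", m.group("host"), ts)


def scan(lines, failregex, findtime, now):
    """Count, per host, matched lines whose timestamp lies within the last
    `findtime` seconds before `now`; collect lines that matched but had no date."""
    counts = {}
    missed = []
    for line in lines:
        r = match_line(line, failregex)
        if r is None:
            continue
        status, host, ts = r
        if status == "missed":
            missed.append(line)
        elif now - findtime < ts <= now:
            counts[host] = counts.get(host, 0) + 1
    return counts, missed


FAILREGEX = r"SELECT \* FROM table WHERE ip = <HOST> AND port = .*;"

# Constructed sample lines for this example (not taken from any real log).
SAMPLE_LINES = [
    "2016-05-31 07:08:33,628 SELECT * FROM table WHERE ip = 5.5.5.5 AND port = 5071;",
    "2016-05-31 06:00:00,000 SELECT * FROM table WHERE ip = 5.5.5.5 AND port = 5072;",
    "SELECT * FROM table WHERE ip = 5.5.5.5 AND port = 5073;",
    "1464678520 SELECT * FROM table WHERE ip = 5.5.5.5 AND port = 5074;",
]
NOW = 1464678600.0      # 2016-05-31 07:10:00 UTC, chosen to suit the sample
FINDTIME = 600          # seconds, as in a jail's findtime setting

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(match_line(line, FAILREGEX), "<-", line)
    print(scan(SAMPLE_LINES, FAILREGEX, FINDTIME, NOW))
```

Running it reports the first, second and fourth sample lines as matched and the third as missed; scan() then counts only the first and fourth, because the second falls outside findtime and the third has no time at all. The fourth line illustrates the one opening that the template list in the post offers: a line that carries an epoch value in-line is picked up by the Epoch template, whereas the query line itself, as in the post, is not.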