On Fri, May 22, 2020 4:01 pm, Adi Pircalabu wrote:
>> Results
>> =======
>>
>>
>> Failregex: 5149 total
>>
> [...]
>
>> Lines: 338975 lines, 0 ignored, 5149 matched, 333826 missed
>> [processed in 87.44 sec]
>>
>
> Right, so it's not a regex problem then, you're getting some matches
> there, although you might want to revisit it if the result is not
> consistent with your own searches. It might be that Dovecot isn't logging
> to systemd's journal, or the regex doesn't match the journal entries. Try
> to comment out the "journalmatch = _SYSTEMD_UNIT=dovecot.service" entry in
> your filter file, restart f2b and see if there's any change.
>
> P.S. Let's try and keep the replies to the list :)
Adi, this is what I got, a lot faster as well:

Running tests
=============

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/dovecot.log
Use         encoding : UTF-8


Results
=======

Failregex: 5177 total
|-  #) [# of hits] regular expression
|   2) [5177] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [343387] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 343387 lines, 0 ignored, 5177 matched, 338210 missed
[processed in 85.97 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 338210 lines
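The following is an added illustration, not part of the thread and not fail2ban's own code. It re-creates in miniature what fail2ban-regex is doing when it reports "N matched, M missed" above: strip the timestamp (the date template hits every line), apply the dovecot failregex to the remainder, and count hits per remote IP. The prefix part of the filter is omitted and `<HOST>` is expanded with a deliberately simple stand-in pattern (fail2ban uses its own, more elaborate expansion); the log lines are constructed. Note that ordinary "Login:" and "Logged out" lines are counted as missed, which is the expected outcome for a healthy server log, not a sign of a broken filter.

```python
"""Miniature of the fail2ban-regex matching loop for the dovecot filter.

Added example; not fail2ban's code.  HOST_RE and DATE_RE are simplified
stand-ins for fail2ban's <HOST> expansion and date detector, and
SAMPLE_LOG is constructed test data.
"""
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion: accepts IPv4/IPv6 literals.
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"

# Core of the dovecot failregex quoted in the thread, with the generic
# syslog prefix part dropped (the timestamp is removed separately below).
FAILREGEX = (
    r"^(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)"
    r"(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?"
    r"|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?"
    r"( method=\S+,)? rip=<HOST>(?:, lip=\S+)?"
    r"(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+"
    r":SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?"
    r"(: Disconnected)?)?(, session=<\S+>)?\s*$"
).replace("<HOST>", HOST_RE)
FAIL_RE = re.compile(FAILREGEX)

# Stand-in for the "MON Day %k:Minute:Second" date template reported above.
DATE_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")

# Constructed sample log: four auth failures (two from the same host) and
# two benign lines that the failregex should leave alone.
SAMPLE_LOG = """\
May 22 15:58:01 imap-login: Info: Disconnected (auth failed, 3 attempts in 12 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<abc123>
May 22 15:58:02 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.5, mpid=1234, TLS, session=<def456>
May 22 15:58:03 pop3-login: Info: Aborted login (tried to use disabled plaintext auth): user=<eve>, rip=192.0.2.30, lip=198.51.100.5, session=<ghi789>
May 22 15:58:04 imap(alice): Info: Logged out in=44 out=1234
May 22 15:58:05 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=2001:db8::1, lip=198.51.100.5, TLS: Disconnected, session=<jkl>
May 22 15:58:06 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<mno>
"""


def scan(log_text):
    """Return (date_hits, matched, missed, per_host).

    Mirrors the summary fail2ban-regex prints: how many lines the date
    template recognised, how many the failregex matched or missed, and a
    Counter of failregex hits per remote IP (what a jail would ban on).
    """
    date_hits = matched = missed = 0
    per_host = Counter()
    for line in log_text.splitlines():
        m = DATE_RE.match(line)
        if not m:
            missed += 1  # no recognisable timestamp: treated as a miss here
            continue
        date_hits += 1
        rest = line[m.end():]  # the failregex is applied after the timestamp
        hit = FAIL_RE.match(rest)
        if hit:
            matched += 1
            per_host[hit.group("host")] += 1
        else:
            missed += 1
    return date_hits, matched, missed, per_host


if __name__ == "__main__":
    date_hits, matched, missed, per_host = scan(SAMPLE_LOG)
    total = matched + missed
    print("Date template hits: %d" % date_hits)
    print("Lines: %d lines, 0 ignored, %d matched, %d missed" % (total, matched, missed))
    for host, n in per_host.most_common():
        print("  %s: %d failure(s)" % (host, n))
```

Running it reports 6 date hits, 4 matched and 2 missed, with 192.0.2.10 credited with two failures; on a real log, the same proportion (date template matching everything, failregex matching only the auth-failure lines) is what the thread's output shows.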