You aren't including the ignoreregex argument with this:

fail2ban-regex -v /var/log/tomcat6/catalina.2015-02-09.log /etc/fail2ban/filter.d/guacamole.conf

If the ignoreregex and the failregex are both in your guacamole.conf, the command is this:

fail2ban-regex -v /var/log/tomcat6/catalina.2015-02-09.log /etc/fail2ban/filter.d/guacamole.conf /etc/fail2ban/filter.d/guacamole.conf

Notice the /etc/fail2ban/filter.d/guacamole.conf is written twice in the command.

That should do it.

Mike

----- Original Message -----
From: "Cristiano Nuzzo" <crinu...@gmail.com>
To: fail2ban-users@lists.sourceforge.net
Sent: Monday, February 9, 2015 3:48:45 PM
Subject: Re: [Fail2ban-users] can't make ignoreregex working

This is a copy/paste of my terminal window, thanks in advance

pippo@faxservernew:~$ fail2ban-regex -v /var/log/tomcat6/catalina.2015-02-09.log /etc/fail2ban/filter.d/guacamole.conf

Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/guacamole.conf
Use maxlines : 2
Use log file : /var/log/tomcat6/catalina.2015-02-09.log
Use encoding : UTF-8

Results
=======

Failregex: 129 total
|- #) [# of hits] regular expression
| 1) [129] ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [134] MON Day, Year 12hour:Minute:Second AMPM
| [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
| [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
| [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
| [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] Month/Day/Year:24hour:Minute:Second
| [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
| [0] TAI64N
| [0] Epoch
| [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
| [0] ^24hour:Minute:Second
| [0] ^<Month/Day/Year2@24hour:Minute:Second>
| [0] ^Year2MonthDay ?24hour:Minute:Second
| [0] ^MON-Day-Year2 24hour:Minute:Second

On Mon, Feb 9, 2015 at 9:40 PM, Arturo 'Buanzo' Busleiman <bua...@buanzo.com.ar> wrote:

Please, show the complete command line for fail2ban-regex, which should include a 3rd argument.

On Mon, Feb 9, 2015 at 5:35 PM, Cristiano Nuzzo <crinu...@gmail.com> wrote:

Hi everybody,

I'm using guacamole.conf to ban users that fail login, this is my guacamole.conf:

#
# Author: Steven Hiscocks
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex = user "null"

and this is a tail of my log file:

INFO: User "pippo" successfully authenticated from 217.200.201.249.
Feb 09, 2015 7:38:30 PM org.slf4j.impl.JCLLoggerAdapter info
INFO: Login was successful.
Feb 09, 2015 7:38:33 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 217.200.201.249 for user "null" failed.
Feb 09, 2015 7:38:41 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed.
Feb 09, 2015 7:38:42 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed.
Feb 09, 2015 7:38:43 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed.
Feb 09, 2015 8:08:31 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
Feb 09, 2015 8:08:40 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
Feb 09, 2015 8:08:44 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
Feb 09, 2015 8:08:49 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
Feb 09, 2015 8:08:53 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.

Guacamole generates null logins by itself on every page load, so I want fail2ban to ignore them.

This is fail2ban-regex output:

Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/guacamole.conf
Use maxlines : 2
Use log file : /var/log/tomcat6/catalina.2015-02-09.log
Use encoding : UTF-8

Results
=======

Failregex: 129 total
|- #) [# of hits] regular expression
| 1) [129] ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [134] MON Day, Year 12hour:Minute:Second AMPM
`-

Lines: 268 lines, 0 ignored, 258 matched, 10 missed [processed in 0.13 sec]
|- Missed line(s):
| Feb 09, 2015 6:15:04 PM org.slf4j.impl.JCLLoggerAdapter info
| INFO: Reading user mapping file: /etc/guacamole/user-mapping.xml
| Feb 09, 2015 7:14:28 PM org.slf4j.impl.JCLLoggerAdapter info
| INFO: User "cristian" successfully authenticated from 95.226.42.86.
| Feb 09, 2015 7:14:28 PM org.slf4j.impl.JCLLoggerAdapter info
| INFO: Login was successful.
| Feb 09, 2015 7:38:30 PM org.slf4j.impl.JCLLoggerAdapter info
| INFO: User "cristian" successfully authenticated from 217.200.201.249.
| Feb 09, 2015 7:38:30 PM org.slf4j.impl.JCLLoggerAdapter info
| INFO: Login was successful.
`-

As you can see, user "null" lines are not ignored.

I'm using fail2ban 0.9.1 on Ubuntu server.

Thanks in advance for any help.

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now.
http://goparallel.sourceforge.net/
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
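
The filter behaviour discussed in this thread, as an added example that is not part of the original messages and not fail2ban's own code: a simplified Python model of a two-line failregex window with and without the ignoreregex, run over a sample rebuilt from the posted log tail. The `count_failures` function, the IPv4-only `HOST` stand-in for `<HOST>`, and the order in which ignored lines are dropped are assumptions of this sketch.

```python
import re
from collections import Counter

# Values copied from the guacamole.conf and fail2ban-regex output in the thread.
FAILREGEX = r'^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$'
IGNOREREGEX = r'user "null"'
MAXLINES = 2

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# Sample log rebuilt from the WARNING entries in the posted log tail.
EVENTS = (
    [("7:38:33", "217.200.201.249", "null")]
    + [(t, "217.200.201.249", "pippo") for t in ("7:38:41", "7:38:42", "7:38:43")]
    + [(t, "151.52.140.102", "null")
       for t in ("8:08:31", "8:08:40", "8:08:44", "8:08:49", "8:08:53")]
)
LOG = "".join(
    f"Feb 09, 2015 {t} PM org.slf4j.impl.JCLLoggerAdapter warn\n"
    f'WARNING: Authentication attempt from {ip} for user "{user}" failed.\n'
    for t, ip, user in EVENTS
)


def count_failures(log_text, failregex, ignoreregex=None, maxlines=MAXLINES):
    """Return ({host: hits}, ignored_line_count) for a multi-line failregex."""
    fail = re.compile(failregex.replace("<HOST>", HOST), re.MULTILINE)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hits, ignored, window = Counter(), 0, []
    for line in log_text.splitlines():
        # Assumed order: a line matching ignoreregex is dropped before buffering.
        if ignore and ignore.search(line):
            ignored += 1
            continue
        window = (window + [line])[-maxlines:]
        match = fail.search("\n".join(window))
        if match:
            hits[match.group("host")] += 1
            window = []  # lines that produced a hit are consumed
    return dict(hits), ignored


if __name__ == "__main__":
    print("failregex only   :", count_failures(LOG, FAILREGEX))
    print("with ignoreregex :", count_failures(LOG, FAILREGEX, IGNOREREGEX))
```

On this sample the ignoreregex leaves three hits for 217.200.201.249 and none for 151.52.140.102, which is the result the "Ignoreregex" and "ignored" counters in fail2ban-regex should reflect once the ignoreregex is actually loaded.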