I may have answered my own question. This works (in the filter file):

    backend = systemd
    journalmatch = SYSLOG_FACILITY=2

The trick was replacing the facility name (mail) with its decimal number (2). This seems really poor to me. No one uses these numbers and I'm not convinced they are even immutable or constant across systems. Journalctl does support using facility names with the --facility= option as shown below, so there should be some way for fail2ban to use the facility name, rather than resorting to this. If any of you know a better way, please let me know.

Cheers,

--George

On 12/9/23 3:30 PM, George Welch wrote:
> Howdy,
>
> I am developing a custom fail2ban filter for a daemon that logs to syslog. I
> am using Debian 12, so syslog is handled by systemd. If I dump a syslog
> facility to a file:
>
> # journalctl --facility=mail --output=short-full --no-tail >test.log
>
> and then test my filter with
>
> # fail2ban-regex test.log myfilter.conf
>
> Then it seems to work well. At least it seems to match the correct lines.
>
> But of course I don't want to dump the journal to a file. So how can I tell
> fail2ban to look into the syslog when it is handled by systemd? I know that
> if a daemon logs directly to systemd, then you can do this:
>
> backend = systemd
> journalmatch = _SYSTEMD_UNIT=mydaemon.service
>
> But this daemon logs to syslog, so that does not work.
>
> As a guess, I tried changing that to
>
> journalmatch = _SYSTEMD_FACILIY=mail
>
> but of course that was a bad guess.
>
> Can you tell me how to tell fail2ban which syslog facility to follow?
>
> Thanks,
>
> --George
>
>
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
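Added example, not code from the thread or from fail2ban itself. The number George found is the syslog facility code fixed by RFC 5424 (section 6.2.1), the same value behind the LOG_MAIL constant in the C library's <sys/syslog.h>; journald stores that code, not the name, in the SYSLOG_FACILITY field, and journalctl --facility= simply translates the name into it before matching. The Python below does the same translation, emits the journalmatch line for a filter, and applies that match to a constructed sample of `journalctl -o json` entries so the filtering can be checked offline. The `identifier` parameter, the `filter_snippet` helper and the sample entries are assumptions made for the example.

```python
"""Resolve a syslog facility name to the code journald stores in
SYSLOG_FACILITY, build the fail2ban journalmatch line for it, and apply
that match to sample journal entries. Added example; not fail2ban code."""
import json

# Facility codes from RFC 5424 section 6.2.1 (identical to RFC 3164 and to
# the LOG_* values in <sys/syslog.h>). journald records the number, not the
# name, which is why "SYSLOG_FACILITY=2" works where "...=mail" would not.
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}


def facility_code(name):
    """Map a facility name (case-insensitive) to its numeric code."""
    try:
        return FACILITY_CODES[name.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown syslog facility: {name!r}") from None


def journalmatch_for_facility(name, identifier=None):
    """Build a journalmatch value: space-separated FIELD=VALUE terms that
    must all hold for an entry to be read. The optional identifier
    (hypothetical parameter) narrows the match to one program's messages."""
    terms = [f"SYSLOG_FACILITY={facility_code(name)}"]
    if identifier:
        terms.append(f"SYSLOG_IDENTIFIER={identifier}")
    return " ".join(terms)


def filter_snippet(name, identifier=None):
    """Render the [Init] section of a fail2ban filter file (helper assumed
    for this example)."""
    return ("[Init]\n"
            f"journalmatch = {journalmatch_for_facility(name, identifier)}\n")


def parse_journalmatch(expr):
    """Split 'FIELD=VALUE FIELD2=VALUE2' into (field, value) pairs."""
    pairs = []
    for term in expr.split():
        field, sep, value = term.partition("=")
        if not sep or not field:
            raise ValueError(f"bad journalmatch term: {term!r}")
        pairs.append((field, value))
    return pairs


def matching_entries(json_lines, expr):
    """Return the entries (one JSON object per line, as `journalctl -o json`
    prints them) that satisfy every term; journald exports field values as
    strings, so the comparison is a plain string equality."""
    wanted = parse_journalmatch(expr)
    return [entry for entry in map(json.loads, json_lines)
            if all(entry.get(field) == value for field, value in wanted)]


def libc_agrees(name):
    """Cross-check a code against the LOG_* constant Python's syslog module
    takes from the C library. Returns None where the module or constant is
    unavailable (e.g. non-Unix builds); the constant is facility << 3."""
    try:
        import syslog
    except ImportError:
        return None
    const = getattr(syslog, "LOG_" + name.upper(), None)
    if const is None:
        return None
    return (const >> 3) == facility_code(name)


# Constructed sample shaped like `journalctl -o json` output; the hosts are
# RFC 5737 documentation addresses, and "mydaemon" is the daemon from the thread.
SAMPLE_JOURNAL = [
    '{"SYSLOG_FACILITY":"2","SYSLOG_IDENTIFIER":"mydaemon",'
    '"MESSAGE":"authentication failed for alice from 192.0.2.10"}',
    '{"SYSLOG_FACILITY":"4","SYSLOG_IDENTIFIER":"sshd",'
    '"MESSAGE":"Failed password for bob from 198.51.100.7"}',
    '{"SYSLOG_FACILITY":"2","SYSLOG_IDENTIFIER":"postfix/smtpd",'
    '"MESSAGE":"connect from unknown[203.0.113.5]"}',
    '{"SYSLOG_FACILITY":"2","SYSLOG_IDENTIFIER":"mydaemon",'
    '"MESSAGE":"authentication failed for carol from 192.0.2.10"}',
]


if __name__ == "__main__":
    print(filter_snippet("mail", "mydaemon"))
    expr = journalmatch_for_facility("mail", "mydaemon")
    for entry in matching_entries(SAMPLE_JOURNAL, expr):
        print(entry["MESSAGE"])
    print("libc agrees on mail:", libc_agrees("mail"))
```

In fail2ban's own layout, `journalmatch` is documented under the filter's [Init] section while `backend = systemd` is a jail option, and `fail2ban-regex` accepts the literal word `systemd-journal` in place of a log file, so the filter can be tested against the live journal without dumping it to a file first. Adding a SYSLOG_IDENTIFIER term, as the snippet above allows, keeps the jail from reading every mail-facility message when only one daemon's lines are of interest.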