Hi and thanks for reading ...
I've scoured the usual sources and whilst I'm convinced I'm not the
first with this config challenge, I can't find anything appropriate.
The issue appears to be the additional fields
(timestamp/hostname/process) that journal is adding to the original
dovecot log lines. Now there's a bunch of workarounds for this but I'm
trying to avoid hacks and am also convinced fail2ban can handle this in
itself (and I'm just being dumb).
Currently exploring the common.conf macros and how they work (e.g.
logtype = journal) and if/how this could be modified to handle journal
entries but my assumption is I'm missing something obvious as I can't
imagine I'm the first to need to filter out the additional fields for
the regex to work out of the box.
If anyone has any pointers here it will be much appreciated, an hour or
two saved as I'm burning through them ;)
Some more detail ...
Dovecot docker container logging to stdout (no rsyslog in the middle),
docker configured to log to journal.
- docker logs:
Apr 10 13:10:14 submission-login: Info: Disconnected: Connection closed
(auth failed, 1 attempts in 23 secs): user=<squir...@yourdomain.net>,
method=LOGIN, rip=194.169.175.10, lip=172.20.0.4, TLS: Connection
closed, session=<EzX/wL0V8KnCqa8K>
- journal logs:
Apr 10 13:10:14 toad be63bba8ba56[2836635]: Apr 10 13:10:14
submission-login: Info: Disconnected: Connection closed (auth failed, 1
attempts in 23 secs): user=<squir...@yourdomain.net>, method=LOGIN,
rip=194.169.175.10, lip=172.20.0.4, TLS: Connection closed,
session=<EzX/wL0V8KnCqa8K>
NOTE: additional timestamp etc
- Control test:
journalctl -u docker.service CONTAINER_NAME=ms-dovecot --output cat >
dovecot-native.logs
fail2ban-regex ./dovecot-native.logs dovecot
NOTE: everything works, 100's of Failregex counted (14k lines via Prefregex)
fail2ban-regex systemd-journal -m 'CONTAINER_NAME=ms-dovecot' dovecot
NOTE: Prefregex counts 14k lines but zero Failregex.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
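As an added illustration (not from the post, and not fail2ban's own filter.d/dovecot.conf), here is a simplified Python model of fail2ban's prefregex/failregex split using the two sample lines from the post, showing why a prefix written for the native dovecot line never reaches the failregex on the journal-wrapped line, and a relaxed prefix that optionally consumes the journal-added host, container id, pid and second timestamp. The regexes and the IPv4-only stand-in for fail2ban's <HOST> pattern are constructed for this example.

```python
import re

# Sample lines taken from the post (wrapped lines rejoined), one per log source.
DOCKER_LINE = (
    "Apr 10 13:10:14 submission-login: Info: Disconnected: Connection closed "
    "(auth failed, 1 attempts in 23 secs): user=<squir...@yourdomain.net>, "
    "method=LOGIN, rip=194.169.175.10, lip=172.20.0.4, TLS: Connection closed, "
    "session=<EzX/wL0V8KnCqa8K>"
)
# journald prepends "<host> <container-id>[pid]: " and the line keeps its own timestamp.
JOURNAL_LINE = "Apr 10 13:10:14 toad be63bba8ba56[2836635]: " + DOCKER_LINE

# fail2ban substitutes <HOST> with a host/IP pattern; simplified IPv4-only stand-in here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Simplified failregex modelled on the dovecot "auth failed" disconnect line
# (illustrative, not the stock filter's regex).
FAILREGEX = (
    r"Info: Disconnected: Connection closed \(auth failed, \d+ attempts in \d+ secs\): "
    r"user=<[^>]*>, method=\S+, rip=" + HOST + r","
)

TIMESTAMP = r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}"

# Prefix as a filter written for the native line expects it:
# syslog timestamp, then the dovecot service name.
PREFIX_NATIVE = r"^" + TIMESTAMP + r" (?:\w+-login): "

# Relaxed prefix: optionally swallow "<host> <container>[pid]: <timestamp> "
# before the service name, so both the native and the journal form match.
PREFIX_JOURNAL = (
    r"^" + TIMESTAMP
    + r" (?:\S+ \S+\[\d+\]: " + TIMESTAMP + r" )?"
    + r"(?:\w+-login): "
)


def match_failure(line, prefix):
    """Return the offending rip= address when prefix + failregex match, else None."""
    m = re.match(prefix + FAILREGEX, line)
    return m.group("host") if m else None


if __name__ == "__main__":
    for name, prefix in (("native", PREFIX_NATIVE), ("journal", PREFIX_JOURNAL)):
        print(name, "docker:", match_failure(DOCKER_LINE, prefix),
              "journal:", match_failure(JOURNAL_LINE, prefix))
```

In a real jail the extra prefix belongs in the filter's prefregex (or a __prefix_line override in a .local file) rather than in every failregex, and fail2ban-regex run against the journal, as in the post, is the check that it works.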