Looking at the code, Fail2ban uses Inotify to know when a file has changed,
and only at that point is it opened and read.
Inotify watches don't appear in open files.

Mickaël


2015-01-06 1:53 GMT+01:00 Adam Carter <adamcart...@gmail.com>:

> AFAIK fail2ban tails log files to find login failures, but when I try lsof
> it's not reading daemon.log/auth.log/whatever for sshd's login failure
> messages.
>
> # ps -ef | grep fail2
> root       518     1  0 Jan01 ?        00:05:22 /usr/bin/python3.4
> /usr/lib64/python-exec/python3.4/fail2ban-server -s
> /run/fail2ban/fail2ban.sock -p /run/fail2ban/fail2ban.pid -x -b
> root     21407 21250  0 11:45 pts/1    00:00:00 grep --colour=auto fail2
> # lsof -p 518 | grep var
> fail2ban- 518 root    5w   REG              9,126      107   263885
> /var/log/fail2ban.log
> fail2ban- 518 root    6u   REG              9,126    16384  1180229
> /var/lib/fail2ban/fail2ban.sqlite3
> #
>
> What am I missing?
>
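
Where inotify watches can be seen when lsof shows no open log file, as an added example that is not part of the original messages: on Linux each inotify descriptor lists its watches in /proc/<pid>/fdinfo/<fd>, with the inode and device in hex. The function names and the sample fdinfo text are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode the "inotify" lines of /proc/<pid>/fdinfo/<fd>.
# Function names and the sample data below are constructed, not fail2ban's.

# Read fdinfo text on stdin; print one line per watch with the inode in
# decimal (as ls -i and lsof show it) and the device as major:minor.
parse_inotify_fdinfo() {
    while read -r tag rest; do
        [ "$tag" = "inotify" ] || continue
        wd='' ino='' sdev=''
        for field in $rest; do
            case $field in
                wd:*)   wd=${field#wd:} ;;
                ino:*)  ino=${field#ino:} ;;
                sdev:*) sdev=${field#sdev:} ;;
            esac
        done
        [ -n "$ino" ] && [ -n "$sdev" ] || continue
        # sdev is the kernel dev_t: major in the high bits, 20-bit minor.
        printf 'wd=%s inode=%d dev=%d:%d\n' "$wd" "$((0x$ino))" \
            "$((0x$sdev >> 20))" "$((0x$sdev & 0xfffff))"
    done
}

# Print every inotify watch held by a PID (needs root for other users'
# processes). Resolve an inode to a path with, for example:
#   find /var/log -xdev -inum <inode>
list_watches() {
    for f in /proc/"$1"/fdinfo/*; do
        if [ -r "$f" ]; then parse_inotify_fdinfo < "$f"; fi
    done
    return 0
}

# Constructed sample of one inotify descriptor's fdinfo (not captured output).
sample_fdinfo() {
    cat <<'EOF'
pos:	0
flags:	02004000
mnt_id:	15
inotify wd:1 ino:12028c sdev:90007e mask:800afce ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:8c02120000000000
inotify wd:2 ino:4068d sdev:90007e mask:800afce ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:8d06040000000000
EOF
}

# Run against a live process when a PID is given: ./script.sh 518
if [ "$#" -gt 0 ]; then list_watches "$1"; fi
```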
