fail2ban

Fail2ban not spotting matches in other_vhosts_access.log


I have a server running Apache and handling a bunch of redirected domains; the redirects aren't logged into individual logs but into other_vhosts_access.log, which consists of lines which look roughly like this:

host.name:80 1.2.3.4 - - [26/Oct/2022:14:18:59 +0100] "GET / HTTP/1.1" 302 498 "-" "browser_string_here"
other.host.name:80 5.6.7.8 - - [26/Oct/2022:14:22:45 +0100] "\x16\x03\x01" 400 0 "-" "-"

(In other words, this doesn't look quite the same as a standard Apache access file because of the host.name:80 part at the beginning of each line.)

There are several fail2ban filters I'd like to run across this file, but the simplest is to ban any hosts trying to access without GET, HEAD or POST being involved (as in the second line in the example above). The fail2ban filter I am trying to use for this looks like:

[INCLUDES]
before = common.conf

[Definition]

failregex =     ^\S+ <ADDR> - - .*$

ignoreregex =   GET
                HEAD
                POST

So anything which includes GET, HEAD or POST should be ignored, and anything else should be matched with ADDR. (This is the simplest example I have handy; it isn't the only filter I want to use, but if I can fix this case then the rest should fall into line... I hope.) I am using ADDR rather than HOST here because HOST matches on the hostname at the start of the string, and that's not what we are after.

This is not working. Running fail2ban-regex using the above details against the log file shows the ignoreregex working the way it's supposed to, but I am not getting any hits at all on the failregex (all the lines on which it should hit are being listed as missed, instead). It's also not hitting any of the "datepattern" options, which seems odd because this is not any kind of unusual date format. Adding a specific "datepattern" line within the filter does not seem to help.

Running fail2ban-regex on a single line of the log with the failregex set to the failregex above does seem to work, but running it across the whole log does not.

I'm wondering if the problem here is that the LN-BEG preset within fail2ban is not correctly matching the start of the line because of the added hostname/port at the beginning of the line, but I'm struggling to figure out how to add to it if that is what is needed. I would rather not set up specific logs for each of the redirected domains -- it would be a lot of logs!

Fail2ban 0.10.2 on Debian Buster (this is the distro's version)


Solution

  • I think I have solved this, and it did turn out to be related to the datepattern not correctly matching the log lines. Adding in a more specific datepattern rather than relying on one of the defaults matching sorted things out:

    datepattern = \[%%d/%%b/%%Y:%%H:%%M:%%S %%z\]
    

    Basically, if the date isn't getting picked up correctly, lines won't match even if they "should" do.
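To make the "no date, no match" behaviour concrete, here is an added example (my own code, not fail2ban's and not part of the question or answer) that re-implements the relevant part of the matching pipeline in Python: locate the timestamp with the datepattern, cut it out, apply ignoreregex, then failregex. It runs the filter from the question, with the datepattern from the solution, over the two log lines posted plus two constructed ones, and then runs it again with the date pattern anchored to the start of the line (a plain `^`, standing in for the line-begin anchoring the question mentions) to show every line being "missed". The strftime-to-regex table and the `<ADDR>` expansion are simplified approximations of fail2ban's own, sufficient for these lines.

```python
"""Emulate fail2ban's datepattern -> ignoreregex -> failregex pipeline.

Added example, not fail2ban code. The strftime table and the <ADDR>
expansion are simplified approximations of what fail2ban uses.
"""
import re
from typing import List, Optional, Tuple

# Filter as posted in the question, plus the datepattern from the solution.
FAILREGEX = r"^\S+ <ADDR> - - .*$"
IGNOREREGEX = [r"GET", r"HEAD", r"POST"]
DATEPATTERN = r"\[%%d/%%b/%%Y:%%H:%%M:%%S %%z\]"  # %% is INI escaping for %

# Same pattern anchored to the start of the line: approximates what happens
# when the date is only looked for at line begin, as with the defaults.
ANCHORED_DATEPATTERN = r"^\[%%d/%%b/%%Y:%%H:%%M:%%S %%z\]"

# Simplified <ADDR>: dotted IPv4, or an IPv6 literal containing colons.
ADDR_RE = (r"(?P<addr>(?:\d{1,3}\.){3}\d{1,3}"
           r"|(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4})")

# Approximate strftime directive -> regex mapping (subset used here).
STRFTIME_RE = {
    "%d": r"(?:3[01]|[12]\d|0?[1-9])",
    "%b": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "%Y": r"\d{4}",
    "%H": r"(?:2[0-3]|[01]?\d)",
    "%M": r"[0-5]\d",
    "%S": r"(?:6[01]|[0-5]\d)",
    "%z": r"(?:Z|[+-]\d{2}:?\d{2})",
}


def datepattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn an INI-escaped fail2ban datepattern into a compiled regex.

    Directives outside STRFTIME_RE raise KeyError on purpose.
    """
    pattern = pattern.replace("%%", "%")
    return re.compile(re.sub(r"%[A-Za-z]",
                             lambda m: STRFTIME_RE[m.group(0)], pattern))


def classify(line: str, date_re: "re.Pattern[str]") -> Tuple[str, Optional[str]]:
    """Return ("missed" | "ignored" | "matched", addr) for one log line."""
    m = date_re.search(line)
    if m is None:
        # No timestamp recognised: the failregex is never consulted.
        return "missed", None
    # fail2ban matches against the line with the timestamp cut out.
    rest = line[:m.start()] + line[m.end():]
    if any(re.search(p, rest) for p in IGNOREREGEX):
        return "ignored", None
    fm = re.search(FAILREGEX.replace("<ADDR>", ADDR_RE), rest)
    if fm is None:
        return "missed", None
    return "matched", fm.group("addr")


# Constructed sample log: the two lines from the question plus two more
# (a POST that must be ignored, and a line whose date format differs).
SAMPLE_LOG = [
    r'host.name:80 1.2.3.4 - - [26/Oct/2022:14:18:59 +0100] "GET / HTTP/1.1" 302 498 "-" "browser_string_here"',
    r'other.host.name:80 5.6.7.8 - - [26/Oct/2022:14:22:45 +0100] "\x16\x03\x01" 400 0 "-" "-"',
    r'third.host:80 9.9.9.9 - - [26/Oct/2022:14:23:01 +0100] "POST /login HTTP/1.1" 200 12 "-" "curl/7.74.0"',
    r'fourth.host:80 10.0.0.5 - - 2022-10-26 14:25:00 "PUT / HTTP/1.1" 405 0 "-" "-"',
]


def run_filter(lines: List[str], datepattern: str = DATEPATTERN) -> List[Tuple[str, Optional[str]]]:
    """Classify every line the way fail2ban-regex would report it."""
    date_re = datepattern_to_regex(datepattern)
    return [classify(line, date_re) for line in lines]


def banned_addrs(lines: List[str], datepattern: str = DATEPATTERN) -> List[str]:
    """Addresses that would be counted as failures (and eventually banned)."""
    return sorted(addr for status, addr in run_filter(lines, datepattern)
                  if status == "matched")


if __name__ == "__main__":
    for name, pattern in (("explicit", DATEPATTERN), ("anchored", ANCHORED_DATEPATTERN)):
        print(f"--- datepattern: {name}")
        for line, (status, addr) in zip(SAMPLE_LOG, run_filter(SAMPLE_LOG, pattern)):
            print(f"{status:8} {addr or '-':10} {line[:50]}")
```

With the explicit datepattern, the GET and POST lines are ignored, the `\x16\x03\x01` line is matched on 5.6.7.8, and the fourth line is missed purely because its timestamp is in a different format. With the anchored pattern every line is missed, because the timestamp never sits at the start of the line in other_vhosts_access.log; that is the symptom described in the question.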