0008885: Logwatch script for fail2ban doesn't detect any ban/unbans

ID	Project	Category	View Status	Date Submitted	Last Update

0008885	CentOS-7	logwatch	public	2015-06-10 13:20	2020-08-03 11:37

Reporter	quintinbjacklin
Priority	normal	Severity	minor	Reproducibility	always
Status	new	Resolution	open
Platform	x64	OS	centos	OS Version	7.0
Product Version	7.0-1406
Target Version		Fixed in Version

Summary	0008885: Logwatch script for fail2ban doesn't detect any ban/unbans
Description	It seems the log levels and format for fail2ban has changed slightly, and so the logwatch script no longer detects bans or unbans.
Steps To Reproduce	1. enable sshd jail in /etc/fail2ban/jail.conf 2. login to the server 5 times with an invalid user 3. verify the ban occurred by viewing /var/log/fail2ban.log 4. run: sudo logwatch --output stdout --debug Med --service fail2ban No output is produced to reflect the ban.
Additional Information	The problem lies in the expected log format which the logwatch script is looking for. Affected package: logwatch-7.4.0-28.20130522svn140.el7.noarch Affected file: /usr/share/logwatch/scripts/services/fail2ban Affected line: 81 The affected line currently reads: } elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/WARNING:?\s\[?(.?)[]:]?\s(Ban\|Unban)[^\.] (\S+)/)) { To fix, change this line to: } elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/NOTICE:?\s+\[?(.?)[]:]?\s(Ban\|Unban)[^\.] (\S+)/)) { This includes: 1. the loglevel change to NOTICE 2. the extra + after the first \s to match all whitespace up until the jail name.
Tags	No tags attached.

abrt_hash
URL

rexbinary 2020-08-02 19:50 reporter ~0037481	This issue seems to be resolved within the fail2ban service script of later versions of logwatch.Specifically I tested the file from version 7.5.4 of logwatch and the fix is present there.

ManuelWolfshant 2020-08-03 11:37 manager ~0037483	RHEL and by matter of consequence CentOS do not ship fail2ban and on top of that RHEL 7 is in maintenance mode. So I can safely bet that the chances of having the script modified so as to include the proposed change are very very slim while the chances of including a newer version of logwatch are zero. You can however attempt to bug RedHat by opening a RFE at bugzilla.redhat.com in the hope that they will include the change in RHEL 7.10 ( 7.9 beta was announced several months ago so the chances of including such a late change in 7.9 is below zero).

Date Modified	Username	Field
2015-06-10 13:20	quintinbjacklin	New Issue
2020-08-02 19:50	rexbinary	Note Added: 0037481
2020-08-03 11:37	ManuelWolfshant	Note Added: 0037483