View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008885 | CentOS-7 | logwatch | public | 2015-06-10 13:20 | 2020-08-03 11:37 |
Reporter | quintinbjacklin | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open | ||
Platform | x64 | OS | centos | OS Version | 7.0 |
Product Version | 7.0-1406 | ||||
Summary | 0008885: Logwatch script for fail2ban doesn't detect any ban/unbans | ||||
Description | It seems the log levels and format for fail2ban has changed slightly, and so the logwatch script no longer detects bans or unbans. | ||||
Steps To Reproduce |
1. enable sshd jail in /etc/fail2ban/jail.conf
2. login to the server 5 times with an invalid user
3. verify the ban occurred by viewing /var/log/fail2ban.log
4. run: sudo logwatch --output stdout --debug Med --service fail2ban

No output is produced to reflect the ban.
Additional Information |
The problem lies in the expected log format which the logwatch script is looking for.

Affected package: logwatch-7.4.0-28.20130522svn140.el7.noarch
Affected file: /usr/share/logwatch/scripts/services/fail2ban
Affected line: 81

The affected line currently reads:

```perl
} elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/WARNING:?\s\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {
```

To fix, change this line to:

```perl
} elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/NOTICE:?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {
```

This includes:
1. the loglevel change to NOTICE
2. the extra + after the first \s to match all whitespace up until the jail name.
Tags | No tags attached. | ||||
abrt_hash | |||||
URL | |||||
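The following is an added example, not part of the bug report and not code from logwatch or fail2ban. It runs the reporter's original and proposed regexes (translated character for character from Perl to Python's `re`, which reads `[]:]?` the same way) over constructed sample lines in both the older fail2ban 0.8 format (`WARNING [jail] Ban host`) and the 0.9 format seen on CentOS 7 (`NOTICE  [jail] Ban host`, with a PID field and two spaces after the level). It goes one step beyond the report: the third pattern, an assumption of this example rather than anything the reporter or the later logwatch release proposes, accepts either log level, since the proposed replacement on its own stops matching logs written by the older fail2ban.

```python
import re

# Constructed sample log lines (not taken from the bug report). The first two
# use the fail2ban 0.8 format the shipped logwatch script expects; the rest use
# the fail2ban 0.9 format that CentOS 7 systems produce. The INFO lines are
# there to show that "Found" and startup messages must not count as bans.
SAMPLE_LOG = """\
2015-06-10 13:05:01,123 fail2ban.actions: WARNING [ssh-iptables] Ban 192.0.2.10
2015-06-10 13:15:01,456 fail2ban.actions: WARNING [ssh-iptables] Unban 192.0.2.10
2015-06-10 13:20:02,789 fail2ban.actions        [2481]: NOTICE  [sshd] Ban 198.51.100.7
2015-06-10 13:30:02,012 fail2ban.actions        [2481]: NOTICE  [sshd] Unban 198.51.100.7
2015-06-10 13:20:02,790 fail2ban.filter         [2481]: INFO    [sshd] Found 198.51.100.7
2015-06-10 13:20:00,001 fail2ban.server         [2481]: INFO    Starting Fail2ban v0.9.2
"""

# Line 81 of the shipped script, as the reporter quotes it.
OLD_PATTERN = re.compile(r"WARNING:?\s\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)")

# The reporter's proposed replacement: NOTICE level, and \s+ to absorb the
# extra whitespace before the jail name.
NEW_PATTERN = re.compile(r"NOTICE:?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)")

# Assumption of this example, not part of the report: accept either level so
# that one script handles logs from both fail2ban generations.
BOTH_PATTERN = re.compile(r"(?:WARNING|NOTICE):?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)")


def extract_actions(log_text, pattern):
    """Return a (jail, action, host) tuple for every line the pattern matches."""
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits.append(m.groups())
    return hits


def summarize(hits):
    """Count bans and unbans per jail, the way a logwatch report aggregates them."""
    counts = {}
    for jail, action, host in hits:
        counts.setdefault(jail, {"Ban": 0, "Unban": 0})
        counts[jail][action] += 1
    return counts


if __name__ == "__main__":
    for name, pattern in (("old", OLD_PATTERN), ("proposed", NEW_PATTERN), ("both", BOTH_PATTERN)):
        hits = extract_actions(SAMPLE_LOG, pattern)
        print(f"{name:8s} matched {len(hits)} action line(s): {summarize(hits)}")
```

On the sample above the shipped pattern matches only the two 0.8-style lines, which is exactly the "no output" symptom the reporter saw on a CentOS 7 host that logs at NOTICE; the proposed pattern matches only the two 0.9-style lines; the combined pattern matches all four and ignores the INFO lines. Before swapping the regex on a real system, check what level your fail2ban actually logs bans at (`grep -E ' (Ban|Unban) ' /var/log/fail2ban.log | head`), since a pattern that matches neither level silently produces an empty report rather than an error.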
Note 0037481 (rexbinary, 2020-08-02 19:50): This issue seems to be resolved within the fail2ban service script of later versions of logwatch. Specifically, I tested the file from version 7.5.4 of logwatch and the fix is present there.
Note 0037483 (ManuelWolfshant, 2020-08-03 11:37): RHEL, and as a consequence CentOS, do not ship fail2ban, and on top of that RHEL 7 is in maintenance mode. So I can safely bet that the chances of having the script modified so as to include the proposed change are very, very slim, while the chances of including a newer version of logwatch are zero. You can however attempt to bug RedHat by opening a RFE at bugzilla.redhat.com in the hope that they will include the change in RHEL 7.10 (7.9 beta was announced several months ago, so the chances of including such a late change in 7.9 are below zero).
Date Modified | Username | Field | Change |
---|---|---|---|
2015-06-10 13:20 | quintinbjacklin | New Issue | |
2020-08-02 19:50 | rexbinary | Note Added: 0037481 | |
2020-08-03 11:37 | ManuelWolfshant | Note Added: 0037483 |