View Issue Details

ID: 0008885
Project: CentOS-7
Category: logwatch
View Status: public
Last Update: 2020-08-03 11:37
Reporter: quintinbjacklin
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: x64
OS: centos
OS Version: 7.0
Product Version: 7.0-1406
Target Version:
Fixed in Version:
Summary: 0008885: Logwatch script for fail2ban doesn't detect any ban/unbans

Description:
It seems the log levels and format for fail2ban have changed slightly, and so the logwatch script no longer detects bans or unbans.

Steps To Reproduce:
1. enable sshd jail in /etc/fail2ban/jail.conf
2. login to the server 5 times with an invalid user
3. verify the ban occurred by viewing /var/log/fail2ban.log
4. run: sudo logwatch --output stdout --debug Med --service fail2ban

No output is produced to reflect the ban.
Additional Information:
The problem lies in the expected log format which the logwatch script is looking for.

Affected package: logwatch-7.4.0-28.20130522svn140.el7.noarch
Affected file: /usr/share/logwatch/scripts/services/fail2ban
Affected line: 81

The affected line currently reads:
} elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/WARNING:?\s\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {

To fix, change this line to:
} elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/NOTICE:?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {

This includes:
1. the loglevel change to NOTICE
2. the extra + after the first \s to match all whitespace up until the jail name.

Tags: No tags attached.
abrt_hash:
URL:
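To make the report's two points concrete (the level change to NOTICE and the `+` after `\s`), here is an added example, not part of the bug report or of logwatch itself. The logwatch service script is Perl; the three patterns below are that script's shipped regex, the reporter's proposed replacement, and a hypothetical "level only" variant, used unchanged with Python's re module, which accepts this Perl syntax as-is. The log lines are constructed samples in the older fail2ban format and in the newer padded-level format the report describes, not lines from a real server.

```python
import re

# Regex from the shipped logwatch fail2ban script (the reported line 81),
# used unchanged: Python's re accepts this Perl pattern, including "[]:]"
# (a class containing "]" and ":").
SHIPPED_PATTERN = re.compile(r"WARNING:?\s\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)")

# The reporter's proposed replacement: NOTICE level and \s+ before the jail name.
PROPOSED_PATTERN = re.compile(r"NOTICE:?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)")

# Hypothetical variant (constructed for this example) that applies only the
# level change and keeps the single \s, to show why the "+" matters.
LEVEL_ONLY_PATTERN = re.compile(r"NOTICE:?\s\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)")

# Constructed sample log (not a real /var/log/fail2ban.log). Line 1 is the
# older WARNING format; the rest use the newer format where the level is
# NOTICE and padded with extra whitespace before the jail name.
SAMPLE_LOG = """\
2015-06-10 13:00:01,101 fail2ban.actions: WARNING [sshd] Ban 192.0.2.10
2015-06-10 13:05:02,202 fail2ban.actions        [2411]: NOTICE  [sshd] Ban 192.0.2.11
2015-06-10 13:06:03,303 fail2ban.filter         [2411]: INFO    [sshd] Found 192.0.2.12
2015-06-10 13:15:04,404 fail2ban.actions        [2411]: NOTICE  [sshd] Unban 192.0.2.11
"""


def summarize(log_text, pattern):
    """Collect Ban/Unban events per jail and host, mirroring what the logwatch
    script does with $Service, $Action and $Host after the regex matches.

    Returns e.g. {"sshd": {"Ban": ["192.0.2.11"], "Unban": ["192.0.2.11"]}}.
    Lines that do not match (INFO lines, other levels) are skipped, which is
    exactly why the shipped regex reports nothing for the newer format.
    """
    events = {}
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        service, action, host = m.groups()
        events.setdefault(service, {}).setdefault(action, []).append(host)
    return events


if __name__ == "__main__":
    for name, pat in (("shipped", SHIPPED_PATTERN),
                      ("proposed", PROPOSED_PATTERN),
                      ("level only", LEVEL_ONLY_PATTERN)):
        print(f"{name:>10}: {summarize(SAMPLE_LOG, pat)}")
```

Running it shows the shipped regex sees only the old-format line, the proposed regex sees both NOTICE events, and the level-only variant still matches but captures the jail name as `" [sshd"` (leading space and bracket included), because a single `\s` leaves the padding to be swallowed by the lazy `(.*?)` group. That is the practical reason for the `+` in the report's second point: without it the per-jail summary would be keyed on a mangled name.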

Activities

rexbinary (reporter), 2020-08-02 19:50, note ~0037481

This issue seems to be resolved within the fail2ban service script of later versions of logwatch. Specifically I tested the file from version 7.5.4 of logwatch and the fix is present there.
ManuelWolfshant (manager), 2020-08-03 11:37, note ~0037483

RHEL and by matter of consequence CentOS do not ship fail2ban and on top of that RHEL 7 is in maintenance mode. So I can safely bet that the chances of having the script modified so as to include the proposed change are very very slim while the chances of including a newer version of logwatch are zero.
You can however attempt to bug RedHat by opening a RFE at bugzilla.redhat.com in the hope that they will include the change in RHEL 7.10 (7.9 beta was announced several months ago so the chances of including such a late change in 7.9 is below zero).

Issue History

Date Modified Username Field Change
2015-06-10 13:20 quintinbjacklin New Issue
2020-08-02 19:50 rexbinary Note Added: 0037481
2020-08-03 11:37 ManuelWolfshant Note Added: 0037483