
I've got nginx running and logging to systemd / journald.

How do I specify the source of the log to be from a systemd unit?

In man jail.conf I see the backends listed as:

       systemd
              uses  systemd  python library to access the systemd journal.
              Specifying logpath is not valid for this backend and instead
              utilises  journalmatch from the jails associated filter config.

And:

       journalmatch
              specifies  the systemd journal match used to filter the journal entries. See journalctl(1) and systemd.journal-fields(7) for matches syntax and
              more details on special journal fields. This option is only valid for the systemd backend.

So my attempt is based on the above:

[nginx-bots-123]
enabled = true
backend = systemd
journalmatch = CONTAINER_TAG=nginx
port = http,https
filter = nginx-botsearch
maxretry = 6

However it seems to show a blank journalmatch:

root@chris-travis-development:~# fail2ban-client -vvvvvv status nginx-bots-123
 +   72 7F47BAAD7740 fail2ban.configreader     INFO  |    configreader-20: read                 | Loading configs for fail2ban under /etc/fail2ban 
 +   72 7F47BAAD7740 fail2ban.configreader     DEBUG |    configreader-10: read                 | Reading configs for fail2ban under /etc/fail2ban 
 +   73 7F47BAAD7740 fail2ban.configreader     DEBUG |    configreader-10: read                 | Reading config files: /etc/fail2ban/fail2ban.conf, /etc/fail2ban/fail2ban.local
 +   74 7F47BAAD7740 fail2ban.configparserinc  INFO  | configparserinc-20: read                 |   Loading files: ['/etc/fail2ban/fail2ban.conf']
 +   76 7F47BAAD7740 fail2ban.configparserinc  TRACE | configparserinc-7 : read                 |     Reading file: /etc/fail2ban/fail2ban.conf
 +   77 7F47BAAD7740 fail2ban.configparserinc  INFO  | configparserinc-20: read                 |   Loading files: ['/etc/fail2ban/fail2ban.local']
 +   77 7F47BAAD7740 fail2ban.configparserinc  TRACE | configparserinc-7 : read                 |     Reading file: /etc/fail2ban/fail2ban.local
 +   77 7F47BAAD7740 fail2ban.configparserinc  INFO  | configparserinc-20: read                 |   Loading files: ['/etc/fail2ban/fail2ban.conf', '/etc/fail2ban/fail2ban.local']
 +   77 7F47BAAD7740 fail2ban.configparserinc  TRACE | configparserinc-7 : _getSharedSCPWI      |     Shared file: /etc/fail2ban/fail2ban.conf
 +   77 7F47BAAD7740 fail2ban.configparserinc  TRACE | configparserinc-7 : _getSharedSCPWI      |     Shared file: /etc/fail2ban/fail2ban.local
 +   78 7F47BAAD7740 fail2ban                  INFO  | fail2bancmdline-20: initCmdLine          | Using socket file /var/run/fail2ban/fail2ban.sock
 +   78 7F47BAAD7740 fail2ban                  INFO  | fail2bancmdline-20: initCmdLine          | Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
 +   78 7F47BAAD7740 fail2ban                  HEAVY |  fail2banclient-5 : __processCmd         | CMD: ['status', 'nginx-bots-123']
 +   79 7F47BAAD7740 fail2ban                  HEAVY |  fail2banclient-5 : __processCmd         | OK : [('Filter', [('Currently failed', 0), ('Total failed', 0), ('Journal matches', [''])]), ('Actions', [('Currently banned', 0), ('Total banned', 0), ('Banned IP list', [])])]
 +   79 7F47BAAD7740 fail2ban.beautifier       HEAVY |      beautifier-5 : beautify             | Beautify [('Filter', [('Currently failed', 0), ('Total failed', 0), ('Journal matches', [''])]), ('Actions', [('Currently banned', 0), ('Total banned', 0), ('Banned IP list', [])])] with ['status', 'nginx-bots-123']
Status for the jail: nginx-bots-123
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- Journal matches:  
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:   
 +   79 7F47BAAD7740 fail2ban                  DEBUG | fail2bancmdline-10: exit                 | Exit with code 0

While they do exist:

root@chris-travis-development:~# journalctl CONTAINER_TAG=nginx  --since "2 hour ago" | cat
-- Logs begin at Wed 2020-07-08 16:07:56 UTC, end at Thu 2020-08-13 15:54:43 UTC. --
Aug 13 13:57:49 chris-travis-development nginx[994]: 5.188.210.227 - - [13/Aug/2020:13:57:49 +0000] "\x05\x01\x00" 400 173 "-" "-"
Aug 13 13:58:44 chris-travis-development nginx[994]: 5.188.210.227 - - [13/Aug/2020:13:58:44 +0000] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 173 "-" "-"
Aug 13 14:00:41 chris-travis-development nginx[994]: 5.188.210.227 - - [13/Aug/2020:14:00:41 +0000] "GET http://5.188.210.227/echo.php HTTP/1.1" 301 185 "https://www.google.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"

What am I doing wrong? How do I get it correctly configured?


Here is a test that also seems to correctly show the presence of records:

root@chris-travis-development:~# fail2ban-regex --journalmatch='CONTAINER_TAG=nginx' systemd-journal "nginx-botsearch"

Running tests

Use   failregex filter file : nginx-botsearch, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use systemd journal
Use         encoding : UTF-8
Use    journal match : CONTAINER_TAG=nginx

Results

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 3050 lines, 0 ignored, 0 matched, 3050 missed [processed in 0.77 sec]

Missed line(s): too many to print. Use --print-all-missed to print all 3050 lines


Extra debugging with strace seems to show that the file isn't even read? Unless I'm mistaken.

root@chris-travis-development:~# strace fail2ban-client -vvvvvv status nginx-bots-123 2>&1 | grep nginx-bots.conf
root@chris-travis-development:~# strace fail2ban-client -vvvvvv status nginx-bots-123 2>&1 | grep nginx
execve("/usr/bin/fail2ban-client", ["fail2ban-client", "-vvvvvv", "status", "nginx-bots-123"], 0x7fff49c76428 /* 20 vars */) = 0
write(2, " +  172 7F3597063740 fail2ban   "..., 132 +  172 7F3597063740 fail2ban                  HEAVY |  fail2banclient-5 : __processCmd         | CMD: ['status', 'nginx-bots-123']
sendto(3, "\200\4\225\37\0\0\0\0\0\0\0]\224(\214\6status\224\214\16nginx-b"..., 59, 0, NULL, 0) = 59
write(2, " +  177 7F3597063740 fail2ban.be"..., 314 +  177 7F3597063740 fail2ban.beautifier       HEAVY |      beautifier-5 : beautify             | Beautify [('Filter', [('Currently failed', 0), ('Total failed', 0), ('Journal matches', [''])]), ('Actions', [('Currently banned', 0), ('Total banned', 0), ('Banned IP list', [])])] with ['status', 'nginx-bots-123']
write(1, "Status for the jail: nginx-bots-"..., 200Status for the jail: nginx-bots-123
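As an added example (not code from the original post or from fail2ban itself), here is a Python check that layers jail files the way fail2ban does and shows what a systemd-backend jail will send to the server; this is worth running against the files because fail2ban-client status only reports what the running server loaded at its last start or reload, which is why the strace above never shows a jail file being opened. The sample config strings are constructed from the jail in the question.

```python
"""Added example (not from the original post): layer fail2ban jail files as
fail2ban does and report what each systemd-backend jail sends to the server."""
import configparser
import io
import shlex

# Constructed sample: a minimal [DEFAULT] standing in for jail.conf, plus the
# poster's jail as it would appear in jail.local or jail.d/*.conf.
SAMPLE_JAIL_CONF = """[DEFAULT]
backend = auto
maxretry = 5
"""
SAMPLE_JAIL_LOCAL = """[nginx-bots-123]
enabled = true
backend = systemd
journalmatch = CONTAINER_TAG=nginx
port = http,https
filter = nginx-botsearch
maxretry = 6
"""

def load_layers(*texts):
    """Read config texts in precedence order; later files override earlier ones."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in texts:
        cp.read_file(io.StringIO(text))
    return cp

def journalmatch_commands(cp, jail):
    """One 'set <jail> addjournalmatch ...' command per journalmatch line,
    mirroring how fail2ban turns the jail option into server commands."""
    value = cp.get(jail, "journalmatch", fallback="")
    return [["set", jail, "addjournalmatch"] + shlex.split(line)
            for line in value.splitlines() if line.strip()]

def check_jails(cp):
    """Return {jail: findings} for each enabled jail that uses backend=systemd."""
    findings = {}
    for jail in cp.sections():
        if (not cp.getboolean(jail, "enabled", fallback=False)
                or cp.get(jail, "backend", fallback="auto") != "systemd"):
            continue
        notes = []
        if not journalmatch_commands(cp, jail):
            notes.append("no journalmatch in jail; the filter's [Init] must supply one")
        if cp.has_option(jail, "logpath"):
            notes.append("logpath is not valid for the systemd backend")
        findings[jail] = notes
    return findings
```

After editing jail files, fail2ban-client reload nginx-bots-123 makes the server pick them up, and fail2ban-client get nginx-bots-123 journalmatch then shows the effective matches.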

1 Answer


Try defining a logpath in your service file, e.g.:

StandardOutput=file:/var/log/flume-ng/log1.log
StandardError=file:/var/log/flume-ng/log2.log

Reference:

https://unix.stackexchange.com/questions/321709/redirect-systemd-service-logs-to-file

And make jail.conf read the log file that is saved in the path defined in the previous service.