Hello,
I have an Ubuntu 22.04 server with logwatch installed. It does not pull in any information from the fail2ban logs. When I run the command/service as a standalone against logwatch, it produces no output.
Debug output:
ReadConfigFile: Read Line: ###########################################################################
ReadConfigFile: Read Line:
ReadConfigFile: Read Line: # You can put comments anywhere you want to. They are effective for the
ReadConfigFile: Read Line: # rest of the line.
ReadConfigFile: Read Line:
ReadConfigFile: Read Line: # this is in the format of <name> = <value>. Whitespace at the beginning
ReadConfigFile: Read Line: # and end of the lines is removed. Whitespace before and after the = sign
ReadConfigFile: Read Line: # is removed. Everything is case *insensitive*.
ReadConfigFile: Read Line:
ReadConfigFile: Read Line: # Yes = True = On = 1
ReadConfigFile: Read Line: # No = False = Off = 0
ReadConfigFile: Read Line:
ReadConfigFile: Read Line:
ReadConfigFile: Read Line: *ApplyEuroDate
ReadConfigFile: Name=*ApplyEuroDate, Value=
ReadConfigFile: Read Line:
ReadConfigFile: Read Line:
ReadConfigFile: Read Line: LogFile = fail2ban.log
ReadConfigFile: Name=LogFile, Value=fail2ban.log
ReadConfigFile: Read Line:
ReadConfigFile: Read Line: Archive = fail2ban.log.1
ReadConfigFile: Name=Archive, Value=fail2ban.log.1
ReadConfigFile: Read Line: Archive = fail2ban.log.*.gz
ReadConfigFile: Name=Archive, Value=fail2ban.log.*.gz
ReadConfigFile: Read Line: Archive = fail2ban.log-*
ReadConfigFile: Name=Archive, Value=fail2ban.log-*
ReadConfigFile: Read Line:
[0] = afpd
[1] = amavis
[2] = arpwatch
[3] = audit
[4] = automount
[5] = autorpm
[6] = barracuda
[7] = bfd
[8] = cisco
[9] = citadel
[10] = clam-update
[11] = clamav
[12] = clamav-milter
[13] = courier
[14] = cron
[15] = denyhosts
[16] = dhcpd
[17] = dirsrv
[18] = dnf-rpm
[19] = dnssec
[20] = dovecot
[21] = dpkg
[22] = emerge
[23] = evtapplication
[24] = evtsecurity
[25] = evtsystem
[26] = exim
[27] = eximstats
[28] = extreme-networks
[29] = fail2ban
[30] = fetchmail
[31] = freeradius
[32] = ftpd-messages
[33] = ftpd-xferlog
[34] = http
[35] = http-error
[36] = identd
[37] = imapd
[38] = in.qpopper
[39] = init
[40] = ipop3d
[41] = iptables
[42] = kernel
[43] = knockd
[44] = lvm
[45] = mailscanner
[46] = mdadm
[47] = mod_security2
[48] = modprobe
[49] = mountd
[50] = mysql
[51] = mysql-mmm
[52] = named
[53] = netopia
[54] = netscreen
[55] = oidentd
[56] = omsa
[57] = openvpn
[58] = pam
[59] = pam_pwdb
[60] = pam_unix
[61] = php
[62] = pix
[63] = pluto
[64] = pop3
[65] = portsentry
[66] = postfix
[67] = postgresql
[68] = pound
[69] = proftpd-messages
[70] = puppet
[71] = pureftpd
[72] = qmail
[73] = qmail-pop3d
[74] = qmail-pop3ds
[75] = qmail-send
[76] = qmail-smtpd
[77] = raid
[78] = resolver
[79] = rsnapshot
[80] = rsyslogd
[81] = rt314
[82] = samba
[83] = saslauthd
[84] = scsi
[85] = secure
[86] = sendmail
[87] = sendmail-largeboxes
[88] = shaperd
[89] = slon
[90] = smartd
[91] = sonicwall
[92] = spamassassin
[93] = sshd
[94] = sshd2
[95] = sssd
[96] = stunnel
[97] = sudo
[98] = syslog-ng
[99] = syslogd
[100] = systemd
[101] = tac_acc
[102] = tivoli-smc
[103] = up2date
[104] = vdr
[105] = vpopmail
[106] = vsftpd
[107] = windows
[108] = xntpd
[109] = yum
[110] = zypp
[111] = zz-disk_space
[112] = zz-lm_sensors
[113] = zz-network
[114] = zz-runtime
[115] = zz-sys
[116] = zz-zfs
All Log Files:
[0] = kernel
[1] = windows
[2] = audit_log
[3] = spamassassin
[4] = citadel
[5] = dovecot
[6] = qmail-smtpd-current
[7] = rsnapshot
[8] = vsftpd
[9] = http
[10] = eventlog
[11] = secure
[12] = syslog
[13] = rt314
[14] = clamav
[15] = extreme-networks
[16] = autorpm
[17] = http-error
[18] = clam-update
[19] = pix
[20] = qmail-pop3d-current
[21] = dnssec
[22] = maillog
[23] = tac_acc
[24] = tivoli-smc
[25] = resolver
[26] = iptables
[27] = cron
[28] = samba
[29] = dnf-rpm
[30] = denyhosts
[31] = yum
[32] = dpkg
[33] = up2date
[34] = pureftp
[35] = emerge
[36] = sonicwall
[37] = qmail-pop3ds-current
[38] = fail2ban
[39] = exim
[40] = bfd
[41] = cisco
[42] = freeradius
[43] = dirsrv
[44] = qmail-send-current
[45] = netscreen
[46] = vdr
[47] = xferlog
[48] = messages
[49] = daemon
[50] = postgresql
[51] = mysql
[52] = zypp
[53] = netopia
[54] = php
[55] = mysql-mmm
All Shared:
[0] = applyeurodate
[1] = applybinddate
[2] = eventlogremoveservice
[3] = hostlist
[4] = applyusdate
[5] = applytaidate
[6] = removeheaders
[7] = onlycontains
[8] = removeservice
[9] = journalctl
[10] = onlyservice
[11] = hosthash
[12] = onlyhost
[13] = multiservice
[14] = remove
[15] = expandrepeats
[16] = eventlogonlyservice
[17] = applyhttpdate
[18] = applystddate
Service Name: fail2ban
000-*onlycontains = fail2ban([^-]|).*\[[0-9]+\]
Logfile = fail2ban
Logfile = messages
Services that will be processed:
[0] = fail2ban
LogFiles that will be processed:
[0] = fail2ban
[1] = messages
Made Temp Dir: /var/cache/logwatch/logwatch.uSb4eXT6 with tempdir
export LOGWATCH_DATE_RANGE='yesterday'
export LOGWATCH_GLOBAL_DETAIL='5'
export LOGWATCH_OUTPUT_TYPE='stdout'
export LOGWATCH_FORMAT_TYPE='text'
export LOGWATCH_TEMP_DIR='/var/cache/logwatch/logwatch.uSb4eXT6/'
export LOGWATCH_DEBUG='10'
Preprocessing LogFile: fail2ban
cat '/var/cache/logwatch/logwatch.uSb4eXT6/fail2ban-archive' '/var/log/fail2ban.log' | /usr/bin/perl /usr/share/logwatch/scripts/shared/applyeurodate ''>/var/cache/logwatch/logwatch.uSb4eXT6/fail2ban
TimeFilter: Period is day
TimeFilter: SearchDate is (2023-11-05 ..:..:..(,...)? )
TimeFilter: Debug SearchDate is (2023-11-05 (, )? )
DEBUG: Inside ApplyEuroDate...
DEBUG: Looking For: (2023-11-05 ..:..:..(,...)? )
export LOGWATCH_LOGFILE_LIST='/var/log/fail2ban.log '
export LOGWATCH_ARCHIVE_LIST='/var/log/fail2ban.log.1 /var/log/fail2ban.log.2.gz /var/log/fail2ban.log.3.gz /var/log/fail2ban.log.4.gz '
Portion of fail2ban log:
Nov 6 20:46:41 huginn fail2ban.filter[394947]: INFO [sshd-invaliduser] Found 43.156.108.56 - 2023-11-06 20:46:41
Nov 6 20:46:41 huginn fail2ban.actions[394947]: NOTICE [sshd-invaliduser] Ban 43.156.108.56
Nov 6 20:46:42 huginn fail2ban.filter[394947]: INFO [sshd] Found 43.156.108.56 - 2023-11-06 20:46:41
Nov 6 20:50:37 huginn fail2ban.actions[394947]: NOTICE [sshd] Unban 121.176.206.51
Nov 6 20:50:37 huginn fail2ban.actions[394947]: NOTICE [sshd-invaliduser] Unban 121.176.206.51
Nov 6 20:54:40 huginn fail2ban.filter[394947]: INFO [postfix] Found 124.89.116.178 - 2023-11-06 20:54:40
Nov 6 20:54:42 huginn fail2ban.filter[394947]: INFO [postfix] Found 124.89.116.178 - 2023-11-06 20:54:41
Nov 6 20:54:51 huginn fail2ban.filter[394947]: INFO [postfix] Found 201.175.123.44 - 2023-11-06 20:54:51
Nov 6 20:54:51 huginn fail2ban.filter[394947]: INFO [postfix] Found 201.175.123.44 - 2023-11-06 20:54:51
Nov 6 21:05:33 huginn fail2ban.actions[394947]: NOTICE [nginx-xmlrpc] Unban 192.42.116.208
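Added example, not part of the original post: a shell check that applies the pattern from the "Looking For:" debug line to sample log lines, to show how many lines a start-of-line date filter would keep. The sample lines are constructed (modelled on the excerpt above, with documentation-range IPs); the start-of-line anchor and the syslog-style pattern are assumptions.

```shell
#!/bin/sh
# Constructed sample: three syslog-style lines modelled on the post's excerpt
# (two moved to 2023-11-05, the day the debug run searched for) and one line
# in the ISO-style layout that the logged search pattern expects.
sample_log() {
cat <<'EOF'
Nov  5 20:46:41 huginn fail2ban.filter[394947]: INFO [sshd] Found 192.0.2.10 - 2023-11-05 20:46:41
Nov  5 20:46:41 huginn fail2ban.actions[394947]: NOTICE [sshd] Ban 192.0.2.10
Nov  6 20:50:37 huginn fail2ban.actions[394947]: NOTICE [sshd] Unban 192.0.2.10
2023-11-05 20:46:41,123 fail2ban.actions [394947]: NOTICE [sshd] Ban 192.0.2.10
EOF
}

# Pattern copied from the "Looking For:" line of the debug output.
ISO_PATTERN='(2023-11-05 ..:..:..(,...)? )'
# Assumed syslog-style pattern for the same day (not taken from the debug output).
SYSLOG_PATTERN='Nov +5 ..:..:.. '

# Read log lines on stdin and print how many start with a timestamp matching
# the given pattern. Anchoring at the start of the line is an assumption about
# how the date filter is applied. grep -c prints 0 and exits 1 on no match,
# hence the "|| true".
count_kept() {
    grep -E -c -- "^$1" || true
}

# Syslog-style lines only, as in the post's excerpt: the ISO pattern keeps none.
printf 'ISO pattern, syslog-style lines only: %s kept\n' \
    "$(sample_log | grep '^Nov' | count_kept "$ISO_PATTERN")"
# Whole sample: only the ISO-style line survives the ISO pattern.
printf 'ISO pattern, whole sample:            %s kept\n' \
    "$(sample_log | count_kept "$ISO_PATTERN")"
# The syslog-style pattern keeps the two Nov 5 lines and drops the Nov 6 line.
printf 'Syslog pattern, whole sample:         %s kept\n' \
    "$(sample_log | count_kept "$SYSLOG_PATTERN")"
```

Running the same `grep -E -c` against the real `/var/log/fail2ban.log` with the pattern from the debug output shows whether any line reaches the fail2ban service script. The "All Shared" list above includes `applystddate` alongside `applyeurodate`, so the date filter is selectable per log file.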