
I've installed fail2ban 0.10.5-2.el7 from EPEL on CentOS 7.8. I'm trying to get it to work with systemd for processing a Tomcat log (also systemd).

In jail.local I added:

[guacamole]
enabled = true
port     = http,https
backend = systemd

In filter.d/guacamole.conf:

[Definition]
failregex = Authentication attempt from <HOST> for user "[^"]*" failed\.$
ignoreregex =
journalmatch = _SYSTEMD_UNIT=tomcat.service + _COMM=java

If I run journalctl -u tomcat.service I see all the log lines. The ones I am interested in look like this:

May 18 13:58:26 myhost catalina.sh[42065]: 13:58:26.485 [http-nio-8080-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 1.2.3.4 for user "test" failed.

If I redirect journalctl -u tomcat.service to a log file, and process it with fail2ban-regex then it works exactly the way I want it to work, finding all the lines it needs.

% fail2ban-regex /tmp/j9 /etc/fail2ban/filter.d/guacamole.conf

Running tests
=============

Use   failregex filter file : guacamole, basedir: /etc/fail2ban
Use         log file : /tmp/j9
Use         encoding : UTF-8


Results
=======

Failregex: 47 total
|-  #) [# of hits] regular expression
|   1) [47] Authentication attempt from <HOST> for user "[^"]*" failed\.$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
|  [570] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 571 lines, 0 ignored, 47 matched, 524 missed
[processed in 0.12 sec]


However, if fail2ban reads the journal directly then it does not work:

fail2ban-regex systemd-journal /etc/fail2ban/filter.d/guacamole.conf

It comes back right away, and processes 0 lines!

Running tests
=============

Use   failregex filter file : guacamole, basedir: /etc/fail2ban
Use         systemd journal
Use         encoding : UTF-8
Use    journal match : _SYSTEMD_UNIT=tomcat.service + _COMM=java


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Lines: 0 lines, 0 ignored, 0 matched, 0 missed
[processed in 0.00 sec]

I've tried to remove _COMM=java. It doesn't make a difference.

If I leave out the journal match line altogether, it at least processes all the lines from the journal, but does not find any matches (even though, as I mentioned, it processes a dump of the log file fine):

Running tests
=============

Use   failregex filter file : guacamole, basedir: /etc/fail2ban
Use         systemd journal
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Lines: 202271 lines, 0 ignored, 0 matched, 202271 missed
[processed in 34.54 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 202271 lines

Either this is a bug, or I'm missing a small detail.

Thanks for any help you can provide.

Jason K

1 Answer

To make sure the filter definition is properly initialised, it would be good to include the common definition. Your filter definition (/etc/fail2ban/filter.d/guacamole.conf) would therefore look like:

[INCLUDES]

before = common.conf

[Definition]

journalmatch = _SYSTEMD_UNIT='tomcat.service'

failregex = Authentication attempt from <HOST> for user "[^"]*" failed\.$

ignoreregex =

A small note, given that your issue only occurs with systemd but not with flat files: could you try the same pattern without $ at the end? Maybe there is an issue with the end of line when printed to the journal?

In your jail definition (/etc/fail2ban/jail.d/guacamole.conf), remember to define the ban time/find time/retries if they haven't already been defined in the default configuration:

[guacamole]
enabled  = true
port     = http,https
maxretry = 3
findtime = 1h
bantime  = 1d

# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
backend = systemd

Remember to restart the fail2ban service after doing such changes.

Paul Podgorsek
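One way to check the anchoring hypothesis raised in the answer offline, as an added example that is not from the question or the answer: run the page's failregex, with and without the trailing $, against constructed messages shaped like the journal MESSAGE field and like the journalctl dump line. The <HOST> expansion below is a simplified stand-in, not fail2ban's own.

```python
import re

# The failregex from the filter on this page, with fail2ban's <HOST> tag.
FAILREGEX = r'Authentication attempt from <HOST> for user "[^"]*" failed\.$'

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: fail2ban's
# real pattern also covers IPv6 and more hostname forms).
HOST_RE = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9][A-Za-z0-9.-]*)'


def compile_failregex(pattern, anchored=True):
    """Expand <HOST> and compile; optionally drop the trailing $ anchor."""
    if not anchored and pattern.endswith('$'):
        pattern = pattern[:-1]
    return re.compile(pattern.replace('<HOST>', HOST_RE))


def extract_host(regex, message):
    """Return the host the regex captures, or None when the line is missed."""
    m = regex.search(message)
    return m.group('host') if m else None


# Constructed samples, not real journal data. BODY is how the message body
# appears in the journal's MESSAGE field (no syslog prefix); the other entries
# add a stray carriage return, the journalctl dump prefix, or a non-failure.
BODY = ('13:58:26.485 [http-nio-8080-exec-6] WARN  '
        'o.a.g.r.auth.AuthenticationService - '
        'Authentication attempt from 1.2.3.4 for user "test" failed.')
SAMPLES = {
    'journal_message': BODY,
    'journal_message_cr': BODY + '\r',
    'journalctl_dump': 'May 18 13:58:26 myhost catalina.sh[42065]: ' + BODY,
    'unrelated': BODY.replace('failed.', 'succeeded.'),
}


def compare_anchoring(samples=SAMPLES):
    """Map each sample name to (host with $ anchor, host without $ anchor)."""
    anchored = compile_failregex(FAILREGEX, anchored=True)
    loose = compile_failregex(FAILREGEX, anchored=False)
    return {name: (extract_host(anchored, msg), extract_host(loose, msg))
            for name, msg in samples.items()}


if __name__ == '__main__':
    for name, result in compare_anchoring().items():
        print(f'{name:20s} anchored={result[0]!r:12s} loose={result[1]!r}')
```

Replacing SAMPLES with the exact MESSAGE strings from the journal (for example from journalctl -u tomcat.service -o cat) shows whether the anchor or the message content is what differs between the two backends.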