30

How can I configure multiple logpaths for the same rule?

I'm trying to write a syntax like this:

[apache-w00tw00t]
enabled  = true
filter   = apache-w00tw00t
action   = iptables-allports
logpath  = /var/log/apache*/*error.log 
logpath  = /var/www/vhosts/site1.com/log/errorlog 
logpath  = /var/www/vhosts/site1.com/subdom/log/errorlog
logpath  = /var/www/vhosts/site3/log/errorlog
logpath  = /var/www/vhosts/site4/log/errorlog
maxretry = 1

The paths are all different, so I cannot use the RE *.

What is the correct syntax to put more logs to a rule?

Chris S
Max121

1 Answer

31

I tried using the same syntax and got no errors when launching fail2ban. Try this in your jail.conf, and if it nevertheless doesn't work, you can easily split your rule into several rules with a single logpath each, e.g.:

[apache-w00tw00t-1]
enabled  = true
filter   = apache-w00tw00t
action   = iptables-allports
logpath  = /var/log/apache*/*error.log 
maxretry = 1

[apache-w00tw00t-2]
enabled  = true
filter   = apache-w00tw00t
action   = iptables-allports
logpath  = /var/www/vhosts/site1.com/log/errorlog 
maxretry = 1

etc.

This should finally work:

[apache-w00tw00t]
enabled  = true
filter   = apache-w00tw00t
action   = iptables-allports
logpath  = /var/www/vhosts/site1.com/log/errorlog
           /var/log/apache*/*error.log
           /var/www/vhosts/site1.com/subdom/log/errorlog
           /var/www/vhosts/site3/log/errorlog
           /var/www/vhosts/site4/log/errorlog  
maxretry = 1

You can consult http://centoshelp.org/security/fail2ban/ for information.

Meriadoc Brandybuck
  • My code does not show errors, but does not work as expected. Fail2ban sees only one log rule. Your solution is that for every rule I have to create a file in /filter.d? Example: [apache-w00tw00t-1] /etc/fail2ban/filter.d/apache-w00tw00t-1.conf, [apache-w00tw00t-2] /etc/fail2ban/filter.d/apache-w00tw00t-2.conf, etc. – Max121 Mar 09 '13 at 22:04
  • Yes, I mean that. – Meriadoc Brandybuck Mar 09 '13 at 22:05
  • If you mean this, it is interesting, but I think it is not the best solution; it would create many duplicates with the same rules. I think there is a more elegant solution to merge multiple logs into a rule. In any case, thank you for the collaboration. – Max121 Mar 09 '13 at 22:12
  • Please check my edits in my answer above. Looking forward to your results. – Meriadoc Brandybuck Mar 09 '13 at 22:22
  • Perfect!!!! Great job :) – Max121 Mar 10 '13 at 13:42
  • 4
    The 2nd part of your answer works perfectly if you give "tab" spacing for the extra logs. If there is no "tab", fail2ban throws an error. – Hashid Hameed May 25 '16 at 05:23
  • Multiple line separation does not work on CentOS 7. – e-info128 Aug 06 '19 at 04:39
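
Why the three variants in this thread behave differently, shown with Python's standard `configparser` (an added example, not part of the original posts and not fail2ban's own code). It assumes fail2ban's jail reader follows the same INI rules for repeated keys and indented continuation lines; the jail snippets are constructed from the ones above.

```python
import configparser

# Constructed jail snippets modelled on the three variants discussed above.
REPEATED_KEY = """\
[apache-w00tw00t]
filter   = apache-w00tw00t
logpath  = /var/log/apache*/*error.log
logpath  = /var/www/vhosts/site1.com/log/errorlog
logpath  = /var/www/vhosts/site3/log/errorlog
"""

INDENTED = """\
[apache-w00tw00t]
filter   = apache-w00tw00t
logpath  = /var/log/apache*/*error.log
\t/var/www/vhosts/site1.com/log/errorlog
           /var/www/vhosts/site3/log/errorlog
maxretry = 1
"""

UNINDENTED = """\
[apache-w00tw00t]
logpath  = /var/log/apache*/*error.log
/var/www/vhosts/site1.com/log/errorlog
"""

def logpaths(text, jail="apache-w00tw00t"):
    """Return the list of log paths an INI parser sees for one jail."""
    # strict=False: a repeated key silently overwrites the earlier one
    # (assumption: this mirrors the "sees only one log" symptom above).
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(text)
    # A continued value arrives as one string with embedded newlines.
    raw = parser.get(jail, "logpath")
    return [p.strip() for p in raw.splitlines() if p.strip()]

def check(text):
    """Parse a snippet; report the paths found or why it was rejected."""
    try:
        return logpaths(text)
    except configparser.ParsingError as exc:
        return "rejected: " + type(exc).__name__

if __name__ == "__main__":
    cases = [("repeated key", REPEATED_KEY), ("indented", INDENTED),
             ("unindented", UNINDENTED)]
    for name, text in cases:
        print(f"{name:13} -> {check(text)}")
```

On a live system, `fail2ban-client status apache-w00tw00t` lists the files the jail is actually monitoring, which confirms whether every path was picked up.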