
Does fail2ban continue to monitor rotated log files?

For example, I have a rule monitoring /var/log/fail2ban.log which is automatically rotated by the system every week (7 days). I want to have a rule that monitors for banned IPs in that log to find repeat offenders that have been banned 5 times in the last 10 days. Is that possible?

J. Chin

3 Answers

One can specify multiple logs in one of two ways (or a combination). You can use file globs (wildcards) to match log files to monitor (i.e. `logpath = /var/log/*somefile.log`) or a list of logfiles to monitor, separated by whitespace (spaces, tabs, newlines) such as

    logpath = /var/log/auth.log /var/log/auth.log.1

or

    logpath = /var/log/auth.log
              /var/log/auth.log.1

Troy Morehouse
  • So basically fail2ban can't detect new logfiles? I have it set to monitor something-*.log where a new file gets created with the new date (such as something-20200101.log) and fail2ban won't detect it. Are there any alternatives to fail2ban (because I don't think this is acceptable)? – dan Jan 09 '20 at 03:45

The above accepted answer is incorrect with regards to your question. FileContainer only uses file log rotation detection to reset log reading back to the start of the file instead of the standard procedure of continuing from the last offset:

    class FileContainer:
        ...
        def open(self):
            self.__handler = open(self.__filename, 'rb')
            ...
            # Compare hash and inode
            if self.__hash != myHash or self.__ino != stats.st_ino:
                logSys.info("Log rotation detected for %s" % self.__filename)
                self.__hash = myHash
                self.__ino = stats.st_ino
                self.__pos = 0
            # Sets the file pointer to the last position.
            self.__handler.seek(self.__pos)

There is no code in there that goes looking for rotated files to also parse through.

  • One can specify multiple logs in one of two ways (or a combination). You can use file globs (wildcards) to match log files to monitor (i.e. `logpath = /var/log/*somefile.log`) or a list of logfiles to monitor, separated by whitespace (spaces, tabs, newlines) such as `logpath = /var/log/auth.log /var/log/auth.log.1`. – Troy Morehouse Dec 29 '15 at 20:02
  • @Troy, you've got the answer, it would be good for you to write an actual answer so we can give you a +1. – Alexis Wilke Mar 10 '17 at 03:26
  • @AlexisWilke, per your suggestion I have added an answer – Troy Morehouse Mar 10 '17 at 14:19
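As an added example (not code from the question, the answers, or fail2ban itself), the following Python mirrors the first-line-hash plus inode check quoted in the answer above, rotates a constructed fail2ban.log the way logrotate does (rename to `.1`, start a fresh file), and then expands a whitespace-separated `logpath` value with globs the way the earlier answer describes. The class and function names (`RotationAwareReader`, `expand_logpath`, `count_bans`, `simulate`) are hypothetical, the log lines are constructed, `BAN_RE` is a simplified stand-in for the recidive filter's failregex, and expanding the glob once at setup is this example's own assumption rather than a statement about fail2ban.

```python
import collections
import glob
import hashlib
import os
import re
import tempfile

# Simplified match for the "Ban <ip>" line fail2ban writes to its own log;
# the real recidive filter's failregex is stricter.  Constructed for this example.
BAN_RE = re.compile(r"NOTICE\s+\[[^\]]+\]\s+Ban\s+(\S+)")


class RotationAwareReader:
    """Incremental reader for one file that uses the two rotation signals from
    the quoted FileContainer: an MD5 of the first line and the inode.  When
    either changes, the offset goes back to 0.  Nothing here opens a rotated
    sibling such as <name>.1.  Hypothetical class, not fail2ban's own code."""

    def __init__(self, path):
        self.path = path
        self.pos = 0
        self.first_line_hash = None
        self.inode = None
        self.rotations = 0  # rotations detected after the first open

    def read_new_lines(self):
        with open(self.path, "rb") as fh:
            stats = os.fstat(fh.fileno())
            my_hash = hashlib.md5(fh.readline()).hexdigest()
            if self.first_line_hash != my_hash or self.inode != stats.st_ino:
                if self.inode is not None:
                    self.rotations += 1
                self.first_line_hash = my_hash
                self.inode = stats.st_ino
                self.pos = 0          # start over, as the quoted code does
            fh.seek(self.pos)
            data = fh.read()
            self.pos = fh.tell()
        return data.decode().splitlines()


def expand_logpath(setting, workdir):
    """Expand a whitespace-separated logpath value (globs and/or a list) the
    way the answer above describes.  Expansion happens once, here; a file that
    appears later is not picked up (this example's assumption)."""
    names = []
    for pattern in setting.split():
        names.extend(sorted(glob.glob(os.path.join(workdir, pattern))))
    return [os.path.basename(p) for p in names]


def count_bans(paths):
    """Count 'Ban <ip>' lines per IP across every file given, i.e. what a jail
    that lists both the live and the rotated log would get to see."""
    counts = collections.Counter()
    for path in paths:
        with open(path) as fh:
            for line in fh:
                m = BAN_RE.search(line)
                if m:
                    counts[m.group(1)] += 1
    return counts


def simulate(workdir):
    """Write a log, read it, rotate it like logrotate (rename to .1, create a
    fresh file), read again.  Log lines are constructed, not real bans."""
    log = os.path.join(workdir, "fail2ban.log")
    ts = "2020-01-%02d 10:00:01,000 fail2ban.actions [123]: NOTICE [sshd] Ban %s"
    with open(log, "w") as fh:
        fh.write(ts % (8, "192.0.2.10") + "\n" + ts % (8, "192.0.2.11") + "\n")
    reader = RotationAwareReader(log)
    before = reader.read_new_lines()
    os.rename(log, log + ".1")              # logrotate's move
    with open(log, "w") as fh:
        fh.write(ts % (9, "192.0.2.10") + "\n")
    after = reader.read_new_lines()         # rotation detected, read from 0
    with open(log + ".1", "a") as fh:       # late write to the rotated copy
        fh.write(ts % (9, "192.0.2.12") + "\n")
    late = reader.read_new_lines()          # nothing: .1 is never opened
    both = expand_logpath("fail2ban.log fail2ban.log.1", workdir)
    return {
        "before": before, "after": after, "late": late,
        "rotations": reader.rotations,
        "one_file": expand_logpath("fail2ban.log", workdir),
        "glob": expand_logpath("fail2ban.log*", workdir),
        "bans": count_bans([os.path.join(workdir, n) for n in both]),
    }


def main():
    with tempfile.TemporaryDirectory() as workdir:
        return simulate(workdir)


if __name__ == "__main__":
    for key, value in main().items():
        print(key, value)
```

Run it and `late` comes back empty: the line appended to `fail2ban.log.1` after the rename is invisible to a reader that only ever opens `fail2ban.log`, which is the point made in the answer above. Listing both files (or a glob that matches both) is what makes `count_bans` see every ban for an address, which is what the repeat-offender count in the question depends on.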

Yes, fail2ban continues to monitor rotated log files. From server/filter.py:

    ##
    # FileContainer class.
    #
    # This class manages a file handler and takes care of log rotation detection.
    # In order to detect log rotation, the hash (MD5) of the first line of the file
    # is computed and compared to the previous hash of this line.

Brian Neal
Mark Wagner
    That comment has nothing to do with whether the _recidive_ ban will work. I don't think (I'm pretty sure) that `fail2ban` does not read but the current file. The log rotation detect allows `fail2ban` to know that the file changed, not to read the `.1`, `.2.gz`, etc. files that may also be in that folder. – Alexis Wilke Mar 10 '17 at 03:24