i am trying to get a regex for an ical service on my host working without success. This is a part of the logfile:

Tue Jul 23 13:55:23 2019: ical|T720] [info   ] Accepted connection from [::ffff:]:56450
Tue Jul 23 13:55:23 2019: [net/[::ffff:5.6|T5234] [error  ] HrLogon server "http://localhost:123/" user "Admin": logon failed   
Tue Jul 23 13:55:23 2019: [net/[::ffff:5.6|T5234] [warning] Login failed (0x80040111 logon failed), resending authentication request   
Tue Jul 23 13:55:23 2019: [net/[::ffff:5.6|T5234] [notice ] [::ffff:]:56450 - Admin [23/Jul/2019:13:55:23 +0200] "GET / HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"   
Tue Jul 23 13:55:23 2019: [net/[::ffff:5.6|T5234] [info   ] Connection closed

This is the part of the log file and i tried already different things to get this into a filter. The important parts are "Login failed" and in the next line the part with the IP. But how can i get this working? Any help would be great!!!

Thanks in advance


Actual configs looking like: ical.conf:

before = common.conf


failregex = ^*Login failed\n^.*\[notice \] \[::ffff:<HOST>\]$

ignoreregex =
maxlines = 2

and the jail conf:


enabled = false
port = 8443
filter = kopano-ical
logpath = /var/log/ical.log
maxtetry = 3
bantime = 3600
  • 3
  • 2
  • Welcome to Server Fault! What are the "different things" you have tried? What did you expect to happen? What happened instead? What does your config look like? – Jenny D Jul 24 '19 at 08:54
  • Hi Jenny, thanks for your answer. The purpose is that the ip is beeing banned as in the config: `[ical] enabled = false port = 8443 filter = ical logpath = /var/log/ical.log maxtetry = 3 bantime = 3600` The filter conf looks like this: `[INCLUDES] before = common.conf [Definition] failregex = ^*Login failed\n^.*\[notice \] \[::ffff:\]$ ignoreregex = [Init] maxlines = 2` – icey Jul 24 '19 at 08:55
  • It's very hard to read the config when it's in a comment - please instead click the "edit" link below the question, and add the config there. Then use the `{}` button to format it as code, so it will be easier to read. – Jenny D Jul 24 '19 at 08:59
  • hope it is better now, sorry for the trouble.. i tried around with several expression variants but i am not able to get the expression written that it finds the correct part in the log file. – icey Jul 24 '19 at 09:12

1 Answers1


I believe your regex is not correct. You're missing dot (.) at the beginning right after ^, .* before \n and since you used $ and the end you need to put .* before $, ] is not the last character.

failregex = ^.*Login failed.*\n^.*\[notice \] \[::ffff:<HOST>\].*$
  • 578
  • 1
  • 7
  • 25