How do I tell a fail2ban filter/jail that its log source is systemd/journald?

Chr*_*ski 5 fail2ban systemd journald

I already run nginx and it logs to systemd/journald.


How do I specify a log source that comes from a systemd unit?


In man jail.conf I see the backend listed as:

    systemd
           uses systemd python library to access the systemd journal.
           Specifying logpath is not valid for this backend and instead
           utilises journalmatch from the jails associated filter config.

and:

    journalmatch
           specifies the systemd journal match used to filter the journal entries. See journalctl(1) and systemd.journal-fields(7) for matches syntax and
           more details on special journal fields. This option is only valid for the systemd backend.

So my attempt, based on the above, is:

    [nginx-bots-123]

    enabled  = true
    backend = systemd
    journalmatch = CONTAINER_TAG=nginx
    port     = http,https
    filter   = nginx-botsearch
    maxretry = 6

However, it seems to show a blank journal match:

    root@chris-travis-development:~# fail2ban-client -vvvvvv status nginx-bots-123
     +   72 7F47BAAD7740 fail2ban.configreader     INFO  |    configreader-20: read                 | Loading configs for fail2ban under /etc/fail2ban
     +   72 7F47BAAD7740 fail2ban.configreader     DEBUG |    configreader-10: read                 | Reading configs for fail2ban under /etc/fail2ban
     +   73 7F47BAAD7740 fail2ban.configreader     DEBUG |    configreader-10: read                 | Reading config files: /etc/fail2ban/fail2ban.conf, /etc/fail2ban/fail2ban.local
     +   74 7F47BAAD7740 fail2ban.configparserinc  INFO  | configparserinc-20: read                 |   Loading files: ['/etc/fail2ban/fail2ban.conf']
     +   76 7F47BAAD7740 fail2ban.configparserinc  TRACE | configparserinc-7 : read                 |     Reading file: /etc/fail2ban/fail2ban.conf
     +   77 7F47BAAD7740 fail2ban.configparserinc  INFO  | configparserinc-20: read                 |   Loading files: ['/etc/fail2ban/fail2ban.local']
     +   77 7F47BAAD7740 fail2ban.configparserinc  TRACE | configparserinc-7 : read                 |     Reading file: /etc/fail2ban/fail2ban.local
     +   77 7F47BAAD7740 fail2ban.configparserinc  INFO  | configparserinc-20: read                 |   Loading files: ['/etc/fail2ban/fail2ban.conf', '/etc/fail2ban/fail2ban.local']
     +   77 7F47BAAD7740 fail2ban.configparserinc  TRACE | configparserinc-7 : _getSharedSCPWI      |     Shared file: /etc/fail2ban/fail2ban.conf
     +   77 7F47BAAD7740 fail2ban.configparserinc  TRACE | configparserinc-7 : _getSharedSCPWI      |     Shared file: /etc/fail2ban/fail2ban.local
     +   78 7F47BAAD7740 fail2ban                  INFO  | fail2bancmdline-20: initCmdLine          | Using socket file /var/run/fail2ban/fail2ban.sock
     +   78 7F47BAAD7740 fail2ban                  INFO  | fail2bancmdline-20: initCmdLine          | Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
     +   78 7F47BAAD7740 fail2ban                  HEAVY |  fail2banclient-5 : __processCmd         | CMD: ['status', 'nginx-bots-123']
     +   79 7F47BAAD7740 fail2ban                  HEAVY |  fail2banclient-5 : __processCmd         | OK : [('Filter', [('Currently failed', 0), ('Total failed', 0), ('Journal matches', [''])]), ('Actions', [('Currently banned', 0), ('Total banned', 0), ('Banned IP list', [])])]
     +   79 7F47BAAD7740 fail2ban.beautifier       HEAVY |      beautifier-5 : beautify             | Beautify [('Filter', [('Currently failed', 0), ('Total failed', 0), ('Journal matches', [''])]), ('Actions', [('Currently banned', 0), ('Total banned', 0), ('Banned IP list', [])])] with ['status', 'nginx-bots-123']
    Status for the jail: nginx-bots-123
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed: 0
    |  `- Journal matches:
    `- Actions
       |- Currently banned: 0
       |- Total banned: 0
       `- Banned IP list:
     +   79 7F47BAAD7740 fail2ban                  DEBUG | fail2bancmdline-10: exit                 | Exit with code 0

even though they do exist:

    root@chris-travis-development:~# journalctl CONTAINER_TAG=nginx  --since "2 hour ago" | cat
    -- Logs begin at Wed 2020-07-08 16:07:56 UTC, end at Thu 2020-08-13 15:54:43 UTC. --
    Aug 13 13:57:49 chris-travis-development nginx[994]: 5.188.210.227 - - [13/Aug/2020:13:57:49 +0000] "\x05\x01\x00" 400 173 "-" "-"
    Aug 13 13:58:44 chris-travis-development nginx[994]: 5.188.210.227 - - [13/Aug/2020:13:58:44 +0000] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 173 "-" "-"
    Aug 13 14:00:41 chris-travis-development nginx[994]: 5.188.210.227 - - [13/Aug/2020:14:00:41 +0000] "GET http://5.188.210.227/echo.php HTTP/1.1" 301 185 "https://www.google.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"

What exactly am I doing wrong? How do I configure this correctly?


Here is a test that also seems to correctly show that the records exist:

    root@chris-travis-development:~# fail2ban-regex --journalmatch='CONTAINER_TAG=nginx' systemd-journal "nginx-botsearch"

    Running tests
    =============

    Use   failregex filter file : nginx-botsearch, basedir: /etc/fail2ban
    Use      datepattern : Default Detectors
    Use         systemd journal
    Use         encoding : UTF-8
    Use    journal match : CONTAINER_TAG=nginx


    Results
    =======

    Failregex: 0 total

    Ignoreregex: 0 total

    Date template hits:

    Lines: 3050 lines, 0 ignored, 0 matched, 3050 missed
    [processed in 0.77 sec]

    Missed line(s): too many to print.  Use --print-all-missed to print all 3050 lines

Additional debugging with strace seems to indicate that the file is not even being read? Unless I'm mistaken.

    root@chris-travis-development:~# strace fail2ban-client -vvvvvv status nginx-bots-123 2>&1 | grep nginx-bots.conf
    root@chris-travis-development:~# strace fail2ban-client -vvvvvv status nginx-bots-123 2>&1 | grep nginx
    execve("/usr/bin/fail2ban-client", ["fail2ban-client", "-vvvvvv", "status", "nginx-bots-123"], 0x7fff49c76428 /* 20 vars */) = 0
    write(2, " +  172 7F3597063740 fail2ban   "..., 132 +  172 7F3597063740 fail2ban                  HEAVY |  fail2banclient-5 : __processCmd         | CMD: ['status', 'nginx-bots-123']
    sendto(3, "\200\4\225\37\0\0\0\0\0\0\0]\224(\214\6status\224\214\16nginx-b"..., 59, 0, NULL, 0) = 59
    write(2, " +  177 7F3597063740 fail2ban.be"..., 314 +  177 7F3597063740 fail2ban.beautifier       HEAVY |      beautifier-5 : beautify             | Beautify [('Filter', [('Currently failed', 0), ('Total failed', 0), ('Journal matches', [''])]), ('Actions', [('Currently banned', 0), ('Total banned', 0), ('Banned IP list', [])])] with ['status', 'nginx-bots-123']
    write(1, "Status for the jail: nginx-bots-"..., 200Status for the jail: nginx-bots-123
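The fail2ban-regex run above reports 3050 lines and 0 matches, which is separate from whether the journal match works: a botsearch-style filter only fires on 404 responses to well-known probe paths, and the journal lines shown are 400s and a 301. The added example below (not fail2ban's code, and the regex is a simplified stand-in for the nginx-botsearch failregex, with an assumed probe-path list in place of the filter's <block> and <HOST> placeholders) replays the question's lines plus constructed 404 probes through that logic with the jail's maxretry of 6:

```python
import re
from collections import Counter

# Constructed sample access-log lines, modelled on the journalctl output in the
# question with the "Aug 13 ... nginx[994]: " journal prefix removed. The first
# two are the 400/301 lines from the question; the 404 probes are invented.
QUESTION_LINES = [
    '5.188.210.227 - - [13/Aug/2020:13:57:49 +0000] "\\x05\\x01\\x00" 400 173 "-" "-"',
    '5.188.210.227 - - [13/Aug/2020:14:00:41 +0000] "GET http://5.188.210.227/echo.php HTTP/1.1" 301 185 "https://www.google.com/" "Mozilla/5.0"',
]
PROBE_PATHS = ["wp-login.php", "xmlrpc.php", "phpmyadmin/", "cgi-bin/test.cgi", "mysqladmin/", "wp-login.php"]
PROBE_LINES = [
    '198.51.100.7 - - [13/Aug/2020:14:05:%02d +0000] "GET /%s HTTP/1.1" 404 162 "-" "curl/7.68.0"' % (i, path)
    for i, path in enumerate(PROBE_PATHS)
]

# Simplified stand-in for the nginx-botsearch failregex (assumption: the real
# filter builds <block> from botsearch-common.conf and uses <HOST>; here both
# are spelled out as plain regex). Only 404s to a listed path count.
BLOCK = r"(?:wp-login\.php|xmlrpc\.php|phpmyadmin|cgi-bin|mysqladmin)"
FAILREGEX = re.compile(
    r'^(?P<host>\S+) - \S+ \[[^\]]+\] "(?:GET|POST|HEAD) /' + BLOCK + r'[^"]*" 404 .+$'
)


def failures(lines):
    """Return the client address of every line the failregex matches, in order."""
    hits = []
    for line in lines:
        m = FAILREGEX.match(line)
        if m:
            hits.append(m.group("host"))
    return hits


def to_ban(lines, maxretry=6):
    """Hosts whose match count reached maxretry (6 in the question's jail)."""
    counts = Counter(failures(lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("question lines matched:", failures(QUESTION_LINES))
    print("probe lines matched:", failures(PROBE_LINES))
    print("to ban:", to_ban(QUESTION_LINES + PROBE_LINES))
```

Running it shows the question's two lines match nothing while six 404 probes from one constructed address cross maxretry, so a "0 matched" result from fail2ban-regex does not by itself prove the journal is not being read.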