The original post: /r/selfhosted by /u/GalacticusTravelous on 2024-05-01 14:57:25.
I am trying to match this line:
(W) 2024-04-28T17:30:57 - WebAPI login failure. Reason: invalid credentials, attempt count: 3, IP: ::ffff:192.168.2.167, username: fdasdf
This is my greedy definition:
[Definition]
failregex = ^WebAPI login failure. Reason: invalid credentials,.*IP:\s::.*:<HOST>,\s*username:\s*\S+$
It doesn’t work. Even if I specify all of the regex for the start of the line it doesn’t work.
^\(W\)\s+(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})\s+-\s+WebAPI login failure. Reason: invalid credentials,.*IP:\s::.*:(?:\[?(?:(?:::f{4,6}:)?(?<ip4>(?:\d{1,3}\.){3}\d{1,3})|(P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?<dns>[\w\-.^_]*\w)),\s*username:\s*\S+$
I can see what <HOST> is being replaced by (included above) using fail2ban-regex -l heavydebug, and this is working in online regex testing tools.