How do I format this regex so it will work in fail2ban?
Solution 1:
Apparently this is a case of RTFM. After digging around for a while, I found a page on the fail2ban website that states that it makes two regex matches per line, one for the timestamp and one for the rest of the line following the timestamp. The timestamp in the audit.log is in Epoch format, and was apparently failing the first regex match. Using fail2ban-regex to compare /var/log/secure to my fail2ban sshd.conf file resulted in the desired behavior.
The correct solution was to point the appropriate section of my jail.conf at /var/log/secure.
For people who still want to make their own regular expressions, this section has a lot of good information, including this little tidbit that eventually helped me solve this:
In order for a log line to match your failregex, it actually has to match in two parts: the beginning of the line has to match a timestamp pattern or regex, and the remainder of the line has to match your failregex. If the failregex is anchored with a leading ^, then the anchor refers to the start of the remainder of the line, after the timestamp and intervening whitespace.
I hope that my RTFM moment will help someone down the line.