Does fail2ban monitor rotated log files?
Does fail2ban continue to monitor rotated log files?
For example, I have a rule monitoring /var/log/fail2ban.log which is automatically rotated by the system every week (7 days). I want to have a rule that monitors for banned IPs in that log to find repeat offenders that have been banned 5 times in the last 10 days. Is that possible?
Solution 1:
Yes, fail2ban continues to monitor rotated log files. From server/filter.py
439 ##
440 # FileContainer class.
441 #
442 # This class manages a file handler and takes care of log rotation detection.
443 # In order to detect log rotation, the hash (MD5) of the first line of the file
444 # is computed and compared to the previous hash of this line.
Solution 2:
One can specify multiple logs in one of two ways (or a combination). You can use file globs (wildcards) to match log files to monitor (i.e.logpath = /var/log/*somefile.log) or a list of logfiles to monitor, separated by whitespace (spaces, tabs, newlines) such as
logpath = /var/log/auth.log /var/log/auth.log.1
or
logpath = /var/log/auth.log
/var/log/auth.log.1
Solution 3:
The above answer is incorrect with regards to your question. FileContainer only uses file log rotation detection to reset log reading back to the start of the file instead of the standard procedure of continuing from the last offset:
class FileContainer:
...
def open(self):
self.__handler = open(self.__filename, 'rb')
...
# Compare hash and inode
if self.__hash != myHash or self.__ino != stats.st_ino:
logSys.info("Log rotation detected for %s" % self.__filename)
self.__hash = myHash
self.__ino = stats.st_ino
self.__pos = 0
# Sets the file pointer to the last position.
self.__handler.seek(self.__pos)
There is no code in there that goes looking for rotated files to also parse through.