How do I specify multiple logfiles for a jail in fail2ban?

Heyo,

I'm using Ubuntu 15.10 and fail2ban 0.9.3. Apache is set up with a bunch of Apache virtualhosts.

I have my Apache2 logfiles located in subdirectories, one per localhost, e.g. /var/log/apache2/vwww_example_vhost_com/ and logfiles under that as error.log or access.log (or ssl_error.log and ssl_access.log).

The main apache2 logfiles (for localhost and default) are in /var/log/apache2.

Ideally I'd like to be able to wildcard the subdirectory and have fail2ban read in any logfiles under that subdirectory.

The jail.local manpage indicates that in order to specify multiple logfiles you must put a newline and whitespace between each logfile. This does not appear to work with wildcarded directories.

Here's the default config for one of the jails:

[apache-auth]
port     = http,https
logpath  = %(apache_error_log)s
enabled  = true

Currently I have tried:

[apache-auth]
port     = http,https
logpath  = %(apache_error_log)s
           /var/log/apache2/*/*error.log
enabled  = true

With the secondary logfile path on a newline with leading whitespace. This errors and service fail2ban restart fails with a cryptic (and useless) error message.

This fails:

[apache-auth]
port     = http,https
logpath  = /var/log/apache2/*/*error.log
enabled  = true

Trying to override the %(apache_error_log)s variable in /etc/fail2ban/paths-overrides.local also fails:

[DEFAULT]
apache_error_log = /var/log/apache2/*error.log
               /var/log/apache2/*/*error.log

apache_access_log = /var/log/apache2/*access.log
               /var/log/apache2/*/*access.log

Specifying the logfile masks with a space gives me 'head or tail' error in /var/log/fail2ban.log but the service will launch. However, it's not using the logfiles at all then. Separating the logfile masks with a semicolon stops fail2ban from restarting.

My conclusion is that I'm going to have to manually define the directory names for the virtualhosts in jail.local but I haven't found anything that specifically says you can't use a wildcarded subdirectory.

Does anyone have insight on this or a workaround?

Edit: I just tried specifying multiple logfile directories (with the directory name spelled out) and with the same wildcarded filename masks in paths-overrides.local and that is also causing fail2ban not to start.


Solution 1:

For me, I just keep it simple in my custom jail config file:

[apache-auth]
enabled = true
logpath = %(apache_error_log)s
          /var/log/apache2/*/*error.log

The same for the access log:

[php-url-fopen]
enabled = true
logpath = %(apache_access_log)s
          /var/log/apache2/*/*access.log

Then, to test it after I reload the fail2ban-client:

sudo fail2ban-client status apache-auth
sudo fail2ban-client status php-url-fopen
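
A pre-flight check for a multi-line logpath value, added here as an example (it is not part of the answer above and is not fail2ban's own code). It models the documented format: one glob per line, each optionally followed by a space and `head` or `tail`, and it reports globs that match no file as well as lines like the space-separated masks from the question. The names `check_logpath` and `build_sample_tree` and the sample directory tree are constructed for illustration, and the value is assumed to be already interpolated (no `%(...)s` left in it).

```python
import glob
import os
import tempfile


def check_logpath(value):
    """Return (matches, problems) for an already-interpolated logpath value."""
    matches, problems = {}, []
    for line in value.splitlines():
        entry = line.strip()
        if not entry:
            continue
        # Split off an optional trailing "head"/"tail" token.
        pattern, sep, mode = entry.rpartition(" ")
        if not sep:
            pattern = entry  # no space on the line: the whole entry is the glob
        elif mode not in ("head", "tail"):
            # e.g. two masks on one line separated by a space
            problems.append((entry, "trailing token is not head or tail"))
            continue
        pattern = pattern.rstrip()
        matches[pattern] = sorted(glob.glob(pattern))
        if not matches[pattern]:
            problems.append((pattern, "matches no file"))
    return matches, problems


def build_sample_tree():
    """Create a constructed Apache-style log tree in a temp directory."""
    root = tempfile.mkdtemp(prefix="f2b-logpath-")
    for rel in ("error.log", "vhost_a/error.log",
                "vhost_b/ssl_error.log", "vhost_b/access.log"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    value = ("{0}/*error.log\n"
             "    {0}/*/*error.log tail\n"
             "    {0}/*/*modsec.log\n"
             "    {0}/*error.log {0}/*/*error.log").format(root)
    matches, problems = check_logpath(value)
    for pattern, files in matches.items():
        print(pattern, "->", len(files), "file(s)")
    for entry, reason in problems:
        print("PROBLEM:", entry, "-", reason)
```

Running it against the real value from jail.local before a restart shows which line would leave a jail without any log file to watch.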