From 1b7df1181f74ee05a571152150d76b545f52295b Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Mon, 23 Dec 2013 08:28:40 +0000 Subject: [PATCH 1/2] BF: apache-2.4 log format fix. Closes gh-516 --- ChangeLog | 2 ++ THANKS | 1 + config/filter.d/apache-common.conf | 3 ++- testcases/files/logs/apache-noscript | 3 +++ 4 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 964cdd87..5484a91e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -27,6 +27,8 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better - complain action - ensure where not matching other IPs in log sample. Closes gh-467 - Fix firewall-cmd actioncheck - patch from Adam Tkac. Redhat Bug #979622 + - Fix apache-common for apache-2.4 log file format. Thanks Mark White. + Closes gh-516 - Enhancements: - long names on jails documented based on iptables limit of 30 less diff --git a/THANKS b/THANKS index 4dc2776f..7e97c04c 100644 --- a/THANKS +++ b/THANKS @@ -54,6 +54,7 @@ Manuel Arostegui Ramirez Marcel Dopita Mark Edgington Mark McKinstry +Mark White Markus Hoffmann Marvin Rouge mEDI diff --git a/config/filter.d/apache-common.conf b/config/filter.d/apache-common.conf index ca8f2417..ce7da6e8 100644 --- a/config/filter.d/apache-common.conf +++ b/config/filter.d/apache-common.conf 
@@ -8,12 +8,13 @@ after = apache-common.local [DEFAULT] -_apache_error_client = \[[^]]*\] \[(error|\S+:\S+)\]( \[pid \d+:\S+ \d+\])? \[client (:\d{1,5})?\] +_apache_error_client = \[[^]]*\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client (:\d{1,5})?\] # Common prefix for [error] apache messages which also would include # Depending on the version it could be # 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4] # 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652] +# 2.4: [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to # # Reference: https://github.com/fail2ban/fail2ban/issues/268 # diff --git a/testcases/files/logs/apache-noscript b/testcases/files/logs/apache-noscript index 19fa408a..68fc7c0a 100644 --- a/testcases/files/logs/apache-noscript +++ b/testcases/files/logs/apache-noscript @@ -13,3 +13,6 @@ [Tue Jul 22 06:48:30 2008] [error] [client 198.51.100.86] script not found or unable to stat: /home/e-smith/files/ibays/Primary/cgi-bin/php.cgi # failJSON: { "time": "2008-07-22T06:48:30", "match": true , "host": "198.51.100.86" } [Tue Jul 22 06:48:30 2008] [error] [client 198.51.100.86] script not found or unable to stat: /home/e-smith/files/ibays/Primary/cgi-bin/php4 +# apache 2.4 +# failJSON: { "time": "2013-12-23T07:49:01", "match": true , "host": "204.232.202.107" } +[Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to stat From 382d68f0fe923f33f716a471d82a54fe30dbc505 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Mon, 23 Dec 2013 09:09:48 +0000 Subject: [PATCH 2/2] DOC: perfork model for apache log format --- config/filter.d/apache-common.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/apache-common.conf b/config/filter.d/apache-common.conf index ce7da6e8..60591481 100644 
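Review bot: In the new `_apache_error_client`, `(:?error|\S+:\S+)` reads like a mistyped non-capturing group `(?:`, but as written it is a capturing group that accepts an optional literal colon, which is what lets the `[:error]` tag from the added 2.4 sample match (the `\S+:\S+` branch needs at least one character before the colon). Because this is the common prefix the apache filters build on, the intent should be stated next to it, e.g. `# ":?error" is a literal optional colon for the 2.4 "[:error]" tag, not "(?:"`, or spelled unambiguously as `\[(?::?error|\S+:\S+)\]`. As rendered on this page nothing appears between `\[client ` and `(:\d{1,5})?`; the host tag was presumably lost in extraction, so compare against the file itself before copying the line.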
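Review bot: The added sample line and its `failJSON` host use `204.232.202.107:46301`, which looks like a client address and port taken from a live log, while the context lines above it use `198.51.100.86` from the documentation range. A documentation address would keep a third party's IP out of the fixture, for instance (constructed example) `[client 198.51.100.87:46301]` with `"host": "198.51.100.87"`; the same address also appears in the comment line added to `config/filter.d/apache-common.conf` in this patch and edited again in PATCH 2/2. The fixture exercises only the `[pid 3790]` form, so a second sample pairing `[:error]` with `[pid N:tid M]` would cover the other side of the new optional group, unless another test file already does.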
--- a/config/filter.d/apache-common.conf
+++ b/config/filter.d/apache-common.conf
@@ -14,7 +14,7 @@ _apache_error_client = \[[^]]*\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])?
 # Depending on the version it could be
 # 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4]
 # 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652]
-# 2.4: [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to
+# 2.4 (perfork): [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to
 #
 # Reference: https://github.com/fail2ban/fail2ban/issues/268
 #
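Review bot: `perfork` in the relabelled comment line is presumably meant to be `prefork`, the Apache MPM that this commit associates with the `[pid 3790]` form without a `tid` part; anyone searching the config for the MPM name will miss it. Suggested line start: `# 2.4 (prefork): [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] ...`. The sample also stops at `unable to`, whereas the fixture line in `testcases/files/logs/apache-noscript` ends in `unable to stat`, so completing it would make the two agree.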