From ff701e94c3cba689bc5203521c148e8563b24c94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A1szl=C3=B3=20K=C3=A1rolyi?=
Date: Thu, 7 Mar 2024 17:38:29 +0100
Subject: [PATCH 1/2] Add to postfix syslog daemon format
---
 config/filter.d/postfix.conf | 2 +-
 fail2ban/tests/files/logs/postfix | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf
index 79cea25e..8806ee3d 100644
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
@@ -10,7 +10,7 @@ before = common.conf
 [Definition]
-_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
+_daemon = postfix(-\w+)?/[^/\[:]+(?:/smtp[ds])?
 _port = (?::\d+)?
 _pref = [A-Z]{4}
diff --git a/fail2ban/tests/files/logs/postfix b/fail2ban/tests/files/logs/postfix
index 7fcb540b..da7f4219 100644
--- a/fail2ban/tests/files/logs/postfix
+++ b/fail2ban/tests/files/logs/postfix
@@ -154,6 +154,8 @@ Jan 14 16:18:16 xxx postfix/smtpd[14933]: warning: host[192.0.2.5]: SASL CRAM-MD
 # failJSON: { "time": "2005-02-10T13:26:34", "match": true , "host": "192.0.2.1" }
 Feb 10 13:26:34 srv postfix/smtpd[123]: disconnect from unknown[192.0.2.1] helo=1 auth=0/1 quit=1 commands=2/3
+# failJSON: { "time": "2005-02-10T13:26:34", "match": true , "host": "192.0.2.1" }
+Feb 10 13:26:34 srv postfix/smtp-25/smtpd[123]: disconnect from unknown[192.0.2.1] helo=1 auth=0/1 quit=1 commands=2/3
 # failJSON: { "time": "2005-02-10T13:26:34", "match": true , "host": "192.0.2.2" }
 Feb 10 13:26:34 srv postfix/smtpd[123]: disconnect from unknown[192.0.2.2] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
From 45d7f3cb978cf73d865c23bddd5a0dae3de42fa0 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Fri, 8 Mar 2024 11:43:46 +0100
Subject: [PATCH 2/2] no space in any case
---
 config/filter.d/postfix.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf
index 8806ee3d..b88faf7b 100644
--- a/config/filter.d/postfix.conf
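Review bot: The new middle component of `_daemon` in patch 1/2, `[^/\[:]+`, is a negated class, so it accepts every character other than `/`, `[` and `:`, while the only new input this patch shows is the hyphenated service name `smtp-25`. Patch 2/2 adds `\s` to the exclusions on the same line, but the class remains a deny-list there as well. Because this prefix is part of the pattern that decides which address gets banned, it is easier to reason about as an allow-list; if the hyphen is the only addition needed, `_daemon = postfix(-\w+)?/[\w-]+(?:/smtp[ds])?` states that directly. If service names with further characters are expected, listing them in a comment would justify the wider class.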
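Review bot: Only a positive sample is added for the widened `_daemon` prefix in this hunk, so nothing pins what the new class must reject. A companion entry marked `# failJSON: { "match": false }`, whose daemon tag carries a character the service-name component should not accept (a space, for instance), would stop a later edit from loosening the prefix unnoticed. The filter options in effect for these samples are set above the hunk and are not visible here, so the negative entry should sit in the same block as the line added by this patch.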
+++ b/config/filter.d/postfix.conf
@@ -10,7 +10,7 @@ before = common.conf
 [Definition]
-_daemon = postfix(-\w+)?/[^/\[:]+(?:/smtp[ds])?
+_daemon = postfix(-\w+)?/[^/\[:\s]+(?:/smtp[ds])?
 _port = (?::\d+)?
 _pref = [A-Z]{4}
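Review bot: Nothing in the visible context around `_daemon` records what the second path component stands for or why these particular characters are excluded, and the subject "no space in any case" does not say either. A comment directly above the line would keep the next edit from widening it again, e.g. `# optional service name before the program (postfix/smtp-25/smtpd); must not span '/', '[', ':' or whitespace`. The [Definition] section continues past the hunk, so whether this is explained further down cannot be seen from here.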