ENH: filter.d/recidive - anchor regex at start and support f2b SYSLOG target

ChangeLog

@@ -66,6 +66,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
      and extra failure examples in sample logs
 	 * filter.d/apache-auth - added expressions for mod_authz, mod_auth and
      mod_auth_digest failures.
+   * filter.d/recidive -- support f2b syslog target and anchor regex at start
   Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
    * filter.d/exim.conf -- regex hardening and extra failure examples in
      sample logs

config/filter.d/recidive.conf

@@ -15,8 +15,18 @@
 # for most jails, and shorewall for this one).
 #
 
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
 
+_daemon = fail2ban.actions
+
+
 # The name of the jail that this filter is used for. In jail.conf, name the 
 # jail using this filter 'recidive', or change this line!
 _jailname = recidive
@@ -28,11 +38,11 @@ _jailname = recidive
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values:  TEXT
 #
-failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+<HOST>
+failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[(?:.*)\]\s+Ban\s+<HOST>
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 # Ignore our own bans, to keep our counts exact.
-ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+<HOST>
+ignoreregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[%(_jailname)s\]\s+Ban\s+<HOST>

testcases/files/logs/recidive

@@ -4,3 +4,7 @@
 2006-02-13 16:07:31,183 fail2ban.actions: WARNING [sendmail] Unban 1.2.3.4
 # failJSON: { "match": false }
 2006-02-13 15:52:30,388 fail2ban.actions: WARNING [recidive] Ban 1.2.3.4
+# syslog example
+# failJSON: { "time": "2004-09-16T00:44:55", "match": true , "host": "10.0.0.7" }
+Sep 16 00:44:55 spaceman fail2ban.actions: WARNING [jail] Ban 10.0.0.7
+