Merge pull request #3693 from pingou2712/ModifRecidive

Change Regex Recidive and journalmatch For Systemd Match

config/filter.d/recidive.conf

@@ -19,7 +19,7 @@
 # common.local
 before = common.conf
 
-[Definition]
+[DEFAULT]
 
 _daemon = (?:fail2ban(?:-server|\.actions)\s*)
 
@@ -29,10 +29,23 @@ _jailname = recidive
 
 failregex = ^%(__prefix_line)s(?:\s*fail2ban\.actions\s*%(__pid_re)s?:\s+)?NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
 
+[lt_short]
+_daemon = (?:fail2ban(?:-server|\.actions)?\s*)
+failregex = ^%(__prefix_line)s(?:\s*fail2ban(?:\.actions)?\s*%(__pid_re)s?:\s+)?(?:NOTICE\s+)?\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
+
+[lt_journal]
+_daemon = <lt_short/_daemon>
+failregex = <lt_short/failregex>
+
+[Definition]
+
+_daemon = <lt_<logtype>/_daemon>
+failregex = <lt_<logtype>/failregex>
+
 datepattern = ^{DATE}
 
 ignoreregex = 
 
-journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
+journalmatch = _SYSTEMD_UNIT=fail2ban.service
 
 # Author: Tom Hendrikx, modifications by Amir Caspi 

fail2ban/tests/files/logs/recidive

@@ -17,3 +17,8 @@ Sep 16 00:44:55 spaceman fail2ban.actions: NOTICE [jail] Ban 10.0.0.7
 Jan 16 17:11:25 testorg fail2ban.actions[6605]: NOTICE [postfix-auth] Ban 192.0.2.1
 # failJSON: { "time": "2005-03-05T08:41:28", "match": true , "host": "192.0.2.2", "desc": "SYSLOG / systemd-journal with daemon-name" }
 Mar 05 08:41:28 test.org fail2ban-server[11524]: fail2ban.actions        [11524]: NOTICE  [postfix-auth] Ban 192.0.2.2
+
+# filterOptions: {"logtype": "journal"}
+
+# failJSON: { "match": true , "host": "192.0.2.3", "desc": "systemd-journal short variant, gh-3693" }
+host fail2ban[15699]: [postfix-sasl] Ban 192.0.2.3