filter.d/znc-adminlog.conf: support logging format of systemd-journal, bypass port after address (optional, removed end-anchor, see gh-2520)

config/filter.d/znc-adminlog.conf

@@ -3,12 +3,28 @@
 # to use this module, enable the adminlog module from within ZNC and point
 # logpath to its logfile (e.g. /var/lib/znc/moddata/adminlog/znc.log).
 
+[DEFAULT]
+
+logtype = file
+
 [Definition]
 
-failregex = ^\[\] \[[^]]+\] failed to login from <ADDR>$
+_daemon = znc
+
+# Prefix for different logtype (file, journal):
+#
+__prefix_file = (?:\[\]\s+)?
+__prefix_short = (?:\S+\s+%(_daemon)s\[\d+\]:)\s+
+__prefix_journal = %(__prefix_short)s
+
+__prefix_line = <__prefix_<logtype>>
+
+failregex = ^%(__prefix_line)s\[[^]]+\] failed to login from <ADDR>
 
 ignoreregex = 
 
+journalmatch = _SYSTEMD_UNIT=znc.service + _COMM=znc
+
 # DEV Notes:
 # Log format is: [<DATE+TIME>] [<USERNAME>] <ACTION> from <ADDR>
 # [2018-10-27 01:40:17] [girst] connected to ZNC from 1.2.3.4

fail2ban/tests/files/logs/znc-adminlog

@@ -5,3 +5,11 @@
 [2018-10-27 01:40:17] [girst] connected to ZNC from 1.2.3.4
 # failJSON: { "match": false }
 [2018-10-27 01:40:21] [girst] disconnected from ZNC from 1.2.3.4
+
+# failJSON: { "time": "2019-09-08T15:53:19", "match": true , "host": "192.0.2.1", "desc": "port after IP" }
+[2019-09-08 15:53:19] [admin] failed to login from 192.0.2.1:65001
+
+# filterOptions: {"logtype": "journal"}
+
+# failJSON: { "match": true , "host": "192.0.2.2", "desc": "systemd-journal entry, port after IP" }
+Test znc[37232]: [admin] failed to login from 192.0.2.2:65009