`paths-common.conf`: changed default `mysql_log` path (default `logpath` of `mysqld-auth` jail without maintainer overrides); adjusted comments (`log_error_verbosity = 3` instead of `log-warnings = 2`)

closes gh-3932
2025-01-30 14:00:43 +01:00 · 2025-01-30 14:00:43 +01:00 · b55c20594e
parent 6d3308ecb4
commit b55c20594e
4 changed files with 16 additions and 14 deletions
--- a/2
+++ b/2
@ -33,6 +33,8 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
  - adapted to conform possible new daemon name sshd-session, since OpenSSH 9.8 
    several log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd" (gh-3782)
  - `ddos` and `aggressive` modes: regex extended for timeout before authentication (optional connection from part, gh-3907)
+* `paths-common.conf`:
+  - changed default `mysql_log` path (default `logpath` of `mysqld-auth` jail without maintainer overrides, gh-3932)

 ### New Features and Enhancements
 * new jail option `skip_if_nologs` to ignore jail if no `logpath` matches found, fail2ban continue to start with warnings/errors,
--- a/config/filter.d/mysqld-auth.conf
+++ b/config/filter.d/mysqld-auth.conf
@ -1,9 +1,10 @@
 # Fail2Ban filter for unsuccessful MySQL authentication attempts
 #
 #
-# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
-# log-error=/var/log/mysqld.log
-# log-warnings = 2
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld],
+# `log_error_verbosity` system variable set to 3 (`log-warnings = 2` for older versions),
+# and check whether `log_error` (or `log-error`) system variable would match the `logpath` of fail2ban
+# (see https://dev.mysql.com/doc/refman/en/communication-errors.html)
 #
 # If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf

--- a/config/jail.conf
+++ b/config/jail.conf
@ -785,17 +785,11 @@ logpath  = /var/lib/znc/moddata/adminlog/znc.log

 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
 # equivalent section:
-# log-warnings = 2
-#
-# for syslog (daemon facility)
-# [mysqld_safe]
-# syslog
-#
-# for own logfile
-# [mysqld]
-# log-error=/var/log/mysqld.log
+#   log_error_verbosity = 3
+# for older versions:
+#   log-warnings = 2
+# Also check whether `log_error` (or `log-error`) system variable match the `logpath`.
 [mysqld-auth]
-
 port     = 3306
 logpath  = %(mysql_log)s
 backend  = %(mysql_backend)s
--- a/config/paths-common.conf
+++ b/config/paths-common.conf
@ -87,7 +87,12 @@ dovecot_backend = %(default_backend)s
 # Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level
 solidpop3d_log = %(syslog_local0)s

-mysql_log = %(syslog_daemon)s
+mysql_log = /var/log/mariadb/mariadb.log
+            /var/log/mariadb/error.log
+            /var/log/mysql/mysqld.log
+            /var/log/mysql/error.log
+            /var/log/mysqld.log
+            
 mysql_backend = %(default_backend)s

 roundcube_errors_log = /var/log/roundcube/errors