From dd3c78ecaba07328d5a0ba29d7dcce4ee4ed2317 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Mon, 11 Mar 2024 17:49:06 +0100
Subject: [PATCH] filter.d/recidive.conf: conditional RE depending on logtype (for file or journal)

---
 config/filter.d/recidive.conf | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/config/filter.d/recidive.conf b/config/filter.d/recidive.conf
index 7dcecfe4..86d939bb 100644
--- a/config/filter.d/recidive.conf
+++ b/config/filter.d/recidive.conf
@@ -19,7 +19,7 @@
 # common.local
 before = common.conf
 
-[Definition]
+[DEFAULT]
 
 _daemon = (?:fail2ban(?:-server|\.actions)\s*)
 
@@ -27,8 +27,21 @@ _daemon = (?:fail2ban(?:-server|\.actions)\s*)
 # this filter 'recidive', or supply another name with `filter = recidive[_jailname="jail"]`
 _jailname = recidive
 
+failregex = ^%(__prefix_line)s(?:\s*fail2ban\.actions\s*%(__pid_re)s?:\s+)?NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+\s*$
+
+[lt_short]
+_daemon = (?:fail2ban(?:-server|\.actions)?\s*)
 failregex = ^%(__prefix_line)s(?:\s*fail2ban(?:\.actions)?\s*%(__pid_re)s?:\s+)?(?:NOTICE\s+)?\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+\s*$
 
+[lt_journal]
+_daemon =
+failregex =
+
+[Definition]
+
+_daemon = /_daemon>
+failregex = /failregex>
+
 datepattern = ^{DATE}
 
 ignoreregex =
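Review bot: The `failregex` that ends up under `[lt_short]` in the second hunk keeps both the `fail2ban.actions` logger name and the `NOTICE` level optional, so on that path a line is accepted on little more than the prefix, a bracketed jail name, `Ban` and an address, and the greedy `(?:.*)` between the brackets can run past an earlier `]`. That is only safe if nothing but fail2ban itself can write to the monitored source; for the journal backend this presumably rests on the jail's `journalmatch` (not visible in this hunk) pinning a journald-set field such as `_SYSTEMD_UNIT`, since otherwise another local journal writer could cause recidive to ban an address of its choosing. I would state that dependency in a comment above the section, e.g. `# lt_short: message-only format, level and logger name optional; relies on journalmatch limiting entries to fail2ban's own unit`, and consider `[^\]]*` in place of `(?:.*)` if jail names can never contain `]`. The new `[lt_short]` and `[lt_journal]` sections also have no comment saying which log format each one targets, which would help anyone overriding them in a `.local` file.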