small enhancements (datepattern, timezone, etc.)

master
Serg G. Brester 2017-10-20 12:34:21 +02:00
parent 4379dd0277
commit e3319bc753
1 changed files with 4 additions and 0 deletions

@ -17,8 +17,12 @@ Each failure (attempt) will be logged in `fail2ban.log` as:<br/>
` INFO [jail] Found 192.0.2.25`<br/>
First if you'll see at least 5 such lines with this IP address within 10 minutes, the IP goes banned and you should see:<br/>
` NOTICE [jail] Ban 192.0.2.25`<br/>
- no matching date-time pattern or wrong date-time pattern specified for the jail resp. filter via `datepattern`, thus it does not match the log-line at all;
- be careful with `%` character in fail2ban configurations (because of the python-config, it should be dual-escaped `%%`);
- note the time of values that fail2ban recognizes from the log-file will be converted using the system time zone (if not specified different) - be sure that the times, written from the corresponding service into the log, are not too old for the fail2ban;
- each failure should match a regular expressions (from stock fail2ban or local customized in jail.local, some filter from `/etc/fail2ban/filter.d`, etc). It may be, that the expression or some part of it is not good enough.
You can use another fail2ban tool `fail2ban-regex` to check resp. build your own `failregex`.
Note: fail2ban tries to search the match not the original string - the datetime value (matched `datepattern`) will be cut out from it before searching.
- the banning action is not specified resp. something going wrong by execution of the ban-action. For example if iptables action used, you can verify it by checking of iptables entries, where you should find the fail2ban jail name (prefixed with `f2b-`) as chain and the rule corresponding the IP address.<br/>
Mostly you'll see then too many log-lines like following in the `fail2ban.log`:<br/>
` NOTICE [jail] 192.0.2.25 already banned`<br/>
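
Review bot: the timezone bullet ("note the time of values that fail2ban recognizes from the log-file will be converted using the system time zone (if not specified different)") is hard to parse and does not say where a different zone would be specified. Suggest rewording it along the lines of "timestamps that fail2ban reads from the log file are interpreted in the system time zone unless another one is configured" and naming the setting the reader should change. In the `%` bullet, a short example of the doubled `%%` form inside a `datepattern` value would help, since that is where readers are most likely to hit the escaping rule. The "Note:" line after the `fail2ban-regex` sentence reads "tries to search the match not the original string", which looks like it is missing "in". That line and the one before it also lack the `<br/>` that the surrounding lines end with, so they may run together when rendered.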