cdnscubaguy

Reputation: 99

Fail2Ban regex where IP is on one line and failure message on another

I'm trying to create a regular expression to match Xen's XAPI log. The problem is that the IP is stored on the first line and the failure message on the second. Here's an example:

Jan  8 23:07:42 myserver stunnel: LOG5[6732:3073162128]: xapi connected from 1.1.1.1:55002
Jan  8 23:07:42 myserver xapi: pam_unix(xapi:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root

The regular expression I have is:

^.*xapi connected from <HOST>:[0-9]*\n.*xapi: pam_unix.xapi:auth.: authentication failure;.*$

This works fine in VI (obviously without ) but not in fail2ban. My testing seems to indicate that the problem is the \n. Is this possible with fail2ban?

I found this Stackoverflow article: Can regex match be based on two lines of text?. I am simply treating the line feed as a character. Has anyone developed a Fail2Ban filter that supports information on multiple lines? (I'm using Fail2Ban v0.8.4, if it matters.)

Upvotes: 2

Views: 3321

Answers (2)

wpoely86

Reputation: 386

Using fail2ban v0.9.0, this is possible (didn't check older versions). You do have to specify the maxlines option. Try the following filter file:

[Init]
maxlines = 2

[Definition]

failregex = ^.*xapi connected from <HOST>:[0-9]*\n.*xapi: pam_unix.xapi:auth.: authentication failure;.*$

ignoreregex =

Upvotes: 3
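As an added illustration (not code from the question, either answer, or the fail2ban project), the script below approximates what the maxlines=2 filter above does: it expands the <HOST> tag into a capture group, keeps a sliding window of the last two log lines joined with a newline, and runs the question's failregex over that joined text. The HOST_RE pattern is reproduced from memory of fail2ban's substitution and the log lines are constructed, so both are assumptions; the "consume lines on match" behaviour is a simplification of the real buffer handling.

```python
import re

# Pattern that fail2ban (0.8/0.9 era) substitutes for the <HOST> tag.
# Reproduced from memory: treat as an assumption, not the exact source.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the question, unchanged.
FAILREGEX = (r"^.*xapi connected from <HOST>:[0-9]*\n"
             r".*xapi: pam_unix.xapi:auth.: authentication failure;.*$")

# Constructed sample log: two failures split across line pairs, plus one
# connection that is followed by something other than a PAM failure.
LOG_LINES = [
    "Jan  8 23:07:42 myserver stunnel: LOG5[6732:3073162128]: xapi connected from 1.1.1.1:55002",
    "Jan  8 23:07:42 myserver xapi: pam_unix(xapi:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root",
    "Jan  8 23:08:01 myserver stunnel: LOG5[6732:3073162128]: xapi connected from 10.0.0.5:40001",
    "Jan  8 23:08:01 myserver xapi: pam_unix(xapi:auth): session opened for user root",
    "Jan  8 23:09:15 myserver stunnel: LOG5[6732:3073162128]: xapi connected from 192.0.2.9:51234",
    "Jan  8 23:09:15 myserver xapi: pam_unix(xapi:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root",
]


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> into a named group and compile with MULTILINE so that
    ^ and $ anchor on the individual lines inside the joined buffer."""
    return re.compile(failregex.replace("<HOST>", HOST_RE), re.MULTILINE)


def find_failures(lines, failregex=FAILREGEX, maxlines=2):
    """Slide a window of `maxlines` lines over the log, join the window with
    a newline and search it with the failregex (the effect of fail2ban's
    maxlines option). Returns the captured hosts in order; a match consumes
    the lines in the window so they are not matched twice."""
    regex = compile_failregex(failregex)
    window, hosts = [], []
    for line in lines:
        window.append(line)
        if len(window) > maxlines:
            window.pop(0)
        match = regex.search("\n".join(window))
        if match:
            hosts.append(match.group("host"))
            window.clear()
    return hosts


if __name__ == "__main__":
    print(find_failures(LOG_LINES))  # ['1.1.1.1', '192.0.2.9']
```

With maxlines left at 1 the \n in the failregex can never match, which reproduces the symptom described in the question.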

PhiLho

Reputation: 41142

Disclaimer: I don't know Fail2Ban. One possible issue is that you use both ^ and & along with \n. I don't think they mix well. They are different and concurrent ways to indicate line bounds.

You better use \n systematically.

Also replace .* with .*?, to avoid spawning over the whole log...

Upvotes: 0
