Reputation: 2837
I'm setting up fail2ban on an Ubuntu 18.04 Digital Ocean droplet running Nginx.
I followed this tutorial for setup and this tutorial to create a custom filter to catch requests for forbidden urls.
Here's my filter:
[Definition]
failregex = ^ \[error\] \d+#\d+: .* forbidden .*, client: <HOST>, .*$
ignoreregex =
Here's what a sample log file entry looks like, that I'm trying to catch:
2020/03/09 12:18:08 [error] 14843#14843: *8 access forbidden by rule, client: xx.xx.xx.xx, server: xx.xx.xx.xx, request: "GET /var/ HTTP/1.1", host: "xxx.xxx.xxx.xx"
Here's the test I'm running:
/etc/fail2ban/filter.d# fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-forbidden.conf
And here's the output:
Running tests
=============
Use failregex filter file : nginx-forbidden, basedir: /etc/fail2ban
Use log file : /var/log/nginx/error.log
Use encoding : UTF-8
Results
=======
Failregex: 131 total
|- #) [# of hits] regular expression
| 1) [131] ^ \[error\] \d+#\d+: .* forbidden .*, client: <HOST>, .*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [200] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
| [254] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 1060 lines, 0 ignored, 131 matched, 929 missed
[processed in 0.47 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 929 lines
Looking at my log file, there are about 1060 lines, and 200 of them contain a date. Of those 200, 131 contain 'forbidden', so I think maybe it's working, but I'm not sure.
Here are my questions:
1) What are 'date template hits'? Are they lines that start with a date in the expected format? And are they therefore 'candidates' for being log entries that should be matched?
2) What's the difference between 'ignored' and 'missed'?
3) Is there a way to see the 131 'matched' entries so I can check they look like what I am trying to catch?
4) Where the regex in the filter says client: <HOST>, what's that matching? Is it the 'client' IP address in the log entry, or the 'host' entry at the end of the line?
The answers are probably obvious once you know what the terms mean but I can't find any explanations simple enough for my ignorance.
Upvotes: 2
Views: 2432
Reputation: 648
Too late, but...
fail2ban searches for dates in your log by trying to match them against default date patterns (templates). If you have a hit, then a date was matched. In your example, two different date formats were found/matched in total (200 dates of one format and 254 dates of another, respectively).
Ignored lines are those matched by your ignoreregex, if present (in your case there's none). Missed lines are those that weren't matched by any failregex or ignoreregex.
Add the --print-all-matched flag to your fail2ban-regex command.
client: <HOST>, will match the client: xx.xx.xx.xx, part in your log line. <HOST> is an alias for a predefined regex which matches either a hostname or an IP address.
Upvotes: 3
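To make the terms in the answer concrete, here is an added Python example (not from the question, the answer, or fail2ban itself) that replays what fail2ban-regex does over a few constructed nginx error-log lines: find the date with a simplified version of the ExYear template shown in the output, strip it so the failregex sees the remainder (which is why the filter starts with "^ \[error\]" and a leading space), expand <HOST> to a simplified IPv4-or-hostname pattern (an assumption; fail2ban's real alias is broader and also covers IPv6), apply an optional constructed ignoreregex, and count lines the same way the Results block does. It returns the matched lines and the captured client address, which is what --print-all-matched would show. Checking ignoreregex before failregex is a simplification of fail2ban's internal order.

```python
import re

# Assumption: a simplified stand-in for fail2ban's <HOST> alias, matching an
# IPv4 address or a hostname. The real alias is a broader predefined pattern.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9](?:[A-Za-z0-9\-.]*[A-Za-z0-9])?)"

# Simplified date template in the spirit of the ExYear template from the
# fail2ban-regex output: YYYY/MM/DD HH:MM:SS (or - and . separators) at line start.
DATE_RE = re.compile(r"^\d{4}[-/.]\d{2}[-/.]\d{2}(?:T| ?)\d{2}:\d{2}:\d{2}")

# The failregex from the question, unchanged.
FAILREGEX = r"^ \[error\] \d+#\d+: .* forbidden .*, client: <HOST>, .*$"
# Constructed ignoreregex for the demo: never ban clients in 10.0.0.0/8.
IGNOREREGEX = r"client: 10\.\d+\.\d+\.\d+,"

# Constructed sample log lines using documentation-range addresses; not real data.
SAMPLE_LINES = [
    '2020/03/09 12:18:08 [error] 14843#14843: *8 access forbidden by rule, client: 198.51.100.7, '
    'server: 203.0.113.5, request: "GET /var/ HTTP/1.1", host: "203.0.113.5"',
    '2020/03/09 12:18:09 [error] 14843#14843: *9 access forbidden by rule, client: 198.51.100.8, '
    'server: 203.0.113.5, request: "GET /.env HTTP/1.1", host: "203.0.113.5"',
    '2020/03/09 12:18:10 [error] 14843#14843: *10 open() "/usr/share/nginx/html/favicon.ico" failed '
    '(2: No such file or directory), client: 198.51.100.9, server: 203.0.113.5, '
    'request: "GET /favicon.ico HTTP/1.1", host: "203.0.113.5"',
    '2020/03/09 12:18:11 [error] 14843#14843: *11 access forbidden by rule, client: 10.0.0.5, '
    'server: 203.0.113.5, request: "GET /var/ HTTP/1.1", host: "203.0.113.5"',
    'some continuation line without a date',
]


def compile_filter(failregex, ignoreregex=""):
    """Expand <HOST> the way fail2ban does and compile both patterns."""
    fail = re.compile(failregex.replace("<HOST>", HOST_RE))
    ignore = re.compile(ignoreregex) if ignoreregex else None
    return fail, ignore


def classify(line, fail, ignore):
    """Return (category, host) for one line: 'nodate', 'ignored', 'matched' or 'missed'."""
    m = DATE_RE.match(line)
    if not m:
        return "nodate", None
    rest = line[m.end():]  # what the failregex actually sees: " [error] ..."
    if ignore is not None and ignore.search(rest):
        return "ignored", None
    f = fail.search(rest)
    if f:
        return "matched", f.group("host")  # the client: address, not host: at the end
    return "missed", None


def run(log_text, failregex, ignoreregex=""):
    """Replay fail2ban-regex over log_text; return (counts, matched lines)."""
    fail, ignore = compile_filter(failregex, ignoreregex)
    counts = {"lines": 0, "dates": 0, "ignored": 0, "matched": 0, "missed": 0}
    matched = []  # (host, line) pairs, like --print-all-matched
    for line in log_text.splitlines():
        if not line.strip():
            continue
        counts["lines"] += 1
        cat, host = classify(line, fail, ignore)
        if cat == "nodate":
            counts["missed"] += 1  # no date template hit: the line can only be missed
            continue
        counts["dates"] += 1
        counts[cat] += 1
        if cat == "matched":
            matched.append((host, line))
    return counts, matched


if __name__ == "__main__":
    counts, hits = run("\n".join(SAMPLE_LINES), FAILREGEX, IGNOREREGEX)
    print("Lines: %(lines)d lines, %(ignored)d ignored, %(matched)d matched, %(missed)d missed"
          % counts)
    for host, line in hits:
        print(host, "<-", line[:60], "...")
```

Run it to see the per-line classification; the missed line with a date (the favicon error) and the dateless line both count as missed, while the 10.0.0.5 line moves from matched to ignored only because the constructed ignoreregex is present.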