Date: Fri, 22 Jun 2018 18:54:30 +0200
From: Michael Grimm <trashcan@ellael.org>
To: FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, Mailing List FreeBSD Ports <freebsd-ports@FreeBSD.org>
Cc: ed@freebsd.org, theis@gmx.at
Subject: Re: py-fail2ban turned silent after syslogd rollout (r335059, stable/11)
Message-ID: <697FFEFE-6AFB-45CE-ADCD-4DB10286E68B@ellael.org>
In-Reply-To: <20180622155922.GA61217@plan-b.pwste.edu.pl>
References: <590A1B87-464D-455C-A03D-9908EB7AF286@ellael.org> <20180622155922.GA61217@plan-b.pwste.edu.pl>

Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:

> On Fri, Jun 22, 2018 at 03:12:05PM +0200, Michael Grimm wrote:
>> Hi,
>>
>> this is 11.2-STABLE (r335532), and I am referring to the recent MFC of syslogd modifications [1].
>>
>> Because I cannot judge whether fail2ban lacks support for the renewed syslogd or syslogd has an issue in receiving fail2ban messages I do crosspost this mail to ports and stable.
>>
>> I do have fail2ban configured to report to SYSLOG:
>>
>> 	logtarget = SYSLOG
>> 	syslogsocket = auto
>>
>> But now, after upgrading to the new syslogd fail2ban refuses to report to syslogd; no single message gets recorded [2].
>>
>> I did try to modify the syslogsocket setting to /var/run/log without success. Pointing logtarget to a regular file tells me that fail2ban is running as expected, it only lacks reporting to SYSLOG.
>>
>> #) Does anyone else have py-fail2ban running at >= r335059 and can confirm my observations?
>> #) Any ideas how to debug this issue?
>>
>> Thank you in advance and regards,
>> Michael
>>
>>
>> [1] https://svnweb.freebsd.org/base/stable/11/usr.sbin/syslogd/Makefile?revision=335059&view=markup&sortby=file
>> [2] both syslogd and fail2ban are running at the host, thus another issue with syslogd fixed in
>> https://svnweb.freebsd.org/base?view=revision&sortby=file&revision=335314 does not apply
>>
>
> This is probably connected with the lack of handling of non-RFC
> compliant timestamps.
>
> My syslog server also suffers from this issue. It stopped logging
> messages from old Cisco equipment and some newer Netgear switches.
> Running it in debug mode gives some clue:
>
> Failed to parse TIMESTAMP from x.x.x.x: 12403: Jun 22 17:31:38 CEST:
> %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/17,
> changed state to down

Ah, yes! Haven't thought about running syslogd in debugging mode:

	Failed to parse TIMESTAMP from x.x.x.x: fail2ban.filter [79598]: INFO […]

> Could you please give any advice or workaround for this issue?

I cannot answer whether it might be possible to either tell syslogd to accept legacy timestamps [1] or configure fail2ban (or your applications) to switch to using RFC5424 compliant timestamps.

[1] I did try to set '-O rfc3164' starting syslogd to no avail

Anyone?

Regards,
Michael
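
Added illustration, not part of the original message and not syslogd's own code: a small Python checker that tests whether a syslog payload begins with a timestamp in the layout RFC 3164 or RFC 5424 defines, run over the two payloads quoted from the debug output above plus two constructed compliant ones. The function names, the hostname `host` and the compliant samples are assumptions; the patterns follow a strict reading of the RFCs and do not reproduce syslogd's parser.

```python
import re

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
# Optional "<PRI>" prefix that precedes the header on the wire.
PRI = re.compile(r"^<\d{1,3}>")
# RFC 3164 section 4.1.2: "Mmm dd hh:mm:ss", day space-padded, then a space.
RFC3164_TS = re.compile(rf"^(?:{MONTHS}) ( \d|\d\d) (\d\d):(\d\d):(\d\d) ")
# RFC 5424 section 6: VERSION "1", then an RFC 3339 timestamp or the nil value "-".
RFC5424_HDR = re.compile(
    r"^1 (?:-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:\d\d)) ")


def classify(payload):
    """Return 'rfc5424', 'rfc3164' or 'unparseable' for one syslog payload."""
    body = PRI.sub("", payload)
    if RFC5424_HDR.match(body):
        return "rfc5424"
    m = RFC3164_TS.match(body)
    if m:
        day, hh, mm, ss = (int(g) for g in m.groups())
        if 1 <= day <= 31 and hh < 24 and mm < 60 and ss < 60:
            return "rfc3164"
    return "unparseable"


# Payloads as shown in the thread's debug output (first two) and
# constructed compliant counterparts (last two).
SAMPLES = {
    "cisco": "12403: Jun 22 17:31:38 CEST: %LINEPROTO-5-UPDOWN: Line protocol "
             "on Interface FastEthernet0/17, changed state to down",
    "fail2ban": "fail2ban.filter [79598]: INFO […]",
    "constructed_3164": "<30>Jun 22 17:31:38 host fail2ban.filter[79598]: INFO x",
    "constructed_5424": "<30>1 2018-06-22T17:31:38+02:00 host fail2ban 79598 - - x",
}


def report():
    """Classify every sample; returns {name: classification}."""
    return {name: classify(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, kind in report().items():
        print(f"{name:18} {kind}")
```

Both payloads from the thread come out as `unparseable`: the Cisco line has a sequence number in front of the timestamp, and the fail2ban line carries no timestamp at all.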