From: Michael Grimm
To: FreeBSD-STABLE Mailing List, Mailing List FreeBSD Ports
Cc: ed@freebsd.org, theis@gmx.at
Date: Fri, 22 Jun 2018 18:54:30 +0200
Subject: Re: py-fail2ban turned silent after syslogd rollout (r335059, stable/11)

Marek Zarychta wrote:

> On Fri, Jun 22, 2018 at 03:12:05PM +0200, Michael Grimm wrote:
>> Hi,
>>
>> this is 11.2-STABLE (r335532), and I am referring to the recent MFC of syslogd modifications [1].
>>
>> Because I cannot judge whether fail2ban lacks support for the renewed syslogd or syslogd has an issue in receiving fail2ban messages I do crosspost this mail to ports and stable.
>>
>> I do have fail2ban configured to report to SYSLOG:
>>
>> logtarget = SYSLOG
>> syslogsocket = auto
>>
>> But now, after upgrading to the new syslogd, fail2ban refuses to report to syslogd; no single message gets recorded [2].
>>
>> I did try to modify the syslogsocket setting to /var/run/log without success. Pointing logtarget to a regular file tells me that fail2ban is running as expected, it only lacks reporting to SYSLOG.
>>
>> #) Does anyone else have py-fail2ban running at >= r335059 and can confirm my observations?
>> #) Any ideas how to debug this issue?
>>
>> Thank you in advance and regards,
>> Michael
>>
>>
>> [1] https://svnweb.freebsd.org/base/stable/11/usr.sbin/syslogd/Makefile?revision=335059&view=markup&sortby=file
>> [2] both syslogd and fail2ban are running at the host, thus another issue with syslogd fixed in
>> https://svnweb.freebsd.org/base?view=revision&sortby=file&revision=335314 does not apply
>>
>
> This is probably connected with the lack of handling of non-RFC
> compliant timestamps.
>
> My syslog server also suffers from this issue. It stopped logging
> messages from old Cisco equipment and some newer Netgear switches.
> Running it in debug mode gives some clue:
>
> Failed to parse TIMESTAMP from x.x.x.x: 12403: Jun 22 17:31:38 CEST:
> %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/17,
> changed state to down

Ah, yes! Haven't thought about running syslogd in debugging mode:

    Failed to parse TIMESTAMP from x.x.x.x: fail2ban.filter [79598]: INFO […]

> Could you please give any advice or workaround for this issue?

I cannot answer whether it might be possible to either tell syslogd to accept legacy timestamps [1] or configure fail2ban (or your applications) to switch to using RFC5424 compliant timestamps.

[1] I did try to set '-O rfc3164' starting syslogd to no avail

Anyone?

Regards,
Michael
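
An added example, not part of the original message and not syslogd's own code: a simplified check that sorts log lines by whether they open with an RFC 3164 or RFC 5424 timestamp, the field both debug lines above report as unparseable. The PRI values, the two well-formed lines and the source names are constructed, and the regexes approximate the RFC header grammars rather than reproduce syslogd's parser.

```python
import re

# Simplified header patterns (an approximation of the RFCs, not syslogd's parser).
PRI = r"(?:<\d{1,3}>)?"
MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
# RFC 3164: "Mmm dd hh:mm:ss " with the day of month space-padded to two columns.
RFC3164 = re.compile(rf"^{PRI}(?:{MONTHS}) (?: [1-9]|[12]\d|3[01]) \d\d:\d\d:\d\d ")
# RFC 5424: VERSION, a space, then an ISO 8601 timestamp or the nil value "-".
ISO8601 = r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:\d\d)"
RFC5424 = re.compile(rf"^{PRI}[1-9]\d{{0,2}} (?:-|{ISO8601}) ")


def classify(line):
    """Return which timestamp form opens the line, or 'no-timestamp'."""
    if RFC5424.match(line):
        return "rfc5424"
    if RFC3164.match(line):
        return "rfc3164"
    return "no-timestamp"


def sources_without_timestamp(records):
    """records: (source, line) pairs. Return the sorted sources whose header lacks a timestamp."""
    return sorted({src for src, line in records if classify(line) == "no-timestamp"})


# Constructed samples. The first two reuse the message text quoted in the thread
# with an assumed PRI prepended; the last two are well-formed controls.
SAMPLES = [
    ("fail2ban", "<38>fail2ban.filter [79598]: INFO constructed message text"),
    ("cisco", "<189>12403: Jun 22 17:31:38 CEST: %LINEPROTO-5-UPDOWN: "
              "Line protocol on Interface FastEthernet0/17, changed state to down"),
    ("legacy-ok", "<38>Jun 22 18:54:30 host fail2ban.filter[79598]: INFO constructed message text"),
    ("modern-ok", "<38>1 2018-06-22T18:54:30.123+02:00 host fail2ban 79598 - - constructed message text"),
]

if __name__ == "__main__":
    for src, line in SAMPLES:
        print(f"{classify(line):13} {src}")
    print("no leading timestamp:", sources_without_timestamp(SAMPLES))
```

Run over a capture of what each sender actually emits, this lists the sources whose messages start with a tag or sequence number instead of a timestamp, which is the set worth checking for gaps in the collected logs.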