[Check_mk (english)] logwatch expression

Riccardo Murri riccardo.murri at uzh.ch
Fri Oct 10 13:39:11 CEST 2014

On 10 October 2014 12:53,  <sberg at mississippi.com> wrote:
> Here's what I've tried to do in logwatch.cfg, but it still doesn't throw a warning on new ban or unban entries.  How do I tweak this to get a match?
> # Fail2ban log
> /var/log/fail2ban.log
>  W fail2ban\.actions\[*\]\: WARNING \[ssh\-iptables\] Ban
>  W fail2ban\.actions\[*\]\: WARNING \[ssh\-iptables\] Unban

IIRC, logwatch expressions are regexps, not glob patterns.

Hence you would need something like:

        W fail2ban\.actions\[[0-9]+\]\: WARNING \[ssh\-iptables\] Ban
        W fail2ban\.actions\[[0-9]+\]\: WARNING \[ssh\-iptables\] Unban

You can probably make the [pid] part optional so as to match both
old-style and new-style logs:

        W fail2ban\.actions(\[[0-9]+\])?\: WARNING \[ssh\-iptables\] Ban
        W fail2ban\.actions(\[[0-9]+\])?\: WARNING \[ssh\-iptables\] Unban

Kind regards,

Riccardo Murri

S3IT: Services and Support for Science IT
University of Zurich
Winterthurerstrasse 190, CH-8057 Zürich (Switzerland)
Tel: +41 44 635 4222
Fax: +41 44 635 6888
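
The difference between the three pattern variants in this thread, as an added example that is not part of the original message. It assumes logwatch applies each expression as an unanchored Python regular-expression search; the log lines, the `classify` helper and the "-" marker for "no rule matched" are constructed for illustration.

```python
import re

# Constructed fail2ban log lines (addresses from the 192.0.2.0/24 documentation range).
SAMPLE_LOG = [
    "2014-10-10 12:40:01,123 fail2ban.actions[1234]: WARNING [ssh-iptables] Ban 192.0.2.10",
    "2014-10-10 12:50:01,456 fail2ban.actions[1234]: WARNING [ssh-iptables] Unban 192.0.2.10",
    "2014-10-10 12:55:07,789 fail2ban.actions: WARNING [ssh-iptables] Ban 192.0.2.11",  # no [pid]
    "2014-10-10 12:56:00,000 fail2ban.filter[1234]: INFO Log rotation detected",
]

# The expressions from the question: "\[*\]" was meant as a glob wildcard.
ORIGINAL = [
    ("W", r"fail2ban\.actions\[*\]\: WARNING \[ssh\-iptables\] Ban"),
    ("W", r"fail2ban\.actions\[*\]\: WARNING \[ssh\-iptables\] Unban"),
]
# First suggestion from the reply: a numeric pid between literal brackets.
WITH_PID = [
    ("W", r"fail2ban\.actions\[[0-9]+\]\: WARNING \[ssh\-iptables\] Ban"),
    ("W", r"fail2ban\.actions\[[0-9]+\]\: WARNING \[ssh\-iptables\] Unban"),
]
# Second suggestion: the whole "[pid]" group is optional.
OPTIONAL_PID = [
    ("W", r"fail2ban\.actions(\[[0-9]+\])?\: WARNING \[ssh\-iptables\] Ban"),
    ("W", r"fail2ban\.actions(\[[0-9]+\])?\: WARNING \[ssh\-iptables\] Unban"),
]

# As a regex, "\[*\]" means "zero or more '[' followed by ']'", so the original
# expression only matches text like this constructed line, never "[1234]".
GLOB_MISREAD = "fail2ban.actions[[]: WARNING [ssh-iptables] Ban 192.0.2.12"


def classify(lines, rules):
    """Return one state per line: the first matching rule wins, '-' if none matches."""
    compiled = [(state, re.compile(pattern)) for state, pattern in rules]
    return [
        next((state for state, rx in compiled if rx.search(line)), "-")
        for line in lines
    ]


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("with pid", WITH_PID),
                        ("optional pid", OPTIONAL_PID)):
        print(f"{name:13s}", classify(SAMPLE_LOG, rules))
```

Running the three rule sets over a copy of the real log before editing logwatch.cfg shows which ban and unban lines would raise a warning and which would pass unnoticed.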
