I was checking my logs tonight and noticed my fail2ban log was almost a gig. Just from a day.
fail2ban.filterpoll [31356]: ERROR Unable to get stat on /var/log/httpd/ssl_error_log-20171007 because of: [Errno 2] No such file or directory: ‘/var/log/httpd/ssl_error_log-20171007’
fail2ban.filterpoll [31356]: WARNING Too many errors. Setting the jail idle
It does this hundreds of thousands of times, for the jail, all idle.
fail2ban.filter [31356]: WARNING Error decoding line from ‘/var/log/sogo/sogo.log-20171024.gz’ with ‘UTF-8’. Consider setting logencoding=utf-8 (or another appropriate encoding) for this jail. Continuing to process line ignoring invalid characters: ‘\x1f\x8b\x08\x00\x81\xec\xeeY\x00\x03\xed]ko\xdc6\x16\xfd\xde_A\x18X\xb4\xc5n8|J$\xfb\xc0z\xebIj \xb5\x8d\xb1\xbb\xc0"\x08\n’
That's a SOGO thing.
Any hints as to the issue?
Edit: The issue seems to be that the logfile isn't rotated fast enough (or at all???) and the jail stops. Seems to be only an issue with the httpd jail(?) but from what I can tell it is a fail2ban issue upstream so maybe nothing we can do about it. Maybe we need to investigate if it is actually doing its job because failing to block a ddos or a hack attempt could be dangerous.
The problem is not only upstream but also in Nethserver. For example the logs used by nethserver for apache are not access.log or error.log but, like you see, ‘ssl_error_log-20171007’ when the logrotate is triggered.
At first fail2ban expects to find something in access.log or error.log but they are empty, like we find in Fail2Ban doesn't ban webinterface
Therefore I tried to add a wildcard to the fail2ban regex (‘*’) and reload the fail2ban configuration when the fail2ban logs are rotated…but I suspect that maybe it doesn’t work
To solve your jail problem do: fail2ban-client reload
Then check in the fail2ban log whether the jail started well.
Question concerning your errors in the fail2ban log: it concerns only httpd and sogo. Have you already reported precisely what occurs? I mean that I read two lines of errors concerning sogo and httpd.
Eventually could you please paste a gist of the fail2ban log?
Just in case, did the command fail2ban-client reload solve your issue please?
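The two failure modes discussed above (a logpath that no longer exists after logrotate, and a wildcard logpath that also matches gzip-compressed rotated files) can be checked directly against the glob written in a jail's logpath. The script below is an added diagnostic, not part of the thread or of fail2ban/NethServer; the sample directory layout it builds is constructed to mirror the file names in the thread.

```shell
#!/bin/sh
# Added diagnostic: given a fail2ban logpath glob (as written in jail.local),
# list what it currently matches and flag files fail2ban cannot read as text:
# a path that matches nothing (-> "Unable to get stat ... No such file", jail
# goes idle) and compressed rotated logs (-> "Error decoding line ... with
# 'UTF-8'", the gzip header bytes shown in the sogo warning).
# Returns 0 only when every match is an existing, uncompressed file.
check_logpath() {
    pattern="$1"
    status=0
    matched=0
    for f in $pattern; do              # unquoted on purpose: expand the glob
        if [ ! -e "$f" ]; then         # glob matched nothing: literal returned
            echo "MISSING  $f  (jail would log 'Unable to get stat' and go idle)"
            status=1
            continue
        fi
        matched=$((matched + 1))
        case "$f" in
            *.gz|*.bz2|*.xz)
                echo "BINARY   $f  (compressed rotated log; read as text by fail2ban)"
                status=1 ;;
            *)
                echo "OK       $f" ;;
        esac
    done
    [ "$matched" -gt 0 ] || status=1
    return $status
}

# Constructed sample layout (hypothetical, not real server files) that
# reproduces the thread: an empty current log, a plain rotated httpd log,
# and a gzip-compressed rotated sogo log.
setup_sample_logs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/httpd" "$dir/sogo"
    : > "$dir/httpd/ssl_error_log"
    : > "$dir/httpd/ssl_error_log-20171007"
    : > "$dir/sogo/sogo.log"
    printf '\037\213\010' > "$dir/sogo/sogo.log-20171024.gz"   # gzip magic bytes
    echo "$dir"
}

sample=$(setup_sample_logs)
check_logpath "$sample/httpd/ssl_error_log*" || echo "-> fix logpath for httpd"
check_logpath "$sample/sogo/sogo.log*"       || echo "-> exclude *.gz from sogo logpath"
check_logpath "$sample/httpd/error_log"      || echo "-> jail points at a missing file"
```

Run it against the real globs from /etc/fail2ban/jail.local (or jail.d) on the server to see which jail is reading a .gz file or a path that logrotate has renamed away.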
A reload does seem to resolve part of the issue, it's been half an hour and the log file is blank except for
[details=Summary]2017-10-26 09:39:49,039 fail2ban.filter [31629]: WARNING Error decoding line from ‘/var/log/sogo/sogo.log-20171025.gz’ with ‘UTF-8’. Consider setting logencoding=utf-8 (or another appropriate encoding) for this jail. Continuing to process line ignoring invalid characters: ‘\x1f\x8b\x08\x00EA\xf0Y\x00\x03\xdd\ko\xdb6\x14\xfd\xbe_A\x04\x18\xd0\x02\x0b\xcd\xa7\xf8\xe8\x03\x0b\xd64+\xd6\xc5\x81\x93}\n’
[/details]
Ok, posted a gist. Is there a better way to report errors in logs? I'd be happy to monitor logs, but I don't want to open new topics when I find errors if I'm clogging the forum.
The sogo error is not related to a lack of log. I have the feeling that sogo wrote some ‘binary’ things in logs
Is it just one line in the fail2ban log or another tsunami of information like for httpd?
Weird. So I do a reload of the service about once a day, overnight it starts the error again and the next morning I reload the service. It goes about 18 hours before it starts filling the log again.