both work on their own just fine and fail2ban happily logs to /var/log/fail2ban.log

I would like to enable some log monitoring and I can only monitor the syslog file, so I thought I could use this directive to make fail2ban log to syslog:

Code:
logtarget = SYSLOG

It works, fail2ban now logs to syslog, but if I want to enable the recidive module of fail2ban I need to tell it which log file to monitor, and I'd rather avoid monitoring syslog, so I was looking to make rsyslog write to /var/log/fail2ban.log

I tried these but none really works; it seems I cannot figure out the correct syntax. Could someone help out?

Code:
fail2ban.actions -/var/log/fail2ban.log
:msg, contains, "fail2ban.*" /var/log/fail2ban.log
if $programname == 'fail2ban.*' then /var/log/fail2ban.log

The first one definitely doesn't work; the other two seem to have problems with fail2ban.* - if I remove .* it works. Also, I need to log to fail2ban.log AND syslog.

Any pointers?
Anyone familiar with rsyslog? What is wrong with this line:

Code:
:msg, contains, "fail2ban\.*" /var/log/fail2ban.log

I tried inserting it as the first rule to rule out that it was being overwritten, but I can still see fail2ban lines inside syslog but not inside /var/log/fail2ban.log
I know this is an old thread, but I thought I'd post this in case it helps someone else in the future. This is the rsyslog filter I went with to send fail2ban messages to /var/log/fail2ban.log in addition to syslog:

(colon)programname, startswith, "fail2ban" -/var/log/fail2ban.log

Replace (colon) with : of course. I couldn't get this to post without replacing that with
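The filters tried in this thread, modelled in Python as an added example (not code from any of the posts, and not rsyslog itself): rsyslog's `contains`, `startswith` and `==` compare literal strings, so `.*` is never treated as a wildcard. The sample lines are constructed and assume the syslog tag has the form `fail2ban.<component>`; `parse`, `matches` and `selected` are hypothetical helper names.

```python
import re

# Constructed sample lines in traditional syslog file format (not from the thread).
# Assumption: fail2ban's syslog tag is "fail2ban.<component>".
SAMPLE = [
    "Mar  3 10:15:01 host fail2ban.actions[812]: WARNING [sshd] Ban 192.0.2.10",
    "Mar  3 10:15:02 host fail2ban.filter[812]: INFO [sshd] Found 192.0.2.10",
    "Mar  3 10:15:03 host sshd[990]: Failed password for root from 192.0.2.10",
]

# timestamp, host, tag (ends at '[' or ':'), optional [pid], then the message
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<tag>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

def parse(line):
    """Split a line into the two properties the thread's filters test."""
    m = LINE.match(line)
    if m is None:
        raise ValueError("not a syslog line: %r" % line)
    return {"programname": m.group("tag"), "msg": m.group("msg")}

# Model of the compare operations used in the thread: every one is a
# literal string test, so ".*" has to appear verbatim in the property.
OPS = {
    "contains": lambda value, arg: arg in value,
    "startswith": lambda value, arg: value.startswith(arg),
    "isequal": lambda value, arg: value == arg,  # what == does in an if/then rule
}

def matches(line, prop, op, arg):
    """True if the filter (property, operation, argument) selects this line."""
    return OPS[op](parse(line)[prop], arg)

def selected(prop, op, arg):
    """Program names of the sample lines a filter would write to the file."""
    return [parse(l)["programname"] for l in SAMPLE if matches(l, prop, op, arg)]

if __name__ == "__main__":
    for flt in [("msg", "contains", "fail2ban.*"),
                ("programname", "isequal", "fail2ban.*"),
                ("programname", "startswith", "fail2ban")]:
        print(flt, "->", selected(*flt))
```

Only the `startswith` filter on `programname` selects both fail2ban lines and leaves the sshd line out; because the rule has no discard action after it, the same messages still reach the later syslog rule.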