From 2a436cb9a16c907f67dced90c92f9661a1c68990 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 26 Mar 2024 14:33:37 +0100
Subject: [PATCH] NEW Update log with v20 log format

---
 etc/fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf | 3 ++-
 etc/fail2ban/filter.d/web-dolibarr-ruleslimitpublic.conf | 5 +++--
 etc/fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf | 5 +++--
 .../filter.d/web-dolibarr-rulesregisterinstance.conf | 5 +++--
 4 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/etc/fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf b/etc/fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf
index 1cf908d69..7cc23b8f7 100644
--- a/etc/fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf
+++ b/etc/fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf
@@ -9,6 +9,7 @@
 # To test, you can inject this example into log
 # echo `date +'%Y-%m-%d %H:%M:%S'`" INFO 1.2.3.4 functions_dolibarr::check_user_password_abcd Authentication KO" >> /home/admin/wwwroot/dolibarr_documents/dolibarr.log
+# echo `date +'%Y-%m-%d %H:%M:%S'`" INFO 1.2.3.4 1234567 33 functions_dolibarr::check_user_password_abcd Authentication KO" >> /home/admin/wwwroot/dolibarr_documents/dolibarr.log
 #
 # then
 # fail2ban-client status web-dol-bruteforce
@@ -16,5 +17,5 @@
 # To test rule file on a existing log file
 # fail2ban-regex /home/admin/wwwroot/dolibarr_documents/dolibarr.log /etc/fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf --print-all-matched
-failregex = ^ [A-Z\s]+ \s+functions_.*::check_user_.* Authentication KO
+failregex = ^ [A-Z\s]+ \s.*functions_.*::check_user_.* Authentication KO
 ignoreregex =
diff --git a/etc/fail2ban/filter.d/web-dolibarr-ruleslimitpublic.conf b/etc/fail2ban/filter.d/web-dolibarr-ruleslimitpublic.conf
index f42ba2d52..358cfb4b0 100644
--- a/etc/fail2ban/filter.d/web-dolibarr-ruleslimitpublic.conf
+++ b/etc/fail2ban/filter.d/web-dolibarr-ruleslimitpublic.conf
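Review bot: Widening `\s+functions_` to `\s.*functions_` in the `failregex` of web-dolibarr-rulesbruteforce.conf accepts arbitrary text between the host field and `functions_`, which is broader than the v20 format needs; assuming the added example line reflects the real layout (two extra whitespace-separated numeric fields, `1234567 33`), `\s+(?:\d+\s+\d+\s+)?functions_` matches both the old and the new format without an unbounded wildcard. The same `\s+` → `\s.*` change appears in the `failregex` hunks of web-dolibarr-ruleslimitpublic.conf, web-dolibarr-rulespassforgotten.conf and web-dolibarr-rulesregisterinstance.conf, and the same tightening applies there. The new `.*` also stacks with the existing `.*::check_user_.*` wildcards, so a long non-matching log line can cost noticeably more backtracking than the bounded form, and fail2ban's filter-writing guidance discourages unbounded `.*` where a bounded pattern is possible. As printed, nothing stands between `[A-Z\s]+ ` and `\s`; if the `<HOST>` placeholder was dropped by rendering this is fine, but if the file really lacks it fail2ban has no address to ban, which the `fail2ban-regex` command quoted in the same hunk would confirm.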
@@ -6,7 +6,8 @@
 [Definition]
 # To test, you can inject this example into log
-# echo `date +'%Y-%m-%d %H:%M:%S'`" NOTICE 1.2.3.4 --- Access to GET /public/clicktodial/cidlookup.php" >> /home/admin/wwwroot/dolibarr_documents/dolibarr.log
+# echo `date +'%Y-%m-%d %H:%M:%S'`" NOTICE 1.2.3.4 --- Access to GET /public/clicktodial/cidlookup.php" >> /home/admin/wwwroot/dolibarr_documents/dolibarr.log
+# echo `date +'%Y-%m-%d %H:%M:%S'`" NOTICE 1.2.3.4 1234567 33 --- Access to GET /public/clicktodial/cidlookup.php" >> /home/admin/wwwroot/dolibarr_documents/dolibarr.log
 #
 # then
 # fail2ban-client status web-dolibarr-limitpublic
@@ -14,5 +15,5 @@
 # To test rule file on a existing log file
 # fail2ban-regex /mypath/documents/dolibarr.log /etc/fail2ban/filter.d/web-dolibarr-ruleslimitpublic.conf --print-all-matched
-failregex = ^ [A-Z\s]+ \s+--- Access to .*/public/
+failregex = ^ [A-Z\s]+ \s.*--- Access to .*/public/
 ignoreregex =
diff --git a/etc/fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf b/etc/fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf
index 2ada77c64..774659f43 100644
--- a/etc/fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf
+++ b/etc/fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf
@@ -8,7 +8,8 @@
 [Definition]
 # To test, you can inject this example into log
-# echo `date +'%Y-%m-%d %H:%M:%S'`" NOTICE 1.2.3.4 --- Access to GET /passwordforgotten.php" >> /home/admin/wwwroot/dolibarr_documents/dolibarr.log
+# echo `date +'%Y-%m-%d %H:%M:%S'`" NOTICE 1.2.3.4 --- Access to GET /passwordforgotten.php" >> /home/admin/wwwroot/dolibarr_documents/dolibarr.log
+# echo `date +'%Y-%m-%d %H:%M:%S'`" NOTICE 1.2.3.4 1234567 33 --- Access to GET /passwordforgotten.php" >> /home/admin/wwwroot/dolibarr_documents/dolibarr.log
 #
 # then
 # fail2ban-client status web-dol-passforgotten
@@ -16,5 +17,5 @@
 # To test rule file on a existing log file
 # fail2ban-regex /home/admin/wwwroot/dolibarr_documents/dolibarr.log /etc/fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf --print-all-matched
-failregex = ^ [A-Z\s]+ \s+--- Access to .*/passwordforgotten.php
+failregex = ^ [A-Z\s]+ \s.*--- Access to .*/passwordforgotten.php
 ignoreregex =
diff --git a/etc/fail2ban/filter.d/web-dolibarr-rulesregisterinstance.conf b/etc/fail2ban/filter.d/web-dolibarr-rulesregisterinstance.conf
index c23714495..5e8779bb3 100644
--- a/etc/fail2ban/filter.d/web-dolibarr-rulesregisterinstance.conf
+++ b/etc/fail2ban/filter.d/web-dolibarr-rulesregisterinstance.conf
@@ -8,7 +8,8 @@
 [Definition]
 # To test, you can inject this example into log
-# echo `date +'%Y-%m-%d %H:%M:%S'`" WARNING 1.2.3.4 Instance creation blocked for 1.2.3.4" >> /home/admin/wwwroot/dolibarr_documents/dolibarr_register.log
+# echo `date +'%Y-%m-%d %H:%M:%S'`" WARNING 1.2.3.4 Instance creation blocked for 1.2.3.4" >> /home/admin/wwwroot/dolibarr_documents/dolibarr_register.log
+# echo `date +'%Y-%m-%d %H:%M:%S'`" WARNING 1.2.3.4 1234567 33 Instance creation blocked for 1.2.3.4" >> /home/admin/wwwroot/dolibarr_documents/dolibarr_register.log
 #
 # then
 # fail2ban-client status web-dol-registerinstance
@@ -16,5 +17,5 @@
 # To test rule file on a existing log file
 # fail2ban-regex /home/admin/wwwroot/dolibarr_documents/dolibarr.log /etc/fail2ban/filter.d/web-dolibarr-rulesregisterinstance.conf --print-all-matched
-failregex = ^ [A-Z\s]+ \s+Instance creation blocked for
+failregex = ^ [A-Z\s]+ \s.*Instance creation blocked for
 ignoreregex =