Should be able to monitor log files like the original Fail2Ban, not just Windows Events #33
Comments
Just wanted to +1 this request. I have a similar challenge with IIS logs. I can have the IIS put its logs into the Event Viewer, but the IP address and the rest of the filtering criteria I'd need to account for are in different EventData Data fields, so I can't use Fail2Ban4Win for this particular challenge. It'd work if I could trigger off of additional fields in an EventLogSelector, or if I could work with the logfile directly, like @JennaScvl is requesting.
Hi @jmoeller-ua,
An example entry looks like this:
The Event Viewer puts each element neatly and correctly into the EventData hashtable, but since I need to reference elements other than just
Unhelpfully, the IIS logger puts in all events with the same event ID of 6200. But I guess it makes sense for a web log that it wouldn't be able to discern outcomes.
That wasn't an .evtx file, but I figured out how to generate my own:
Indeed, I just wanted to strip out the identifying information. I had set it up just as you had mentioned.
Yes, that's sort of what I was imagining, additional optional configuration items that I could refer to put a specific event in scope of Fail2Ban4Win. Would love to see it if you think it'd be a reasonable feature to implement.
Right, those ETW instructions were for me and anyone else who looks at this issue in the future, because I had to figure it out and was worried I'd forget next time I have to do it (when updating unit tests, adding new dependent features, etc). I believe adding the additional XPath predicate to the configuration is a reasonable feature to add. I will try to find the time soon to try it out and send you a development snapshot build to see if it fits your use case too before releasing it.
@jmoeller-ua: give this a try and let me know how well it fits your use case

Developer snapshot executable: Fail2Ban4Win.zip

Configuration

There is now a new optional property of
Multiple predicates can be constructed with XPath.

Example

This selector should select only IIS access logs where the response status code is 403.

```json
{
  "logName": "Microsoft-Windows-IIS-Logging/Logs",
  "source": "IIS-Logging",
  "eventId": 6200,
  "ipAddressEventDataName": "c-ip",
  "eventPredicate": "[EventData/Data[@Name='sc-status']=403]"
}
```

This will result in Fail2Ban4Win using an effective XPath expression of

Here is another example that matches requests with both status code 304 and request method GET.

```json
{
  "eventPredicate": "[EventData[Data[@Name='sc-status']='304'][Data[@Name='cs-method']='GET']]"
  /* other properties are the same */
}
```

Here is an example of an or expression to match two different status codes.

```json
{
  "eventPredicate": "[EventData/Data[@Name='sc-status']='304' or EventData/Data[@Name='sc-status']='403']"
  /* other properties are the same */
}
```
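A predicate is easiest to get wrong in the quoting and nesting, so it is worth checking it against known events before it goes into the configuration. The following PowerShell script is an added example and not part of Fail2Ban4Win: it runs the three predicates above, verbatim, against constructed IIS-Logging events using the .NET XPath 1.0 engine, which accepts the same predicate syntax. The sample events are constructed and omit the Windows event XML namespace so the unprefixed element names apply unchanged, and the `/Events/Event[System/EventID=...]` prefix is this example's own stand-in for the selector's event ID filter, not the project's effective expression.

```powershell
# Added example, not Fail2Ban4Win code: evaluate eventPredicate strings from the
# selector configuration against constructed IIS-Logging events with .NET XPath.

function New-SampleIisEvent {
    param([int]$EventId, [string]$ClientIp, [string]$Method, [string]$Status)
    # Constructed event. Real events also carry the
    # http://schemas.microsoft.com/win/2004/08/events/event namespace; it is
    # omitted here so the unprefixed names in the config predicates apply as-is.
    @"
<Event>
  <System><Provider Name="IIS-Logging"/><EventID>$EventId</EventID></System>
  <EventData>
    <Data Name="c-ip">$ClientIp</Data>
    <Data Name="cs-method">$Method</Data>
    <Data Name="sc-status">$Status</Data>
  </EventData>
</Event>
"@
}

# Four constructed access-log events from two client addresses.
[xml]$sampleLog = '<Events>' +
    (New-SampleIisEvent 6200 '203.0.113.7'  'GET'  '403') +
    (New-SampleIisEvent 6200 '203.0.113.7'  'GET'  '304') +
    (New-SampleIisEvent 6200 '198.51.100.2' 'POST' '304') +
    (New-SampleIisEvent 6200 '198.51.100.2' 'GET'  '200') +
    '</Events>'

function Select-MatchingClientIps {
    param([xml]$Log, [int]$EventId, [string]$EventPredicate)
    # Stand-in for the selector: filter on event ID, then append the predicate verbatim.
    $xpath = "/Events/Event[System/EventID=$EventId]$EventPredicate"
    foreach ($evt in $Log.SelectNodes($xpath)) {
        # c-ip is what ipAddressEventDataName points at in the config above.
        $evt.SelectSingleNode("EventData/Data[@Name='c-ip']").InnerText
    }
}

# The three predicates from the configuration examples, unchanged.
$predicates = [ordered]@{
    'status 403'         = "[EventData/Data[@Name='sc-status']=403]"
    'status 304 and GET' = "[EventData[Data[@Name='sc-status']='304'][Data[@Name='cs-method']='GET']]"
    'status 304 or 403'  = "[EventData/Data[@Name='sc-status']='304' or EventData/Data[@Name='sc-status']='403']"
}

foreach ($entry in $predicates.GetEnumerator()) {
    $ips = @(Select-MatchingClientIps -Log $sampleLog -EventId 6200 -EventPredicate $entry.Value)
    '{0,-20} matched {1} event(s): {2}' -f $entry.Key, $ips.Count, ($ips -join ', ')
}
```

Run it with an unchanged predicate first; if the expected address count comes back, the predicate's quoting is sound before it is tried against the live log. Note the difference between the second and third forms: `EventData[Data[...]][Data[...]]` requires both conditions on the same event's data, while the `or` form accepts either status regardless of method.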
That would be fantastic. I'd be happy to try it out.
From: Ben Hutchison ***@***.***>
Sent: Wednesday, July 10, 2024 5:42:11 PM
To: Aldaviva/Fail2Ban4Win ***@***.***>
Cc: Moeller, John D - (jmoeller) ***@***.***>; Mention ***@***.***>
Subject: [EXT] Re: [Aldaviva/Fail2Ban4Win] Should be able to monitor log files like the original Fail2Ban, not just Windows Events (Issue #33)
It works great, this is amazing. I can't believe how fast you did this!
Thanks! Great to hear it's working for you. This was a pretty straightforward change because it leveraged Windows' existing ETW XPath filtering, which this project was already using. By adding the one new optional, backwards-compatible configuration property, it augmented the existing Event ID and Source filtering that this project had already been set up to use. So it was a small change that did not reinvent the wheel.
I'm splitting the
I spent 3 hours trying to figure out why it wasn't loading when it turned out to be that it just can't monitor logs.
For example I'd been trying to use this as one of my rules
```json
{
  "logName": "F:/xampp/apache/logs/error.log",
  "eventId": 0,
  "ipAddressPattern": "\[client (?\d+\.\d+\.\d+\.\d+):\d+\]",
  "failurePattern": "AH00124"
}
```
and it just wouldn't load. The idea was to block an exploit attempt I keep seeing pop up in my Apache error.log
Also
```json
{
  "logName": "F:/xampp/apache/logs/modsec_audit.log",
  "eventId": 0,
  "ipAddressPattern": ""client_ip":"(?\d+\.\d+\.\d+\.\d+)"",
  "failurePattern": ""status":"218""
}
```
This one is to monitor modsecurity's audit log to block certain common exploit attempts I've seen come in.
But it just can't monitor log files like the original can, apparently.
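To make concrete what a file-based selector like the two above would have to do, here is an added PowerShell example (not Fail2Ban4Win's code, and not a feature the project has): it applies a failure pattern and an IP pattern to constructed Apache error.log and ModSecurity audit lines, counts failures per source address, and reports the addresses that reach a threshold. The regexes are this example's own corrected versions of the ones posted above; the `ipAddress` capture-group name, the `MaxAllowedFailures` threshold and the sample lines are all assumptions made for the example.

```powershell
# Added example, not Fail2Ban4Win code: what a file-based selector like the one
# requested in this issue would do, run over constructed log lines.

# Selector shape mirrors the requested configuration. The "ipAddress" group name
# is this example's own assumption, not a Fail2Ban4Win requirement.
$selectors = @(
    @{
        Name             = 'apache-error'
        IpAddressPattern = '\[client (?<ipAddress>\d{1,3}(?:\.\d{1,3}){3}):\d+\]'
        FailurePattern   = 'AH00124'
    },
    @{
        Name             = 'modsec-audit'
        IpAddressPattern = '"client_ip":"(?<ipAddress>\d{1,3}(?:\.\d{1,3}){3})"'
        FailurePattern   = '"status":"218"'
    }
)

# Constructed sample lines (not real traffic) in the layout of each log.
$apacheLines = @(
    '[Wed Jul 10 17:42:11.000001 2024] [core:error] [pid 4120:tid 7016] [client 203.0.113.7:51234] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error.',
    '[Wed Jul 10 17:42:12.000001 2024] [core:error] [pid 4120:tid 7016] [client 203.0.113.7:51236] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error.',
    '[Wed Jul 10 17:42:13.000001 2024] [authz_core:error] [pid 4120:tid 7016] [client 198.51.100.2:40000] AH01630: client denied by server configuration: F:/xampp/htdocs/private'
)
$modsecLines = @(
    '{"transaction":{"client_ip":"198.51.100.2","request":{"uri":"/login"},"response":{"status":"218"}}}',
    '{"transaction":{"client_ip":"198.51.100.2","request":{"uri":"/api/upload"},"response":{"status":"218"}}}',
    '{"transaction":{"client_ip":"192.0.2.10","request":{"uri":"/index.php"},"response":{"status":"200"}}}'
)

function Get-FailureAddresses {
    param([string[]]$Lines, [hashtable]$Selector)
    # A line counts only when the failure pattern matches; the address then comes
    # from the ipAddress group of the IP pattern (the second -match fills $Matches).
    foreach ($line in $Lines) {
        if ($line -match $Selector.FailurePattern -and $line -match $Selector.IpAddressPattern) {
            $Matches['ipAddress']
        }
    }
}

function Get-BanCandidates {
    param([string[]]$Addresses, [int]$MaxAllowedFailures)
    # Group failures per source address and keep those at or over the threshold.
    $Addresses | Group-Object | Where-Object { $_.Count -ge $MaxAllowedFailures } |
        ForEach-Object { [pscustomobject]@{ Address = $_.Name; Failures = $_.Count } }
}

$failures = @()
$failures += Get-FailureAddresses -Lines $apacheLines -Selector $selectors[0]
$failures += Get-FailureAddresses -Lines $modsecLines -Selector $selectors[1]
Get-BanCandidates -Addresses $failures -MaxAllowedFailures 2
```

With the constructed lines, 203.0.113.7 is reported from the Apache log and 198.51.100.2 from the ModSecurity log, while the AH01630 line and the status 200 line are ignored because their failure patterns do not match. A real implementation would also need to tail the file as it grows and expire counts after a window, which this example leaves out.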